Cover V05, I06
Sidebar: IP Masquerading

One of the new features in the Linux kernel is IP masquerading. This feature enables you to "hide" local systems behind one IP address. Its workings are best explained by means of an example.

In Figure 2, the machine called "firewall" connects to the Internet using IP address 194.109.13.150, the address assigned to me by the Internet Service Provider. This is a single node address, which means the provider will not route traffic for a network behind it. So, the firewall cannot run the routed daemon to announce routes to the machines host1 or host2.

So, if we want to connect to the Internet from host1 or host2, we need to do something extra. Usually, we would install application proxies on the firewall. The local hosts will then connect to these proxies, which in turn will connect to the Internet.

IP masquerading, however, enables the firewall to modify the IP addresses in the IP packets sent by host1 or host2. To host1 and host2, the machine firewall is a "normal" gateway, so all nonlocal IP traffic from host1 or host2 is sent to the firewall at address 193.78.174.33. The firewall then replaces the source address, either 193.78.174.34 or 193.78.174.35, with its own IP address (in this case 194.109.13.150). It also records enough information from the IP packet in an internal table to recognise and rewrite the reply. When the destination on the Internet sends a reply, the firewall replaces the destination address 194.109.13.150 with the address of the original sender, either 193.78.174.34 or 193.78.174.35.
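The following is an added illustration, not code from the article or from the Linux kernel: a small model of the translation table the firewall keeps. It uses the addresses from Figure 2 and assumes that, besides the source address, the firewall also rewrites the source port to one it allocates itself (starting at a constructed value, 60000), which is how it can tell apart replies meant for host1 and host2 when both talk to the same server. Checksum recalculation, timeouts and the real kernel's port range are left out.

```python
"""Simplified model of IP masquerading (added example, not the article's code).

Constructed for illustration: addresses come from Figure 2 of the article;
the packet tuples, the port-allocation scheme and the port range are
assumptions. Real kernels also fix up checksums and expire old entries.
"""
from dataclasses import dataclass, replace

FIREWALL_EXTERNAL = "194.109.13.150"  # address assigned by the ISP
LOCAL_NET_PREFIX = "193.78.174."      # the hidden local network
MASQ_PORT_START = 60000               # first port handed out (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class MasqueradingFirewall:
    """Rewrites outbound packets and maps replies back to the local sender."""

    def __init__(self):
        self._next_port = MASQ_PORT_START
        # masqueraded source port -> (orig src, orig sport, dst, dport)
        self._table = {}

    def _lookup_or_allocate(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for mport, entry in self._table.items():
            if entry == key:          # existing flow: reuse its port
                return mport
        mport = self._next_port       # new flow: allocate the next port
        self._next_port += 1
        self._table[mport] = key
        return mport

    def outbound(self, pkt):
        """Packet from the local network heading for the Internet."""
        if not pkt.src.startswith(LOCAL_NET_PREFIX):
            raise ValueError("outbound rewriting only applies to local sources")
        mport = self._lookup_or_allocate(pkt)
        # Source now looks like the firewall itself; local address is hidden.
        return replace(pkt, src=FIREWALL_EXTERNAL, sport=mport)

    def inbound(self, pkt):
        """Packet arriving from the Internet; returns None if it is dropped."""
        if pkt.dst != FIREWALL_EXTERNAL:
            return None
        entry = self._table.get(pkt.dport)
        if entry is None:
            return None  # nobody inside asked for this: unsolicited, dropped
        src, sport, dst, dport = entry
        if (pkt.src, pkt.sport) != (dst, dport):
            return None  # reply does not come from the peer we contacted
        # Restore the original local destination for the reply.
        return replace(pkt, dst=src, dport=sport)


def demo():
    """host1 and host2 both fetch from the same web server (constructed)."""
    fw = MasqueradingFirewall()
    server = "192.0.2.80"
    out1 = fw.outbound(Packet("193.78.174.34", 1024, server, 80))
    out2 = fw.outbound(Packet("193.78.174.35", 1024, server, 80))
    reply_to_2 = fw.inbound(Packet(server, 80, FIREWALL_EXTERNAL, out2.sport))
    unsolicited = fw.inbound(Packet("198.51.100.7", 4444, FIREWALL_EXTERNAL, 22))
    return out1, out2, reply_to_2, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The point to notice is that both local hosts used source port 1024, so address rewriting alone would leave the firewall unable to tell whose reply came back; the allocated port is what carries the mapping. The same table is what makes the "hiding" property hold: an inbound packet with no matching entry, such as the constructed probe to port 22, is dropped rather than forwarded to any local machine.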

This masquerading feature is configured with the ipfwadm program. You specify which source addresses should be masqueraded, and you only have to specify the outgoing direction, from the local network to the Internet. The reverse translation of the replies is done automatically by the kernel.

Masquerading has some advantages over routing. First, you are able to completely hide the local network (and thus the local addresses) from the outside world. You only need to make one IP address publicly known, which is an added security benefit. Second, you don't need to configure a routing daemon. This will save you some trouble and avoid a potential security hazard. Third, you do not need to install proxy daemons on the firewall. This will also avoid a potential security hazard; the fewer daemons running on the firewall, the better. With masquerading, it is even possible to completely dispense with inetd. This limits the number of open ports on your firewall and, thus, the number of holes a hacker can probe to try to get in.