Originally Published: Tuesday, 16 May 2000 Author: Matthew Craven

An Introduction to IP Masquerading (Part 1 of 2)

Now that relatively high-bandwidth Internet connections are becoming both commonplace and inexpensive, cable modem and DSL users wanting to put more than one computer on the Internet find that their Internet service provider will not allow them to do so. Typically, an ISP will grant a user a single, dynamically-allocated IP address to be used by only one computer at the user's home, in order to conserve their precious pool of IP addresses.

However, that one IP address can serve your whole household by employing IP masquerading. In this technique, your Linux box acts as a gateway between the Internet connection and your other home computers (whatever operating system they run). The other computers are assigned "private" IP addresses, which are not routable on the Internet, and the Linux box takes the address granted to you by your ISP. Once masquerading is working, all traffic bound for the Internet from your home network is sent to the Linux box, which rewrites the private source addresses of your local machines into the one real address from your ISP. Traffic returning from the Internet passes back through the Linux box, which works out which computer on your home network each reply belongs to and rewrites the destination accordingly. This way, several machines on your home network can use the same service at once (ftp, for example), and your Linux gateway sorts out which data goes where. A useful side effect is that the gateway only knows how to map replies to connections that originated inside your network, so your masqueraded machines cannot be reached from the Internet unless you deliberately arrange it.

Phew! Sounds complicated, but don't worry: we'll break it down into a few simple steps, and go from there.

Building a home network

The home network to which I referred above is just a local network that you set up yourself within your home. At its simplest, it consists of your Linux box and at least one other computer that you want connected to the Internet. The Linux machine is connected to your cable/DSL modem and to your home network, all via Ethernet. There are two possible ways to connect your network to the cable/DSL modem. First, if you have only one Ethernet card in your Linux box, then the Linux box, the cable/DSL modem, and your other computers are all plugged into a single Ethernet hub. Traffic bound for the Internet is sent to the Linux box over the local network; the Linux box translates the local addresses into your real Internet address and sends the traffic to your cable/DSL modem back over the same wire (figure 1).

The second method involves putting two Ethernet cards into your Linux box. Traffic bound for the Internet is sent to the Linux box over the local network on the first card; the Linux box handles the address translation and sends the traffic to the cable/DSL modem via its second card (figure 1). This is the preferred method: you get better network performance, and, because the ISP's side of the connection and your private network are on physically separate segments, no packets from your local network stray onto the modem's wire and the Linux box is the only machine the outside can talk to directly, so the firewall rules you set up on it apply to everything.

Now that you've decided how you want to set up your home network, we'll move on to configuring the kernel to support IP Masquerading.

At the time of writing, the newest stable release of the Linux kernel is version 2.2.15, and the configuration options below are those of the 2.2 series. Please see the Kernel HOWTO for detailed instructions on obtaining, configuring, and compiling the kernel.

First, enter the kernel configuration utility of your choice, and make the necessary configuration choices for your hardware, including Ethernet cards.

Next, enter the following configuration menus, and enable these options in the order listed here:

 Code maturity level options:
        [*] Prompt for development and/or incomplete code/drivers

 Loadable module support:
        [*] Enable loadable module support

 Networking options:
        <*> Packet socket
        [*] Kernel/User netlink socket
        <*> Netlink device emulation (NEW)
        [*] Network firewalls
        [*] TCP/IP networking
        [*] IP: firewalling (NEW)
        [*] IP: firewall packet netlink device (NEW)
        [*] IP: masquerading (NEW)
        [*] IP: ICMP masquerading (NEW)
        [*] IP: optimize as router not host
        [*] IP: TCP syncookie support (not enabled per default)

 Network device support:
        [*] Network device support
        <M> Dummy net driver support

 Filesystems:
        [*] /proc filesystem support

After making these changes, you need to build the kernel and the kernel modules, install the modules, install the kernel, and reboot. For more on how to do this, please see the Kernel HOWTO mentioned above.

Note that these are just the configuration options necessary to enable IP Masquerading. Two of them only compile in support and still have to be switched on once the new kernel is running: the syncookie option is enabled with echo 1 > /proc/sys/net/ipv4/tcp_syncookies, and packet forwarding between your two networks is enabled with echo 1 > /proc/sys/net/ipv4/ip_forward. If you would like more information about these kernel options, or if you are interested in more advanced features of the Linux kernel firewall, please see the IP Masquerading HOWTO.
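A kernel build takes a while, and it is easy to miss one option in the menus, so here is a small script that checks a saved .config against the list above before you run make. It is an added example, not part of the original article: the CONFIG_ symbol names are the variables the 2.2 configuration tools write for the menu entries listed above, and the two sample .config files it builds are constructed for the demonstration rather than taken from a real system. Run it as sh check_masq_config.sh to see the two samples checked, or sh check_masq_config.sh --live on the rebooted machine to also confirm that the running kernel exposes the 2.2 firewalling interface and that forwarding is switched on.

```sh
#!/bin/sh
# check_masq_config.sh -- added example, not from the original article.
# Verifies that a Linux 2.2 .config enables every option the article lists
# for IP Masquerading, so a missed option is caught before a long build.
# Symbol names are the CONFIG_ variables the 2.2 menus write; the sample
# .config contents below are constructed for this demonstration.

# Options that must be built in (=y).
REQUIRED_Y="CONFIG_EXPERIMENTAL CONFIG_MODULES CONFIG_NET CONFIG_PACKET
CONFIG_NETLINK CONFIG_NETLINK_DEV CONFIG_FIREWALL CONFIG_INET
CONFIG_IP_FIREWALL CONFIG_IP_FIREWALL_NETLINK CONFIG_IP_MASQUERADE
CONFIG_IP_MASQUERADE_ICMP CONFIG_IP_ROUTER CONFIG_SYN_COOKIES
CONFIG_NETDEVICES CONFIG_PROC_FS"
# Options that may be built in or a module (=y or =m).
REQUIRED_YM="CONFIG_DUMMY"

# check_masq_config FILE
# Prints one MISSING line per absent option and returns the number missing
# (0 means the .config is complete).
check_masq_config() {
    missing=0
    for sym in $REQUIRED_Y; do
        grep -q "^${sym}=y\$" "$1" || { echo "MISSING: ${sym}=y"; missing=$((missing + 1)); }
    done
    for sym in $REQUIRED_YM; do
        grep -Eq "^${sym}=(y|m)\$" "$1" || { echo "MISSING: ${sym}=y or =m"; missing=$((missing + 1)); }
    done
    return $missing
}

# live_kernel_check
# On a running 2.2 kernel, IP firewalling exposes /proc/net/ip_fwchains, and
# masquerading also needs forwarding switched on at runtime via ip_forward.
live_kernel_check() {
    if [ -e /proc/net/ip_fwchains ]; then
        echo "IP firewalling present: /proc/net/ip_fwchains exists"
    else
        echo "no /proc/net/ip_fwchains: running kernel lacks 2.2 IP firewalling"
    fi
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward) (must be 1 for masquerading)"
    fi
}

# Constructed sample configs: one complete, one with masquerading left off.
GOOD_CONFIG=$(mktemp)
BAD_CONFIG=$(mktemp)
trap 'rm -f "$GOOD_CONFIG" "$BAD_CONFIG"' EXIT
cat > "$GOOD_CONFIG" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_ROUTER=y
CONFIG_SYN_COOKIES=y
CONFIG_NETDEVICES=y
CONFIG_DUMMY=m
CONFIG_PROC_FS=y
EOF
# Same file, but with the two masquerading options written the way the
# configuration tools record a disabled option.
sed -e 's/^CONFIG_IP_MASQUERADE=y$/# CONFIG_IP_MASQUERADE is not set/' \
    -e 's/^CONFIG_IP_MASQUERADE_ICMP=y$/# CONFIG_IP_MASQUERADE_ICMP is not set/' \
    "$GOOD_CONFIG" > "$BAD_CONFIG"

for f in "$GOOD_CONFIG" "$BAD_CONFIG"; do
    n=0
    check_masq_config "$f" || n=$?
    if [ "$n" -eq 0 ]; then
        echo "$f: all masquerading options enabled"
    else
        echo "$f: $n option(s) missing"
    fi
done
if [ "${1:-}" = "--live" ]; then
    live_kernel_check
fi
```

The check is deliberately strict about the form of each line: a commented-out "# CONFIG_IP_MASQUERADE is not set" is what the menu tools write for a disabled option, and it must not be mistaken for an enabled one, which is why the patterns are anchored to the start and end of the line.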

In Part 2 we'll cover configuration of your Ethernet cards and setting up the kernel firewall (ipchains on 2.2 kernels) to handle IP Masquerading.
