IP Masquerading

Posted on 1997-07-02
Medium Priority
Last Modified: 2010-03-17
I am using Caldera Open Linux Base which uses the 2.0.29 kernel and I have compiled the needed stuff into the kernel. I have a direct ethernet connection to my ISP. I am far from being a Linux guru and it would probably be a stretch to even call me a novice with linux but I do learn quick so bear with me. Ambrose Au's mini how to isn't quite specific enough for me to completely understand although I have accomplished what little I have by using it. Here's the problem:

1. If I type: ipfwadm -F -a m -S -D and give a client machine the address referring to (linux box's true inet ip) then neither machine can see each other.

2. If I ifconfig eth0 to be and change my client machine to refer to that address as its router then the machines see each other but neither can reach the internet.

3. I guess my question is how do I get eth0 to act as both so that my internal net can see it and also act as so that it can still reach the internet to forward the masq'ed traffic?

This may take a little interaction by e-mail if the responder wouldn't mind. Thanks
Question by:scrutchfield

Accepted Solution

sauron earned 200 total points
ID: 1585239
You say you have a direct ethernet connection. You are trying to use your Linux box as a router, which, by definition routes packets across two (or more) interfaces, yet your machine has only a single interface. You have a couple of ways to go as I see it.

Best option, for security reasons is to stick a second ethernet card into your Linux box. Then, set it up so that eth0 is, and connected onto the piece of cable going to the ISP, and eth1 is and connected onto a piece of ethernet going onto all your workstations. Then your linux box will happily forward/masquerade over the two interfaces.

If you don't want to add an extra NIC, you must bind two IP addresses to the same NIC. Securitywise, if all your machines are on the same bit of ethernet, directly connected to your ISP, anyone could talk directly to any of the machines by altering routing tables such that the packets got to your bit of ethernet. Source routing could assure this, and you would be potentailly vulnerable.

However, if you did want to do this, I believe you'd have to look into IP aliasing, to bind two addresses to the same NIC. After having done that, then you have two virtual interfaces to route between, and the rest is normal. If you want to, you can mail me as mike@coruscant.demon.co.uk.


Author Comment

ID: 1585240
You were exactly right, installing a second ethernet card solved my problem.  From what I gather from you and some others, I could use just one card but I open a whole new can of worms because I would then have to configure IP aliasing.  Had I known in the beginning I needed 2 network cards to set this up, I could have had the whole masquerading setup done in 2 or 3 hours.  Oh well, we learn from our mistakes.  Thanks for your help.

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Watch the video to know how one can repair corrupt Exchange OST file effortlessly and convert OST emails to MS Outlook PST file format by using Kernel for OST to PST converter tool. It can convert OST to MSG, MBOX, EML to access them. It can migrate…
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question