
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 236

IP Masquerading

I am using Caldera Open Linux Base, which uses the 2.0.29 kernel, and I have compiled the needed stuff into the kernel. I have a direct ethernet connection to my ISP. I am far from being a Linux guru and it would probably be a stretch to even call me a novice with Linux, but I do learn quickly, so bear with me. Ambrose Au's mini-HOWTO isn't quite specific enough for me to completely understand, although I have accomplished what little I have by using it. Here's the problem:

1. If I type: ipfwadm -F -a m -S -D and give a client machine the address referring to (Linux box's true inet IP), then neither machine can see the other.

2. If I ifconfig eth0 to be and change my client machine to refer to that address as its router, then the machines see each other, but neither can reach the internet.

3. I guess my question is: how do I get eth0 to act as both, so that my internal net can see it, and also act as so that it can still reach the internet to forward the masq'ed traffic?

This may take a little interaction by e-mail, if the responder wouldn't mind. Thanks.
1 Solution
You say you have a direct ethernet connection. You are trying to use your Linux box as a router, which, by definition, routes packets across two (or more) interfaces, yet your machine has only a single interface. You have a couple of ways to go, as I see it.

The best option, for security reasons, is to stick a second ethernet card into your Linux box. Then set it up so that eth0 is, and connected onto the piece of cable going to the ISP, and eth1 is and connected onto a piece of ethernet going onto all your workstations. Then your Linux box will happily forward/masquerade over the two interfaces.

If you don't want to add an extra NIC, you must bind two IP addresses to the same NIC. Security-wise, if all your machines are on the same bit of ethernet, directly connected to your ISP, anyone could talk directly to any of the machines by altering routing tables such that the packets got to your bit of ethernet. Source routing could assure this, and you would be potentially vulnerable.

However, if you did want to do this, I believe you'd have to look into IP aliasing to bind two addresses to the same NIC. After having done that, you have two virtual interfaces to route between, and the rest is normal. If you want to, you can mail me at mike@coruscant.demon.co.uk.

scrutchfield (Author) commented:
You were exactly right: installing a second ethernet card solved my problem. From what I gather from you and some others, I could use just one card, but I'd open a whole new can of worms because I would then have to configure IP aliasing. Had I known in the beginning that I needed 2 network cards to set this up, I could have had the whole masquerading setup done in 2 or 3 hours. Oh well, we learn from our mistakes. Thanks for your help.
