Solved

IP Masquerading

Posted on 1997-07-02
Last Modified: 2010-03-17
I am using Caldera Open Linux Base which uses the 2.0.29 kernel and I have compiled the needed stuff into the kernel. I have a direct ethernet connection to my ISP. I am far from being a Linux guru and it would probably be a stretch to even call me a novice with linux but I do learn quick so bear with me. Ambrose Au's mini how to isn't quite specific enough for me to completely understand although I have accomplished what little I have by using it. Here's the problem:

1. If I type: ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 and give a client machine the address 192.168.1.3 referring to 206.155.118.65 (linux box's true inet ip) then neither machine can see each other.

2. If I ifconfig eth0 to be 192.168.1.1 and change my client machine to refer to that address as its router then the machines see each other but neither can reach the internet.

3. I guess my question is how do I get eth0 to act as both 192.168.1.1 so that my internal net can see it and also act as 206.155.118.67 so that it can still reach the internet to forward the masq'ed traffic?

This may take a little interaction by e-mail if the responder wouldn't mind. Thanks
Question by:scrutchfield
2 Comments
 
Accepted Solution

by: sauron earned 50 total points
ID: 1585239
You say you have a direct ethernet connection. You are trying to use your Linux box as a router, which, by definition routes packets across two (or more) interfaces, yet your machine has only a single interface. You have a couple of ways to go as I see it.

The best option, for security reasons, is to stick a second ethernet card into your Linux box. Then, set it up so that eth0 is 206.155.118.67, and connected onto the piece of cable going to the ISP, and eth1 is 192.168.1.1 and connected onto a piece of ethernet going onto all your workstations. Then your Linux box will happily forward/masquerade over the two interfaces.

If you don't want to add an extra NIC, you must bind two IP addresses to the same NIC. Security-wise, if all your machines are on the same bit of ethernet, directly connected to your ISP, anyone could talk directly to any of the machines by altering routing tables such that the packets got to your bit of ethernet. Source routing could assure this, and you would be potentially vulnerable.

However, if you did want to do this, I believe you'd have to look into IP aliasing, to bind two addresses to the same NIC. After having done that, then you have two virtual interfaces to route between, and the rest is normal. If you want to, you can mail me as mike@coruscant.demon.co.uk.



Author Comment

by:scrutchfield
ID: 1585240
You were exactly right, installing a second ethernet card solved my problem.  From what I gather from you and some others, I could use just one card but I open a whole new can of worms because I would then have to configure IP aliasing.  Had I known in the beginning I needed 2 network cards to set this up, I could have had the whole masquerading setup done in 2 or 3 hours.  Oh well, we learn from our mistakes.  Thanks for your help.
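
The layouts discussed in this thread, checked by a small script (an added example, not part of the original posts): it reports why the two single-address attempts in the question fail, why an alias on one NIC routes but leaves the LAN exposed on the ISP's wire, and why the two-NIC layout from the accepted answer is clean. The function name `diagnose`, the `/24` netmask on the public address and the alias name `eth0:0` are assumptions made for the illustration.

```python
import ipaddress

def diagnose(ifaces, ext_if, masq_src, client_ip, client_gw):
    """List the problems in a masquerading gateway layout (empty list = OK).

    ifaces: {name: "addr/prefix"} on the Linux box; aliases are named "eth0:0".
    ext_if: interface facing the ISP; masq_src: -S network of the masq rule.
    """
    nets = {name: ipaddress.ip_interface(a) for name, a in ifaces.items()}
    client = ipaddress.ip_address(client_ip)
    gw = ipaddress.ip_address(client_gw)
    problems = []

    # The ISP-facing address must be routable, or replies never come back.
    if nets[ext_if].ip.is_private:
        problems.append("ISP-facing interface has no public address")

    # A client can only hand packets to a gateway on its own subnet.
    inside = [n for n, i in nets.items() if client in i.network]
    if not inside:
        problems.append("client shares no subnet with the gateway")
    elif all(nets[n].ip != gw for n in inside):
        problems.append("client's router is not the gateway's inside address")

    if client not in ipaddress.ip_network(masq_src):
        problems.append("client is outside the masqueraded source network")

    # An alias (eth0:0) routes, but leaves the LAN on the ISP's wire.
    phys = ext_if.split(":")[0]
    if any(n.split(":")[0] == phys for n in inside):
        problems.append("inside hosts share the physical segment with the ISP link")
    return problems

# Constructed layouts; the /24 on the public address is an assumption.
PUB, LAN, MASQ = "206.155.118.67/24", "192.168.1.1/24", "192.168.1.0/24"
LAYOUTS = {
    "question 1": ({"eth0": PUB}, "192.168.1.3", "206.155.118.65"),
    "question 2": ({"eth0": LAN}, "192.168.1.3", "192.168.1.1"),
    "alias": ({"eth0": PUB, "eth0:0": LAN}, "192.168.1.3", "192.168.1.1"),
    "two NICs": ({"eth0": PUB, "eth1": LAN}, "192.168.1.3", "192.168.1.1"),
}

if __name__ == "__main__":
    for name, (ifaces, client, gw) in LAYOUTS.items():
        print(name, diagnose(ifaces, "eth0", MASQ, client, gw) or "OK")
```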