IP Masquerading

I am using Caldera Open Linux Base which uses the 2.0.29 kernel and I have compiled the needed stuff into the kernel. I have a direct ethernet connection to my ISP. I am far from being a Linux guru and it would probably be a stretch to even call me a novice with linux but I do learn quick so bear with me. Ambrose Au's mini how to isn't quite specific enough for me to completely understand although I have accomplished what little I have by using it. Here's the problem:

1. If I type: ipfwadm -F -a m -S -D and give a client machine the address referring to (linux box's true inet ip) then neither machine can see each other.

2. If I ifconfig eth0 to be and change my client machine to refer to that address as its router then the machines see each other but neither can reach the internet.

3. I guess my question is how do I get eth0 to act as both so that my internal net can see it and also act as so that it can still reach the internet to forward the masq'ed traffic?

This may take a little interaction by e-mail if the responder wouldn't mind. Thanks
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You say you have a direct ethernet connection. You are trying to use your Linux box as a router, which, by definition routes packets across two (or more) interfaces, yet your machine has only a single interface. You have a couple of ways to go as I see it.

Best option, for security reasons is to stick a second ethernet card into your Linux box. Then, set it up so that eth0 is, and connected onto the piece of cable going to the ISP, and eth1 is and connected onto a piece of ethernet going onto all your workstations. Then your linux box will happily forward/masquerade over the two interfaces.

If you don't want to add an extra NIC, you must bind two IP addresses to the same NIC. Securitywise, if all your machines are on the same bit of ethernet, directly connected to your ISP, anyone could talk directly to any of the machines by altering routing tables such that the packets got to your bit of ethernet. Source routing could assure this, and you would be potentailly vulnerable.

However, if you did want to do this, I believe you'd have to look into IP aliasing, to bind two addresses to the same NIC. After having done that, then you have two virtual interfaces to route between, and the rest is normal. If you want to, you can mail me as mike@coruscant.demon.co.uk.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
scrutchfieldAuthor Commented:
You were exactly right, installing a second ethernet card solved my problem.  From what I gather from you and some others, I could use just one card but I open a whole new can of worms because I would then have to configure IP aliasing.  Had I known in the beginning I needed 2 network cards to set this up, I could have had the whole masquerading setup done in 2 or 3 hours.  Oh well, we learn from our mistakes.  Thanks for your help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Networking

From novice to tech pro — start learning today.