IP Masquerading

Posted on 1997-07-02
Last Modified: 2010-03-17
I am using Caldera Open Linux Base which uses the 2.0.29 kernel and I have compiled the needed stuff into the kernel. I have a direct ethernet connection to my ISP. I am far from being a Linux guru and it would probably be a stretch to even call me a novice with linux, but I do learn quickly, so bear with me. Ambrose Au's mini-HOWTO isn't quite specific enough for me to completely understand, although I have accomplished what little I have by using it. Here's the problem:

1. If I type: ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 and give a client machine the address 192.168.1.3 referring to 206.155.118.65 (linux box's true inet ip) then neither machine can see each other.

2. If I ifconfig eth0 to be 192.168.1.1 and change my client machine to refer to that address as its router then the machines see each other but neither can reach the internet.

3. I guess my question is how do I get eth0 to act as both 192.168.1.1 so that my internal net can see it and also act as 206.155.118.67 so that it can still reach the internet to forward the masq'ed traffic?

This may take a little interaction by e-mail if the responder wouldn't mind. Thanks
Question by:scrutchfield

Accepted Solution by: sauron
You say you have a direct ethernet connection. You are trying to use your Linux box as a router, which, by definition routes packets across two (or more) interfaces, yet your machine has only a single interface. You have a couple of ways to go as I see it.

Best option, for security reasons is to stick a second ethernet card into your Linux box. Then, set it up so that eth0 is 206.155.118.67, and connected onto the piece of cable going to the ISP, and eth1 is 192.168.1.1 and connected onto a piece of ethernet going onto all your workstations. Then your linux box will happily forward/masquerade over the two interfaces.

If you don't want to add an extra NIC, you must bind two IP addresses to the same NIC. Security-wise, if all your machines are on the same bit of ethernet, directly connected to your ISP, anyone could talk directly to any of the machines by altering routing tables such that the packets got to your bit of ethernet. Source routing could assure this, and you would be potentially vulnerable.

However, if you did want to do this, I believe you'd have to look into IP aliasing, to bind two addresses to the same NIC. After having done that, then you have two virtual interfaces to route between, and the rest is normal. If you want to, you can mail me as mike@coruscant.demon.co.uk.

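The two-NIC layout the accepted answer recommends, written out as a setup script for a 2.0.x box with ipfwadm (an added example, not the poster's or sauron's own commands): eth0 carries the ISP address, eth1 carries 192.168.1.1, the forwarding policy denies everything except masqueraded traffic from the private net, and input rules drop packets that arrive on the outside interface claiming an inside source address. The ISP netmask and gateway are not on the page and are placeholders here.

```shell
#!/bin/sh
# Two-NIC masquerading setup for a Linux 2.0.x host using ipfwadm.
# Constructed example; EXT_MASK and EXT_GW are assumed placeholders.
EXT_IF=eth0
EXT_IP=206.155.118.67
EXT_MASK=255.255.255.0        # assumed; use the netmask your ISP gave you
EXT_GW=206.155.118.1          # assumed; use the gateway your ISP gave you
INT_IF=eth1
INT_IP=192.168.1.1
INT_NET=192.168.1.0/24

# With DRY_RUN=1 the commands are printed instead of executed, so the
# resulting interface and rule set can be reviewed before running as root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_masq() {
    # Outside interface: the cable going to the ISP.
    run ifconfig "$EXT_IF" "$EXT_IP" netmask "$EXT_MASK" up
    run route add default gw "$EXT_GW" "$EXT_IF"

    # Inside interface: the private workstation segment. 2.0 kernels do
    # not add the network route for you, so add it explicitly.
    run ifconfig "$INT_IF" "$INT_IP" netmask 255.255.255.0 up
    run route add -net 192.168.1.0 netmask 255.255.255.0 "$INT_IF"

    # Forwarding: flush old rules, deny by default, then masquerade only
    # traffic that originates from the private network.
    run ipfwadm -F -f
    run ipfwadm -F -p deny
    run ipfwadm -F -a m -S "$INT_NET" -D 0.0.0.0/0

    # Anti-spoofing on the outside interface: nothing legitimately arrives
    # from the ISP side with a private or loopback source address, which is
    # the exposure the answer describes for a single shared segment.
    run ipfwadm -I -a deny -S "$INT_NET" -W "$EXT_IF"
    run ipfwadm -I -a deny -S 127.0.0.0/8 -W "$EXT_IF"
}

# Run as root on the masquerading host; DRY_RUN=1 ./masq.sh to preview.
[ "${DRY_RUN:-0}" = 1 ] && setup_masq
```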
Author Comment by: scrutchfield
You were exactly right, installing a second ethernet card solved my problem. From what I gather from you and some others, I could use just one card but I open a whole new can of worms because I would then have to configure IP aliasing. Had I known in the beginning I needed 2 network cards to set this up, I could have had the whole masquerading setup done in 2 or 3 hours. Oh well, we learn from our mistakes. Thanks for your help.