Solved

IP Masquerading on linux

Posted on 2010-11-23
427 Views
Last Modified: 2012-05-10
I'm new to IP masquerading. I have 2 networks in my linux box and would like to take all the traffic from my eth1 and need to forward all the traffic to eth0, from eth0 I need to connect to switch, and then I need to connect to my other boxes. If I understand correctly, when I do IP masquerading, all of my private IPs will change to eth1 IP address or eth0 IP address?
Question by:mokkan
13 Comments
 

Author Comment

by:mokkan
I read some of the info and I need to do Masquerading on eth0 since it is the one connected to the public network. Am I right?

Author Comment

by:mokkan
Masquerading IP will be the public IP address?
LVL 12

Accepted Solution

by:mccracky
mccracky earned 500 total points
eth0 or eth1 don't define which is which.  Where you plug them into the network infrastructure gives them their definitions.

It sounds like you want to make your linux box your firewall/gateway/router for your network.  That's fine, but you need to make sure you have a good firewall and all the security patches up to date (and not running unnecessary services would be good, too) if you are going to connect it to the public network.

Many times it is just easier (and "safer") to install a dedicated little router/firewall in the network (or install something like pfsense on a dedicated box).

That said, one will connect to the "WAN" (Wide Area Network--most commonly the Internet) and the other will connect to the LAN (Local Area Network).  Your LAN addresses should be in the non-routable address ranges (e.g. 192.168.x.x) and would need to be translated (NATed or Masqueraded) before the packets go out the WAN side.

So, you need to Masquerade the LAN addresses and they will all appear as coming from the WAN address after translation.

See this for more information:
http://www.revsys.com/writings/quicktips/nat.html
http://www.howtoforge.com/nat_iptables
http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html

Or for more in depth:
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html

Author Comment

by:mokkan
Thank you for the info.  What I'm doing is connecting the internet to the eth0 interface and the eth1 interface to the private network.


I checked the link you have given and am trying to get a clear understanding.

>>>  /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The source address of packets leaving from eth0 will be changed because of the above command. If I'm wrong, correct me.


/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Any packets that come to eth0 will be forwarded to eth1, but only related and established ones; if there is a new packet, what will happen?


/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Any packets coming to eth1 will be forwarded to eth0


If there is an external request from the private network, the packet will go through eth1 to eth0. Once the connection is established, when the packet comes back, the eth0 interface will accept it since we put established in the iptables command.

I'm trying to get a clear understanding.

thanks in advance
LVL 12

Assisted Solution

by:mccracky
mccracky earned 500 total points
Basically you have it correct.  The first one masquerades the internal address, the second allows anything already related or established in, and the third allows all outgoing traffic.  So, anything initiated from the inside (LAN) will be allowed (rule 3) and all responses will be accepted (rule 2).  Make sure you also allow forwarding between your network interfaces or nothing will pass through:

echo 1 > /proc/sys/net/ipv4/ip_forward

Also, if you want to actually use the linux box as well (web surfing, etc) you will need other rules.  The rules above only are for forwarded packets between the interfaces.  To use the same linux box, too (don't know from your posts whether you want to or not), you would need to also have:

/sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT

Author Comment

by:mokkan
Thank you very much. I'm almost there.  Also, I believe before it transfers the packets, it stores the packet's source IP and sends the packet. I believe it is storing it locally. Can we check that table?
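The rule set mccracky lists above, plus an answer to the "can we check that table?" question, as an added example that is not part of the thread. It assumes eth0 faces the WAN and eth1 the LAN (mokkan's layout; override with WAN= and LAN= in the environment), prints the commands instead of running them so they can be reviewed before being piped to sh as root, and reads the kernel connection-tracking table, which is where the source-address mappings live (/proc/net/nf_conntrack on current kernels, /proc/net/ip_conntrack on older ones, or the conntrack tool from conntrack-tools):

```shell
#!/bin/sh
# Added example, not mccracky's or mokkan's code. Assumed layout: eth0 = WAN, eth1 = LAN.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

# Print the commands that turn this box into a masquerading gateway.
# Printing rather than executing lets the rule set be reviewed first;
# apply as root with:  sh gateway.sh | sh
gateway_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
# Without forwarding enabled, the FORWARD rules never see a packet.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Default deny: only traffic an ACCEPT rule below describes is forwarded.
iptables -P FORWARD DROP
# Rule 1: rewrite the source of anything leaving the WAN side to the WAN address.
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
# Rule 2: replies to LAN-initiated connections are allowed back in.
iptables -A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
# Rule 3: anything the LAN initiates may go out.
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
# Same idea for the gateway's own traffic (web surfing from the box itself).
iptables -A INPUT -i $wan -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $wan -j ACCEPT
EOF
}

# Returns 0 when the kernel currently forwards IPv4, 1 otherwise. A disabled
# ip_forward is the usual reason "nothing passes through" when rules look right.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Print the connection-tracking table that holds the translated source
# addresses. The file name depends on kernel age; the conntrack tool is the fallback.
show_conntrack() {
    if [ -r /proc/net/nf_conntrack ]; then
        cat /proc/net/nf_conntrack
    elif [ -r /proc/net/ip_conntrack ]; then
        cat /proc/net/ip_conntrack
    else
        conntrack -L
    fi
}

# Sanity check on a generated rule set: exactly one MASQUERADE rule is expected.
count_masq_rules() {
    gateway_rules "$1" "$2" | grep -c -- '-j MASQUERADE'
}

gateway_rules "$WAN" "$LAN"
```

Each conntrack entry shows the original source and destination of a connection alongside the reply tuple, so a LAN address that was masqueraded appears as the original source while the reply is addressed to the WAN address.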

Author Comment

by:mokkan
Also, if I want to test the box from eth1 to private network, I need the cross over cable right?
LVL 7

Expert Comment

by:mchkorg
Hi,
Something that might help if iptables makes you sick :)
Install "shorewall" (there's a package for that). It's, let's say, an easier tool to write iptables rules.

With shorewall, masquerading is as easy as writing "eth1    eth0" in the "/etc/shorewall/masq" configuration file.
This means: traffic from eth0 (my LAN) has masquerading enabled through eth1 (my public interface)

Then, some examples of a simple rule in /etc/shorewall/rules :
ACCEPT      net       fw     tcp    25 # will allow incoming traffic from your interNET interface to your local FireWall
ACCEPT      loc        net   tcp 80,443 # allow your LAN to go to http[s] (however, a bit stupid, you might want to use a proxy ; just an example)

On the web site (or in the documentation), you'll have pre-configured configuration files for 1-, 2- and 3-interface servers. "3" in your case : net, loc and the fw itself.

bye bye iptables complex rules. shorewall will generate them for you.
This was a quick example. You can really write awesome things easily with shorewall.

I hope it'll help you

Author Comment

by:mokkan
Thank you very much. I really wanted to do it on the command line since at work we are not allowed to download any third-party RPM. Now I understand most of it and I can play around with the rules.  Also, I need to use a crossover cable from eth1 to the private box, right?

Author Comment

by:mokkan
Also, if the private linux box needs web access, then the following commands should work, right?


iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -o eth0 --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -i eth0 --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
LVL 12

Assisted Solution

by:mccracky
mccracky earned 500 total points
Not sure what you mean by "private box", but if you are connecting two computers together without a switch in between you do need a crossover cable.

If by "private box" you mean the computer connected through your linux box, then you shouldn't need the above rules (#34205156) as everything outgoing is already allowed by the rules above and the responses as well because of the related/established allow rules.  (As well as the INPUT/OUTPUT tables only apply to the linux box itself, not the LAN connected behind it--you would need to put the rules in the FORWARD table.)

But it does somewhat sound like you are trying to get around some company policy thing by doing this in order to connect your personal laptop to your company LAN?  I'd be careful about that and let someone know what I was doing.
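To show what mccracky's point looks like in practice, here is an added example (not code from the thread) that takes the per-service idea of the DNS and web rules mokkan posted and puts it in the FORWARD chain, where it applies to the hosts behind the gateway. It assumes eth0 = WAN and eth1 = LAN and, unlike the rules in the thread that let the LAN send anything, forwards only the listed services; everything else from the LAN is logged at a limited rate and then dropped by the chain policy. The generator takes "proto:port" pairs so it covers any service list, not just DNS and HTTP:

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: eth0 = WAN, eth1 = LAN.
# Prints the commands rather than running them; apply as root by piping to sh.

# Emit FORWARD rules that permit the LAN only the named services.
# $1 = WAN interface, $2 = LAN interface, remaining args = "proto:port" pairs.
restricted_forward_rules() {
    wan="$1"; lan="$2"; shift 2
    # Anything not accepted below is dropped by policy.
    echo "iptables -P FORWARD DROP"
    # Replies come back through the WAN side regardless of service.
    echo "iptables -A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for svc in "$@"; do
        proto="${svc%%:*}"   # text before the colon, e.g. udp
        port="${svc#*:}"     # text after the colon, e.g. 53
        echo "iptables -A FORWARD -i $lan -o $wan -p $proto --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # Log what the LAN tried and was refused, rate-limited so a scan cannot flood the log.
    echo "iptables -A FORWARD -i $lan -o $wan -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
}

# Number of per-service ACCEPT rules produced for a given service list.
count_service_rules() {
    wan="$1"; lan="$2"; shift 2
    restricted_forward_rules "$wan" "$lan" "$@" | grep -c -- '--dport'
}

restricted_forward_rules eth0 eth1 udp:53 tcp:80 tcp:443
```

The masquerade rule itself is unchanged from the earlier rule set and still goes in the nat table's POSTROUTING chain; this block only replaces the blanket "accept everything from the LAN" FORWARD rule with a narrower one.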

Author Comment

by:mokkan
This is for my personal use and testing purposes. I might be going to work on one of the iptables projects, that's why I'm testing in my own hours.  Sorry, "private box" means the one which is under the private network.

Author Closing Comment

by:mokkan
Thanks a lot. I will try it and if there are any questions I will let you know.