IP Masquerading on linux

Posted on 2010-11-23
Medium Priority
Last Modified: 2012-05-10
I'm new to IP masquerading. I have 2 networks on my linux box and would like to take all the traffic from my eth1 and forward all of it to eth0; from eth0 I need to connect to a switch, and then to my other boxes. If I understand correctly, when I do IP masquerading, all of my private IPs will change to the eth1 IP address or the eth0 IP address?
Question by:mokkan

Author Comment

ID: 34196511
I read some of the info and I need to do masquerading on eth0 since it is the one connected to the public network. Am I right?

Author Comment

ID: 34196536
Masquerading IP will be the public IP address?
LVL 12

Accepted Solution

mccracky earned 2000 total points
ID: 34198543
eth0 or eth1 don't define which is which.  Where you plug them into the network infrastructure gives them their definitions.

It sounds like you want to make your linux box your firewall/gateway/router for your network.  That's fine, but you need to make sure you have a good firewall and all the security patches up to date (and not running unnecessary services would be good, too) if you are going to connect it to the public network.

Many times it is just easier (and "safer") to install a dedicated little router/firewall in the network (or install something like pfsense on a dedicated box).

That said, one will connect to the "WAN" (Wide Area Network--most commonly the Internet) and the other will connect to the LAN (Local Area Network).  Your LAN addresses should be in the non-routable address ranges (e.g. 192.168.x.x) and would need to be translated (NATed or Masqueraded) before the packets go out the WAN side.

So, you need to Masquerade the LAN addresses and they will all appear as coming from the WAN address after translation.

See this for more information:

Or for more in depth:
Author Comment

ID: 34199674
Thank you for the info. What I'm doing is connecting the internet to the eth0 interface and the eth1 interface to the private network.

I checked the link you have given and trying to get clear understanding.

>>>  /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The source address of packets leaving from eth0 will be changed because of the above command. If I'm wrong, correct me.

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Any packets that come to eth0 will be forwarded to eth1, but only related and established; if there is a new packet, what will happen?

/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Any packets coming to eth1 will be forwarded to eth0

If there is an external request from the private network, the packet will go through eth1 to eth0; once the connection is established, when the packet comes back, the eth0 interface will accept it since we put ESTABLISHED in the iptables command.

I'm trying to get a clear understanding...

thanks in advance

LVL 12

Assisted Solution

mccracky earned 2000 total points
ID: 34200520
Basically you have it correct.  The first one masquerades the internal address, the second allows anything already related or established in, and the third allows all outgoing traffic.  So, anything initiated from the inside (LAN) will be allowed (rule 3) and all responses will be accepted (rule 2).  Make sure you also allow forwarding between your network interfaces or nothing will pass through:

echo 1 > /proc/sys/net/ipv4/ip_forward

Also, if you want to actually use the linux box as well (web surfing, etc) you will need other rules.  The rules above only are for forwarded packets between the interfaces.  To use the same linux box, too (don't know from your posts whether you want to or not), you would need to also have:

/sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
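An added example (not code from the thread) that models the three rules explained above, plus the per-connection table MASQUERADE keeps so that replies can be mapped back to the LAN host. It assumes the asker's layout (eth0 public, eth1 LAN), a FORWARD chain policy of DROP, and constructed TEST-NET addresses; `out_if` stands in for the routing decision.

```python
from dataclasses import dataclass, replace

WAN_IF, LAN_IF = "eth0", "eth1"   # as in the thread: eth0 public, eth1 LAN
WAN_IP = "203.0.113.10"           # constructed (TEST-NET-3) address of the gateway's eth0

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def conn_tuple(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

class Gateway:
    def __init__(self):
        # MASQUERADE keeps a per-connection entry so replies can be mapped back;
        # this model keeps the LAN source port (Linux does too when it is free)
        self.conntrack = {}   # original-direction tuple -> (lan_ip, lan_port)
        self.reply_map = {}   # expected reply tuple     -> (lan_ip, lan_port)

    def forward(self, pkt):
        """Return (verdict, packet as it would leave the box)."""
        key = conn_tuple(pkt)
        if key in self.conntrack:
            state = "ESTABLISHED"
        elif key in self.reply_map:               # reply to a masqueraded flow
            state = "ESTABLISHED"
            lan_ip, lan_port = self.reply_map[key]
            pkt = replace(pkt, dst=lan_ip, dport=lan_port)   # un-NAT (PREROUTING)
        else:
            state = "NEW"
        # rule 3: -A FORWARD -i eth1 -o eth0 -j ACCEPT
        if pkt.in_if == LAN_IF and pkt.out_if == WAN_IF:
            if state == "NEW":
                self.conntrack[key] = (pkt.src, pkt.sport)
                self.reply_map[(pkt.proto, pkt.dst, pkt.dport, WAN_IP, pkt.sport)] = (pkt.src, pkt.sport)
            # rule 1: -t nat -A POSTROUTING -o eth0 -j MASQUERADE
            return "ACCEPT", replace(pkt, src=WAN_IP)
        # rule 2: -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
        if pkt.in_if == WAN_IF and pkt.out_if == LAN_IF and state == "ESTABLISHED":
            return "ACCEPT", pkt
        # assumption: FORWARD chain policy is DROP, so unsolicited inbound goes nowhere
        return "DROP", pkt
```

On a real box the same table is visible with `conntrack -L` (conntrack-tools) or in /proc/net/nf_conntrack.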

Author Comment

ID: 34202417
Thank you very much. I'm almost there. Also, I believe before it transfers the packets, it stores the packet's source IP and sends the packet. I believe it is storing locally. Can we check that table?

Author Comment

ID: 34202498
Also, if I want to test the box from eth1 to private network, I need the cross over cable right?

Expert Comment

ID: 34203315
Something that might help if iptables makes you sick :)
Install "shorewall" (there's a package for that). It's, let's say, an easier tool for writing iptables rules.

With shorewall, masquerading is as easy as writing "eth1    eth0" in the "/etc/shorewall/masq" configuration file.
This means: traffic from eth0 (my LAN) has masquerading enabled through eth1 (my public interface).

Then, some examples of simple rules in /etc/shorewall/rules:
ACCEPT      net       fw     tcp    25 # will allow incoming traffic from your interNET interface to your local FireWall
ACCEPT      loc        net   tcp 80,443 # allow your LAN to go to http[s] (however, a bit stupid, you might want to use a proxy ; just an example)

On the web site (or in the documentation), you'll find pre-configured configuration files for 1-, 2- and 3-interface servers. "3" in your case: net, loc and the fw itself.

bye bye iptables complex rules. shorewall will generate them for you.
This was a quick example. You can really write awesome things easily with shorewall.

I hope it'll help you

Author Comment

ID: 34204765
Thank you very much. I really wanted to do it on the command line since at work we are not allowed to download any third party RPM. Now I understand most of it and I can play around with the rules. Also, I need to use a crossover cable from eth1 to the private box, right?

Author Comment

ID: 34205156
Also, if a private linux box needs web access, then the following commands should work, right?

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -o eth0 --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -i eth0 --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
LVL 12

Assisted Solution

mccracky earned 2000 total points
ID: 34205757
Not sure what you mean by "private box", but if you are connecting two computers together without a switch in between you do need a crossover cable.

If by "private box" you mean the computer connected through your linux box, then you shouldn't need the above rules (#34205156) as everything outgoing is already allowed by the rules above and the responses as well because of the related/established allow rules.  (As well as the INPUT/OUTPUT tables only apply to the linux box itself, not the LAN connected behind it--you would need to put the rules in the FORWARD table.)

But it does somewhat sound like you are trying to get around some company policy thing by doing this in order to connect your personal laptop to your company LAN?  I'd be careful about that and let someone know what I was doing.

Author Comment

ID: 34206002
This is for my personal use and testing purposes. I might be going to work on one of the iptables projects, that's why I'm testing in my own hours. Sorry, private box means the one which is under the private network.

Author Closing Comment

ID: 34213164
Thanks a lot. I will try and if there is any questions let you know.
