
Tuesday, November 4, 2008

What is IP Masquerade?

IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other "internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to reach the Internet as well. Linux IP Masquerading provides this functionality even though these internal machines don't have an officially assigned IP address.

MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, the outgoing traffic will appear to come from the IP MASQ Linux server itself. In addition to this added functionality, IP Masquerade provides the foundation for creating a HEAVILY secured networking environment. With a well-built firewall, breaking the security of a well-configured masquerading system and its internal LAN should be considerably difficult to accomplish.

IP Masquerade works well as a server to other 'client machines' running various operating systems and hardware platforms. Here is a sampling of successful reports with internal MASQed systems running:

  • UNIX: Sun Solaris, [Net,Free,Open,*i]-BSD, Hp-UX, Linux, IBM AIX, Digital UNIX, Ultrix, etc.

  • Microsoft Windows 2000, NT (3.x and 4.x), 95/98/ME, Windows for Workgroups (with the TCP/IP package)

  • IBM OS/2

  • Apple Macintosh MacOS machines running either MacTCP or Open Transport

  • DOS-based systems with packet drivers and the NCSA Telnet package

  • VAXen

  • Compaq/Digital Alpha running Linux and NT

  • Amiga computers with AmiTCP or AS225-stack.

The list goes on and on but the point is, if your OS platform talks TCP/IP, it should work with Linux's IP Masquerade!

Who Can Benefit From IP Masquerade?

  • If you have a Linux host connected to the Internet, and...

  • if you have internal computers running TCP/IP that are connected to this Linux box over a network, and/or

  • if your Linux host has more than one modem and acts as a PPP or SLIP server for other computers, and these machines do not have officially assigned public IP addresses (i.e. they are addressed with private TCP/IP numbers), and

  • if you want those OTHER machines to communicate with the Internet without spending extra money to acquire additional public / official TCP/IP addresses from your ISP, then you should either configure Linux to be a router or purchase an external router.

Who Doesn't Need IP Masquerade?

  • If your machine is a stand-alone Linux host connected to the Internet (setting up a firewall is a good idea though), or

  • if you already have multiple assigned public addresses for your OTHER machines, and

  • if you don't like the idea of a 'free ride' using Linux and feel more comfortable using expensive commercial tools to perform the exact same functionalities.

How does IP Masquerade Work?

Based on the original IP Masquerade FAQ by Ken Eves, here is a drawing of the simplest setup:

PPP/ETH/etc.        +------------+                         +-------------+
to ISP provider     |  Linux #1  |       PPP/ETH/etc.      | Anybox      |
                    |            |                         |             |
  <---------- modem1|            |modem2 ----------- modem3|             |
                    |            |                         |             |
    111.222.121.212 |            |           192.168.0.100 |             |
                    +------------+                         +-------------+

In the above drawing, a Linux box with IP_MASQUERADING is installed as Linux #1 and is connected to the Internet via PPP, Ethernet, etc. It has an assigned public IP address of 111.222.121.212. It also has another network interface (e.g. modem2) that accepts incoming network traffic from the internal side, whether over a PPP connection, an Ethernet connection, etc.

The second system (which does not need to be Linux) connects into the Linux #1 box and starts its network traffic to the Internet. This second machine does NOT have a publicly assigned IP address from the Internet, so it uses an RFC1918 private address, say 192.168.0.100. (see below for more info)

With IP Masquerade and the routing configured properly, this second machine "Anybox" can interact with the Internet as if it were directly connected to the Internet, with a few small exceptions [noted later].

Quoting Pauline Middelink (the founder of Linux's IPMASQ):

"Do not forget to mention that the "ANYBOX" machine should have the Linux #1 box configured as its default gateway (whether it be the default route or just a subnet is no matter). If the "ANYBOX" machine is connected via a PPP or SLIP connection, the Linux #1 machine should be configured to support proxy arp for all routed addresses. But, the setup and configuration of proxy arp is beyond the scope of this document. Please see the PPP-HOWTO for more details."

The following is a short excerpt describing how IPMASQ works; this will be explained in more detail later. This short text is based on a previous post on comp.os.linux.networking, which has been edited to match the names used in the above example:

  o I tell machine ANYBOX that my PPP or Ethernet connected Linux box is its
    gateway.

  o When a packet comes into the Linux box from ANYBOX, it will assign the
    packet to a new TCP/IP source port number and insert its own IP address
    inside the packet header, saving the originals.  The MASQ server will
    then send the modified packet over the PPP/ETH interface onto the
    Internet.

  o When a packet returns from the Internet into the Linux box, Linux
    examines if the port number is one of those ports that was assigned
    above.  If so, the MASQ server will then take the original port and
    IP address, put them back in the returned packet header, and send
    the packet to ANYBOX.

  o The host that sent the packet will never know the difference.

Another IP Masquerading Example:

A typical example is given in the diagram below:

                  Ethernet
                192.168.0.x
   +----------+
   |          | 
   | A-box    |::::::
   |          |.2   :
   +----------+     :
                    :      +----------+   PPP/ETH  
   +----------+     :   .1 |  Linux   |     link
   |          |     :::::::| Masq-Gate|:::::::::::::::::::>> Internet
   | B-box    |::::::      |          |  111.222.121.212
   |          |.3   :      +----------+
   +----------+     :
                    :
   +----------+     :
   |          |     :
   | C-box    |::::::
   |          |.4   
   +----------+ 

              
   |                       |          |                           >
   | <-Internal Network--> |          | <- External Network ----> >
   |   connected via an    |          |    Connected from the     >
   |   Ethernet hub or     |          |    Linux server to your   >
   |       switch          |          |    Internet connection    >

In this example, there are four computer systems that we are concerned about. There is also presumably something on the far right that your PPP/ETH connection to the Internet comes through (modem server, DSL DSLAM, cable modem router, etc.). Out on the Internet, there exists some remote host (very far off to the right of the page) that you are interested in communicating with. The Linux system named Masq-Gate is the IP Masquerading gateway for ALL internal networked machines. In this example, the machines A-box, B-box, and C-box would have to go through the Masq-Gate to reach the Internet. The internal network uses one of several RFC-1918 assigned private network addresses, which in this case is the Class-C sized network 192.168.0.0/24.

If you aren't familiar with RFC1918, you are encouraged to read the first few chapters of the RFC, but the gist of it is that the TCP/IP address blocks 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 through 172.31.255.255), and 192.168.0.0/16 are reserved. When we say "reserved", we mean that anyone can use these addresses as long as they aren't routed over the Internet. ISPs are even allowed to use this private addressing space as long as they keep these addresses within their own networks and do NOT advertise them to other ISPs. Unfortunately, this isn't always the case, but that's beyond the scope of this HOWTO.

Anyway, the Linux box in the diagram above has the TCP/IP address 192.168.0.1 on the internal Ethernet, while the other systems have the addresses:

  • A-Box: 192.168.0.2

  • B-Box: 192.168.0.3

  • C-Box: 192.168.0.4

The three machines, A-box, B-box and C-box, can have any one of several operating systems, just as long as they can speak TCP/IP. Some, such as Windows 95, Macintosh MacTCP or Open Transport, or even another Linux box, have the ability to connect to other machines on the Internet. When running IP Masquerade, the masquerading system or MASQ-gate converts all of these internal connections so that they appear to originate from the masq-gate itself. MASQ then arranges for the data coming back to a masqueraded connection to be relayed to the proper originating system. Therefore, the systems on the internal network only see a direct route to the Internet and are unaware that their data is being masqueraded. This is called a "Transparent" connection.
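The step-by-step excerpt above (new source port, own IP address inserted, originals saved, reverse lookup on the reply) and the Masq-Gate example with its RFC1918 internal network describe the same mechanism from two angles. The following Python is an added example written for this page, not code from the HOWTO, from David Ranch's TrinityOS, or from the netfilter project: it models the masquerade table (masquerade port -> original source address and port plus the remote endpoint), rewrites outbound packets from 192.168.0.0/24 to the public address 111.222.121.212, and maps replies back. It goes slightly beyond the text in two defensive checks: a reply is accepted only if it comes from the peer recorded for that port, and any packet arriving on the Internet side with an RFC1918 source is dropped, since the text says those addresses are never routed over the Internet. The interface names eth0/ppp0, the port pool 61000-65095, and the remote host addresses 198.51.100.x are assumptions or constructed values, not from the HOWTO.

```python
# Added example (not from the HOWTO): a toy model of the masquerading gateway.
import ipaddress
from dataclasses import dataclass, replace

# RFC1918 private blocks, exactly as listed in the text above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")  # the HOWTO's internal Ethernet
PUBLIC_IP = "111.222.121.212"                           # Masq-Gate's public address (from the HOWTO)
LAN_IF, EXT_IF = "eth0", "ppp0"                         # assumed interface names
MASQ_PORTS = range(61000, 65096)                        # assumed masquerade port pool


def is_rfc1918(ip):
    """True if ip falls inside one of the three reserved private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqGate:
    """Keeps the masquerade table and rewrites packets in both directions."""

    def __init__(self, ports=MASQ_PORTS):
        self._free_ports = iter(ports)
        self.table = {}  # masq_port -> (orig_src_ip, orig_src_port, dst_ip, dst_port)
        self.log = []

    def _drop(self, reason, pkt, iface):
        self.log.append(f"DROP on {iface}: {reason}: "
                        f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return None

    def handle(self, pkt, in_iface):
        """Return (out_iface, rewritten_packet), or None if the packet is dropped."""
        if in_iface == LAN_IF:
            return self._outbound(pkt)
        if in_iface == EXT_IF:
            return self._inbound(pkt)
        return self._drop("unknown interface", pkt, in_iface)

    def _outbound(self, pkt):
        # Only our own RFC1918 LAN gets masqueraded, and private destinations
        # must never be sent out onto the Internet.
        if ipaddress.ip_address(pkt.src_ip) not in INTERNAL_NET:
            return self._drop("source not on internal LAN", pkt, LAN_IF)
        if is_rfc1918(pkt.dst_ip):
            return self._drop("private destination is not routable", pkt, LAN_IF)
        # Reuse the entry for an already-seen flow so every packet of it maps to one port.
        for port, entry in self.table.items():
            if entry == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                break
        else:
            port = next(self._free_ports, None)
            if port is None:
                return self._drop("masquerade port pool exhausted", pkt, LAN_IF)
            # Save the originals, as the excerpt describes, keyed by the new source port.
            self.table[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Insert the gateway's own address and the new port, then send it out.
        return EXT_IF, replace(pkt, src_ip=PUBLIC_IP, src_port=port)

    def _inbound(self, pkt):
        # A private source arriving from the ISP side cannot be legitimate.
        if is_rfc1918(pkt.src_ip):
            return self._drop("RFC1918 source from the Internet (spoofed)", pkt, EXT_IF)
        entry = self.table.get(pkt.dst_port)
        # Unsolicited traffic has no table entry and is dropped; a reply must also
        # come from the remote endpoint the entry was created for (stricter than the text).
        if pkt.dst_ip != PUBLIC_IP or entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            return self._drop("no matching masquerade entry", pkt, EXT_IF)
        orig_ip, orig_port = entry[:2]
        # Put the original address and port back and hand the packet to the LAN.
        return LAN_IF, replace(pkt, dst_ip=orig_ip, dst_port=orig_port)


def walkthrough():
    """A-box (192.168.0.2) talks to a constructed remote web server 198.51.100.7."""
    gw = MasqGate()
    out = gw.handle(Packet("192.168.0.2", 1025, "198.51.100.7", 80), LAN_IF)
    back = gw.handle(Packet("198.51.100.7", 80, PUBLIC_IP, out[1].src_port), EXT_IF)
    unsolicited = gw.handle(Packet("198.51.100.9", 4444, PUBLIC_IP, 22), EXT_IF)
    spoofed = gw.handle(Packet("10.9.8.7", 80, PUBLIC_IP, out[1].src_port), EXT_IF)
    return out, back, unsolicited, spoofed, gw.log


if __name__ == "__main__":
    for item in walkthrough():
        print(item)
```

Running the file prints the walkthrough: A-box's connection leaves ppp0 as 111.222.121.212:61000, the reply comes back to 192.168.0.2:1025 on eth0, and both the unsolicited packet and the one with a 10.x source are dropped, with the reason recorded in the gateway's log. What the model makes visible is that a masquerading gateway has no table entry for inbound traffic it did not originate, which is the property behind the "HEAVILY secured" remark earlier on this page.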

Requirements for IP Masquerade on Linux 2.4.x

" ** Please refer to IP Masquerade Resource for the latest information. ** "

  • The newest 2.4.x kernels are now using both a completely new TCP/IP network stack as well as a new NAT sub-system called NetFilter. Within this NetFilter suite of tools, we now have a tool called IPTABLES for the 2.4.x kernels much like there was IPCHAINS for the 2.2.x kernels and IPFWADM for the 2.0.x kernels. The new IPTABLES system is far more powerful (combines several functions into one place like true NAT functionality), offers better security (stateful inspection), and better performance with the new 2.4.x TCP/IP stack. But this new suite of tools can be a bit complicated in comparison to older generation kernels. Hopefully, if you follow along with this HOWTO carefully, setting up IPMASQ won't be too bad. If you find anything unclear, downright wrong, etc. please email David about it.

    Unlike the migration to IPCHAINS from IPFWADM, the new NetFilter tool has kernel modules that can actually support older IPCHAINS and IPFWADM rulesets with minimal changes, so re-writing your old MASQ or firewall ruleset scripts is no longer required. BUT, with the 2.4.x kernels, you cannot use the old 2.2.x MASQ modules like ip_masq_ftp, ip_masq_irc, etc., AND IPCHAINS is incompatible with the new IPTABLES modules like ip_conntrack_ftp, etc. So, what does this mean? It basically means that if you want to use IPMASQ or PORTFW functionality under a 2.4.x kernel, you shouldn't use IPCHAINS rules but IPTABLES ones instead. Please also keep in mind that there might be several benefits in performing a full ruleset re-write to take advantage of the newer IPTABLES features like stateful tracking, etc., but that is dependent upon how much time you have to migrate your old rulesets.

Some new 2.4.x functionalities include the following:

PROs:

  • Lots of new protocols modules like: amanda, eggdrop, ipsec, ipv6, portscan, pptp, quota, rsh, talk, and tftp

  • TRUE 1:1 NAT functionality for those who have TCP/IP addresses and subnets to use (no more iproute2 commands)

  • Stateful application level (FTP, IRC, etc.) and stateful protocol level (TCP/UDP/ICMP) network traffic inspection

  • Built-in PORT Forwarding (no more ipmasqadm or ipportfw commands)

  • The built-in PORTFW'ing support works for both external and internal traffic. This means that users that have PORTFW for external traffic and REDIR for internal port redirection do not need to use two tools any more!

  • PORT Forwarding of FTP traffic to internal hosts is now completely supported and is handled in the ip_conntrack_ftp module

  • Full Policy-Based routing features (source-based TCP/IP address routing)

  • Compatibility with Linux's FastRoute feature for significantly faster packet forwarding (a.k.a Linux network switching).

    Note that this feature is still not compatible with packet filtering for strong firewall rulesets.

  • Fully supports TCP/IP v4, v6, and even DECnet (ack!)

  • Supports wildcard interface names like "ppp*" for serial interfaces like ppp0, ppp1, etc

  • Supports filtering on both input and output INTERFACES (not just IP addresses)

  • Source Ethernet MAC filtering

  • Denial of Service (DoS) packet rate limiting

  • Packet REJECTs now have user-selectable return ICMP messages

  • Variable levels of logging (different packets can go to different SYSLOG levels)

  • Other features like traffic mirroring, securing traffic per login, etc.

CONs:

  • Netfilter is an entirely new architecture, thus most of the older 2.2.x MASQ kernel modules written to make non-NAT-friendly network applications work through IPMASQ need to be re-written for the 2.4.x kernels. Because of this, if you specifically need functionality from some of these modules (see below), you should stay with a 2.2.x kernel until these modules have been either ported or the application has been updated to use NAT-friendly protocols. If you are curious about the porting status of a given module, please email the author of the module and NOT David or Ambrose. We don't code.. we just document. :-)

    Here is the status of the known IP Masq kernel modules or patches as found on the IPMASQ WWW site's Application Support Matrix. In addition, you should also check out the Netfilter Patch-o-Matic URL as well. If you have the time and knowledge to help in the porting of code, your efforts would be highly appreciated:

     Status      Module name   Description and notes
     ---------   -----------   ----------------------------------
     Ported      CuSeeme       Used for Video conferencing

     NotPorted   DirectPlay    Used for online Microsoft-based games

     Ported      FTP           Used for file transfers
                               - NOTEs: Built into the kernel and
                                 fully supports PORTFWed FTP

     ReWritten   H.323         Used for Video conferencing

     NotPorted   ICQ           Used for Instant messaging
                               * No longer required for modern ICQ clients

     Ported      Irc           Used for Online chat rooms

     Ported      Quake         Used for online Quake games

     Ported      PPTP          Allow for multiple clients to the same server

     NotPorted   Real Audio    Used for Streaming video / audio
                               * No longer required for modern RealVideo clients

     NotPorted   VDO Live      Used for Streaming audio?

    Documentation on how to perform MASQ module porting is available at http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html. If you have the time and knowledge, your talent would be highly appreciated in porting these modules.

If you'd like to read up more on NetFilter and IPTables, please see: http://www.netfilter.org/documentation/index.html#HOWTO and more specifically http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html

Linux 2.4.x IP Masquerade requirements include:

  • Any decent computer hardware. See Section 7.2 for more details.

  • The 2.4.x kernel source is available from http://www.kernel.org/.

    NOTE: Most modern Linux distributions, Section 7.1, that natively come with 2.4.x kernels are typically modular kernels and have all the IP Masquerade functionality already included. In such cases, there is no need to compile a new Linux kernel. If you are UPGRADING your kernel, you should be aware of other programs that might be required and/or need to be upgraded as well (mentioned later in this HOWTO).

  • The program "iptables" version 1.2.4 or newer (1.2.7a or newer is highly recommended), archive available from http://www.netfilter.org/

    • NOTE #1: All versions of IPTABLES less than 1.2.3 have an FTP module issue that can bypass any existing firewall rulesets. ALL IPTABLES users are highly recommended to upgrade to the newest version. The URL is above.

    • NOTE #2: All versions of IPTABLES less than 1.2.2 have an FTP "port" security vulnerability in the ip_conntrack_ftp module. All IPTABLES users are highly recommended to upgrade to the newest version. The URL is above.

    • This tool, much like the older IPCHAINS and IPFWADM tools, enables the various Masquerading code, more advanced forms of NAT, packet filtering, etc. It also makes use of additional MASQ modules like the FTP and IRC modules. Additional information on version requirements for the newest IPTABLES howto, etc. is located at the Unreliable IPTABLES HOWTOs page.

  • Loadable kernel modules, preferably 2.1.121 or higher, are available from http://home.pi.se/blox/modutils/index.html or ftp://ftp.kernel.org/pub/linux/utils/kernel/modutils

  • A properly configured and running TCP/IP network on the Linux machine, as covered in the Linux NET HOWTO and the Network Administrator's Guide. Also check out the TrinityOS document, which is also authored by David Ranch. TrinityOS is a very comprehensive guide for Linux networking. Some topics include IP MASQ, security, DNS, DHCP, Sendmail, PPP, Diald, NFS, IPSEC-based VPNs, and performance sections, to name a few. There are over fifty sections in all!

  • Connectivity to the Internet for your Linux host covered in Linux ISP Hookup HOWTO, Linux PPP HOWTO, and TrinityOS. Other helpful HOWTOs could include: Linux DHCP mini-HOWTO, Linux Cable Modem mini-HOWTO and http://www.tldp.org/HOWTO/DSL-HOWTO/index.html

  • Know how to configure, compile, and install a new Linux kernel as described in the Linux Kernel HOWTO. This HOWTO does cover kernel compiling but only for IP Masquerade related options.
