IP Masquerade is a networking function in Linux similar to the one-to-many NAT (Network Address Translation) found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other "internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to reach the Internet as well. Linux IP Masquerading allows for this functionality even though these internal machines don't have an officially assigned IP address.
MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, all this outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation to create a VERY secure networking environment. With a well built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult.
If you would like to know more on how MASQ differs from 1:1 NAT and Proxy solutions, please see the what-is-masq FAQ entry.
IP Masquerade has been out for several years now and is fairly mature as Linux enters the 2.2.x kernel stage. Kernels since Linux 1.3.x have had MASQ support built-in. Today many individuals and commercial businesses are using it with excellent results.
Common network uses like Web browsing, TELNET, FTP, PING, TRACEROUTE, etc. work well over IP Masquerade. Other communications such as FTP, IRC, and Real Audio work well with the appropriate IP MASQ modules loaded. Other network-specific programs like streaming audio (MP3s, True Speech, etc) work too. Some fellow users on the mailing list have even had good results with video conferencing software.
It should also be noted that running IP Masquerade with only ONE network card (NIC) to MASQ between internal and external Ethernet networks is NOT recommended. For full details, please see the aliasing FAQ section.
Anyway, please refer to Supported Client Software section for a more complete listing of software supported.
IP Masquerade works well as a server to other 'client machines' running various different OS and hardware platforms. There are successful cases with internal MASQed systems using:
The list goes on and on but the point is, if your OS platform talks TCP/IP, it should work with IP Masquerade!
From the original IP Masquerade FAQ by Ken Eves:
Here is a drawing of the most simple setup:

      SLIP/PPP          +------------+                          +---------------+
    to ISP provider     |   Linux    |        SLIP/PPP          |    Anybox     |
    <---------- modem1  |     #1     | modem2 ----------- modem3|               |
    111.222.121.212     |            |                          | 192.168.0.100 |
                        +------------+                          +---------------+

In the above drawing, a Linux box with IP_MASQUERADING is installed as Linux #1 and is connected to the Internet via SLIP/or/PPP using modem1. It has an assigned public IP address of 111.222.121.212. It also has modem2 connected to allow callers to dial-in and start a SLIP/or/PPP connection.

The second system (which doesn't have to be running Linux) calls into the Linux #1 box and starts a SLIP/or/PPP connection. It does NOT have a publicly assigned IP address from the Internet so it uses the private address 192.168.0.100. (see below for more info)

With IP Masquerade and the routing configured properly, the machine "Anybox" can interact with the Internet as if it was directly connected to the Internet (with a few small exceptions).

Quoting Pauline Middelink:

Do not forget to mention that the "ANYBOX" machine should have the Linux #1 box configured as its gateway (whether it be the default route or just a subnet is no matter). If the "ANYBOX" machine can not do this, the Linux machine should be configured to support proxy arp for all routed addresses. But, the setup and configuration of proxy arp is beyond the scope of the document.

The following is an excerpt from a previous post on comp.os.linux.networking which has been edited to match the names used in the above example:

o I tell machine ANYBOX that my PPP or SLIPed Linux box is its gateway.

o When a packet comes into the Linux box from ANYBOX, it will assign it a new TCP/IP source port number and slap its own IP address in the packet header, saving the originals. The MASQ server will then send the modified packet out over the SLIP/PPP interface to the Internet.

o When a packet returns from the Internet to the Linux box, Linux examines if the port number is one of those ports that was assigned above. If so, the MASQ server will get the original port and IP address, put them back in the returned packet header, and send the packet to ANYBOX.

o The host that sent the packet will never know the difference.
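As an added illustration (not from the HOWTO), the port-rewriting steps above modelled as a small Python translation table: the addresses are the ones in the drawing, while the port range, the Packet and MasqGateway names and the stricter inbound check (the remote host and port must match the saved entry, not just the masq port) are constructed here.

```python
from dataclasses import dataclass

# Addresses from the HOWTO's drawing; the port range is a constructed choice.
MASQ_PUBLIC_IP = "111.222.121.212"
ANYBOX_IP = "192.168.0.100"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqGateway:
    """Toy model of the masquerading table kept on the Linux #1 box."""

    def __init__(self, public_ip, first_port=61000, last_port=65095):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # masq port -> (orig src ip, orig src port, remote ip, remote port)
        self.by_port = {}
        # reverse map so an established flow keeps its masq port
        self.by_flow = {}

    def outbound(self, pkt):
        """ANYBOX -> Internet: save the originals, rewrite source ip:port."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("masquerade port range exhausted")
            port = self.next_port
            self.next_port += 1
            self.by_port[port] = flow
            self.by_flow[flow] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> Linux box: restore the originals, or None (drop).

        Assumption added here: the remote ip:port must also match the
        saved entry, so an unsolicited packet to a masq port is not relayed.
        """
        entry = self.by_port.get(pkt.dst_port)
        if entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            return None
        orig_ip, orig_port = entry[:2]
        return Packet(pkt.src_ip, pkt.src_port, orig_ip, orig_port)
```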
Another IP Masquerading Example:
A typical example is given in the diagram below:
     +----------+
     |          |  Ethernet
     |  A-box   |::::::
     |          |.2   :         192.168.0.x
     +----------+     :
                      :       +----------+   PPP
     +----------+     :  .1   |  Linux   |  link
     |          |     ::::::::| Masq-Gate|:::::::::::::::::::// Internet
     |  B-box   |::::::       |          | 111.222.121.212
     |          |.3   :       +----------+
     +----------+     :
                      :
     +----------+     :
     |          |     :
     |  C-box   |::::::
     |          |.4
     +----------+

     |                                 |                           |
     |  <-Internal Network-->          | <- External Network ----> |
     |                                 |                           |
In this example, there are (4) computer systems that we are concerned about. There is also presumably something on the far right that your PPP connection to the Internet comes through (a terminal server, etc.), and there is some remote host (very far off to the right of the page) out on the Internet that you are interested in communicating with. The Linux system Masq-Gate is the IP Masquerading gateway for ALL of the internal network of machines, A-box, B-box and C-box, to get to the Internet. The internal network uses one of the several RFC-1918 assigned private network address ranges, in this case the Class-C network 192.168.0.0. The Linux box has the TCP/IP address 192.168.0.1 while the other systems have the addresses:

The three machines, A-box, B-box and C-box, can be running any operating system as long as they can speak TCP/IP. OSes such as Windows 95, Macintosh MacTCP or OpenTransport, or even another Linux box can connect to other machines on the Internet. When running, the masquerading system, Masq-Gate, converts all of these internal connections so that they appear to originate from Masq-Gate itself. MASQ then arranges so that data coming back in to a masqueraded connection is relayed back to the proper originating system. Because of this, the systems on the internal network see a direct route to the Internet and are unaware that their data is being masqueraded. This is called a "Transparent" connection.
NOTE: Please see the FAQ for more details on topics such as:
** Please refer to IP Masquerade Resource for the latest information. **
NOTE #2: Most newer MASQ-supported distributions such as Red Hat 5.2 might not be ready for Linux 2.2.x in your setup. Tools like DHCP, NetUtils, etc. will need to be upgraded. More details can be found in the HOWTO.
ICQ MASQ module
PORTFW FTP Solutions:
IPROUTE2 for True 1:1 NAT, Policy-based (source) routing, and Traffic Shaping:
Some source code mirrors are:
ftp://linux.wauug.org/pub/net
ftp://ftp.nc.ras.ru/pub/mirrors/ftp.inr.ac.ru/ip-routing/
ftp://ftp.gts.cz/MIRRORS/ftp.inr.ac.ru/
ftp://ftp.funet.fi/pub/mirrors/ftp.inr.ac.ru/ip-routing/ (STM1 to USA)
ftp://sunsite.icm.edu.pl/pub/Linux/iproute/
ftp://ftp.sunet.se/pub/Linux/ip-routing/
ftp://ftp.nvg.ntnu.no/pub/linux/ip-routing/
ftp://ftp.crc.ca/pub/systems/linux/ip-routing/
ftp://ftp.paname.org (France)
ftp://donlug.ua/pub/mirrors/ip-route/
ftp://omni.rk.tusur.ru/mirrors/ftp.inr.ac.ru/ip-routing/
RPMs are available at ftp://omni.rk.tusur.ru/Tango/ and at ftp://ftp4.dgtu.donetsk.ua/pub/RedHat/Contrib-Donbass/KAD/
Please see the IP Masquerade Resource page for more information available on these patches and possibly others as well.
Some of the new functionality includes the following pros and cons:
PROs:
CONs:
ip_masq_cuseeme.o
ip_masq_icq.o
ip_masq_quake.o
ip_masq_user.o
ip_masq_irc.o
ip_masq_raudio.o
ip_masq_vdolive.o
There is documentation on how to do this porting at http://netfilter.kernelnotes.org/unreliable-guides/netfilter-hacking-HOWTO-5.html. If you have the time, your talent would be highly appreciated to get these modules ported over quickly.
As of this version of the HOWTO, NetFilter is NOT covered. Once the NetFilter feature set is settled, it will be added to -this- HOWTO or possibly a new one. Until then, please see the following links for the available NetFilter documentation. As it stands, the new NetFilter code will share 95% of the same setup and troubleshooting issues that IPCHAINS users have today. Because of this, this HOWTO is still very relevant for NetFilter firewall and NAT users.
http://netfilter.filewatcher.org/unreliable-guides/index.html and more specifically http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO.html
PORTFWed FTP:
X-Windows display forwarders:
ICQ MASQ module
PPTP (GRE) and SWAN (IPSEC) VPNs tunneling forwarders:
Game specific patches:
Please note that some WWW browsers will automatically uncompress this .gz file. To download this file unchanged, hold down the SHIFT key as you click on the above URL.
Also check out Dan Kegel's NAT Page for more information. Additional information can be found in the Game-Clients section and the FAQ section.