masquerading.html.txt

Posted Nov 3, 1999
Authored by Gomorrah | Site blacksun.box.sk

A simple guide on what IP masquerading is, what is it good for, how to work with it etc for newbies in that subject.

tags | paper, protocol
SHA-256 | a8374609c77bf091c7d1940e63b17d077f5d6d8d672ca0960035a504a19f7620

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<HTML>
<HEAD>
<META CONTENT="text/html; charset=iso-8859-1" HTTP-EQUIV="Content-Type">
<META NAME="GENERATOR" CONTENT="Mozilla/4.7 [en] (X11; I; Linux 2.2.5-15 i686) [Netscape]">
<TITLE> IP-MASQUERADING </TITLE>
</HEAD>
<BODY BGCOLOR="#BEBCD3">

<CENTER>
<H1>
IP-Masquerading</H1></CENTER>

<H2>
1 Masquerading ?</H2>

<H3>
1.1 About this document</H3>
This document has one reason for existing, to teach something to others.
<H3>
Who should be reading this document</H3>
If you have several computers at home and you want to share your
internet connection with the rest of the family, or if you like seeing
your mail on the screen on the left side of your desk and your IRC window
on the screen on the right side of your desk, you need
IP masquerading. Yes, I know there are also modem sharing packages for Microsoft
products on the market. But the advantage here is that this can run on a
386 computer, and with 3 more commands you can have your own firewall.
There are also more providers offering cable modems and (too) much bandwidth
for one computer. I think it is very handy: if I am reading my e-mail and
I want to see if one of my friends is on IRC, I just have to turn my head.
You don't really need a cable modem; it also works if you have a modem connection
(I am the living example of that).
<H3>
1.2 What do you need ?</H3>
Although I haven't explained yet what masquerading actually is (be patient),
I will start by telling you what you need in order to use it.
You need:
<UL>
<LI>
Multiple (>2) computers</LI>

<LI>
A network connecting these computers</LI>

<LI>
Different IP numbers assigned to all computers</LI>

<LI>
One pc who has a modem and an internet connection</LI>

<LI>
The Linux os with a 2.2.x or higher kernel running on that machine</LI>

<LI>
Half an hour of time (in the worst case)</LI>

<LI>
Something to eat</LI>
</UL>
Now that you know what you need in order to use masquerading, I can start
explaining what it actually is:
<H3>
What is it</H3>
I know that masquerading is a complicated process, so before getting all
technical I'll start with an example that makes it easier to understand.
Person A loves person B, but person A isn't at the same school and doesn't have her
telephone number. There is also a common friend (person C), someone who
knows A and is at the same school as B. So A is going to ask C to talk
to B without mentioning who person A is, pretending the acquired information
is for himself.
<P>You are probably wondering why I made that example, or on what television
show you have seen the same. Well, it is quite simple. Person B is the internet,
person A is a masqueraded client and person C is the masqueraded server.
<P>To understand it, I'll first give a short introduction to TCP/IP.
TCP/IP stands for Transmission Control Protocol / Internet Protocol. It
is widely used for data communication among computers (before TCP/IP, everybody
used UUCP = Unix to Unix Copy Protocol). TCP/IP is literally a protocol
that controls your communication; it also uses IP numbers. IP numbers consist
of 12 numbers grouped by 3 (123.456.789.123). Every computer attached
to a network (and to the internet) has its own unique IP number. TCP/IP
works like the following.
<BR>=> I am 1.2.3.4 and I want to contact 1.2.3.3
<BR>-> I am 1.2.3.3 did you call me ?
<BR>=> I am 1.2.3.4 and I contacted you
<BR>-> I am 1.2.3.3 and ready
<BR>=> I am 1.2.3.4 and I want that file
<BR>-> I am 1.2.3.3 and I am sending the first part to 1.2.3.4
<BR>=> I am 1.2.3.4 and I have received it.
<BR>-> I am 1.2.3.3 and I am sending the second part to 1.2.3.4
<BR>=> I am 1.2.3.4 and I haven't received anything
<BR>-> I am 1.2.3.3 and I am sending again
<BR>=> I am 1.2.3.4 and I have received it.
<BR>-> I am 1.2.3.3 and I am waiting.
<BR>=> I am 1.2.3.4 and I am ready, bye
<BR>-> I am 1.2.3.3 Bye
<BR>I know this may seem a little childish, but data communication (and
TCP/IP) works like that.
<CENTER>
<P><IMG SRC="http://blacksun.box.sk/networking.gif" WIDTH="400" HEIGHT="200"></CENTER>

<P>Now you should be able to understand the image. You see a computer with
local IP 10.0.0.1 which is connected to the internet by a telephone line
and has been given an IP number by its ISP (Internet Service Provider); that
IP is 11.1.1.4. What does this mean? If someone on the internet tried
to contact 11.1.1.4 they would get a response, but if they tried to
contact 10.0.0.1 they would not get a response, although it is the same
computer, because the IP 10.0.0.1 isn't recognized worldwide. Then we have
10.0.0.2 to 10.0.0.x, which are connected to 10.0.0.1. In this case we could
consider 10.0.0.1 as a gateway (a gateway is a sort of exit to another
network; a gateway could be a link between 10.0.1.x and 10.0.0.x, but for that
the machine must be recognized by both 10.0.1.x and 10.0.0.x, or in other
words it should have 2 network cards, or in this case a modem and a network
card). So we could consider it a gateway, but there is one detail that stops
10.0.0.1 from being a gateway to the internet: the internet
wouldn't recognize it.
<BR>=> I'm 10.0.0.2 and I want to contact you
<BR>-> I'm 1.2.3.3 and I have no idea how to reach you, go away (this
message isn't really sent, because there is no logical route between
the two computers; this is logged)
<BR>So what does masquerading actually do? Well, it lends its own IP (11.1.1.4,
the IP that is attached to the ISP, assigned by DHCP for example)
to the entire network and remembers which computer requested which packet.
Something like:
<BR>=> I'm 10.0.0.2 and I want to contact 1.2.3.3
<BR>-> I'm 10.0.0.1 and I will be processing your request
<BR>-> I'm 11.1.1.4 and I want to contact 1.2.3.3
<BR>-> I'm 1.2.3.3 and awaiting your command
<BR>I hope this cleared up a lot. So a masqueraded server gives its IP
(in fact it masks the IPs of the network) in order for the other PCs
to get on the internet. And the incoming data is sorted back out to the
10.0.0.x network.
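<P>To make "remembers which computer requested which packet" concrete, here is a small Python model of a masquerading gateway. This is an added example, not part of the original document and not kernel code. The addresses are the document's own (the 10.0.0.x LAN, 11.1.1.4 as the ISP-assigned address, 1.2.3.3 as a host on the internet); the port range starting at 61000 and the shape of the translation table are assumptions made for the illustration.

```python
import itertools
from dataclasses import dataclass

# Constructed addresses, taken from the document's example (not real hosts):
# 10.0.0.x is the private LAN, 11.1.1.4 the ISP-assigned address of the
# gateway, 1.2.3.3 a host on the internet.
EXTERNAL_IP = "11.1.1.4"
LAN_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class MasqGateway:
    """Toy model of a masquerading gateway (assumed design, not the kernel's):
    outbound packets get the gateway's public address and a fresh port as
    source, the mapping is remembered, and replies are rewritten back."""

    def __init__(self, external_ip=EXTERNAL_IP, lan_prefix=LAN_PREFIX, first_port=61000):
        self.external_ip = external_ip
        self.lan_prefix = lan_prefix
        self._ports = itertools.count(first_port)   # assumed masq port range
        self.table = {}    # (lan_ip, lan_port, remote_ip, remote_port) -> masq_port
        self.reverse = {}  # masq_port -> (lan_ip, lan_port, remote_ip, remote_port)

    def outbound(self, pkt):
        """LAN host -> internet: rewrite source, reusing the port for a known flow."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            raise ValueError("not from the masqueraded LAN")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.table.get(key)
        if port is None:
            port = next(self._ports)
            self.table[key] = port
            self.reverse[port] = key
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Internet -> LAN: only a reply to a remembered outbound flow is let
        through and rewritten to the LAN host; anything else is dropped (None)."""
        if pkt.dst_ip != self.external_ip:
            return None
        key = self.reverse.get(pkt.dst_port)
        if key is None:
            return None                      # nobody on the LAN asked for this
        lan_ip, lan_port, remote_ip, remote_port = key
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                      # reply is not from the host we contacted
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.payload)


if __name__ == "__main__":
    gw = MasqGateway()
    out = gw.outbound(Packet("10.0.0.2", 1025, "1.2.3.3", 80, "I want that file"))
    print("seen by 1.2.3.3:", out)
    back = gw.inbound(Packet("1.2.3.3", 80, out.src_ip, out.src_port, "first part"))
    print("delivered to LAN:", back)
    print("unsolicited:", gw.inbound(Packet("1.2.3.3", 80, EXTERNAL_IP, 2000, "hello?")))
```

<P>The inbound check is the reason masquerading also behaves as a basic firewall: a packet from the internet that matches no table entry is dropped, which is why the document can say that a few more commands give you a firewall. The FTP and IRC helper modules the document loads later exist because those protocols open extra connections that a plain table like this one would not know about.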
<H2>
2 I hate theory I want to type something</H2>

<H3>
2.1 Preparing your system</H3>
I am supposing that you all have a computer with the Linux OS installed on
it, that you have configured your internet account (if not, check the
help pages of your provider), and that you know some Linux basics like compiling
your own kernel. This entire document is only valid if you have a 2.2.x kernel,
because masquerading went through some changes lately. If you have not got
a 2.2.x kernel running, I suggest you upgrade, because older kernels might
contain bugs, might not support your newest hardware and make your system
vulnerable to attacks. You can get the latest kernel from <A HREF="ftp://ftp.kernel.org/">ftp.kernel.org</A>
(I will briefly explain the kernel basics here)
<BR><I>[GoMoRRaH@SaTaN GoMoRRaH]$ mv mykernel.tar.gz /usr/src/</I>
<BR><I>[GoMoRRaH@SaTaN GoMoRRaH]$ cd /usr/src</I>
<BR><I>[GoMoRRaH@SaTaN src]$ rm linux (removes the symbolic link to your
old sources)</I>
<BR><I>[GoMoRRaH@SaTaN src]$ tar -zxvf mykernel.tar.gz</I>
<BR><I>(your kernel is now being extracted default in the directory linux)</I>
<BR><I>[GoMoRRaH@SaTaN src]$ cd linux</I>
<BR><I>[GoMoRRaH@SaTaN linux]$ make menuconfig</I>
<BR>(you can choose: type make config for text based, make menuconfig
for graphical and make xconfig under X Windows)
<BR>Now you can see all the options you can use. This is different for
each system; * stands for built-in support and M stands for module (modules are
pieces of kernel code that can be loaded at any time later on). But
whatever else you choose, you have to say YES to the following:
<P>=> Prompt for development and or incomplete code / drivers
<BR>=>Enable loadable module support
<BR>=>Networking support
<BR>=>Network firewalls
<BR>=>TCP/IP Networking
<BR>=>IP:forwarding/gatewaying
<BR>=>IP:firewalling
<BR>=>IP:masquerading
<BR>=>IP:ipportfw masq support
<BR>=>IP:ipautofw masq support
<BR>=>IP:ICMP masquerading
<BR>=>IP:always defragment
<BR>=>Dummy net driver support
<BR>=>IP:ip fwmark masq-forwarding support
<P>Note that the above options are only the ones required for IP masquerading; you
still need the other options your system requires in your kernel. When you are finished you will be
prompted to save changes. The following commands do the actual compiling
and may take from 10 to 40 minutes, and will show many characters which
you may not understand on your screen; don't worry, it is normal.
<BR><I>[GoMoRRaH@SaTaN linux]$ make dep</I>
<BR><I>[GoMoRRaH@SaTaN linux]$ make clean</I>
<BR><I>[GoMoRRaH@SaTaN linux]$ make bzImage</I>
<BR><I>[GoMoRRaH@SaTaN linux]$ cp /usr/src/linux/arch/i386/boot/bzImage
/boot/kernel</I>
<BR><I>[GoMoRRaH@SaTaN linux]$ make modules</I>
<BR><I>[GoMoRRaH@SaTaN linux]$ make modules_install</I>
<BR>At this point you should edit your <I>/etc/lilo.conf</I> file. You
should add something like
<BR>image=/boot/kernel
<BR>label=masqkernel
<BR>root=/dev/hdax (replace this by your root filesystem, harddisk, partition,
..)
<BR>read-only
<BR>This makes your boot manager find your new kernel at boot. So when you
see the lilo prompt the next time, you should type <I>masqkernel</I>
<BR><I>[GoMoRRaH@SaTaN linux]$ lilo</I>
<BR><I>added linux-2.2.5-15 *</I>
<BR><I>added dos</I>
<BR><I>added masqkernel</I>
<BR>Now you should edit your
<I>/etc/rc.d/rc.local</I> file so the modules
needed are automatically loaded at boot
<BR>.
<BR>.
<BR>/sbin/depmod -a
<BR>/sbin/modprobe ip_masq_ftp
<BR>/sbin/modprobe ip_masq_raudio
<BR>/sbin/modprobe ip_masq_irc
<BR>.
<BR>.
<BR>These modules are needed for ftp, real audio and irc. There is only
one thing to do besides rebooting, and that is enabling IPv4 forwarding.
<BR><I>[GoMoRRaH@SaTaN linux]$ echo "1" > /proc/sys/net/ipv4/ip_forward
</I>Now you should reboot your system with your newly made kernel and see
if everything boots properly; if not, you should redo the above steps until
you have a properly working kernel.
<H3>
Start up your masquerade</H3>
In fact there isn't much to do once you've got your kernel right. It is
a matter of dialing in with your provider and typing 2 commands. They are
used to set your forwarding policies.
<BR><I>[GoMoRRaH@SaTaN GoMoRRaH]$ ipchains
-P forward DENY</I>
<BR><I>[GoMoRRaH@SaTaN GoMoRRaH]$ ipchains -A forward -s 10.0.0.0/4 -j
MASQ</I>
<BR>In order for this to work on your local network, the only thing you
have to adjust is the -s parameter: 10.0.0.0 is your network address and
the 4 is the highest IP number that is masqueraded. Your server should
work now. And yeah, that's really it: you have a lot of theory and a lot
of preparation with your kernel, and you have to type 2 lines to get your
server up and running.
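<P>One check worth doing before typing the two lines above: the number after the slash in the -s argument is a prefix length (the number of leading bits of the address that must match), so 10.0.0.0/4 matches every source address from 0.0.0.0 to 15.255.255.255, not just hosts 10.0.0.1 to 10.0.0.4, and the rule would happily masquerade traffic whose source is not your LAN at all. The Python below is an added example (not from the document) that shows what a given -s prefix actually covers and builds the rules for a correctly sized one; it assumes the LAN is 10.0.0.0/24 and uses the document's 1.2.3.3 and 11.1.1.4 as outside addresses.

```python
import ipaddress

# Constructed values from the document's example: the LAN is 10.0.0.x and
# 1.2.3.3 / 11.1.1.4 are addresses outside it. 10.0.0.0/4 is what the document
# types; 10.0.0.0/24 is the assumed correct prefix for that LAN.


def lan_coverage(cidr):
    """Return (network, address count) that the kernel would actually match for
    a '-s' argument. The host bits are masked away, which strict=False
    reproduces: 10.0.0.0/4 really means 0.0.0.0/4."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net), net.num_addresses


def covers(cidr, address):
    """True if a packet with this source address would match the rule."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def audit(cidr, lan_hosts, outside_hosts):
    """Which of the given addresses would be masqueraded? A sane rule covers
    every LAN host and none of the outside ones."""
    return {
        "lan_covered": [h for h in lan_hosts if covers(cidr, h)],
        "outside_covered": [h for h in outside_hosts if covers(cidr, h)],
    }


def masq_ruleset(lan_cidr):
    """Build the document's three setup lines for a given LAN prefix. The prefix
    is parsed strictly, so a mask that does not fit the network address (the /4
    typo) raises ValueError instead of yielding an over-broad rule, and only
    private (RFC 1918) ranges are accepted."""
    net = ipaddress.ip_network(lan_cidr)   # strict: host bits must be zero
    if not net.is_private:
        raise ValueError(f"{net} is not a private (RFC 1918) range")
    return [
        'echo "1" > /proc/sys/net/ipv4/ip_forward',
        "ipchains -P forward DENY",
        f"ipchains -A forward -s {net} -j MASQ",
    ]


if __name__ == "__main__":
    lan = ["10.0.0.2", "10.0.0.3"]
    outside = ["1.2.3.3", "11.1.1.4"]
    for cidr in ("10.0.0.0/4", "10.0.0.0/24"):
        print(cidr, "->", lan_coverage(cidr), audit(cidr, lan, outside))
    print("\n".join(masq_ruleset("10.0.0.0/24")))
```

<P>Run it and the /4 line reports 268435456 addresses with both outside hosts covered, while /24 reports 256 addresses and covers only the LAN. Note also that the write to /proc/sys/net/ipv4/ip_forward is not kept across a reboot, so it belongs in rc.local next to the modprobe lines.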
<H3>
Configuring your clients</H3>
You have a server, but what is a server without clients? What is a supermarket
without customers? Not that you have to do so much configuring, no, not
at all. There is only one little thing that you have to take care of (if
it isn't already done): your clients should have as their gateway the IP of
your masqueraded server (here 10.0.0.1). This is located near your networking
options; it shouldn't be hard to find.
<H2>
3 General</H2>
<B>Other information sources</B>
<BR>If you want to know more about Linux networking or Linux in general,
you should read the documents published by the LDP (Linux Documentation
Project). They have published a Network Administrators Guide, a System
Administrators Guide, a Programmers Guide and several HOWTOs. They come
with each Linux distribution and are really worth reading.
<P>For any further questions, you can mail <A HREF="mailto:metal@digibel.org">GoMoRRaH</A>,
a member of <I><A HREF="http://blacksun.box.sk/">Black Sun Research Facility</A></I>
</BODY>
</HTML>