Download presentation source

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
Document related concepts

Deep packet inspection wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Net neutrality law wikipedia , lookup

Dynamic Host Configuration Protocol wikipedia , lookup

Network tap wikipedia , lookup

Spanning Tree Protocol wikipedia , lookup

Parallel port wikipedia , lookup

Net bias wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Distributed firewall wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Transcript 
Linux IP Masquerading
Brian Vargyas
XNet Information Systems
1
Agenda
• What is IP Masquerade
• How does it work
• Example
• Setting Up IP Masquerade
• References
2
What not to expect
• Teaching you how to set up Redhat
Linux 5.1
• How to compile and install a new
kernel
3
Why is IP Masquerading HOT?
• Demand to share a single Internet
address across multiple machines.
• Demand to save Internet IPv4 address
space.
• Demand for better internal network
security.
4
Emerging Applications
• Network Hiding
• Cable Modem Solutions
• xDSL Solutions
• Dial on Demand Internet
5
So what is it?
• A Developing networking function
built in to RedHat Linux 5.1
• Allows machines connected to the
Linux system to access the Internet
as if they were coming from a single
IP address.
• Provides a secure way of hiding
internal networks.
6
A Simple Setup
eth0
ISDN
ISP
10.0.0.0/8
Static Class A Network
Linux
Gateway
204.248.50.100/32
Dynamic IP Address
7
How it works
• Translation Tables Manage Inside to
Outside Address Translation
• IPFWADM (IP Firewall Administration)
• IPPORTFW (IP Port Forwarding)
• Loadable kernel modules for special
IP services like FTP, IRC, QUAKE.
8
IP Translation Tables
Net
• Maintains IP Address Source/Dest.
Port Pairs.
• Pool of 4096 Ports.
Inside Addresses
10.0.0.1
10.0.0.2
10.0.0.3
23
80
25
Address / Dest. Port Pairs
Outside Address
100.0.0.1 2000
100.0.0.1 2001
100.0.0.1 2002
Address / Source Port Pairs
9
IPFWADM (Firewall)
• Manages Permit/Deny Firewall Access
Lists
• Controls which networks are allowed
to IP Masquerade
• Deny access to all other networks.
10
IPPORTFW (Port Forwarding)
• Controls mapping of incoming port
requests to a inside address.
• Lets you run mail/web server on
another host inside your network.
• Provides complete flexibility on
where to place IP services.
• Not included in standard Redhat 5
distribution.
11
Loadable Kernel Modules
• Lets special IP services such as FTP
operate correctly. I.E. Back Channel
Data (Not Passive).
• Only loads into memory if needed
• Some services not supported.
• PPTP Patches.
12
Example (My Home)
• 3 Machines needs Internet access
• 1 DHCP dynamic address provided
from Cable Company.
• Backup ISDN dialup
• Windows NT web/mail server
14
Example Config
ISP
ISDN
eth1
eth0
Cable
Modem
10.0.0.0/8
Static Class A Network
Linux
Gateway
Cable
Network
15
Setup Procedure
• Configure all system interfaces. Make sure you
can ping remote machines. Verify connectivity to
your ISP is working.
• Install IPPORTFW Kernel Patches, Rebuilt Kernel,
Install and Reboot. (Kernel 2.0.33/2.0.34) Compile
IPPORTFW utility and install in /bin.
• Edit your /etc/rc.d/rc2.d/S99local file and include
the necessary IPFWADM and IPPORTFW
configuration.
• Make sure you have a default route (0.0.0.0/0)
pointed at your ISP Interface.
15
Setup Configuration (S99local)
# S99local
echo "1" > /proc/sys/net/ipv4/ip_forwarding
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 10.0.0.0/24 -D 0.0.0.0/0
/sbin/ipportfw -A -t 24.131.169.80/80 -R 10.0.0.3/80
/sbin/ipportfw -A -t 24.131.169.80/25 -R 10.0.0.3/25
route add default 24.131.169.1
16
Verify Configuration
[root@bv-gw /]# netstat -M
IP masquerading entries, free ports: UDP 4095
prot
udp
expire source
4:52.95 10.0.0.3
TCP 4096
destination
ports
204.91.243.41
1085 -> 4000 (61058)
[root@bv-gw /]# ipfwadm -F -l
IP firewall forward rules, default policy: deny
type
prot source
acc/m all
10.0.0.0/24
destination
ports
anywhere
n/a
[root@bv-gw /]# ipportfw -L
Prot Local Addr/Port > Remote Addr/Port
TCP 24.131.169.80/25 > 10.0.0.3/25
TCP 24.131.169.80/80 > 10.0.0.3/80
17
Problems
• Not every IP protocol works
• Difficult to run web/mail when you
have a DHCP address that keeps
changing.
• DNS needs to be hosted by ISP
18
Private IP Address Space (RFC 1918)
• Must use following address space for
internal networks:
• 10.0.0.0/8
255.0.0.0
• 172.16.0.0/12
255.240.0.0
• 192.168.0.0/16
255.255.0.0
19
Illegal Address Space Issues
• Problems getting to the network
being used. (DNS Related Issues)
• Need to use another vendor
implementation to solve problem
• IP NAT Overlapping (CISCO)
20
References
• IP Masquerade Web Page
http://ipmasq.home.ml.org/
• Port Forwarding Web Page
http://www.ox.compsoc.org.uk/~
steve/portforwarding.html
• My Web Page
http://www.xnet.com/~brianv
21
Related documents
Nona*s Homemade * Marketing Project * C Block Marketing Class
Nona*s Homemade * Marketing Project * C Block Marketing Class
Win32 Programming
Win32 Programming
Chapter 1 Introduction
Chapter 1 Introduction
Chapter 1: Protocols and Layers
Chapter 1: Protocols and Layers
Project brief 2007 COUNTRY: EGYPT PROJECT NAME: DAMIETTA
Project brief 2007 COUNTRY: EGYPT PROJECT NAME: DAMIETTA
Chapter 2 Operating System Overview
Chapter 2 Operating System Overview
Operating Systems (OS)
Operating Systems (OS)
ETC212 Linux Operating Systems and Mobile Devices 3 Credits
ETC212 Linux Operating Systems and Mobile Devices 3 Credits
ppt
ppt
ppt
ppt
Greetings Hnoagain. D. O'Dell
Greetings Hnoagain. D. O'Dell