Next Previous Contents

2. Background Knowledge

2.1 What is IP Masquerade?

IP Masquerade is a networking function in Linux similar to one-to-many NAT (Network Address Translation) found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other "internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to also reach the Internet as well. Linux IP Masquerading allows for this functionality even though these internal machines don't have an officially assigned IP addresses.

MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, all this outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation to create a VERY secure networking environment. With a well built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult.

2.2 Current Status

IP Masquerade has been out for several years now and is fairly mature as Linux enters the 2.2.x kernel stage. Kernels since Linux 1.3.x have had MASQ support built-in. Today many individuals and commercial businesses are using it with excellent results.

Common network uses like Web browsing, TELNET, FTP, PING, TRACEROUTE, etc. work well over IP Masquerade. Other communications such as FTP, IRC, and Real Audio work well with the appropriate IP MASQ modules loaded. Other network-specific programs like streaming audio (MP3s, True Speech, etc) work too. Some fellow users on the mailing list have even had good results with video conferencing software.

Please refer to Supported Client Software section for a more complete listing of software supported.

IP Masquerade works well as a server to other 'client machines' running various different OS and hardware platforms. There are successful cases with internal MASQed systems using :

The list goes on and on but the point is, if your OS platform talks TCP/IP, it should work with IP Masquerade!

2.3 Who Can Benefit From IP Masquerade?

2.4 Who Doesn't Need IP Masquerade?

2.5 How does IP Masquerade Work?

>From the original IP Masquerade FAQ by Ken Eves:

  Here is a drawing of the most simple setup:

   SLIP/PPP         +------------+                         +-------------+
   to ISP provider  |  Linux     |         SLIP/PPP        | Anybox      |
  <---------- modem1|    #1      |modem2 ----------- modem3|             |
    111.222.333.444 |            |           192.168.0.100 |             |
                    +------------+                         +-------------+

    In the above drawing, a Linux box with IP_MASQUERADING is installed as
  Linux #1 and is connected to the Internet via SLIP/or/PPP using modem1.  It has
  an assigned public IP address of 111.222.333.444.  It also has modem2 connected
  to allow callers to dial-in and start a SLIP/or/PPP connection.  

    The second system (which doesn't have to be running Linux) calls into the
  Linux #1 box and starts a SLIP/or/PPP connection.  It does NOT have a publicly
  assigned IP address from the Internet so it uses the private address
  192.168.0.100. (see below for more info)

    With IP Masquerade and the routing configured properly, the machine
  "Anybox" can interact with the Internet as if it was directly connected to the
  Internet (with a few small exceptions).

Quoting Pauline Middelink:

  Do not forget to mention that the "ANYBOX" machine should have the 
  Linux #1 box configured as its gateway (whether is be the default route or just 
  a subnet is no matter). If the "ANYBOX" machine can not do this, the Linux 
  machine should be configured to support proxy arp for all routed addresses. But,
  the setup and configuration of proxy arp is beyond the scope of the document.

The following is an excerpt from a previous post on comp.os.linux.networking which
has been edited to match the names used in the above example:

   o I tell machine ANYBOX that my PPP or SLIPed Linux box is its gateway.
   o When a packet comes into the Linux box from ANYBOX, it will assign it 
     a new TCP/IP source port number and slap its own IP address in the packet
     header, saving the originals.  The MASQ server will then send the modified 
     packet out over the SLIP/PPP interface to the Internet.
   o When a packet returns from the Internet to the Linux box, Linux examines 
     if the port number is one of those ports that was assigned above.  If so, the
     MASQ server will get the original port and IP address, put them back in the 
     returned packet header, and send the packet to ANYBOX.
   o The host that sent the packet will never know the difference. 

Another IP Masquerading Example:

A typical example is given in the diagram below:


    +----------+
    |          |  Ethernet
    | A-box    |::::::
    |          |.2   : 192.168.0.x
    +----------+     :
                     :      +----------+   PPP   
    +----------+     :   .1 |  Linux   |   link
    |          |     :::::::| Masq-Gate|:::::::::::::::::::// Internet
    | B-box    |::::::      |          |  111.222.333.444
    |          |.3   :      +----------+
    +----------+     :
                     :
    +----------+     :
    |          |     :
    | C-box    |::::::
    |          |.4    
    +----------+  
                
    |                       |          |
    | <-Internal Network--> |          | <- External Network ---->
    |                       |          |

In this example, there are (4) computer systems that we are concerned about. There is also presumably something on the far right that your PPP connection to the Internet comes through (terminal server, etc.) and that there is some remote host (very far off to the right of the page) out on the Internet that you are interested communicating with). The Linux system Masq-Gate is the IP Masquerading gateway for ALL the internal network of machines A-box, B-box and C-box to get to the Internet. The internal network uses one of the several RFC-1918 assigned private network addresses where in this case, the Class-C network 192.168.0.0. The Linux box having the TCP/IP address 192.168.0.1 while the other systems having the addresses:

The three machines, A-box, B-box and C-box, can be running any operating system as long as they can speak TCP/IP. OSes such as Windows 95, Macintosh MacTCP or OpenTransport or even another Linux box can connect to other machines on the Internet. When running, the masquerading system or MASQ-gate converts all of these internal connections so that they appear to originate from masq-gate itself. MASQ then arranges so that data coming back in to a masqueraded connection is relayed back to the proper originating system. Because of this, the systems on the internal network see a direct route to the internet and are unaware that their data is being masqueraded. This is called a "Transparent" connection.

NOTE: Please see the FAQ for more details on topics such as:

2.6 Requirements for IP Masquerade on Linux 2.0.x

** Please refer to IP Masquerade Resource for the latest information. **

2.7 Requirements for IP Masquerade on Linux 2.2.x

** Please refer to IP Masquerade Resource for the latest information. **

Please see the IP Masquerade Resource page for more information available on these patches and possibly others as well.

2.8 Requirements for IP Masquerade on Linux 2.3.x and 2.4.x

** Please refer to IP Masquerade Resource for the latest information. **


Next Previous Contents