UNIX / Linux workshop
Original file: Linux IP Masquerade Mini Howto
Ambrose Au, achau@wwnline.com
V1.00, 1 January 1997
Translation date: 1997/04/14
Translation maintenance: asdchen@ms1.hinet.net
This document describes how to enable the IP Masquerade feature on a Linux host,
so that machines connected to it that have no officially assigned Internet IP
address can reach the Internet through your Linux machine.
1. Introduction
1.1. Introduction
This document describes how to enable the IP Masquerade feature on a Linux host,
so that machines connected to it that have no officially assigned Internet IP
address can reach the Internet through your Linux machine. Those machines may be
connected to the Linux host by Ethernet or by other kinds of connection, such as
a point-to-point (PPP) link. This document emphasizes the Ethernet case because
it should be the most common one.

This document is intended for users of 2.0.x kernels; the development 2.1.x
kernels are not covered.
1.2. Foreword, Feedback & Reference Information
First of all, I want you to know that I am not a particularly thorough or
experienced person.

I found that newcomers get very confused when setting up IP Masquerade on the
newer kernels, such as the 2.x kernels. Although there is a FAQ and a mailing
list, there is no document dedicated to this subject, and there have been some
requests on the mailing list for such a HOWTO. So I decided to write this as a
starting point for all newcomers, and I hope it will serve as a basis on which
users who know the subject very well can build a fuller document. Feel free to
tell me what you think of it, so that I can do better.

Much of this document is based on the original FAQ by Ken Eves and on the many
helpful messages in the IP_masq mailing list. Special thanks to Mr. Matthew
Driver, whose message in the mailing list gave me the inspiration for IP_masq
and, finally, for writing this document.

If I have misused or omitted any information, please do not hesitate to send
feedback or opinions to achau@wwnline.com. Your invaluable feedback will
influence the future of this document!

This document is meant as a quick guide to get your IP Masquerade working in
the shortest time. The latest news and information are released on the IP
Masquerade Resource page. If you have any technical questions about IP
Masquerade, join the IP Masquerade mailing list instead of sending me email,
because my time is limited and the developers of IP_masq are more capable of
answering your questions.
The latest version of this document can be found at the IP Masquerade Resource,
which also has HTML and PostScript versions.
. http://www.wwnline.com/~achau/ipmasq/
. http://www.hwy401.com/achau/ipmasq/
. http://www.leg.uct.ac.za/mirrors/ipmasq/
. http://130.89.230.132/linux/ipmasq/
1.3. Copyright & Declaration
This document is copyrighted by Ambrose Au and is a free document. You can
redistribute it under the terms of the GNU General Public License.
The information and other contents in this document are to the best of my
knowledge. However, IP_MASQ is experimental, and I may also make some mistakes,
so you should decide for yourself whether to follow the information in this
document.
Nobody is responsible for any damage to your computers or any other losses
caused by using the information in this document, i.e. the author is not
responsible for damage caused by the content of this document.
This document is copyright (c) 1996 Ambrose Au, and it's a free
document. You can redistribute it under the terms of the GNU General
Public License.
The information and other contents in this document are to the best of
my knowledge. However, IP_MASQ is experimental, and there is chance
that I make mistakes as well; so you should determine if you want to
follow the information in this document.
Nobody is responsible for any damage on your computers and any other
losses by using the information on this document. i.e.
THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE
TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT.
2. Background knowledge
2.1. What is IP Masquerade?
IP Masquerade is a networking function in Linux that is under development. If a
Linux host is connected to the Internet with the IP Masquerade function enabled,
then computers connected to it (whether on the same local area network or over
modems) can reach the Internet as well, even though they have no officially
assigned IP address.

This allows a set of machines to access the Internet unseen, hidden behind a
gateway system that appears to be the only system using the Internet. Breaking
through the security of a masquerading system should be more difficult than
breaking through a good packet filter firewall (assuming there are no bugs).
2.2. Status
IP Masquerade is still in the experimental stage. However, kernels from 1.3.x
onward have had this support built in. Many individuals and even companies are
using it, with satisfactory results.

Web browsing and remote login (telnet) have been reported to work well over
IP_MASQ. File transfer (FTP), Internet Relay Chat (IRC) and listening to Real
Audio now work with certain modules loaded. Other streaming audio such as True
Speech and Internet Wave also works. Some users on the mailing list have even
tried video conferencing software. Ping now works as well, with the newest
Internet Control Message Protocol (ICMP) patch. For the complete list of
supported software, please refer to Section 4.3.

IP Masquerade works well with 'client machines' on a number of different
operating systems and platforms. Successful cases include UNIX, Windows 95,
Windows NT, Windows for Workgroups (with the TCP/IP package), OS/2, Macintosh
System's OS with Mac TCP, Mac Open Transport, DOS with the NCSA Telnet package,
VAX, Alpha with Linux, and even Amiga with AmiTCP or the AS225-stack.
2.3. Who can benefit from IP Masquerade?
. If you have a Linux host connected to the Internet, and
. if you have some computers running TCP/IP that are connected to that Linux
  machine on a local area network, and/or
. if your Linux host has more than one modem and acts as a PPP or SLIP server
  connecting other computers, and
. those "other" machines do not have officially assigned IP addresses (these
  machines are referred to as "other" machines from here on),
. and of course, if you want those "other" machines to get onto the Internet
  without additional cost :)
2.4. Who does not need IP Masquerade?
. If your machine is a stand-alone Linux host connected to the Internet, then
  running IP_masq is pointless, or
. if your "other" machines already have officially assigned IP addresses, then
  you don't need IP Masquerade,
. and of course, if you don't like the idea of a free ride.
2.5. How does IP Masquerade work?
From the IP Masquerade FAQ by Ken Eves:
This is a simple sketch of the setup:

  SLIP/PPP           ------------                          -----------
  to provider       |   Linux    |       SLIP/PPP         |  Anybox   |
  <---------- modem1|            |modem2 ----------- modem|           |
    111.222.333.444 |            |          192.168.1.100 |           |
                     ------------                          -----------

In the sketch above, a Linux machine with ip_masquerading installed and running
is connected to the Internet through modem1 via SLIP or PPP. It has an assigned
IP address of 111.222.333.444. Its modem2 is set up to allow callers to log in
and start a SLIP or PPP link.

The second system (which does not have to run Linux) dials into the Linux
machine and starts a SLIP or PPP link. It does not have an assigned IP address
on the Internet, so it uses 192.168.1.100. (See also the description below.)

With ip_masquerade and an appropriate routing configuration, the machine Anybox
can communicate with the Internet just as if it were really connected (with a
few exceptions).
Pauline Middelink:
Don't forget to mention that Anybox should treat the Linux machine as its
gateway (whether as the default route or just for a subnet). If Anybox cannot
do this, the Linux machine should do proxy ARP (proxy Address Resolution
Protocol) for all the routed addresses, but proxy ARP is beyond the scope of
this document.

The following is an excerpt from a post on comp.os.linux.networking, edited a
little to match the example above:
. I tell the machine Anybox that the Linux machine running SLIP is its gateway.
. When a packet comes into the Linux machine from Anybox, it assigns it a new
  source port number, puts its own IP address in the packet header, and stores
  the originals. It then sends the modified packet out over the SLIP or PPP
  interface to the Internet.
. When a packet comes from the Internet to the Linux machine, if the port
  number is one of those assigned above, it takes out the original port number
  and IP address, puts them back in the packet header, and sends the packet to
  Anybox.
. The host that sent the packet will never know the difference.
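
The rewrite steps in the list above, modelled as a small translation table. This is an added example, not code from the original HOWTO or from the kernel's ip_masq implementation; the class and function names, the starting port 61000, the remote addresses and the check that a reply comes from the contacted peer are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class MasqGate:
    """Toy model of the rewrite steps above; not the kernel's ip_masq code."""

    def __init__(self, public_ip, first_port=61000):  # port range: assumption
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_port = {}   # masq port -> original (src_ip, src_port, dst_ip, dst_port)
        self.by_flow = {}   # original flow -> masq port, so a flow keeps its port

    def outbound(self, pkt):
        """Packet from an inside machine: store the originals, rewrite the source."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet from the Internet: restore the originals, or return None."""
        flow = self.by_port.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or flow is None:
            return None                      # no entry for this port: not relayed
        in_ip, in_port, peer_ip, peer_port = flow
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None                      # added check: only the contacted peer
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)

def demo():
    gate = MasqGate("111.222.333.444")       # the sketch's address for the Linux box
    out = gate.outbound(Packet("192.168.1.100", 1025, "198.51.100.7", 80))
    reply = gate.inbound(Packet("198.51.100.7", 80, out.src_ip, out.src_port))
    stray = gate.inbound(Packet("203.0.113.9", 4444, "111.222.333.444", 61001))
    other = gate.inbound(Packet("203.0.113.9", 80, out.src_ip, out.src_port))
    return out, reply, stray, other

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Only the reply to a flow that Anybox opened is relayed inside; a packet to a port with no table entry, or from a host Anybox never contacted, returns None.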
An example of IP masquerading:
The figure below is a typical example:

     ----------
    |          |  Ethernet
    |   ABOX   |::::::
    |          |2    :192.168.1.x
     ----------      :
                     :    -----------    PPP
     ----------      :  1|   Linux   |   link
    |          |     ::::| Masq-Gate |:::::::::: // Internet
    |   BBOX   |::::::   |           |
    |          |3    :    -----------
     ----------      :
                     :
     ----------      :
    |          |     :
    |   CBOX   |::::::
    |          |4
     ----------

    <-Internal network->
In this example we are concerned with 4 computer systems (there must also be
something far away that gives your IP connection access to the Internet, and
something (far beyond this page) on the Internet that you are interested in
exchanging information with). The Linux system Masq-Gate is the masquerading
gateway to the Internet for the internal network machines ABOX, BBOX and CBOX.
The internal network uses one of the assigned private network addresses, in
this case the Class C network 192.168.1.0; the Linux machine has the address
192.168.1.1 and the 'other' systems also have addresses on this network.

These three machines ABOX, BBOX and CBOX (which can run any operating system,
such as Windows 95, Macintosh MacTCP or even another Linux machine, as long as
it understands IP) can connect to other machines on the Internet. However, the
masquerading system converts all of their connections so that they appear to
come from the masquerading gateway itself, and arranges for the data that comes
back on a masqueraded connection to be relayed back to the originating system.
So the systems on the internal network see a direct route to the Internet and
do not know that their data is being masqueraded.
2.6. Using IP Masquerade on Linux 2.x
. Kernel 2.0.x source, available from
  ftp://ftp.funet.fi/pub/linux/kernel/src/v2.0/
  (Yes, you will have to compile your kernel with certain support added ...
  The latest stable version is recommended.)
. Loadable kernel modules, preferably 2.0.0 or newer, available from
  http://www.pi.se/blox/modules/modules-2.0.0.tar.gz
  (at least modules-1.3.57)
. A well set up TCP/IP network
  Covered in the Linux NET-2 HOWTO
. An Internet connection for your Linux host
  Covered in the Linux ISP Hookup HOWTO,
  Linux PPP HOWTO and
  Linux PPP-over-ISDN mini-HOWTO
. Ipfwadm 2.3 or newer, available from
  ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.tar.gz
  More information about version requirements is on the Linux Ipfwadm page.
. You can optionally apply some IP Masquerade patches to enable other features.
  More information is available from IP Masquerade Resources
  (all 2.0.x kernels)
3. Setting Up IP Masquerade
If your private network contains any important information, think twice before
using IP Masquerade. It may become your gateway to the Internet and, vice
versa, it may become the way for someone elsewhere in the world to get into
your private network.
3.1. Compiling the kernel with IP Masquerade support
. First, you need the kernel source (preferably a stable version, 2.0.0 or
  above).
. If this is your first time compiling the kernel, don't be afraid. In fact, it
  is very easy, and it is covered in the Linux Kernel HOWTO.
. Unpack the kernel source into /usr/src/ with the command:
    tar zxvf linux-2.0.x.tar.gz -C /usr/src
  where x is the patch level after 2.0
  (make sure there is a directory or symbolic link called linux).
. Apply the appropriate patches. Since new patches keep coming out, the details
  are not included here. For the latest information, please refer to IP
  Masquerade Resources.
. For further instructions on compiling a kernel, please refer to the Kernel
  HOWTO and the README file in the kernel source directory.
. Here are the options you need to compile in:
  Answer YES to the following options:
  * Prompt for development and/or incomplete code/drivers
    CONFIG_EXPERIMENTAL
    - this lets you select the experimental ip_masq code to be compiled into
      the kernel
  * Enable loadable module support
    CONFIG_MODULES
    - lets you load modules
  * Networking support
    CONFIG_NET
  * Network firewalls
    CONFIG_FIREWALL
  * TCP/IP networking
    CONFIG_INET
  * IP: forwarding/gatewaying
    CONFIG_IP_FORWARD
  * IP: firewalling
    CONFIG_IP_FIREWALL
  * IP: masquerading (EXPERIMENTAL)
    CONFIG_IP_MASQUERADE
    - although it is experimental, it is a *must*
  * IP: always defragment
    CONFIG_IP_ALWAYS_DEFRAG
    - highly recommended
  * Dummy net driver support
    CONFIG_DUMMY
    - recommended
  Note: these are only the options needed for IP_MASQ; you also need to select
  whatever other options your own setup requires.
. After compiling the kernel, you should compile and install the modules:
    make modules; make modules_install
. Then add a few lines to /etc/rc.d/rc.local (or whichever file you think
  appropriate) to load the required modules from /lib/modules/2.0.x/ipv4/
  automatically at each boot:
    .
    .
    .
    /sbin/depmod -a
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio
    /sbin/modprobe ip_masq_irc
    (and other modules such as ip_masq_cuseeme, ip_masq_vdolive, if
    you have applied the appropriate patches)
    .
    .
    .
  Note: you can also load them manually before using IP_MASQ, but do not use
  kerneld to load them; that does not work!
3.2. Assigning private network IP addresses
Since none of the 'other' machines have officially assigned addresses, there
must be a proper way to allocate addresses to these machines.

From the IP Masquerade FAQ:
There is an RFC (#1597) on which IP addresses are to be used on networks that
are not connected to the outside. There are three blocks of numbers set aside
specifically for this purpose. One of them that I use is the 255 Class-C
subnets from 192.168.1.n to 192.168.255.n.

From RFC 1597:
Section 3: Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the following
three blocks of the IP address space for private networks:
  10.0.0.0 - 10.255.255.255
  172.16.0.0 - 172.31.255.255
  192.168.0.0 - 192.168.255.255
We will refer to the first block as the "24-bit block", the second as the
"20-bit block", and the third as the "16-bit block". Note that the first block
is just a single Class A network number, the second block is a set of 16
contiguous Class B network numbers, and the third block is a set of 255
contiguous Class C network numbers.

So, if you are using a Class C network, your machines should be
192.168.1.1, 192.168.1.2, 192.168.1.3, ..., 192.168.1.x.

192.168.1.1 is usually the gateway machine, that is, the Linux host that
connects to the Internet. Note that 192.168.1.0 and 192.168.1.255 are the
network and broadcast addresses respectively, and are reserved. Avoid using
these addresses on your machines.
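
A check of an internal address plan against the rules in this section: the network must lie inside one of the three private blocks, and no machine may use the network or broadcast address. This is an added example, not part of the original HOWTO; the function name and the sample host list are constructed for illustration.

```python
import ipaddress

# The three private blocks quoted above from RFC 1597, written as prefixes:
# "24-bit block" = /8, "20-bit block" = /12, "16-bit block" = /16.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(network, gateway, hosts):
    """Return (address, problem) pairs found in an internal address plan."""
    net = ipaddress.ip_network(network)
    problems = []
    if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
        problems.append((str(net), "network is not inside a private block"))
    seen = set()
    for addr in [gateway] + list(hosts):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append((addr, "outside " + str(net)))
        elif ip == net.network_address:
            problems.append((addr, "reserved network address"))
        elif ip == net.broadcast_address:
            problems.append((addr, "reserved broadcast address"))
        elif ip in seen:
            problems.append((addr, "duplicate address"))
        seen.add(ip)
    return problems

# Constructed sample plan for the Class C network used in this document.
SAMPLE_HOSTS = ["192.168.1.2", "192.168.1.0", "192.168.1.255",
                "192.168.2.5", "192.168.1.2", "192.168.1.1"]

if __name__ == "__main__":
    for addr, problem in check_plan("192.168.1.0/24", "192.168.1.1", SAMPLE_HOSTS):
        print(addr, "->", problem)
```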
3.3. Configure "Other" machines
Besides setting the appropriate IP address for each machine, you should also
set the appropriate gateway. Generally speaking, this is very straightforward:
you simply enter the address of the Linux host (usually 192.168.1.1) as the
gateway address.

For the Domain Name Service, you can add any DNS that is available. The most
likely one is the one your Linux host uses. You can also optionally add any
domain search suffix.

After you have reconfigured these IP addresses, remember to restart the
appropriate services or reboot.

The following configuration examples assume that you are using a Class C
network with 192.168.1.1 as the address of the Linux host. Please note that
192.168.1.0 and 192.168.1.255 are reserved.
3.3.1. Configuring Windows 95
1. If you haven't installed a network card and its adapter driver, do it now.
2. Go to 'Control Panel'/'Network'.
3. If 'TCP/IP protocol' is not in your network configuration, add it.
4. In 'TCP/IP properties', select 'IP Address' and set the IP address to
   192.168.1.x, (1
5. Add 192.168.1.x under 'Gateway' as your gateway.
6. Under 'DNS Configuration'/'DNS Server', add the DNS that your Linux host uses (usually found in /etc/resolv.co