IP Masquerading
Homes and Businesses:
When you only have one IP
but you have LOTS of machines
The problem
• Extra IPs are an additional cost of your
internet service.
– Masquerading lets you hook up multiple
machines to the same IP.
• Some companies want TCP/IP services and
set up a network not connected to the
internet to use internal services such as
www.
– Eventually they want to connect and don’t want
to have to reconfigure the entire network.
Unconnected Network
• If the network is configured with IPs
defined for unconnected service (like
192.168.x.x), masquerading lets you
connect with minimal changes.
• Those special IPs should never directly use
the internet as others might also be using
the same numbers.
• Masquerading maps the numbers
Multiple machine to ONE IP
• Basically the same problem as
unconnected networks.
• Use the special IPs and have a program
translate your special IPs into real IPs.
How does it work?
Focus on FROM (not TO) of request: TO is the same for both sides of the request.
[Figure: router with real IP 137.155.37.33 between the internet and the internal machines 192.168.1.2 and 192.168.1.3]
Outbound request:
  Internal machine sends:  From 192.168.1.2:100
  Router table entry:      192.168.1.2:100 -> 137.155.37.33:34567
  Outside sees:            From 137.155.37.33:34567
Reply (use same entry for reverse traffic):
  Outside sends:           To 137.155.37.33:34567
  Router rewrites it to:   To 192.168.1.2:100
OUTSIDE NEVER SEES NET 192.168.1.x, only 137.155.37.33!
Problem/Considerations
[Figure: two internal machines, each with a ports range 0-65536 (65536 ports), behind a router whose own ports range is 0-65536]
Two internal machines have 2*65536 ports between them, but the router only has 65536 ports to map them onto.
Not a problem only because the internal machines seldom use a large number of the available ports.
Problem/Considerations
[Figure: internal SERVER (www) at 192.168.1.2 waiting on port 80, behind gateway 137.155.37.33]
To 137.155.37.33:80 -> NO SUCH SERVICE
To 192.168.1.2:80 -> ILLEGAL ADDRESS
No way to access the service.
-> Can’t provide external services from the inside.
(you can but it requires some extra effort
and another software package … more later)
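The three preceding slides (the FROM rewrite with a table entry reused for reply traffic, the shared 65536-port space, and the unreachable internal www server) all come down to one translation table in the router. The following is an added example, not code from the lecture: a toy model of that table in Python, using the slides' addresses (137.155.37.33 for the router, 192.168.1.2 and 192.168.1.3 inside) and a constructed outside host 198.51.100.10. It moves no real packets; the `Masquerader` class and its method names are assumptions made for illustration.

```python
# Added example (not from the lecture): a toy model of the masquerading router's
# translation table. Addresses follow the slides: 137.155.37.33 is the router's
# one real IP and 192.168.1.x is the unconnected internal network. The outside
# host 198.51.100.10 is a constructed documentation address. No real sockets.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Rewrites the FROM of outbound packets to the router's real IP and a
    router-chosen port, and uses the same table entry in reverse for replies."""

    def __init__(self, external_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.external_ip = external_ip
        self.next_port = first_port
        self.last_port = last_port
        # (internal ip, internal port) -> router port handed out for it
        self.outbound: Dict[Tuple[str, int], int] = {}
        # router port -> (internal ip, internal port), for the reply direction
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        # The router has one port space shared by every internal machine.
        if self.next_port > self.last_port:
            raise RuntimeError("router port space exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Internal -> outside: replace the private source with the real IP."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            ext_port = self._allocate_port()
            self.outbound[key] = ext_port
            self.inbound[ext_port] = key
        return Packet(self.external_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> internal: only packets matching an existing entry get
        through; anything else is dropped (returned as None)."""
        if pkt.dst_ip != self.external_ip:
            return None            # a 192.168.x.x destination is "ILLEGAL ADDRESS" here
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None            # "NO SUCH SERVICE": no table entry for this port
        int_ip, int_port = entry
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


OUTSIDE_HOST = "198.51.100.10"   # constructed outside host


def demo_request_and_reply():
    """The slide's example: 192.168.1.2:100 goes out as 137.155.37.33:34567,
    and the reply to that port comes back to 192.168.1.2:100. A second
    machine using the same source port gets its own router port."""
    nat = Masquerader("137.155.37.33", first_port=34567)
    out1 = nat.translate_outbound(Packet("192.168.1.2", 100, OUTSIDE_HOST, 80))
    out2 = nat.translate_outbound(Packet("192.168.1.3", 100, OUTSIDE_HOST, 80))
    reply = nat.translate_inbound(Packet(OUTSIDE_HOST, 80, out1.src_ip, out1.src_port))
    return out1, out2, reply


def demo_internal_server_unreachable():
    """The 'internal www server' slide: an unsolicited connection to port 80
    has no table entry, so the gateway cannot deliver it either way."""
    nat = Masquerader("137.155.37.33")
    via_router = nat.translate_inbound(Packet(OUTSIDE_HOST, 40000, "137.155.37.33", 80))
    direct = nat.translate_inbound(Packet(OUTSIDE_HOST, 40000, "192.168.1.2", 80))
    return via_router, direct


def demo_port_exhaustion() -> bool:
    """The 'ports' slide: many internal flows share one router port space."""
    nat = Masquerader("137.155.37.33", first_port=1, last_port=2)
    nat.translate_outbound(Packet("192.168.1.2", 1000, OUTSIDE_HOST, 80))
    nat.translate_outbound(Packet("192.168.1.3", 1000, OUTSIDE_HOST, 80))
    try:
        nat.translate_outbound(Packet("192.168.1.2", 1001, OUTSIDE_HOST, 80))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo_request_and_reply())
    print(demo_internal_server_unreachable())
    print(demo_port_exhaustion())
```

The reply direction is the security-relevant part: the router forwards an inbound packet only when an internal machine already created the entry, which is why the internal www server is unreachable by default and why the 192.168.1.x addresses never appear outside. The tiny port range in `demo_port_exhaustion` exaggerates the limit the slide describes; in practice the 65536-port space is shared, and it only works because internal machines rarely use many ports at once.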
How do you set it up?
• It’s actually packaged in a firewall solution
which effectively does
– packet level filtering AND
– masquerading
• This will be explained in the section
concerning setting up a firewall.
• In Linux
– ipchains or
– iptables