Masquerading Basics - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual
Hide thumbs
Also See for LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009:
- Administration manual (338 pages) ,
- Deployment manual (246 pages) ,
- Application manual (364 pages)
Table of Contents
Advertisement
15.2 Masquerading Basics
Masquerading is the Linux-specific form of NAT (network address translation). It can
be used to connect a small LAN (where hosts use IP addresses from the private
range—see Section "Netmasks and Routing" (Chapter 19, Basic Networking, ↑Admin-
istration Guide)) with the Internet (where official IP addresses are used). For the LAN
hosts to be able to connect to the Internet, their private addresses are translated to an
official one. This is done on the router, which acts as the gateway between the LAN
and the Internet. The underlying principle is a simple one: The router has more than
one network interface, typically a network card and a separate interface connecting
with the Internet. While the latter links the router with the outside world, one or several
others link it with the LAN hosts. With these hosts in the local network connected to
the network card (such as eth0) of the router, they can send any packets not destined
for the local network to their default gateway or router.
IMPORTANT: Using the Correct Network Mask
When configuring your network, make sure both the broadcast address and
the netmask are the same for all local hosts. Failing to do so prevents packets
from being routed properly.
As mentioned, whenever one of the LAN hosts sends a packet destined for an Internet
address, it goes to the default router. However, the router must be configured before it
can forward such packets. For security reasons, this is not enabled in a default installa-
tion. To enable it, set the variable IP_FORWARD in the file /etc/sysconfig/
sysctl to IP_FORWARD=yes.
The target host of the connection can see your router, but knows nothing about the host
in your internal network where the packets originated. This is why the technique is
called masquerading. Because of the address translation, the router is the first destination
of any reply packets. The router must identify these incoming packets and translate
their target addresses, so packets can be forwarded to the correct host in the local net-
work.
With the routing of inbound traffic depending on the masquerading table, there is no
way to open a connection to an internal host from the outside. For such a connection,
there would be no entry in the table. In addition, any connection already established
has a status entry assigned to it in the table, so the entry cannot be used by another
connection.
134
Security Guide
Advertisement
Table of Contents
