Masquerading means that local addresses are hidden. To the outside there is
only one address: that of your masquerading machine. This serves to hide
the LAN's architecture or simply to give internet access to machines
without an official IP address. Setting up masquerading is similar to setting
up a firewall; it involves both the kernel and the /etc/rc.config file.
Masquerading also needs to be supported by the kernel. Be sure to have these features set when you build your own kernel. All S.u.S.E. Linux kernels are preconfigured with firewall and masquerading features enabled; therefore it is not necessary to rebuild the kernel.
    Code maturity level options  --->
      [*] Prompt for development and/or incomplete code/drivers

    Networking options  --->
      [ ] Network firewalls
      [ ] Network aliasing
      [*] TCP/IP networking
      [*] IP: forwarding/gatewaying
      [ ] IP: multicasting
      [ ] IP: syn cookies
      [ ] IP: rst cookies
      [ ] IP: firewalling
      [ ] IP: firewall packet logging
      [*] IP: masquerading
      [ ] IP: transparent proxy support (EXPERIMENTAL)
      [*] IP: always defragment
      [*] IP: accounting
      [*] IP: optimize as router not host
      < > IP: tunneling
      --- (it is safe to leave these untouched)
      [ ] IP: PC/TCP compatibility mode
      < > IP: Reverse ARP
      [ ] IP: Disable Path MTU Discovery (normally enabled)
      [*] IP: Drop source routed frames
      [*] IP: Allow large windows (not recommended if <16Mb of memory)
Masquerading is controlled by a set of variables, very similar to the
firewall setup. The variables that need to be configured are in
/etc/rc.config and have the MSQ_ prefix:
    MSQ_START     Masquerading is only started if this is set to "yes"
    MSQ_DEV       Device where masquerading takes place.
    MSQ_NETWORKS  List of local networks that should be masqueraded.
    MSQ_MODULES   Modules that are needed for masquerading (see section below).
Not all protocols tolerate the replacement of IP addresses in their
packets: if the server tries to connect to the client, this is not
possible through a masquerading router. This is why you may include certain
modules for certain protocols. All modules given in MSQ_MODULES are
loaded into the kernel when masquerading is started.
With kernel version 2.0.33 these modules are available:
    Module            Protocol
    ---------------------------------
    ip_masq_cuseeme   CU-See-Me
    ip_masq_ftp       FTP
    ip_masq_irc       IRC
    ip_masq_quake     Quake
    ip_masq_raudio    Real Audio
    ip_masq_vdolive   VDO Live
Masquerading is set up by the script /sbin/init.d/masquerade.
It accepts three parameters:
    start   Activate masquerading
    stop    Deactivate masquerading
    list    Display masquerading rules
Here we give an example network. The IP addresses used internally are from a class C network, 192.168.100.0. There is only one official IP address available, 193.141.17.1. FTP as well as IRC should be possible.
                     I N T E R N E T
                            ^
                            |
                            | 193.141.17.1
                       MSQ router
                            | ..1          local network (192.168.100.0/24)
    <---+--------+--------+--------+------->
        | ..65   |..66    |..67    |..68
     Host A   Host B   Host C   Host D
Now you need to set the masquerading variables in /etc/rc.config as
given here:
    MSQ_START="yes"
    MSQ_DEV="isdn0"
    MSQ_NETWORKS="192.168.100.0/255.255.255.0"
    MSQ_MODULES="ip_masq_ftp ip_masq_irc"
Now you may activate the masquerading by entering:
/sbin/init.d/masquerade start
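
Only hosts inside a network listed in MSQ_NETWORKS are masqueraded, so a mistyped entry leaves them without internet access. The check below is an added example, not part of the original documentation or of the S.u.S.E. masquerade script; the function names ip_to_int, net_covers and msq_covered are hypothetical, and the sample values are constructed from the example network above.

```shell
#!/bin/sh
# Added example: verify that a host is covered by an MSQ_NETWORKS list
# whose entries use the network/netmask form shown in /etc/rc.config.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; fails on bad input.
ip_to_int() {
    case "$1" in *[!0-9.]*|*..*|.*|*.|"") return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_covers NETWORK/NETMASK HOST -> 0 if HOST is inside, 1 if not, 2 if malformed.
net_covers() {
    case "$1" in */*) ;; *) return 2 ;; esac
    net=$(ip_to_int "${1%/*}") || return 2
    mask=$(ip_to_int "${1#*/}") || return 2
    host=$(ip_to_int "$2") || return 2
    # A network address with host bits set is treated as a typo.
    [ $(( net & mask )) -eq "$net" ] || return 2
    [ $(( host & mask )) -eq "$net" ]
}

# msq_covered "NETWORK LIST" HOST -> 0 if any entry covers HOST,
# 1 if none does, 2 if an entry or the host address is malformed.
msq_covered() {
    for entry in $1; do
        rc=0; net_covers "$entry" "$2" || rc=$?
        case $rc in
            0) return 0 ;;
            2) echo "invalid address or entry: $entry / $2" >&2; return 2 ;;
        esac
    done
    return 1
}

# Constructed sample values based on the example network (hypothetical hosts).
MSQ_NETWORKS="192.168.100.0/255.255.255.0"
for h in 192.168.100.65 192.168.100.68 192.168.0.65; do
    if msq_covered "$MSQ_NETWORKS" "$h"; then
        echo "$h: covered, will be masqueraded"
    else
        echo "$h: NOT covered by MSQ_NETWORKS"
    fi
done
```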