You will probably be wondering why I made that example, or on what television show you have seen the same. Well, it is quite simple: person B is the internet, person A is a masqueraded client and person C is the masqueraded server.
To understand it, I'll first give a short introduction to TCP/IP.
TCP/IP stands for Transmission Control Protocol / Internet Protocol. It
is widely used for data communication among computers (before TCP/IP, everybody
used UUCP = Unix to Unix Copy Protocol). TCP/IP is literally a protocol
that controls your communication; it also uses IP numbers. IP numbers consist
of 12 digits grouped by 3 (123.456.789.123). Every computer attached
to a network (and to the internet) has its own unique IP number. TCP/IP
works like the following (A.A.A.A and B.B.B.B stand for the IP numbers of the
two computers talking to each other).
=> I am A.A.A.A and I want to contact B.B.B.B
-> I am B.B.B.B, did you call me?
=> I am A.A.A.A and I contacted you
-> I am B.B.B.B and ready
=> I am A.A.A.A and I want that file
-> I am B.B.B.B and I am sending the first part to A.A.A.A
=> I am A.A.A.A and I have received it.
-> I am B.B.B.B and I am sending the second part to A.A.A.A
=> I am A.A.A.A and I haven't received anything
-> I am B.B.B.B and I am sending again
=> I am A.A.A.A and I have received it.
-> I am B.B.B.B and I am waiting.
=> I am A.A.A.A and I am ready, bye
-> I am B.B.B.B, bye
I know this may seem a little childish, but data communication (and TCP/IP) works like that.
Now you should be able to understand the image. You see a computer with
local IP 10.0.0.1 which is connected to the internet by a telephone line
and has been given an IP number by its ISP (Internet Service Provider); that
IP is A.A.A.A (a placeholder here for whatever address the ISP hands out).
What does this mean? If someone on the internet tried to contact A.A.A.A
they would get a response, but if they tried to contact 10.0.0.1 they would
not get a response, although it is the same computer, because the IP 10.0.0.1
isn't recognized worldwide. Then we have 10.0.0.2 to 10.0.0.x, which are
connected to 10.0.0.1. In this case we could consider 10.0.0.1 a gateway
(a gateway is a sort of exit to another network; a gateway could be a link
between 10.0.1.x and 10.0.0.x, but for that the machine must be recognized
by both 10.0.1.x and 10.0.0.x, or in other words it should have 2 network
cards, or in this case a modem and a network card). So we could consider it
a gateway, but there is one catch that stops 10.0.0.1 from being a gateway
for the machines behind it: the internet wouldn't recognize them, for the
simple reason that nobody out there has a route to 10.0.0.x.
=> I'm 10.0.0.2 and I want to contact you
-> I'm B.B.B.B and I have no idea how to reach you, go away (this message isn't really sent back, because there is no logical route between the two computers; the attempt is simply logged)
So what does masquerading actually do? Well, it lends its own IP (A.A.A.A, the IP that is attached to the ISP, handed out by DHCP for example) to the entire network and remembers which computer requested which packet. Something like:
=> I'm 10.0.0.2 and I want to contact B.B.B.B
-> I'm 10.0.0.1 and I will be processing your request
-> I'm A.A.A.A and I want to contact B.B.B.B
=> I'm B.B.B.B and awaiting your command
I hope this cleared up a lot. So a masqueraded server gives its IP (in fact it masks the IPs of the network) in order for the other PCs to get on the internet, and the incoming data is passed back to the right machine on the 10.0.0.x network.
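As an added example (not code from this tutorial or from Black Sun Research Facility), here is a small Python model of the exchange above, including the "no idea how to reach you" case: the gateway rewrites the source of every packet leaving 10.0.0.x to its own public address with a port of its own, keeps a table of who asked, and maps replies back; a reply that matches no table entry goes nowhere. The class and function names (Masquerader, walk_through) are my own, and all addresses are constructed: 203.0.113.1 and 198.51.100.10 are RFC 5737 documentation addresses standing in for the ISP-assigned IP and a server out on the internet.

```python
# Added example, not the tutorial's code: a toy model of the masquerading gateway.
# Outgoing packets from 10.0.0.x get the gateway's public address (and a port of
# its own) as source; the gateway remembers which inside machine asked and maps
# the reply back.  A 10.0.0.x address sent straight to the internet is unroutable,
# and a reply with no table entry is dropped.  All addresses are constructed.
import ipaddress
from dataclasses import dataclass, replace

GATEWAY_PUBLIC = "203.0.113.1"      # stands in for the ISP-assigned address
REMOTE_SERVER = "198.51.100.10"     # some server out on the internet
# Addresses the internet does not carry (the text's "isn't recognized worldwide").
# RFC 1918 also reserves 172.16.0.0/12 and 192.168.0.0/16; this page only uses 10.x.
UNROUTABLE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


def internet_routes(pkt):
    """The internet refuses a packet that names a private address on either end:
    it could not deliver to one, and could not return a reply to one."""
    return all(ipaddress.ip_address(a) not in UNROUTABLE for a in (pkt.src, pkt.dst))


class Masquerader:
    """Toy masquerading table: public port -> (inside address, inside port).
    The 2.x kernels used ports from 61000 upward for this; the value is only
    an assumption here."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_port = {}     # public port -> (inside ip, inside port)
        self.by_flow = {}     # (inside ip, inside port, dst ip, dst port) -> public port
        self.dropped = []     # replies that matched no entry

    def outbound(self, pkt):
        """Rewrite an inside packet so it appears to come from the gateway."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:                       # first packet of this flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Map a reply back to the inside machine, or drop it if nobody asked."""
        entry = self.by_port.get(pkt.dport) if pkt.dst == self.public_ip else None
        if entry is None:
            self.dropped.append(pkt)
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


def walk_through():
    """Run the scenario from the text and return the pieces worth checking."""
    gw = Masquerader(GATEWAY_PUBLIC)
    request = Packet("10.0.0.2", 1024, REMOTE_SERVER, 80, "I want that file")

    # 1. 10.0.0.2 tries the internet directly: "no idea how to reach you, go away".
    direct_ok = internet_routes(request)

    # 2. Same request through the gateway: the server only ever sees 203.0.113.1.
    masked = gw.outbound(request)
    reply = Packet(REMOTE_SERVER, 80, masked.src, masked.sport, "first part")
    delivered = gw.inbound(reply) if internet_routes(masked) and internet_routes(reply) else None

    # 3. A second inside machine gets a port of its own, so replies are not mixed up.
    masked2 = gw.outbound(Packet("10.0.0.3", 1024, REMOTE_SERVER, 80, "me too"))

    # 4. An unsolicited packet to the public address matches nothing and is dropped.
    stray = gw.inbound(Packet(REMOTE_SERVER, 80, GATEWAY_PUBLIC, 22, "anyone home?"))

    return {"direct_ok": direct_ok, "masked": masked, "delivered": delivered,
            "masked2": masked2, "stray": stray, "gateway": gw}


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(name, value)
```

The thing to notice when running it is that the remote server never learns any 10.0.0.x address, and that a packet arriving at the public address without a matching table entry is simply dropped: with plain masquerading, nothing on the internet can open a connection to the machines behind the gateway unless the gateway has been told to forward that port.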
=> Prompt for development and/or incomplete code/drivers
=> Enable loadable module support
=> IP: ipportfw masq support
=> IP: ipautofw masq support
=> Dummy net driver support
=> IP: ip fwmark masq-forwarding support
Note that the above options are only the ones required for IP masquerading, so you
still need the other options your kernel normally has. When you are finished you will be
prompted to save changes. The following commands, run as root from inside
/usr/src/linux, do the actual compiling and may take from 10 to 40 minutes, and
will show many characters on your screen which you may not understand; don't
worry, it is normal.
[root@host linux]$ make dep
[root@host linux]$ make clean
[root@host linux]$ make bzImage
[root@host linux]$ cp /usr/src/linux/arch/i386/boot/bzImage /boot/kernel
[root@host linux]$ make modules
[root@host linux]$ make modules_install
At this point you should edit your /etc/lilo.conf file. You should add something like
root=/dev/hdax (replace this by your root filesystem, harddisk, partition, ..)
This makes your boot manager find your new kernel at boot. So if you see the lilo prompt the next time, you should type masqkernel
[root@host linux]$ lilo
added linux-2.2.5-15 *
Now you should edit your /etc/rc.d/rc.local file so the modules needed are automatically loaded at boot.
These modules are needed for ftp, real audio and irc. There is only one thing to do besides rebooting, and that is enabling your IPv4 forwarding.
[root@host linux]$ echo "1" > /proc/sys/net/ipv4/ip_forward
Since values written under /proc do not survive a reboot, put that line in rc.local as well. Now you should reboot your system with your newly made kernel and see if everything boots properly; if not, you should redo the above steps until you have a properly working kernel.
For any further questions, you can mail GoMoRRaH, a member of Black Sun Research Facility