Home > Articles > Operating Systems, Server > Linux/UNIX/Open Source

IP Masquerading Concepts Under LINUX 2.2

Feb 2, 2001

␡

IP Masquerading Concepts Under LINUX 2.2
Configuring IP Masquerading
Using IP Masquerading Every Day

⎙ Print

< Back Page 2 of 3 Next >

Configuring IP Masquerading

Now that you know what masquerading can do, and have an idea about how it does it, you need to know how to go about enabling support for it and configuring masquerading rules. As with other kernel facilities, you must select it during the kernel configuration process, compile a new kernel, and then reboot to be able to use IP masquerading.⁴

The generic IP masquerading code is in /usr/src/linux/net/ipv4/ip masq.c, and handles the straightforward TCP, UDP, and ICMP protocols. When you compile a kernel only with IP: Masquerading, you will have support for TCP and UDP. You should set IP: ICMP masquerading if you also want ICMP packets to be masqueraded. (This enables some conditional parts of the code in ip masq.c.)

In either case, be sure to set IP: always defragment whenever using masquerading. This has the effect of coalescing any packet fragments into the original (larger, unfragmented) packet before handing them to the kernel's forwarding code. This is necessary because the masquerading code in the kernel won't be able to recognize fragments from masqueraded connections without knowing the source and destination IP and ports. Additional protocol support is automatically built as modules when you build a kernel with masquerading support. (Just don't forget to load these modules into the running kernel before using them.) Listing 1 shows the full set of options.

Listing 1 Compiling Support for IP Masquerading into the 2.2.x Kernel

Networking options --->
    <*> Packet socket
+   [*] Network firewalls
    <*> Unix domain sockets
    [*] TCP/IP networking
    [*] IP: advanced router
+   [*] IP: firewalling
+   [*] IP: always defragment (required for masquerading)
+   [*] IP: masquerading
    --- Protocol-specific masquerading support will be built as modules.
+   [*] IP: ICMP masquerading	
Filesystems --->
    [*] /proc filesystem support

Configuring IP Masquerading with ipchains

As with IP accounting and firewalling, once you have a kernel with masquerading support, you use ipchains (for 2.2.x kernels) to configure rules. In this case, the rules are part of the packet-forwarding mechanism (as compared to the input, output, or accounting mechanisms). Masquerading with ipchains uses the same syntax as with other ipchains functions, such as configuring IP accounting and establishing packet filters, but with different arguments to indicate that we're masquerading. (See the man page for ipchains for more information about the general syntax.)

Managing rules consists of entering them, viewing them, editing them, and removing them. Entering them involves specifying pattern-matching criteria along with the option(s) to tell the kernel to perform masquerading when a match occurs. Recall that ipchains uses the concept of targets, so masquerading occurs when a packet matches a rule with a target of MASQ. Furthermore, only packets that are being forwarded can be masqueraded.

Adding IP Masquerading Rules with ipchains

All packets being forwarded automatically traverse the built-in forward chain. To masquerade them, add a rule to the forward chain with a target of MASQ. Alternatively, you can add a rule to the forward chain that has a user-defined chain as its target, and somewhere along this chain is a rule with the built-in target MASQ. Perhaps a few examples will clear this up:

#  masquerade EVERYTHING
###  insert a rule that masquerades everything that the
###  kernel forwards, using the built-in "forward" chain
###
### (note that not specifying any matching criteria means
### that all packets will be matched)
erbium:/root> ipchains -I forward 1 -j MASQ
#  masquerade packets forward out over ppp0
###  create a user-defined chain named "ipmasq" and append it to
###  the built-in "forward" chain, and then add a rule to masquerade
###  packets that will be forwarded over the ppp0 interface
erbium:/root> ipchains -N ipmasq
erbium:/root> ipchains -A forward -j ipmasq
erbium:/root> ipchains -A ipmasq -i ppp0 -j MASQ

You may want to masquerade traffic only from certain subnets or traffic destined for a particular subnet. To do this, use the -s and -d switches (among others) to specify packet-matching criteria. For example, in contrast to the rules above, we might find it conceptually simplest to masquerade only traffic bound for the client's network instead of trying to figure out what interface is forwarding the traffic. So we would use rules such as these:

#  masquerade packets destined for host 10.10.34.216
###  use the /maskbits notation for the subnet mask
erbium:/root> ipchains -A forward -d 10.10.34.216/32 -j MASQ
### is equivalent to:
erbium:/root> ipchains -A forward -d 10.10.34.216/255.255.255.255 -j MASQ
### is equivalent to:
erbium:/root> ipchains -A forward -d 10.10.34.216 -j MASQ

Sometimes it's easier to specify what it is that you don't want to masquerade. For example, you may have a topology where the firewall is performing masquerading, but several machines located outside the firewall have routes for your internal networks. You don't want connections to these machines from internal machines to be masqueraded, because any meaningful information about the source IP address is lost. If the internal network you need to masquerade is 192.168.0.0/255.255.0.0, and the external network is 210.56.12.64/255.255.255.192, you can set the rules as follows:

#  masquerade everything from the internal network
#  to everywhere except the perimeter net
###  masquerade for almost all destinations
erbium:/root> ipchains -I forward -s 192.168.0.0/16                  -d ! 210.56.12.64/25 -j MASQ
#  OR, an alternative solution
###  masquerade for all destinations
erbium:/root> ipchains -A forward -s 192.168.0.0/16 -j MASQ
### forward _without_ masquerading to the perimeter net
erbium:/root> ipchains -I forward -d 210.56.12.64/25

By using user-defined chains and the special targets MASQ and RETURN, you can create very intricate rulesets that masquerade only certain types of connections and provide accounting for different aspects of the process. Refer to the man page for more information about managing rules using ipchains.

Modifying IP Masquerading Rules with ipchains

A little time spent with the ipchains man page, and you'll be familiar with methods of manipulating existing rules. Being able to make modifications to chains (such as inserting rules into chains at arbitrary locations) is quite handy because, unlike IP accounting, masquerading rules are sensitive to order. Here's a synopsis of useful command forms:

`ipchains -R`	`chain n rule`	Replaces the n^th rule for chain `chain` with the new rule specified by `rule`. (Rules are numbered starting at 1.)
`ipchains -D`	`chain n`	Deletes the n^th rule from chain `chain`. If you'd rather specify the rule explicitly, just use it in place of the number.
`ipchains -I`	`chain n rule`	Inserts the `rule` given into the n^th position for chain `chain`, moving each of the existing rules down. (Rules are numbered starting at 1.) Omitting the position argument defaults to the first position in the list.

Viewing IP Masquerading Rules with ipchains

You can view the counters associated with rules by listing (-L) the rules on a chain, along with some switches to increase the amount of detail (normally -v, -n, and -x):

###  list masquerading rules
###  (headers/output split into two lines)
erbium:/root> ipchains -L forward -n -v
Chain forward (policy ACCEPT: 33 packets, 1686 bytes):
 pkts  bytes  target   prot   opt     tosa  tosx   ifname      mark    outsize
   33   1686  MASQ     all    ------  0xFF  0x00   eth1
                     source     destination    ports
                     0.0.0.0/0  0.0.0.0/0      n/a

Some additional notes about viewing the rules:

-n prevents name resolution from occurring.
-v makes the output more verbose, adding the packet (pkts) and byte (bytes) counter fields, the interface field (ifname), the TOS masks (tosa and tosx), and the mark and outsize fields.
-x is useful only in combination with -n. It prevents conversion of the byte and packet counters into larger units of K, M, or G.
If you don't specify a chain name, all chains will be listed. If you only want to see rules that result in masquerading, grep the output for MASQ.
If you don't specify the verbose switch, you won't see the interface field (an oversight, in my opinion), which is important unless you do all your masquerading based solely on source or destination address.

Viewing Active Masqueraded Connections

You can view the current list of masqueraded connections with ipchains. This is the syntax:

ipchains -M -L [-n] [-v]

-n prevents hostname and portname lookups. Its use is optional.
-v (verbose) includes the initseq, delta, and prevd fields in the output:

initseq shows the initial sequence number.
delta shows the difference between the client's opinion of the current sequence number (read from its most recent packet) and the server's opinion of the current sequence number.
prevd shows the previous delta value.

Listing 2 shows ipchains in action:

Listing 2 Viewing Active Masqueraded Connections

#  ipchains -M -L
IP masquerading entries
prot  expire   source               destination     ports
TCP   03:57.   94 192.168.107.223   195.20.227.241  3160 (62041) -> 80
TCP   01:22.   40 192.168.104.221   193.71.196.106  1185 (62057) -> 80
TCP 01:22.46   192.168.104.221      193.71.196.106  1182 (62054) -> 80
TCP 14:27.44   192.168.104.221      193.71.196.101  1184 (62056) -> 80
TCP 11:58.10   192.168.108.220      204.71.200.55   1099 (63099) -> 5050
UDP 01:57.29   192.168.101.14       24.112.240.60   1076 (62219) -> 53

Each line of the output represents a masqueraded connection; there are five actively masqueraded connections at this time. For the 192.168.104.221 client, notice that a masqueraded connection refers to every unique port pair between a client and server; there are two active connections from this client to the same server.

The expire field shows the time remaining before the masquerading is taken down for this connection, in minutes:seconds.hundredths. The ports field is in the format client (router) server. The router port is the port to which the server will reply to a client request. After unmasquerading the packet, the router sends it back to the client at the client port.

Why is the expire field necessary? If someone initiates a TCP connection, but then some evil occurs and he or she is unable to take down the connection gracefully, the masquerading router will sit forever waiting for more packets because it never saw the stream taken down properly. Since UDP is stateless, the situation is even more dire; the router is never able to intercept any information about the final packet in a UDP sequence. During their normal operation, both types of masquerading use ports on the router. If the masquerading never timed out, some of these ports would linger forever… or until the next reboot, which would probably have to occur when all 65535 ports on the system were exhausted. The expire timer is reset each time the connection is used, and starts counting down. If the clock reaches zero before another packet is sent or received via the connection, the masquerading for that session is torn down.

Modifying Masquerade Expiration Timeouts with ipchains

You can modify the expire timeout values to something other than the defaults set in ip masq.h. Those defaults are 15, 2, and 5 minutes for TCP sessions, TCP in the FIN WAIT state (after receiving a FIN packet), and UDP packets, respectively. There is also a default for ICMP (about two minutes), which can be set only by modifying the header file and recompiling the kernel. The syntax to modify the TCP and UDP values is as follows:

ipfwadm -M -S tcp tcpfin udp

Note that you must specify all three of the timeout parameters, which measure in seconds. If you want to leave a setting at its current value, specify a timeout of 0. You may find tuning this useful if you have the habit of logging into a remote site over a masqueraded connection and don't want to be logged out after 15 minutes of inactivity.

IP Masquerading Information in /proc

Another way to view rules, counters, and expire timeouts is to poke around in the /proc filesystem. The amount of information you can find here has been increased with the 2.2.x kernel. Some highlights are listed in the following table; all pathnames are relative to /proc/net.

File	Description
`ip fwnames`	Lists all chains, including the chain name, default policy, reference count, packet count watermarks (high and low), and byte count watermarks (high and low).
`ip fwchains`	Contains all rules from all chains (the chain's name is the first field). This is merely a quick way to list all active rules.
`ip masquerade`	Lists the current masqueraded connections in raw format, along with the number of free ports available for UDP, TCP, and ICMP masquerading. (See the sample output after this list for more information.)
`ip masq/app`	Contains the active reference counts for the kernel built-in masquerading protocol modules. It has four fields:
	`prot`—one of `TCP`, `UDP`, or `ICMP`.
	`port`—the port that needs to be monitored to properly masquerade the protocol
	`n attach`—the number of active masquerading connections using the module and port
	`name`—the protocol name; that is, the protocol module's name sans `ip masq`
`ip masq/icmp`	Available when `CONFIG IP MASQUERADE MOD` is enabled in the kernel—provides support for special modules that can modify the rewriting rules used when masquerading. It gives the user-space program `ipmasqadm` access to the kernel data structures.
`ip masq/tcp`	See `ip masq/icmp`.
`ip masq/udp`	See `ip masq/icmp`.

Probably the most interesting of these for day-to-day use is /proc/net/ip masquerade. Besides displaying the actively masqueraded connections in raw format, it shows the number of ports available for masquerading each type of connection:

erbium:/root>  cat  /proc/net/ip_masquerade
Prc  FromIP  FPrt  ToIP   TPrt   Masq  Init-seq  Delta  Pdelta  Expires
(free=40959,40956,40960)
TCP  C0A80102:0464 D08C7063:006E F658  00000000     0       0       479
TCP  C0A80102:0466 1801F046:006E F65A  00000000     0       0      1145
UDP  C0A80102:0434 1801F021:0035 F30B  00000000     0       0     18839
TCP  C0A80102:0448 D0EDB215:0050 F65B  00000000     0       0     88925
TCP  C0A80102:0465 D11E0216:006E F659  00000000     0       0       847

This output shows that 40959 ports are available for masquerading UDP connections, 40956 for TCP connections, and 40960 for ICMP connections. Five connections are currently masqueraded, and the number of clicks remaining for their expire timers are expressed in hundredths of seconds.

If you suspect that you're low on ports for masquerading, you may just have a busy site. On the other hand, you may want to check here to see what the kernel thinks, and you may need to compile a new kernel to adjust the number of ports available. The values to change are PORT MASQ BEGIN and PORT MASQ END in /usr/src/linux/include/net/ip masq.h. After modifying the source, you have to recompile the kernel and reboot for the change to take effect. (If you worked with the 2.0 kernel, notice that the number of free ports assigned to masquerading by default is increased by a factor of 10 for the 2.2.x kernel versions.)

One last note about using ipchains to configure your rules. Store the rules in a script once you get them the way you want them, or they'll be lost during the next reboot. You may even want to save a hard copy of the forwarding/masquerading rules. If you don't like the idea of configuring these rules by hand, check the next section for information about configuration tools.

IP Masquerading Configuration Tools

IP masquerading is a very commonly performed task. As such, a lot of work has been put into making it easier to configure. Now that you know what lies beneath, here are some packages that might aid you in configuring it for your system.

ipmasq is a native Debian package based on the scripts in the LDP's IP Masquerade mini-HOWTO. If you want to use the package without running Debian, you can retrieve the source from any Debian mirror site. The following is taken from the description that accompanies the package:

By default, this package configures the system as a basic forwarding firewall, with IP spoofing and stuffed routing protection. The firewall will allow hosts behind the firewall to get to the Internet, but not allow connections from the Internet to reach the hosts behind the firewall. However, ipmasq now features a very flexible framework where you can override any of the predefined rules if you so choose. It also allows you to control if the rules are reinterpreted when pppd brings a link up or down. This package should be installed on the firewall host and not on the hosts behind the firewall.
dotfile-ipfwadm is a module for dotfile. This package uses a Tcl/Tk interface to allow you to graphically build your own accounting, forwarding, input, output, and masquerading rules. It can be very helpful for quickly developing a set of rules, which it outputs to a file. You can then tweak the rules as needed. It allows you to select just the options that are applicable to your running kernel. For non-Debian systems, check to see whether dotfile is available; otherwise visit http://www.imada.ou.dk/~blackie/dotfile/. (Note: This currently supports only ipfwadm commands for the 2.0 kernel.)
netbase contains a command called ipfwadm-wrapper. This package will be installed on your system in any event, but it's nice to be aware of ipfwadm-wrapper when converting to ipchains.
MasqDialer (Debian package masqdialer) is suited to replace a great deal of scripting that you would end up doing by hand on a dial-out router.

The masqdialer system is designed to provide easily accessible control of multiple dial-out modem connections to the members of a LAN using IP masquerade for their Internet connectivity. The system is a client/server design, so as long as a client can be written for a particular platform, that platform can take advantage of masqdialer's offerings. The masqdialer daemon runs on the Linux machine, and upon an authorized client request, carries out the user's request.

MasqDialer's home Web site is http://freshmeat.net/projects/masqdialer/. There is a GUI front end for managing the server available in the Debian package tkmasqdialer. You'll also need the mclient package, which is a command-line client used to communicate with the server.

< Back Page 2 of 3 Next >

🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Privacy Notice

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
Such marketing is consistent with applicable law and Pearson's legal obligations.
Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

As required by law.
With the consent of the individual (or their parent, if the individual is a minor)
In response to a subpoena, court order or legal process, to the extent permitted or required by law
To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
To investigate or address actual or suspected fraud or other illegal activities
To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020

Email Address