- IP Masquerading Concepts Under LINUX 2.2
- Configuring IP Masquerading
- Using IP Masquerading Every Day
Configuring IP Masquerading
Now that you know what masquerading can do, and have an idea about how it does it, you need to know how to go about enabling support for it and configuring masquerading rules. As with other kernel facilities, you must select it during the kernel configuration process, compile a new kernel, and then reboot to be able to use IP masquerading.4
The generic IP masquerading code is in /usr/src/linux/net/ipv4/ip masq.c, and handles the straightforward TCP, UDP, and ICMP protocols. When you compile a kernel only with IP: Masquerading, you will have support for TCP and UDP. You should set IP: ICMP masquerading if you also want ICMP packets to be masqueraded. (This enables some conditional parts of the code in ip masq.c.)
In either case, be sure to set IP: always defragment whenever using masquerading. This has the effect of coalescing any packet fragments into the original (larger, unfragmented) packet before handing them to the kernel's forwarding code. This is necessary because the masquerading code in the kernel won't be able to recognize fragments from masqueraded connections without knowing the source and destination IP and ports. Additional protocol support is automatically built as modules when you build a kernel with masquerading support. (Just don't forget to load these modules into the running kernel before using them.) Listing 1 shows the full set of options.
Listing 1 Compiling Support for IP Masquerading into the 2.2.x Kernel
Networking options ---> <*> Packet socket + [*] Network firewalls <*> Unix domain sockets [*] TCP/IP networking [*] IP: advanced router + [*] IP: firewalling + [*] IP: always defragment (required for masquerading) + [*] IP: masquerading --- Protocol-specific masquerading support will be built as modules. + [*] IP: ICMP masquerading Filesystems ---> [*] /proc filesystem support
Configuring IP Masquerading with ipchains
As with IP accounting and firewalling, once you have a kernel with masquerading support, you use ipchains (for 2.2.x kernels) to configure rules. In this case, the rules are part of the packet-forwarding mechanism (as compared to the input, output, or accounting mechanisms). Masquerading with ipchains uses the same syntax as with other ipchains functions, such as configuring IP accounting and establishing packet filters, but with different arguments to indicate that we're masquerading. (See the man page for ipchains for more information about the general syntax.)
Managing rules consists of entering them, viewing them, editing them, and removing them. Entering them involves specifying pattern-matching criteria along with the option(s) to tell the kernel to perform masquerading when a match occurs. Recall that ipchains uses the concept of targets, so masquerading occurs when a packet matches a rule with a target of MASQ. Furthermore, only packets that are being forwarded can be masqueraded.
Adding IP Masquerading Rules with ipchains
All packets being forwarded automatically traverse the built-in forward chain. To masquerade them, add a rule to the forward chain with a target of MASQ. Alternatively, you can add a rule to the forward chain that has a user-defined chain as its target, and somewhere along this chain is a rule with the built-in target MASQ. Perhaps a few examples will clear this up:
# masquerade EVERYTHING ### insert a rule that masquerades everything that the ### kernel forwards, using the built-in "forward" chain ### ### (note that not specifying any matching criteria means ### that all packets will be matched) erbium:/root> ipchains -I forward 1 -j MASQ # masquerade packets forward out over ppp0 ### create a user-defined chain named "ipmasq" and append it to ### the built-in "forward" chain, and then add a rule to masquerade ### packets that will be forwarded over the ppp0 interface erbium:/root> ipchains -N ipmasq erbium:/root> ipchains -A forward -j ipmasq erbium:/root> ipchains -A ipmasq -i ppp0 -j MASQ
You may want to masquerade traffic only from certain subnets or traffic destined for a particular subnet. To do this, use the -s and -d switches (among others) to specify packet-matching criteria. For example, in contrast to the rules above, we might find it conceptually simplest to masquerade only traffic bound for the client's network instead of trying to figure out what interface is forwarding the traffic. So we would use rules such as these:
# masquerade packets destined for host 10.10.34.216 ### use the /maskbits notation for the subnet mask erbium:/root> ipchains -A forward -d 10.10.34.216/32 -j MASQ ### is equivalent to: erbium:/root> ipchains -A forward -d 10.10.34.216/255.255.255.255 -j MASQ ### is equivalent to: erbium:/root> ipchains -A forward -d 10.10.34.216 -j MASQ
Sometimes it's easier to specify what it is that you don't want to masquerade. For example, you may have a topology where the firewall is performing masquerading, but several machines located outside the firewall have routes for your internal networks. You don't want connections to these machines from internal machines to be masqueraded, because any meaningful information about the source IP address is lost. If the internal network you need to masquerade is 192.168.0.0/255.255.0.0, and the external network is 210.56.12.64/255.255.255.192, you can set the rules as follows:
# masquerade everything from the internal network # to everywhere except the perimeter net ### masquerade for almost all destinations erbium:/root> ipchains -I forward -s 192.168.0.0/16 -d ! 210.56.12.64/25 -j MASQ # OR, an alternative solution ### masquerade for all destinations erbium:/root> ipchains -A forward -s 192.168.0.0/16 -j MASQ ### forward _without_ masquerading to the perimeter net erbium:/root> ipchains -I forward -d 210.56.12.64/25
By using user-defined chains and the special targets MASQ and RETURN, you can create very intricate rulesets that masquerade only certain types of connections and provide accounting for different aspects of the process. Refer to the man page for more information about managing rules using ipchains.
Modifying IP Masquerading Rules with ipchains
A little time spent with the ipchains man page, and you'll be familiar with methods of manipulating existing rules. Being able to make modifications to chains (such as inserting rules into chains at arbitrary locations) is quite handy because, unlike IP accounting, masquerading rules are sensitive to order. Here's a synopsis of useful command forms:
ipchains -R |
chain n rule |
Replaces the nth rule for chain chain with the new rule specified by rule. (Rules are numbered starting at 1.) |
ipchains -D |
chain n |
Deletes the nth rule from chain chain. If you'd rather specify the rule explicitly, just use it in place of the number. |
ipchains -I |
chain n rule |
Inserts the rule given into the nth position for chain chain, moving each of the existing rules down. (Rules are numbered starting at 1.) Omitting the position argument defaults to the first position in the list. |
Viewing IP Masquerading Rules with ipchains
You can view the counters associated with rules by listing (-L) the rules on a chain, along with some switches to increase the amount of detail (normally -v, -n, and -x):
### list masquerading rules ### (headers/output split into two lines) erbium:/root> ipchains -L forward -n -v Chain forward (policy ACCEPT: 33 packets, 1686 bytes): pkts bytes target prot opt tosa tosx ifname mark outsize 33 1686 MASQ all ------ 0xFF 0x00 eth1 source destination ports 0.0.0.0/0 0.0.0.0/0 n/a
Some additional notes about viewing the rules:
-
-n prevents name resolution from occurring.
-
-v makes the output more verbose, adding the packet (pkts) and byte (bytes) counter fields, the interface field (ifname), the TOS masks (tosa and tosx), and the mark and outsize fields.
-
-x is useful only in combination with -n. It prevents conversion of the byte and packet counters into larger units of K, M, or G.
-
If you don't specify a chain name, all chains will be listed. If you only want to see rules that result in masquerading, grep the output for MASQ.
-
If you don't specify the verbose switch, you won't see the interface field (an oversight, in my opinion), which is important unless you do all your masquerading based solely on source or destination address.
Viewing Active Masqueraded Connections
You can view the current list of masqueraded connections with ipchains. This is the syntax:
ipchains -M -L [-n] [-v]
-
-n prevents hostname and portname lookups. Its use is optional.
-
-v (verbose) includes the initseq, delta, and prevd fields in the output:
-
initseq shows the initial sequence number.
-
delta shows the difference between the client's opinion of the current sequence number (read from its most recent packet) and the server's opinion of the current sequence number.
-
prevd shows the previous delta value.
Listing 2 shows ipchains in action:
Listing 2 Viewing Active Masqueraded Connections
# ipchains -M -L IP masquerading entries prot expire source destination ports TCP 03:57. 94 192.168.107.223 195.20.227.241 3160 (62041) -> 80 TCP 01:22. 40 192.168.104.221 193.71.196.106 1185 (62057) -> 80 TCP 01:22.46 192.168.104.221 193.71.196.106 1182 (62054) -> 80 TCP 14:27.44 192.168.104.221 193.71.196.101 1184 (62056) -> 80 TCP 11:58.10 192.168.108.220 204.71.200.55 1099 (63099) -> 5050 UDP 01:57.29 192.168.101.14 24.112.240.60 1076 (62219) -> 53
Each line of the output represents a masqueraded connection; there are five actively masqueraded connections at this time. For the 192.168.104.221 client, notice that a masqueraded connection refers to every unique port pair between a client and server; there are two active connections from this client to the same server.
The expire field shows the time remaining before the masquerading is taken down for this connection, in minutes:seconds.hundredths. The ports field is in the format client (router) server. The router port is the port to which the server will reply to a client request. After unmasquerading the packet, the router sends it back to the client at the client port.
Why is the expire field necessary? If someone initiates a TCP connection, but then some evil occurs and he or she is unable to take down the connection gracefully, the masquerading router will sit forever waiting for more packets because it never saw the stream taken down properly. Since UDP is stateless, the situation is even more dire; the router is never able to intercept any information about the final packet in a UDP sequence. During their normal operation, both types of masquerading use ports on the router. If the masquerading never timed out, some of these ports would linger forever… or until the next reboot, which would probably have to occur when all 65535 ports on the system were exhausted. The expire timer is reset each time the connection is used, and starts counting down. If the clock reaches zero before another packet is sent or received via the connection, the masquerading for that session is torn down.
Modifying Masquerade Expiration Timeouts with ipchains
You can modify the expire timeout values to something other than the defaults set in ip masq.h. Those defaults are 15, 2, and 5 minutes for TCP sessions, TCP in the FIN WAIT state (after receiving a FIN packet), and UDP packets, respectively. There is also a default for ICMP (about two minutes), which can be set only by modifying the header file and recompiling the kernel. The syntax to modify the TCP and UDP values is as follows:
ipfwadm -M -S tcp tcpfin udp
Note that you must specify all three of the timeout parameters, which measure in seconds. If you want to leave a setting at its current value, specify a timeout of 0. You may find tuning this useful if you have the habit of logging into a remote site over a masqueraded connection and don't want to be logged out after 15 minutes of inactivity.
IP Masquerading Information in /proc
Another way to view rules, counters, and expire timeouts is to poke around in the /proc filesystem. The amount of information you can find here has been increased with the 2.2.x kernel. Some highlights are listed in the following table; all pathnames are relative to /proc/net.
File |
Description |
ip fwnames |
Lists all chains, including the chain name, default policy, reference count, packet count watermarks (high and low), and byte count watermarks (high and low). |
ip fwchains |
Contains all rules from all chains (the chain's name is the first field). This is merely a quick way to list all active rules. |
ip masquerade |
Lists the current masqueraded connections in raw format, along with the number of free ports available for UDP, TCP, and ICMP masquerading. (See the sample output after this list for more information.) |
ip masq/app |
Contains the active reference counts for the kernel built-in masquerading protocol modules. It has four fields: |
|
|
|
|
|
|
|
|
ip masq/icmp |
Available when CONFIG IP MASQUERADE MOD is enabled in the kernel—provides support for special modules that can modify the rewriting rules used when masquerading. It gives the user-space program ipmasqadm access to the kernel data structures. |
ip masq/tcp |
See ip masq/icmp. |
ip masq/udp |
See ip masq/icmp. |
Probably the most interesting of these for day-to-day use is /proc/net/ip masquerade. Besides displaying the actively masqueraded connections in raw format, it shows the number of ports available for masquerading each type of connection:
erbium:/root> cat /proc/net/ip_masquerade Prc FromIP FPrt ToIP TPrt Masq Init-seq Delta Pdelta Expires (free=40959,40956,40960) TCP C0A80102:0464 D08C7063:006E F658 00000000 0 0 479 TCP C0A80102:0466 1801F046:006E F65A 00000000 0 0 1145 UDP C0A80102:0434 1801F021:0035 F30B 00000000 0 0 18839 TCP C0A80102:0448 D0EDB215:0050 F65B 00000000 0 0 88925 TCP C0A80102:0465 D11E0216:006E F659 00000000 0 0 847
This output shows that 40959 ports are available for masquerading UDP connections, 40956 for TCP connections, and 40960 for ICMP connections. Five connections are currently masqueraded, and the number of clicks remaining for their expire timers are expressed in hundredths of seconds.
If you suspect that you're low on ports for masquerading, you may just have a busy site. On the other hand, you may want to check here to see what the kernel thinks, and you may need to compile a new kernel to adjust the number of ports available. The values to change are PORT MASQ BEGIN and PORT MASQ END in /usr/src/linux/include/net/ip masq.h. After modifying the source, you have to recompile the kernel and reboot for the change to take effect. (If you worked with the 2.0 kernel, notice that the number of free ports assigned to masquerading by default is increased by a factor of 10 for the 2.2.x kernel versions.)
One last note about using ipchains to configure your rules. Store the rules in a script once you get them the way you want them, or they'll be lost during the next reboot. You may even want to save a hard copy of the forwarding/masquerading rules. If you don't like the idea of configuring these rules by hand, check the next section for information about configuration tools.
IP Masquerading Configuration Tools
IP masquerading is a very commonly performed task. As such, a lot of work has been put into making it easier to configure. Now that you know what lies beneath, here are some packages that might aid you in configuring it for your system.
-
ipmasq is a native Debian package based on the scripts in the LDP's IP Masquerade mini-HOWTO. If you want to use the package without running Debian, you can retrieve the source from any Debian mirror site. The following is taken from the description that accompanies the package:
By default, this package configures the system as a basic forwarding firewall, with IP spoofing and stuffed routing protection. The firewall will allow hosts behind the firewall to get to the Internet, but not allow connections from the Internet to reach the hosts behind the firewall. However, ipmasq now features a very flexible framework where you can override any of the predefined rules if you so choose. It also allows you to control if the rules are reinterpreted when pppd brings a link up or down. This package should be installed on the firewall host and not on the hosts behind the firewall.
-
dotfile-ipfwadm is a module for dotfile. This package uses a Tcl/Tk interface to allow you to graphically build your own accounting, forwarding, input, output, and masquerading rules. It can be very helpful for quickly developing a set of rules, which it outputs to a file. You can then tweak the rules as needed. It allows you to select just the options that are applicable to your running kernel. For non-Debian systems, check to see whether dotfile is available; otherwise visit http://www.imada.ou.dk/~blackie/dotfile/. (Note: This currently supports only ipfwadm commands for the 2.0 kernel.)
-
netbase contains a command called ipfwadm-wrapper. This package will be installed on your system in any event, but it's nice to be aware of ipfwadm-wrapper when converting to ipchains.
-
MasqDialer (Debian package masqdialer) is suited to replace a great deal of scripting that you would end up doing by hand on a dial-out router.
The masqdialer system is designed to provide easily accessible control of multiple dial-out modem connections to the members of a LAN using IP masquerade for their Internet connectivity. The system is a client/server design, so as long as a client can be written for a particular platform, that platform can take advantage of masqdialer's offerings. The masqdialer daemon runs on the Linux machine, and upon an authorized client request, carries out the user's request.
MasqDialer's home Web site is http://freshmeat.net/projects/masqdialer/. There is a GUI front end for managing the server available in the Debian package tkmasqdialer. You'll also need the mclient package, which is a command-line client used to communicate with the server.