Practical Networking - The Router

Referring to the previous Generic Network Configuration:


	  =============Internet BackBone(s)==========
       	       	       	     ^
		       	     |
		       	  ___v____
WAN			 |    	  |
   			 |  ISP	  |
   			 | Router |
   			 |________|
   			     ^
   			     |
.............................|......................................
   			     |
   			     |
   			_____v_____ .... ___________________
   		       |      	   |	|                   |
   		       | Fire Wall |	| Network Server(s) |
Network		       |___________|....|___________________|
Services		     ^                    ^
			     |                    .
			     |                    .
.............................|.....................................
			     |                    .
			     v                    v
	 --------------------+-----------------------
       	       	    ^  	      	       ^
	   	    |	      	       |
LAN	   	    |	      	       |
192.168.0.0	____v___	   ____v___
	       |     	|	  |        |
	       | User 1 |  o o o  | User n |
	       |________|	  |________|

...................................................................


The entire LAN hides behind the IP masquerading firewall machine. The firewall machine usually has two interfaces, one for the LAN and the other (possibly a modem) for WAN access. The WAN access interface has the only registered address with the LAN addresses allocated from a private class C net as specified in RFC1597 Private Network Allocations. None of the machines on the LAN are accessible from the WAN (internet) because these addresses will not even be routed to the firewall.

The router replaces the source address and port of an IP packet from a LAN system with its own WAN address and a dynamically assigned port number, then sends the packet to its destination via the WAN interface. Packets returned from these destinations are rewritten and forwarded to the proper LAN system based on that port number. From the WAN, the LAN is indistinguishable from a single system.
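As an added illustration (not part of the original page), the following toy model shows the masquerading table the firewall keeps: outbound LAN packets get the WAN address and a fresh port, replies are mapped back by that port, and inbound packets with no table entry are dropped, which is why LAN hosts are unreachable from the WAN. The WAN address, port range and packet fields are constructed assumptions; the real kernel also keys its table on the remote address and times entries out.

```python
import ipaddress
from dataclasses import dataclass

# The private LAN from the diagram (RFC1597 class C range).
PRIVATE_LAN = ipaddress.ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    """Only the fields masquerading rewrites (constructed, simplified)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Toy masquerading table for a firewall with a single WAN address."""

    def __init__(self, wan_ip, first_port=61000):
        self.wan_ip = wan_ip
        self.next_port = first_port        # assumed dynamic port pool start
        self.by_port = {}                  # masq port -> (lan ip, lan port)
        self.by_source = {}                # (lan ip, lan port) -> masq port

    def outbound(self, pkt):
        """LAN -> WAN: replace source with WAN address and an assigned port."""
        if ipaddress.ip_address(pkt.src_ip) not in PRIVATE_LAN:
            return None                    # only LAN sources are masqueraded
        key = (pkt.src_ip, pkt.src_port)
        port = self.by_source.get(key)
        if port is None:                   # first packet from this socket
            port = self.next_port
            self.next_port += 1
            self.by_port[port] = key
            self.by_source[key] = port
        return Packet(self.wan_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN: look the LAN host up by port; unsolicited traffic is dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        entry = self.by_port.get(pkt.dst_port)
        if entry is None:
            return None                    # no LAN host ever opened this flow
        lan_ip, lan_port = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
```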

IP masquerading resources can be found at: http://ipmasq.cjb.net/

For the impatient (substitute the name of the WAN interface, found with ifconfig, for WANIF):


    # ipchains -P forward DENY
    # ipchains -A forward -i WANIF -j MASQ
    # echo 1 > /proc/sys/net/ipv4/ip_forward

Installing and configuring IP masquerading:

  1. Make sure the kernel is configured for IP masquerading. The IP masquerading flag is under Network Options. If necessary, enable IP masquerading, rebuild the kernel and restart the system before proceeding.
  2. Use these commands to configure a chain that masquerades all LAN traffic bound for the WAN (substitute the WAN interface name for wanifdev):
          # create chain lanwan_masq
          /sbin/ipchains -N lanwan_masq
          /sbin/ipchains -A lanwan_masq -s 0/0 -d 0/0 -j MASQ
    
          # forward packets from the LAN leaving on the WAN interface to this chain
          /sbin/ipchains -A forward -s 192.168.0.0/24 -d 0/0 -i wanifdev -j lanwan_masq
          # load modules to handle special protocols
          /sbin/insmod ip_masq_cuseeme
          /sbin/insmod ip_masq_irc
          /sbin/insmod ip_masq_raudio
          /sbin/insmod ip_masq_vdolive
          /sbin/insmod ip_masq_ftp
          /sbin/insmod ip_masq_quake
          # enable forwarding in the kernel (as in the quick commands above)
          echo 1 > /proc/sys/net/ipv4/ip_forward


See Also: ipchains.


Ken Thompson<thompson@milestonesolutions.com>
Last modified: Tue Aug 17 12:12:16 EDT 1999