Date: Thu, 18 Jul 1996 16:34:46 -0700
From: Noel Burton-Krahn <noel@harleystreet.com>
To: "'Kenneth Merry'" <ken@ulc199.residence.gatech.edu>
Cc: "'freebsd-hackers@freebsd.org'" <freebsd-hackers@freebsd.org>
Subject: RE: Retake .. Re: IP masquerading over tunel device
Message-ID: <01BB74C7.6554F0C0@mcduck.harleystreet.com>
Here's how Linux does IP masquerading:

1) a local client (in your network) wants to talk TCP or UDP to a remote host (outside your network)

2) the local client makes an IP packet with a destination address remote.host:345 and a return address local.client:100 and sends the packet to its router linux.box. The number after the colon is the TCP port number.

3) linux.box gets this packet, changes the return address to linux.box:7000, and sends it along to remote.host

4) remote.host gets the edited packet, composes a reply and sends it back to the packet's return address, which was changed to linux.box:7000

5) when linux.box receives any packets bound for port 7000, it knows that they're really supposed to go to local.client:100, so it changes the packet's destination address and sends it to local.client.

Here are the problems with this method:

1) The linux box has to keep a cache of masquerade ports (7000 in the above example) alive for the duration of any masqueraded connection. Linux uses a fixed length timer for this, which is why people behind a masqueraded connection can find that their FTP sessions will mysteriously stop after a couple of hours. After that time, the Linux box assumes the connection is closed and shuts down the masqueraded port.

2) This only works for protocols which use port numbers like TCP and UDP. ping(1) and traceroute(1) can't work through a masqueraded connection, because they use a different protocol.

3) Some protocols like FTP and RealAudio put return address information in places other than the packet header. If you look at the Linux code, you'll see a bunch of hacks to take care of these protocols specially.

I currently use a Linux box with masquerading to route all of my office's traffic (15 machines) through a demand dial PPP connection to our provider. It's not fast (!) but it works.
--Noel

On Thursday, July 18, 1996 11:45 AM, Kenneth Merry[SMTP:ken@ulc199.residence.gatech.edu] wrote:
>
> I do have a couple of questions about the way IP masquerading
> works, though. I'll admit I haven't seen the Linux implementation, but I
> have (I think) seen it in action on a network here at GaTech. It appears
> that it uses two different hardware (ethernet) addresses for the same IP
> address to distinguish between packets going to the different machines.
> One will be the real address of the ethernet card, e.g. 00:40:05:bb:11:22,
> and the other one will be something like 1:2:3:4:5:6.
>
> Does anyone know if that is indeed how it works? Is that the way
> the FreeBSD implementation will work? Would the tunnel implementation of
> something like that be any different from running it on a local ethernet?
> People here use IP masquerading under Linux so they don't have to buy a
> second IP address for a second machine, usually. (Well, that's not the
> only reason, there are some more complex, stupid bugs in the Cabletron hubs
> at work here..:) )
>
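The port-translation table that the message above describes, written out as a small Python model. This is an added illustration, not code from the e-mail and not the Linux kernel's masquerading code: the addresses (linux.box, local.client, remote.host), the starting masquerade port 7000 and the 900-second idle timeout are made up to match the example in the text. It shows the five steps (rewrite the source on the way out, look the masquerade port up on the way back), the timer expiry that kills long-lived sessions, and the refusal of a protocol with no port numbers (ICMP, as used by ping and traceroute). The model uses an idle timer that is refreshed by every packet in either direction, which is an assumption about the scheme rather than something the message states.

```python
"""Toy model of TCP/UDP IP masquerading (what is now called NAPT).

Constructed example: hostnames stand in for IP addresses, and a packet is a
plain record rather than real IP/TCP headers.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]


class Masquerader:
    """The router (linux.box in the text) that rewrites addresses."""

    def __init__(self, external_ip: str, first_port: int = 7000,
                 last_port: int = 7999, idle_timeout: float = 900.0):
        self.external_ip = external_ip
        self.first_port = first_port
        self.last_port = last_port
        self.idle_timeout = idle_timeout
        # (proto, masquerade port) -> (client, client port, last activity time)
        self.table: Dict[Tuple[str, int], Tuple[str, int, float]] = {}
        # (proto, client, client port) -> masquerade port, for outbound lookups
        self.reverse: Dict[Tuple[str, str, int], int] = {}

    def _expire(self, now: float) -> None:
        """Drop entries idle longer than the timeout (problem 1 in the text)."""
        for key, (client, cport, last) in list(self.table.items()):
            if now - last > self.idle_timeout:
                del self.table[key]
                del self.reverse[(key[0], client, cport)]

    def _alloc_port(self, proto: str) -> int:
        """Pick the lowest free masquerade port for this protocol."""
        for port in range(self.first_port, self.last_port + 1):
            if (proto, port) not in self.table:
                return port
        raise RuntimeError("masquerade port range exhausted")

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Steps 2-3: local client -> router -> remote host."""
        self._expire(now)
        if pkt.proto not in ("tcp", "udp") or pkt.sport is None:
            # Problem 2: nothing to translate without a port number.
            raise ValueError(f"cannot masquerade protocol {pkt.proto!r}")
        rkey = (pkt.proto, pkt.src, pkt.sport)
        mport = self.reverse.get(rkey)
        if mport is None:
            mport = self._alloc_port(pkt.proto)
            self.reverse[rkey] = mport
        self.table[(pkt.proto, mport)] = (pkt.src, pkt.sport, now)
        # Return address becomes linux.box:<masquerade port>.
        return replace(pkt, src=self.external_ip, sport=mport)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Steps 4-5: remote host -> router -> local client. None = dropped."""
        self._expire(now)
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # no mapping (never existed, or timed out)
        client, cport, _ = entry
        self.table[(pkt.proto, pkt.dport)] = (client, cport, now)
        return replace(pkt, dst=client, dport=cport)


def demo() -> dict:
    """Walk through the example from the text and return what happened."""
    m = Masquerader("linux.box")
    out = m.outbound(Packet("tcp", "local.client", 100, "remote.host", 345), now=0)
    back = m.inbound(Packet("tcp", "remote.host", 345, "linux.box", 7000), now=10)
    # A second client reusing source port 100 gets a distinct masquerade port.
    out2 = m.outbound(Packet("tcp", "local.client2", 100, "remote.host", 80), now=20)
    # Reply arriving after the idle timeout finds no mapping and is dropped.
    late = m.inbound(Packet("tcp", "remote.host", 345, "linux.box", 7000), now=10 + 901)
    return {"out": out, "back": back, "out2": out2, "late": late}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it prints the rewritten packets: the outbound packet leaves as linux.box:7000, the reply comes back addressed to local.client:100, the second client is mapped to port 7001, and the reply that arrives after the timeout is dropped (None), which is the "session mysteriously stops" failure from the text.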
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01BB74C7.6554F0C0>