“MASQ” or “IPMASQ”, short for IP Masquerading, lets machines with non-routable (private) IP addresses reach the Internet through the machine that does the masquerading. It is a form of NAT (Network Address Translation). IPMASQ works with LAN technologies such as Token Ring, Ethernet and FDDI, as well as with dial-up connections.
With IPMASQ, a gateway machine mediates between the machines on your network and the Internet. The Linux Connection Tracking (conntrack) feature keeps a record of each connection and its source, so that reply packets can be routed back to the right internal host. Packets leaving the private network are therefore rewritten to look as if they originated from the gateway machine. Microsoft calls the equivalent feature Internet Connection Sharing.
How can IP masquerading be achieved?
IPMASQ can be set up with a single command:
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
This command applies when your private address range is 192.168.0.0/16 and ppp0 is the Internet-facing interface. Below we break down the syntax to explain each option:
- -t nat – selects the nat table.
- -A POSTROUTING – appends the rule to the POSTROUTING chain, which sees packets just before they leave the machine.
- -s 192.168.0.0/16 – matches packets whose source address is in the private range used on the network.
- -o ppp0 – matches packets leaving via the ppp0 interface, that is, traffic headed for the Internet.
- -j MASQUERADE – rewrites the source address of matching packets to the address of the gateway's outgoing interface.
NOTE: If the gateway machine also acts as a firewall, you will have to allow the traffic through its FORWARD chain so that connections can complete:
sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT
With these two rules, traffic from the private range going out via ppp0 is accepted, and traffic coming back in on ppp0 is accepted only when it belongs to an ESTABLISHED or RELATED connection, even if the default policy of the FORWARD chain is REJECT or DROP.
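As an added example (not part of the original article), the following Python script assembles the rules above into one validated sequence for a Linux gateway. It assumes the LAN range and the Internet-facing interface are passed in, and it adds two steps the single command does not cover: enabling IPv4 forwarding in the kernel and setting the FORWARD policy to DROP so that the two ACCEPT rules are the only path. The function names and the dry-run behaviour are this example's own; `build_masq_commands` only returns the commands for review, and `apply_commands` runs them (root required).

```python
"""Build the sysctl/iptables commands for a Linux masquerading gateway.

Added example, not from the original article. build_masq_commands() only
returns the commands (review them first); apply_commands() runs them.
"""
import ipaddress
import re
import subprocess

# Linux interface names are at most 15 characters (IFNAMSIZ is 16 with the NUL)
_IFACE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")


def build_masq_commands(lan_cidr, wan_iface):
    """Return the argv lists, in order, needed to masquerade lan_cidr out of wan_iface."""
    # strict=True rejects a host address such as 192.168.1.5/16; a typo here
    # would silently masquerade the wrong range
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    # assumption of this example: only private (RFC 1918-style) ranges are masqueraded
    if not lan.is_private:
        raise ValueError(f"{lan} is not a private range; refusing to masquerade it")
    if not _IFACE_RE.match(wan_iface):
        raise ValueError(f"bad interface name: {wan_iface!r}")
    net = str(lan)
    return [
        # 1. the kernel must route between interfaces at all
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        # 2. default-deny forwarding so the two ACCEPT rules below are the only path
        ["iptables", "-P", "FORWARD", "DROP"],
        # 3. rewrite the source of LAN packets leaving via the WAN interface
        ["iptables", "-t", "nat", "-A", "POSTROUTING",
         "-s", net, "-o", wan_iface, "-j", "MASQUERADE"],
        # 4. allow LAN -> Internet
        ["iptables", "-A", "FORWARD", "-s", net, "-o", wan_iface, "-j", "ACCEPT"],
        # 5. allow only replies to connections the LAN opened (conntrack state)
        ["iptables", "-A", "FORWARD", "-d", net, "-i", wan_iface,
         "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]


def render(commands):
    """Format the commands as the shell lines an administrator would type."""
    return "\n".join("sudo " + " ".join(c) for c in commands)


def apply_commands(commands):
    """Run the commands in order; stops at the first failure. Needs root."""
    for c in commands:
        subprocess.run(c, check=True)


if __name__ == "__main__":
    # dry run: print the commands for the article's example network
    print(render(build_masq_commands("192.168.0.0/16", "ppp0")))
```

Run the script as-is to see the commands; call `apply_commands(build_masq_commands(...))` as root to install them. The order matters: forwarding is enabled and the policy set before the rules are appended, and the state rule is what lets replies back in once the policy is DROP.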
Comparing IP Masquerading with Proxy and NAT
NAT (Network Address Translation), in the form described here, manages a pool of public IP addresses. Whenever a machine on the network wants to connect to the external network, it is assigned one public IP address from the pool available in the NAT box. From then on, all of its traffic appears to originate from that public IP address, masking the originating machine. The public IP address is returned to the free pool whenever the source machine is idle.
NAT services are available for Solaris, Linux, Windows 95, NT, etc.
Advantages:
- Multiple configuration options.
- Requires no application software.
Disadvantages:
- Requires a block of public addresses (a subnet) from the ISP, which can be costly.
- Once the pool of free public IP addresses is exhausted, a new machine cannot reach the external network until a public IP address is released.
IPMASQ can be described as a 1:many form of NAT. Basically, IPMASQ acts as the originating machine for all requests, masking the real source from the external public network.
IPMASQ is available on Linux and on a couple of ISDN routers.
Advantages:
- Requires only one public IP address, so it is cheap.
- Requires no special configuration at the application level, which reduces the configuration maintenance load.
- Uses a firewall to provide an extra level of security.
Disadvantages:
- Cannot work without a Linux machine; if no Linux machine is available, an IPMASQ-capable router is needed.
- The firewall can cause problems for certain protocols. In such cases, extra functionality known as “firewall redirectors” is used.
A proxy, like IP MASQ, works with a single IP address. Basically, the proxy acts as a translator in a local area network: a proxy server receives requests from the peers within the network and forwards them to the destination. While doing so, the proxy server appears as the source of the request, masking the original source. Finally, the proxy server routes the reply back to the originating machine without revealing that machine to the public network.
Proxy services are available for Solaris, Linux, Windows 95, NT, etc.
Advantages:
- Uses just one IP address, so it is cheap.
- Offers caching for better performance in a network.
Disadvantages:
- Can end up mixing packets from different clients, producing confusing statistics at the network level.
- Every application within the network must be configured to use the proxy server in order to reach the external network. The slightest misconfiguration breaks the link between the application and the proxy server. This is where IPMASQ takes the lead over a proxy: with IPMASQ no configuration is required on the peers.
Who requires IP masquerading and who must ignore it?
After discussing IPMASQ, we went on to compare IPMASQ, proxies, and NAT. If you have not read those articles, I suggest you do so first; otherwise the text below will be of little use to you.
Although IPMASQ and proxies are similar technologies, there are situations where IPMASQ is preferable to a proxy server. For a network administrator to use all the features of IP MASQ, the following conditions must be met:
- For starters, the network must contain Linux boxes that will use IPMASQ.
- Expanding on the point above, all the Linux boxes within the network must connect to a central Linux box, which acts as the mediator between the Internet and the local area network.
- The Linux machine must have more than one modem. It acts as a SLIP or PPP server connected to the rest of the boxes. Remember that all such boxes within the local area network will have private IP addresses.
- The network administrator may also want other servers to connect to the Internet. Either an external router will be required for such a setup, or Linux will have to be used as the router.
Who should stay away from IPMASQ?
- Machines that connect directly to the Internet. The concept of a mediator has no meaning in such a small network.
- Networks where the other machines already have assigned public IP addresses. IPMASQ is an old technology, but it has recently gained considerable recognition because of its usage.
Hiding local IP Addresses
Can the addresses of a private local area network be hidden while still allowing employees to access the Internet anonymously? This matters especially when you want to prevent external users from initiating conversations with employees or users on the internal network while still allowing Internet access. This is where masquerade NAT comes to the rescue. Masquerade NAT allows the many IP addresses of an internal network to be presented to the outside as a single IP address.
How to set up masquerade NAT?
To use masquerade NAT, you specify the range of addresses that NAT should translate. The translated IP address replaces the source IP address in the IP header of every IP packet, and, where one is available, a temporary port number replaces the source port number.
Set MAXCON high enough to accommodate multiple conversations per PC. The default is usually 128, but it can be set to any preferred value.
Set a HIDE rule statement, specifying the TIMEOUT, which determines how long a conversation between the server and a personal computer on the network is kept. This value sets the waiting period for a response and defaults to 16.
Enable IP forwarding
Always enable IP forwarding when using NAT by setting the IP datagram verification to YES under the TCP/IP attributes.
In a masqueraded network, only the PCs inside the network can initiate a conversation or request. For example, a web browser on an internal PC can reach a website, while a web browser outside the masqueraded network cannot reach a resource inside it. To enable two-way communication, a feature called port forwarding or static NAT is used: administrators configure the translation tables to allow permanent access to a resource located inside the masqueraded network.
Pay careful attention to the details when implementing network address translation (NAT), since mistakes can seriously degrade the quality of an Internet connection.
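To make the translation table concrete, here is an added Python simulation (not code from the original article, and not any real implementation) of the masquerade behaviour described above: outbound flows get the gateway's public address and a temporary port, replies are mapped back through the table, unsolicited inbound packets are dropped, a MAXCON-style cap limits the table, and a static port forward exposes one internal service. The Packet layout, the table layout, the port range and the documentation addresses (203.0.113.5, 198.51.100.x) are this example's own constructed assumptions; Linux conntrack and the HIDE rules above differ in detail but perform the same mapping.

```python
"""Simulate the connection table behind masquerade NAT (1:many NAT).

Added example, not from the original article. Packet layout, table
structure, temporary-port range and the MAXCON-style cap are simplifying
assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class MasqueradeGateway:
    def __init__(self, public_ip, lan_cidr, port_range=(40000, 65535), max_conn=128):
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan_cidr)
        self.port_lo, self.port_hi = port_range
        self.max_conn = max_conn           # cap on tracked flows, like MAXCON above
        self.used_ports = set()
        self.out_map = {}   # LAN 5-tuple -> temporary public port
        self.in_map = {}    # (public port, remote ip, remote port, proto) -> (LAN ip, LAN port)
        self.static = {}    # static NAT / port forward: (public port, proto) -> (LAN ip, LAN port)

    def add_port_forward(self, public_port, lan_ip, lan_port, proto="tcp"):
        """Permanently expose one internal service (static NAT)."""
        self.static[(public_port, proto)] = (lan_ip, lan_port)
        self.used_ports.add(public_port)   # never hand this port to a dynamic flow

    def _alloc_port(self):
        if len(self.out_map) >= self.max_conn:
            raise RuntimeError("connection table full (MAXCON reached)")
        for port in range(self.port_lo, self.port_hi + 1):
            if port not in self.used_ports:
                self.used_ports.add(port)
                return port
        raise RuntimeError("temporary port range exhausted")

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to public_ip:<temporary port>."""
        if ipaddress.ip_address(pkt.src_ip) not in self.lan:
            return None                    # not from the masqueraded range, leave it alone
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self.out_map.get(key)
        if port is None:                   # first packet of a new flow: create both entries
            port = self._alloc_port()
            self.out_map[key] = port
            self.in_map[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Internet -> gateway: deliver replies and static forwards, drop everything else."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key in self.in_map:             # reply to a flow the LAN opened
            lan_ip, lan_port = self.in_map[key]
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        fwd = self.static.get((pkt.dst_port, pkt.proto))
        if fwd is not None:                # permanently forwarded service
            lan_ip, lan_port = fwd
            # record the flow so the server's reply leaves with the static public port
            self.out_map[(lan_ip, lan_port, pkt.src_ip, pkt.src_port, pkt.proto)] = pkt.dst_port
            self.in_map[key] = (lan_ip, lan_port)
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        return None                        # unsolicited: dropped, internal hosts stay unreachable


def demo():
    """Walk through the scenarios described above with constructed sample packets."""
    gw = MasqueradeGateway("203.0.113.5", "192.168.0.0/16", max_conn=2)
    gw.add_port_forward(8080, "192.168.0.20", 80)
    # two LAN hosts that happen to pick the same source port get distinct public ports
    a = gw.outbound(Packet("192.168.0.10", 51000, "198.51.100.7", 80))
    b = gw.outbound(Packet("192.168.0.11", 51000, "198.51.100.7", 80))
    reply_a = gw.inbound(Packet("198.51.100.7", 80, "203.0.113.5", a.src_port))
    probe = gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 22))   # nobody asked for this
    try:
        gw.outbound(Packet("192.168.0.12", 51000, "198.51.100.7", 80))
        table_full = False
    except RuntimeError:
        table_full = True                  # MAXCON of 2 reached
    web_in = gw.inbound(Packet("198.51.100.9", 5555, "203.0.113.5", 8080))
    web_out = gw.outbound(Packet("192.168.0.20", 80, "198.51.100.9", 5555))
    return {"a": a, "b": b, "reply_a": reply_a, "probe": probe,
            "table_full": table_full, "web_in": web_in, "web_out": web_out}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The reverse table is keyed on the remote endpoint as well as the public port, which is why the probe to port 22 is dropped even though ports are in use: a packet only gets in if it matches a flow the inside opened, or a forward the administrator configured. Note that static forwards in this simulation bypass the MAXCON check; the cap applies to dynamically created flows only.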