With the World Wide Web now a mainstream phenomenon and computer prices dropping by the minute, there are more machines than ever connected to the Internet. All of this activity has created a bit of a real estate problem for the classic TCP/IPv4 addressing system and those of us who are beholden to it. Assigning a TCP/IP address to each and every machine on your network today can be tricky -- either because of the cost, or because your network has simply run out of addresses. But don't despair, Linux IP Masquerade is ready and able to come to your rescue.
Figure 1: Ready for IP Masq -- typical network topology.
Linux IP Masquerade or "IP Masq" is a Linux kernel feature that's been available since the old 1.2.x kernel days. It allows a single Linux machine to act as a translator between a single IP address and an entire internal network. In technical terms this is called 1:Many (read as "One to Many") NAT (Network Address Translation). This means "1" TCP/IP address is translated into "Many" internal hosts. The internal network you use with IP Masq can include any assortment of TCP/IP-enabled machines using an entirely different addressing scheme, and running over a totally different LAN infrastructure like Ethernet or FDDI. IP Masq lets you do all of this without purchasing additional IP addresses or expensive network routers. It supports a number of Internet protocols including SMTP, HTTP, FTP, IRC, RealAudio, and even gaming protocols.
So how does IP Masq work? What happens is this: IP Masq takes a TCP/IP packet from the internal network and analyzes it against its own tables. Linux determines whether or not the packet is bound for the Internet, and IP Masq records where this packet originated and where it's heading. It then re-writes the packet's original source IP address, giving it the Linux server's own -- external -- IP address, and forwards it out to the Internet. When the remote server receives the packet and replies, the Linux IP Masq server is able to recognize this Masqed packet and re-route it to the internal host that sent the original.
One of the benefits of IP Masquerade is that it lets you implement a secure TCP/IP packet firewall using the standard Linux ipfwadm or ipchains tools.
Both ipfwadm and ipchains can be used to configure the Linux IP Masquerade kernel code. Since the user has to use a simple script to turn on IP Masq anyway, why not use a strong firewall ruleset instead? There are many examples of strong rulesets, including ones in the IP-MASQ-HOWTO and even stronger ones in the TrinityOS document. None of these rulesets are the end-all, be-all of firewall security, but they make a great start.
These firewalling mechanisms also provide extensive logging facilities so that administrators can find out when external intruders are trying to break into their machines.
Another powerful IP Masq feature, called IP port forwarding, lets you forward external Internet traffic into your internal LAN, giving remote Internet users access to internal computers.
Figure 2: IP Masq at work -- a Masq Telnet session.
There aren't a lot of drawbacks to IP Masq, but a few limitations are worth mentioning. Once Linux IP Masq is functioning, the majority of network applications will work fine, but some applications need special help. To aid these difficult applications, Linux IP Masquerade utilizes special kernel modules. As of today, Linux modules have been written for the most common applications -- CuSeeMe (video conferencing), FTP (file transfer), IRC (for DCC file transfers), Quake (for multiple internal game players), RealAudio (video/sound streaming), and VDOLive (video conferencing). It is not a long list of modules, but very few applications need a special module. For a number of other network applications out there, configuring TCP/IP port forwarders for your network application's TCP/UDP ports will get things running without a hitch.
Modules are lacking for a very few network applications that won't work with IP port forwards. For example, Microsoft's NetMeeting video conferencing program uses the industry standard H.323 protocol, but until a kernel module is written, NetMeeting won't work properly.
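The pieces the last few paragraphs describe -- a default-deny ipchains ruleset that turns on masquerading, logging of rejected packets, the per-application helper modules, and an IP port forward into the LAN -- fit into one short script. The following is an added illustration written for this article, not a ruleset from the IP-MASQ-HOWTO or TrinityOS. It assumes eth0 faces the Internet, eth1 faces the LAN, the LAN is 192.168.1.0/24, and EXTIP is the server's external address (203.0.113.10 and the internal host 192.168.1.10 are constructed placeholders); the `run` wrapper with `DRY_RUN` is a convenience for reviewing the rules before loading them.

```shell
#!/bin/sh
# Added example of an ipchains-based IP Masquerade ruleset; not taken from the
# article, the IP-MASQ-HOWTO or TrinityOS. Assumptions: eth0 faces the Internet,
# eth1 faces the LAN, the LAN is 192.168.1.0/24, and EXTIP is the server's
# external address (203.0.113.10 is a constructed placeholder).
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
INTNET="${INTNET:-192.168.1.0/24}"
EXTIP="${EXTIP:-203.0.113.10}"

# run: execute a command, or only print it when DRY_RUN is set, so the whole
# ruleset can be reviewed before it is ever loaded into the kernel.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Load the per-application masquerade helper modules the article mentions.
load_masq_modules() {
    for m in ip_masq_ftp ip_masq_irc ip_masq_quake ip_masq_raudio \
             ip_masq_cuseeme ip_masq_vdolive; do
        run modprobe "$m"
    done
}

# Default-deny ruleset with masquerading of the internal LAN.
apply_masq_rules() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'   # enable IP routing
    run ipchains -F                                        # flush old rules
    run ipchains -P input   DENY                           # deny by default on
    run ipchains -P output  DENY                           # every chain; only
    run ipchains -P forward DENY                           # MASQed packets pass

    # Loopback and the internal LAN talk to the server without restriction.
    run ipchains -A input  -i lo -j ACCEPT
    run ipchains -A output -i lo -j ACCEPT
    run ipchains -A input  -i "$INTIF" -s "$INTNET" -j ACCEPT
    run ipchains -A output -i "$INTIF" -d "$INTNET" -j ACCEPT

    # Anti-spoofing: LAN or loopback source addresses must never arrive on the
    # external interface; -l logs each attempt to syslog for the administrator.
    run ipchains -A input -i "$EXTIF" -s "$INTNET"   -l -j DENY
    run ipchains -A input -i "$EXTIF" -s 127.0.0.0/8 -l -j DENY

    # Replies to masqueraded connections come back to high ports on EXTIP.
    # "! -y" refuses new TCP connections (SYN) from outside on those ports.
    run ipchains -A input -i "$EXTIF" -p tcp ! -y -d "$EXTIP" 1024:65535 -j ACCEPT
    run ipchains -A input -i "$EXTIF" -p udp      -d "$EXTIP" 1024:65535 -j ACCEPT
    run ipchains -A input -i "$EXTIF" -p icmp     -d "$EXTIP"            -j ACCEPT
    run ipchains -A output -i "$EXTIF" -s "$EXTIP" -j ACCEPT

    # The single rule that implements 1:Many NAT: packets leaving the LAN for
    # anywhere except the LAN itself are rewritten to carry EXTIP as source.
    run ipchains -A forward -i "$EXTIF" -s "$INTNET" -d ! "$INTNET" -j MASQ

    # Log and drop everything that no earlier rule accepted.
    run ipchains -A input   -l -j DENY
    run ipchains -A output  -l -j DENY
    run ipchains -A forward -l -j DENY
}

# IP port forwarding: publish an internal server through the external address.
# The ACCEPT is inserted (-I) at the head of the input chain; appending it
# would place it after the catch-all DENY and it would never match.
# Usage: forward_port tcp 80 192.168.1.10 80   (192.168.1.10 is a made-up host)
forward_port() {
    run ipchains -I input -i "$EXTIF" -p "$1" -d "$EXTIP" "$2" -j ACCEPT
    run ipmasqadm portfw -a -P "$1" -L "$EXTIP" "$2" -R "$3" "$4"
}

case "${1:-}" in
    apply)  load_masq_modules; apply_masq_rules ;;
    review) DRY_RUN=1; load_masq_modules; apply_masq_rules ;;
esac
```

Run it as `sh masq.sh review` to print the rules, and `sh masq.sh apply` as root to load them. The three `-l -j DENY` catch-alls are what give the logging the article mentions: every packet that reaches them is recorded by the kernel log, so probing from outside shows up in syslog.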
So who doesn't need IP Masq? Well, if you don't have a LAN, you don't need it. Also, if you're lucky enough to have your very own TCP/IP subnet (a group of TCP/IP addresses), you're probably okay too. If you should happen to belong to this latter class of privileged users, you can simply set up TCP/IP routing using your plenitude of addresses and be done with it.
Alternatives
There are a number of alternatives to IP Masq. On the Microsoft Windows 9x/NT front, you can use programs like Wingate, WinRoute, NAT32, and several others. On the DOS front, there is IProute, and on the network router side, almost all router vendors provide similar services. Now, almost all of these solutions cost money; and they may not do everything you want. It is important to note that some of these are proxy servers, while others, like IP Masq, are NAT servers.
Proxy servers are essentially stopping points for network traffic. In some respects, proxy servers provide greater security than conventional servers since internal traffic doesn't pass directly to an outside machine. Instead, packets are terminated locally and then re-created on the proxy server, which sends them to the final destination.
One of the great benefits of proxies is that you can use them for caching. For example, imagine that you have several internal users going to the same Web sites. A caching proxy server will take the first downloads of the more popular Web pages and store them on its hard drive. When other internal computers try to load that same page, the caching proxy server will realize that it has this information and serve the pages from its local hard drive. This system can both reduce the load on the external Internet connection and speed up Web access.
But proxy servers aren't perfect. To use them, all of your internal hosts must be "proxy savvy." This means that all of the network applications on all of your internal machines must be reconfigured to use the proxy server.
A NAT, or Network Address Translation server, is more of a packet re-writing and routing service than a stopping point for network traffic. A NAT server will examine packets from the internal network and route them to the Internet if need be. To do this, the NAT server edits each TCP/IP packet, changing the source TCP/IP addresses and port numbers. As it does this, it records this "translation" in a table so that when the packets return, it knows where to redirect them. Though it's commonly believed that NAT serving is a bandwidth-intensive process, the truth of the matter is that the slowest 486-class machines can saturate a 1.54 Mb/s T1 connection.
Typically, a NAT server maps one external IP address to one internal IP address, providing 1:1 NAT. With NAT, you'll need several external TCP/IP addresses for several internal hosts. As I mentioned earlier, IP Masq is 1:Many NAT, which means that it needs only one external IP address, no matter how many internal machines it happens to be hosting.
One problem with commercial solutions is that they tend to sacrifice security for ease of use. Many of these solutions will expose your internal machines to packets from the Internet. Older versions of WinGate, for example, had some bad default settings, designed to make it easier to use. But they let spammers use WinGate's SMTP proxy server as a spam relay. This default relaying mode has since been fixed.
Another issue is application support. While most of these solutions support basic services like FTP, POP3, and FTP, some of them don't work with games or provide external access to internal servers. I've found that this last issue is the most critical for first-time NAT or proxy users. Unless it works for them, they won't have much interest in the solution.