Trevor's View

The Firewall Masquerade
Also: Choosing Modem Cards; Using Two Dial-Up Lines

By Trevor Marshall

July 19, 1999

Whenever you connect to the Internet, you are establishing a two-way connection between yourself and millions of other computer users. No matter what type of computer you use, there are always potential security holes in the operating system or application code, configurations, etc., that might allow others to compromise your data integrity. But when you implement a firewall, you make it very difficult for anybody to hack into your system and crack it.

A firewall gives you increased safety. In a car, for example, the firewall protects the occupants from the engine compartment. An Internet firewall protects the browsing computer(s) from prying eyes on the network itself. It allows you to freely browse the servers on the Internet while making it very difficult for anybody to look back at your computer through the network connection.

Firewalls can be implemented with varying levels of security. With Linux you can implement as much, or as little, security as you need because there is a very wide range of firewall software available. The most complex of these provide an almost impenetrable level of security, but Linux also has a very simple technique called "masquerading" built right into the kernel itself that offers a level of protection good enough to deter all but the most concerted cracking attack, because the machines behind it are never directly reachable from the Internet. The masquerading machine itself is still an Internet host, though, and whatever it runs is what an attacker gets to see.

In my May 10th column, Linux Makes It Easy To Build Your Own Internet Server, I explained how IP addresses are used to identify all the computers on the Internet. When we dial onto the Internet, our computer is assigned an IP that allows others to send data back to it. A cracker needs that same IP to reach the data on your computer. Masquerading is a method Linux uses to hide your IP from the network.

There are some blocks of IP addresses reserved for private networks (10.X.X.X, 172.16.X.X through 172.31.X.X, and 192.168.X.X) that the Internet backbone routers will not carry. The IP of my own Windows machine is 192.168.1.127, but if you type that into your browser you will get nothing back. This is because the IP block 192.168.X.X is not routed on the Internet backbone. There are countless other computers out there on intranets that use this same IP address, but you can't hack or crack them either, because nothing you send can reach them.

So the solution to Internet security would seem simple. Choose an IP address for your computer that nobody else can access, and everything will be fine. Wrong. When you browse the Internet, you need the servers to be able to send data back to you, or there will be nothing to display on your screen. And they can only send data to valid, publicly routable IP addresses, the ones the Internet backbone knows how to reach.

Masquerading is a sophisticated solution to this dilemma. When you have a Linux computer set up to perform IP masquerading, it sits between the two networks, internal and external, routes packets from one to the other, and rewrites the IP addresses from internal to external and vice versa as it does so. Masquerading is Linux's name for one form of NAT, Network Address Translation: the form that also rewrites port numbers, so that many internal machines can share a single external address.

But masquerading is actually a little more complex than that. Typically, a Masquerading server is set up with two networks. If you access the Internet using an analog dial-up modem, then this is one of the networks. Your internal network will usually be based on an Ethernet card. This is the second network. If you use a DSL modem or a cable modem, then you will have a second Ethernet card instead of the analog modem. Linux can handle separate IPs for each of these networks.


Diagram


So, if you use a Windows computer at 192.168.1.25 on the second (Ethernet eth1) network to access a cable modem at 207.176.253.15 on the Internet (Ethernet eth0), the Linux masquerade module intercepts every TCP/IP request packet that comes from your browser and replaces the local source address, 192.168.1.25, with the real address, 207.176.253.15. It also replaces the source port number with one of its own, and records in a table which internal address and port that new port stands for.

Then, when the server responds to 207.176.253.15 with the data that you requested, Linux automatically intercepts the incoming packets, looks up the port they are addressed to in that table, and re-writes the correct 192.168.1.25 address and port into them. A packet that arrives from the Internet matching no table entry, one nobody inside asked for, has no internal machine to be forwarded to, and that is where the protection comes from.

Linux can even handle multiple local computers at, for example, 192.168.1.25 and 192.168.1.34, and handle the packets from each without confusion, because every connection has been given its own port on the external address. My old 486 running SlackWare Linux has had four Windows machines sending data to the cable modem through it without any discernible slowing.
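The translation table behaviour described above, as a toy model added here for illustration. It is Python written for this page, not the kernel's ip_masq code and not anything from the column. It assumes the 192.168.1.0/24 masquerade rule and the 600/30/120 second timeouts from the ipfwadm commands given in the setup below, and assumes a high external port range of 61000 to 65095 for the rewritten source ports; the 198.51.100.x and 203.0.113.x addresses are constructed test data.

```python
"""Toy model of Linux IP masquerading (NAPT): an added illustration, not the
kernel's ip_masq code.  Packets from 192.168.1.0/24 leave with the gateway's
address and a port of the gateway's own; replies are mapped back by that port;
anything from the Internet with no table entry is not forwarded."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXTERNAL_IP = "207.175.253.15"                # eth0 (cable modem) address from the column
MASQ_SOURCE = ip_network("192.168.1.0/24")    # the '-S 192.168.1.0/24' masquerade rule
TIMEOUTS = {"tcp": 600, "tcpfin": 30, "udp": 120}  # ipfwadm -M -s <tcp> <tcpfin> <udp>
PORT_RANGE = range(61000, 65096)              # assumed: external ports used for masquerading

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False   # TCP FIN seen: entry drops to the short tcpfin timeout

@dataclass
class Entry:            # one masqueraded connection: internal 5-tuple and its external port
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    mport: int
    expires: float
    state: str = "open"

    def touch(self, now, fin):
        if fin:
            self.state = "fin"
        self.expires = now + TIMEOUTS["tcpfin" if self.state == "fin" else self.proto]

class Masquerader:
    def __init__(self, external_ip=EXTERNAL_IP, masq_source=MASQ_SOURCE):
        self.external_ip = external_ip
        self.masq_source = masq_source
        self.table = {}                  # (proto, external port) -> Entry
        self._ports = iter(PORT_RANGE)

    def _expire(self, now):
        for key, entry in list(self.table.items()):
            if entry.expires <= now:
                del self.table[key]

    def forward_out(self, pkt, now):
        """Packet from eth1 bound for the Internet: rewrite it, or None if the deny policy drops it."""
        self._expire(now)
        if ip_address(pkt.src) not in self.masq_source:
            return None                  # no 'm' rule matches, and the -F policy is deny
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = next((e for e in self.table.values()
                      if (e.proto, e.src, e.sport, e.dst, e.dport) == key), None)
        if entry is None:                # new connection: give it its own external port
            mport = next(self._ports)
            entry = Entry(*key, mport=mport, expires=0.0)
            self.table[(pkt.proto, mport)] = entry
        entry.touch(now, pkt.fin)
        return Packet(pkt.proto, self.external_ip, entry.mport, pkt.dst, pkt.dport, pkt.fin)

    def forward_in(self, pkt, now):
        """Packet from eth0: only a reply matching a live entry (port and remote end) is forwarded."""
        self._expire(now)
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None or (entry.dst, entry.dport) != (pkt.src, pkt.sport):
            return None                  # unsolicited: no inside machine to go to
        entry.touch(now, pkt.fin)
        return Packet(pkt.proto, pkt.src, pkt.sport, entry.src, entry.sport, pkt.fin)

def demo():
    """Run the column's scenarios through the model; each result is a packet or None."""
    gw, web = Masquerader(), "198.51.100.7"
    # two Windows boxes that happen to pick the same local port 1025
    a = gw.forward_out(Packet("tcp", "192.168.1.25", 1025, web, 80), now=0)
    b = gw.forward_out(Packet("tcp", "192.168.1.34", 1025, web, 80), now=1)
    # the server answers b; the external port tells the gateway which box it was
    reply_b = gw.forward_in(Packet("tcp", web, 80, EXTERNAL_IP, b.sport), now=2)
    # an outsider probes the gateway's port 139: no entry, nothing forwarded
    probe = gw.forward_in(Packet("tcp", "203.0.113.9", 4444, EXTERNAL_IP, 139), now=2)
    # a source outside 192.168.1.0/24 matches no masquerade rule: denied
    spoof = gw.forward_out(Packet("tcp", "10.0.0.5", 1025, web, 80), now=2)
    # a UDP entry idles out after 120 s, so a reply arriving at 124 s is too late
    dns = gw.forward_out(Packet("udp", "192.168.1.25", 5000, "198.51.100.53", 53), now=3)
    late = gw.forward_in(Packet("udp", "198.51.100.53", 53, EXTERNAL_IP, dns.sport), now=124)
    # after the inside host's FIN the TCP entry only lives another 30 s
    gw.forward_out(Packet("tcp", "192.168.1.25", 1025, web, 80, fin=True), now=130)
    fin_ack = gw.forward_in(Packet("tcp", web, 80, EXTERNAL_IP, a.sport), now=135)
    after_fin = gw.forward_in(Packet("tcp", web, 80, EXTERNAL_IP, a.sport), now=170)
    return {"a": a, "b": b, "reply_b": reply_b, "probe": probe, "spoof": spoof,
            "late_udp": late, "fin_ack": fin_ack, "after_fin": after_fin}

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, "not forwarded" if pkt is None else pkt)
```

Two things the model makes visible that the prose only states: the two internal machines both use local port 1025 and are still told apart, because the gateway keys its table on the external port it handed out, not on the internal port; and an entry that has gone idle past its timeout is gone, so a late reply to it goes nowhere, which is what the three numbers in the ipfwadm -M -s command control.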

In the 2.0 kernels, masquerading was handled by the IP forwarding administration tool IPFWADM (IP fw adm). The 2.2 kernels provide the faster and more sophisticated IPCHAINS, but also provide an IPFWADM wrapper for backward compatibility, so I am going to explain how to set up masquerading using IPFWADM. (A description of how to use IPCHAINS is at this URL and more detailed explanations of masquerading can be found at this URL.)

You will need special masquerading modules to handle the non-standard packets from RealAudio and CU-SeeMe, for example, because those protocols open extra connections that plain address rewriting cannot follow; in the 2.0 and 2.2 kernels these are ip_masq_raudio and ip_masq_cuseeme, and active-mode FTP needs ip_masq_ftp for the same reason. These can be obtained via the links above.

My server is set up with two Ethernet cards, which are placed at eth0 and eth1 by the kernel bootup process. They are both SN2000 type "jumperless" ISA devices that cost me about $20, and most Linux kernels seem to recognize them. My Ethernet initialization is done in the file rc.inet1, which contains the commands:

IPADDR="207.175.253.15"
# REPLACE with YOUR CABLE MODEM IP address!

NETMASK="255.255.255.0"
# your netmask!

NETWORK="207.175.253.0"
# REPLACE with YOUR network address!

BROADCAST="207.175.253.255"
# REPLACE with YOUR broadcast address!

GATEWAY="207.175.253.254"
# REPLACE with YOUR gateway address!

# Configure the cable modem Ethernet card with the above macros

/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}

# Set up your IP routing table: the local cable segment first, then the
# default route out through the cable company's gateway (without the
# default route the server can reach the cable segment but nothing beyond it)

/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0
/sbin/route add default gw ${GATEWAY} eth0

# Set up the intranet Ethernet card eth1 without macro commands

/sbin/ifconfig eth1 192.168.1.254 broadcast 192.168.1.255 netmask 255.255.255.0
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 eth1

# Let the kernel forward packets between the two cards
# (2.2 kernels leave forwarding off until told otherwise; on 2.0 this does no harm)

echo 1 > /proc/sys/net/ipv4/ip_forward

# Now set up the IP firewall administration (ipfwadm)

# Deny all forwarding other than what the rules below allow
/sbin/ipfwadm -F -p deny

# Turn on masquerading for everything forwarded from 192.168.1.X to anywhere
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0

# Idle timeouts, in seconds, for masqueraded TCP, TCP-after-FIN and UDP entries
/sbin/ipfwadm -M -s 600 30 120

And That's It!
Your masquerading will now be up and running. You can check it: /sbin/ipfwadm -F -l lists the forwarding rules you just installed, and /sbin/ipfwadm -M -l lists the connections currently being masqueraded, so browse from one of the 192.168.1.X machines and watch the entries appear. One caveat: the -F rules only govern packets forwarded between the two cards. Anything listening on the Linux box itself (telnet, FTP, a Web server, Samba) is still reachable from the cable modem side unless you shut it off or block it with input (-I) rules, so the gateway is the one machine on your network that stays exposed. For more details please read the HOWTOs referenced above, or the simpler MINI HOWTO at this URL. A detailed explanation of the high-security firewall techniques is available at this URL.

Over the last six months, there has been a precipitous drop in the price of analog 56K modems. But most of these new modems have cut costs by eliminating the control microprocessor from the modem card and doing its work in a Windows driver instead, which places an extra load on your main Pentium CPU. Linux does not support these "WinModem" cards.

Of course, there are Linux kernel gurus out there capable of writing drivers for WinModem cards. But they are also smart enough to realize that saving $10 on a modem card is not a good idea when the performance from your main CPU is degraded as a result.

Make sure you choose modem cards for Linux that have jumper blocks to select COM1, COM2, COM3, and COM4. These will be self-contained modems and will work fine with Linux. A full list of cards known to be compatible with Linux is maintained at this URL.

Plug-And-Play Modem Problems
While I was researching this article, I spent some time playing with different varieties of modem cards. Linux supports plug-and-play devices, so I bought a jumperless modem manufactured by Amjet (it was cheap -- what can I say?) and found yet another "gotcha" to add to the confusion.

The PC clone I am using on this project is an old 486 machine with an AMI BIOS circa 1994. After plugging in the plug-and-play modem card, the machine refused to boot, announcing "primary hard disk failure". A little more debugging showed the plug-and-play BIOS was allocating interrupt 15 to the modem, an interrupt usually reserved for servicing the hard disk controller. So I gave up the idea of using plug-and-play products on old computers; it isn't worth the hassle. Insist on seeing those jumper blocks for COM1 to COM4 before you buy your modem.

Several questions have been posted on my bulletin board asking if it is possible to use multiple ISPs to improve your Internet connection.

A particular case of this is the so-called 128K ISDN modem (strictly a terminal adapter), which actually uses two separate B channels running at once, 64K each on most switches (56K on some older ones). When an ISP provides you with an ISDN hookup, you are actually given two separate lines bundled, using Multilink PPP, onto the one IP.

You see, although there are modules for Linux (such as EQL) that let two modem cards be operated simultaneously in your computer, this is only useful for outbound data unless your ISP has provided you with one IP to serve both dial-in connections.

If you call a normal ISP dial-in PPP line, you are given an IP address so that return packets from the servers can find you amongst the millions of other computers out there. Each time you dial into an ISP you are normally given a different IP, allocated from the ISP's pool to that dial-in connection only.

When your browser sends out request packets, each carries the return IP address to which the servers should reply. EQL can distribute these outgoing packets across several ISP lines, but the replies will all come back to only the one IP address, the one that your browser thinks it is operating at, so the other lines carry nothing inbound. With an ISDN hook-up, the ISP has anticipated this problem and provided the fix by bundling both channels onto one IP. A few ISPs provide fixed IP multiline dial-up connections, but they are very expensive.

In your quest for speed do not overlook the efficiency of the Linux firewall. At work I have half a dozen users connected through a masquerading firewall to a single 56K analog modem. It works surprisingly well, slowing down only when someone is doing a large download. Before you decide you need multiple ISP connections, first set up a masquerading server. Windows does not handle packets with multiple IPs very efficiently, and the isolation of your Windows network from your modem may give you a performance increase that will surprise you (read here the usual disclaimers about varying mileage, etc.).

Upcoming Topics
The Linux Router Project has just released a masquerading server that will boot from just a floppy. A slightly larger disk will also carry a small Web server. I will try this out and report my observations.

A wide variety of emulators are becoming available for Linux these days. But just how well do they work? Can you really play Sega GameGear on a Linux box using an emulator? Upcoming columns will look at these emulators, what they do, and what they don't do.


Trevor Marshall is an engineering management consultant, with interests ranging from RF and Hardware design to Linux internals, Internet infrastructure, MPEG, and Digital Video. He started his career in the '70s, designing the Maplin Electronic Music Synthesizers. When the Microcomputer came along, he got sidetracked into computer software, programming the 2650, 8080, Z80, Z8000, 8048, 8306, 6805, 80x86, and Power PC families. Along the way, he also picked up a little expertise in RF system design, biomedical engineering, and the printing industry. His web site is www.trevormarshall.com.


A list of all 75 papers Trevor has published is available at this link.


All information published at this website is (C)Copyright 1995-2003 Trevor G Marshall.
Link to "Trevors View" image Copyright (C) 1999-2003 CMP Media Inc
All rights are expressly reserved.
