Note: If you're interested in setting up cable modems, or seeing some
example linux commands, see my cable modems page.
This is my current understanding of IP masquerading. First, here's
why you'd want it.
At home you have a small network of machines. One of the machines
is connected to the internet, either by a 28.8 modem, cable modem,
or whatever.
You want to be able to run 'ftp' or 'netscape' from any of the
machines on your LAN, to access the internet. You decide to make
the internet machine a packet forwarder, and set up all the other
machines to use it as their default gateway, in the hope that this will work.
But it doesn't work, because your ISP only assigns you one IP address
at a time. All your other machines are using private IP addresses
like 192.168.10.2 (the 192.168.0.0/16 block is reserved by RFC 1918
for use inside private networks and is never routed on the Internet),
and therefore they all hang when they try to access the internet.
Your ISP assigns that one machine an IP number which is a 'legal'
(publicly routable) address, guaranteed to be reachable from anywhere
on the Internet. All your other hosts are using private IP numbers like
192.168.10.2 which are not valid on the Internet.
This is why you can only use the one machine to connect to the internet;
even though all your other machines are networked together, only the
machine with the valid internet address can directly access the net.
Before diving into an example of why this is so, you need to understand
first what a 'packet' is:
All computer networking uses 'packets'. They are much like
paper envelopes in many ways; they have a To: and From: address,
and the envelopes can contain just about anything, as long as it
fits in the envelope.
Any kind of data can be broken up into 'pieces' small enough to
fit into one packet (envelope), and each is individually addressed
with a 'To' and 'From' address.
Nuff said.
PING EXAMPLE
------------
Here's why things don't work if you try to 'ping' yahoo.com from one
of your other LAN hosts, attempting to use a 'simple gateway'. Then
we'll show later what happens when you USE ip masquerade to fix it.
Let's assume the LAN host in question has the IP number 192.168.10.2,
and it is connected to your internet gateway host via ethernet.
In this case, the gateway is configured to just copy packets
between your LAN and the Internet.
When you ping yahoo.com from your LAN host, it creates a packet
whose From and To addresses look like:
From: 192.168.10.2
To: 204.71.177.35 (yahoo.com)
The packet hits your LAN's ethernet cable, where it is picked off
the gateway's ethernet card by the gateway operating system, and
is then forwarded out to the internet through the gateway's modem,
and on out to yahoo.com. Sounds good so far; we're reaching yahoo.
yahoo.com sees the packet, and attempts to respond with an
'echo reply' packet.
To do this, it just swaps the To and From addresses, and sends
the packet back on to the Internet as a packet that looks like:
From: 204.71.177.35 (yahoo.com)
To: 192.168.10.2
..but as soon as that packet hits the net, it has nowhere to go,
because 192.168.10.2 is a private address; no router on the internet
carries a route to 192.168.10.2 (and any number of other private LANs
may be using that very same number). So the packet is dropped because
it can't be routed back.
This is sort of like sending someone a letter with a fake return
address, and telling them to respond to your letter. Can't be done.
Although it seems as if the Post Office should be able to help them
with the reply (the Post Office did after all deliver the original
letter), the Post Office doesn't keep track of where the letter came
from. If the return address on the letter is wrong, the Post Office
won't know or care; they've got too many other things to do.
IP masquerading fixes this problem. Consider the same example, but where
the gateway does IP masquerading:
When you ping yahoo.com, your LAN host creates a packet whose
From and To addresses look the same as our previous example:
From: 192.168.10.2
To: 204.71.177.35 (yahoo.com)
The packet hits your LAN's ethernet, where it is again picked off
by your gateway machine's ethernet card, and here's where things are
different.
The gateway, when configured for IP masquerade, knows to do the
following to any packets bound for the internet that arrive on the
ethernet interface.
It strips off the 'From' address from the packet, and replaces it
with the gateway's own 'legal' ip address, so the packet now looks
like:
From: 200.0.0.1 (gateway's own ip address)
To: 204.71.177.35 (yahoo.com)
..the packet now looks like it's something emanating from the
gateway machine itself. The gateway then sends this modified
packet out to the internet, where it reaches yahoo.com.
Now, yahoo responds with an echo packet that looks like:
From: 204.71.177.35 (yahoo.com)
To: 200.0.0.1 (your gateway)
This packet will arrive at your gateway. The gateway, having
previously made note of the fact that one of your LAN hosts sent this
ping (it recorded the LAN host's address, along with the ping's
identifier, when the outgoing packet went by), realizes the packet
should be re-addressed to the LAN host.
So it strips off the 'To' ip address, and replaces it with the
LAN host's ip address '192.168.10.2', so now the packet looks like:
From: 204.71.177.35 (yahoo.com)
To: 192.168.10.2
..the gateway then forwards the packet to your LAN's network,
where it's picked up by your LAN host as a ping response packet
from yahoo.com. Neither yahoo.com nor your LAN host are aware
of the fact your gateway is doing all this re-addressing.
A pretty neat trick. Basically, with a little extra bookkeeping, your
gateway is making your entire LAN look like a single busy host.
For TCP and UDP the bookkeeping is done per connection: the gateway
also rewrites the source port, so that replies for two LAN hosts that
happen to use the same port can be told apart. One side effect worth
knowing about: the table only ever gets entries for traffic your LAN
hosts started, so a packet arriving from the Internet that matches no
entry is simply dropped, which means nobody outside can directly reach
a masqueraded LAN host. That's a convenience, not a firewall; the
gateway itself is still fully exposed.
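Here is the whole story above as a small simulation, added here as an
illustration and not code from the original page: a 'simple gateway' that
copies the ping out unchanged (the reply to 192.168.10.2 goes nowhere) next
to a masquerading gateway that rewrites the From address and keeps the
bookkeeping table needed to send yahoo's reply back to the right LAN host.
The addresses are the ones used in the text; the second LAN host
192.168.10.3, the identifier numbers, and the Masquerader class itself are
assumptions made for the example. It goes one step beyond the text by
showing why the gateway must also rewrite the identifier: two LAN hosts
that both ping with identifier 1 would otherwise be indistinguishable.

```python
"""Toy model of the two gateways in the article: a plain packet forwarder
and an IP masquerading gateway.  Addresses are the article's; the second
LAN host (192.168.10.3) and the identifier numbers are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LAN_HOST_A = "192.168.10.2"      # from the article
LAN_HOST_B = "192.168.10.3"      # assumed second LAN host
GATEWAY_PUBLIC = "200.0.0.1"     # article's stand-in for the gateway's ISP address
YAHOO = "204.71.177.35"          # yahoo.com's address as given in the article


@dataclass(frozen=True)
class Packet:
    """The 'envelope': From, To, plus the one field a gateway uses to tell two
    conversations apart.  For a ping that is the ICMP echo identifier; for
    TCP/UDP it would be the source port."""
    src: str
    dst: str
    ident: int


def routable_on_internet(ip: str) -> bool:
    """True for a public address; False for RFC 1918 private space such as
    192.168.0.0/16, which no Internet router carries a route for."""
    return ipaddress.ip_address(ip).is_global


def echo_reply(request: Packet) -> Packet:
    """What yahoo.com does: swap From and To, keep the identifier."""
    return Packet(src=request.dst, dst=request.src, ident=request.ident)


def ping_via_simple_gateway(lan_ip: str) -> Optional[Packet]:
    """The first example: the gateway copies the packet out unchanged.
    Returns the reply as the LAN host would see it, or None if it never
    comes back."""
    request = Packet(src=lan_ip, dst=YAHOO, ident=1)   # forwarded as-is
    reply = echo_reply(request)
    # The reply is addressed to a private number; the Internet drops it.
    return reply if routable_on_internet(reply.dst) else None


class Masquerader:
    """The bookkeeping of a masquerading gateway: a table from
    (LAN host, its identifier) to the identifier used on the outside, and
    the reverse table for replies."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.out_table: Dict[Tuple[str, int], int] = {}
        self.in_table: Dict[int, Tuple[str, int]] = {}
        self.next_ident = 60000   # assumed: where rewritten identifiers start

    def outbound(self, p: Packet) -> Packet:
        """Rewrite From to the gateway's own address, remembering who sent it."""
        key = (p.src, p.ident)
        if key not in self.out_table:
            # Hand out a fresh outside identifier so two LAN hosts that happen
            # to pick the same ident (both pinging with id 1) don't collide.
            outside = self.next_ident
            self.next_ident += 1
            self.out_table[key] = outside
            self.in_table[outside] = key
        return Packet(src=self.public_ip, dst=p.dst, ident=self.out_table[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite To back to the LAN host that started the conversation.
        A packet matching no table entry (nobody on the LAN sent anything it
        could be a reply to) is dropped: return None."""
        if p.dst != self.public_ip or p.ident not in self.in_table:
            return None
        lan_ip, lan_ident = self.in_table[p.ident]
        return Packet(src=p.src, dst=lan_ip, ident=lan_ident)


def ping_via_masquerade(gw: Masquerader, lan_ip: str, ident: int = 1) -> Optional[Packet]:
    """The second example: LAN host -> gateway -> yahoo -> gateway -> LAN host."""
    outside = gw.outbound(Packet(src=lan_ip, dst=YAHOO, ident=ident))
    if not routable_on_internet(outside.src):
        return None              # would mean the rewrite failed; never happens here
    reply = echo_reply(outside)  # yahoo answers the gateway's public address
    return gw.inbound(reply)


def two_hosts_same_ident(gw: Masquerader) -> Tuple[Optional[Packet], Optional[Packet]]:
    """Both LAN hosts ping with identifier 1; each must get its own reply."""
    return ping_via_masquerade(gw, LAN_HOST_A, 1), ping_via_masquerade(gw, LAN_HOST_B, 1)


if __name__ == "__main__":
    print("simple gateway reply:", ping_via_simple_gateway(LAN_HOST_A))
    gw = Masquerader(GATEWAY_PUBLIC)
    print("masqueraded replies:", two_hosts_same_ident(gw))
    print("unsolicited packet:", gw.inbound(Packet(YAHOO, GATEWAY_PUBLIC, 7)))
```

Run it and the simple gateway's ping comes back as None, both masqueraded
hosts get a reply addressed to themselves with their original identifier,
and a packet from the Internet that matches no table entry is dropped. A
real Linux gateway keeps this table in the kernel, and for TCP/UDP the
'ident' column is the rewritten source port.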
© Copyright 1997, Greg Ercolano. All rights reserved.