Specifications
C
Network Security
Note
Make sure that both the broadcast addresses and the network masks
are the same for all the hosts when configuring your network.
Note
As soon as one of the hosts sends a packet destined for an Internet address,
this packet is sent to the network’s default router. The router needs to be
configured to actually forward such packets. SuSE Linux does not enable this
with a default installation for security reasons. Set the variable IP_FORWARD,
defined in the file /etc/rc.config, to IP_FORWARD=yes. The forwarding
mechanism is enabled after rebooting or issuing this command:
earth:~ # echo 1 > /proc/sys/net/ipv4/ip_forward
You can check the current state at any time by reading the same file
(cat /proc/sys/net/ipv4/ip_forward); it prints 1 when forwarding is on.
This is where masquerading begins. The router has only one IP address visible
from the outside (in our example, the address of the ISDN interface after
dial-up). The source address of an outgoing packet must be replaced with the
router's own address before it is sent out over the external network interface.
If the router did not replace the source address, the receiving end would have
no way to reply. This is especially the case if you are using the 192.168.x.x
address range: although it is a valid set of IP addresses, it is reserved for
private networks and is not forwarded by any of the Internet's routers, so a
reply to such a source address would never get back to you.
The target host at the other end of the link only knows your router, not the
host in your internal network that sent the packet. Your internal host disguises
itself behind the router, which is why the technique is called "masquerading".
The router will consequently be the destination of any reply packets. Therefore,
it has to identify the incoming packets, change the target address back to the
intended recipient, and forward them to that host in the local network.
The identification of packets belonging to a connection handled by a
masquerading router is done with the help of a table that is kept in the kernel
of your router as long as the connection is active (entries of connections that
have gone quiet are removed after a timeout). As superuser (root) you can view
this table: on 2.2 kernels with ipchains (ipchains -M -L), on 2.4 kernels by
reading /proc/net/ip_conntrack, the connection tracking table that iptables
relies on. Read the man pages for these commands for detailed instructions. For
the identification of a single masqueraded connection not only the source and
target addresses are relevant, but also the port numbers and the protocol
involved. With this method, your router is capable of hiding many thousand
connections per internal host simultaneously.
With the routing of inbound traffic depending on the masquerading table, there
is no way to open a connection to some internal host from the outside: a packet
arriving on the external interface that matches no table entry is simply
dropped by the router. Only a port-forwarding rule configured explicitly on the
router changes this.
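The mechanism described in the last three paragraphs, as an added example that is not part of the SuSE manual: a small model of a masquerading router with the kind of table the kernel keeps. Outbound packets get the router's external address as source, replies are matched on protocol, remote address, remote port and masqueraded port, and an inbound packet with no table entry is dropped. The addresses (taken from the documentation ranges 192.168.0.0/24, 198.51.100.0/24, 203.0.113.0/24), the port pool and the packet layout are constructed for this example and do not reflect any particular kernel's implementation.

```python
"""Toy model of a masquerading router and its connection table.

Constructed example; not the SuSE manual's code and not the kernel's
algorithm.  It reproduces the behaviour the text describes so that the
table lookups can be followed step by step.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"; the protocol is part of the table key
    src: str
    sport: int
    dst: str
    dport: int


class MasqueradingRouter:
    # Port range handed out when a host's own source port is already in use
    # towards the same remote endpoint.  Constructed for this model.
    POOL_LOW, POOL_HIGH = 61000, 61999

    def __init__(self, external_ip: str, internal_prefix: str = "192.168.0.") -> None:
        self.external_ip = external_ip          # the only address visible outside
        self.internal_prefix = internal_prefix  # assumed internal network
        # Outbound: full 5-tuple of the original packet -> port used on the outside.
        self.out_table: Dict[Tuple[str, str, int, str, int], int] = {}
        # Inbound: (proto, remote ip, remote port, masqueraded port) -> (host, port).
        self.in_table: Dict[Tuple[str, str, int, int], Tuple[str, int]] = {}
        self.next_pool_port = self.POOL_LOW

    def is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def _pick_port(self, proto: str, dst: str, dport: int, sport: int) -> int:
        # Keep the host's own source port unless another masqueraded connection
        # to the same remote endpoint already uses it; then take one from the pool.
        if (proto, dst, dport, sport) not in self.in_table:
            return sport
        while self.next_pool_port <= self.POOL_HIGH:
            port = self.next_pool_port
            self.next_pool_port += 1
            if (proto, dst, dport, port) not in self.in_table:
                return port
        raise RuntimeError("masquerading port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the internal network and record the mapping."""
        if not self.is_internal(pkt.src) or self.is_internal(pkt.dst):
            return pkt  # local traffic, or not ours to masquerade: forward as is
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_table.get(key)
        if port is None:  # first packet of this connection: create the entry
            port = self._pick_port(pkt.proto, pkt.dst, pkt.dport, pkt.sport)
            self.out_table[key] = port
            self.in_table[(pkt.proto, pkt.dst, pkt.dport, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving from outside back to the internal host.

        Returns None (packet dropped) when no table entry claims it, which is
        why nobody outside can open a connection to an internal host."""
        if pkt.dst != self.external_ip:
            return None
        target = self.in_table.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if target is None:
            return None  # unsolicited: no internal host asked for this
        host, port = target
        return replace(pkt, dst=host, dport=port)

    def active_connections(self) -> int:
        return len(self.out_table)


if __name__ == "__main__":
    r = MasqueradingRouter("198.51.100.7")
    # Two internal hosts happen to use the same source port towards one server.
    for p in (Packet("tcp", "192.168.0.10", 1025, "203.0.113.80", 80),
              Packet("tcp", "192.168.0.11", 1025, "203.0.113.80", 80)):
        print("out:", p, "->", r.outbound(p))
    print("reply:", r.inbound(Packet("tcp", "203.0.113.80", 80, "198.51.100.7", 61000)))
    print("unsolicited:", r.inbound(Packet("tcp", "203.0.113.80", 4444, "198.51.100.7", 22)))
```

The second host's connection is told apart from the first only by the masqueraded port the router assigned, and a UDP packet with the same addresses and ports as an existing TCP entry is a separate connection, which is the point the manual makes about ports and protocols being part of the identification.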
SuSE Linux – Firewall on CD2