Friday, September 4, 2009

IP Masquerade and Network Address Translation (NAT)

If we want to connect multiple computers to the Internet using a single public IP address, masquerading (a form of NAT) is what makes it possible.

NAT describes the process of modifying the network addresses contained within datagram headers while they are in transit. IP masquerade is the name given to one type of network address translation that allows all of the hosts on a private network to use the Internet at the price of a single IP address.

IP masquerading allows you to use a private (reserved) IP network address on your LAN and have your Linux-based router perform some clever, real-time translation of IP addresses and ports. When it receives a datagram from a computer on the LAN, it takes note of the type of datagram it is, “TCP,” “UDP,” “ICMP,” etc., and modifies the datagram so that it looks like it was generated by the router machine itself (and remembers that it has done so). It then transmits the datagram onto the Internet with its single connected IP address. When the destination host receives this datagram, it believes the datagram has come from the routing host and sends any reply datagrams back to that address. When the Linux masquerade router receives a datagram from its Internet connection, it looks in its table of established masqueraded connections to see if this datagram actually belongs to a computer on the LAN, and if it does, it reverses the modification it did on the forward path and transmits the datagram to the LAN computer.
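The translation described above, modelled as an added Python example (not code from the original post): a small "table of established masqueraded connections" keyed on the protocol plus both endpoints, the way Linux connection tracking keys a masqueraded flow, so that only a genuine reply from the contacted peer is forwarded back into the LAN. Addresses and ports are constructed sample values; ICMP is left out.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Model of the router's table of established masqueraded connections."""

    def __init__(self, public_ip, first_port=32768):
        self.public_ip = public_ip      # the router's single Internet address
        self.next_port = first_port     # next router-side port to hand out
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.reverse = {}

    def outbound(self, pkt):
        """LAN -> Internet: make the datagram look like it came from the router."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.reverse.get(key)
        if port is None:                # new flow: allocate a port and remember it
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Internet -> router: reverse the rewrite, or None (dropped) if no flow matches."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if pkt.dst != self.public_ip or entry is None:
            return None                 # unsolicited: never reaches a LAN host
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None                 # right port, wrong peer: not a reply
        return replace(pkt, dst=lan_ip, dport=lan_port)


def demo():
    """Constructed walk-through: one LAN host fetching a web page."""
    nat = Masquerader("203.0.113.7")
    out = nat.outbound(Packet("tcp", "192.168.1.10", 40000, "198.51.100.20", 80))
    reply = nat.inbound(Packet("tcp", "198.51.100.20", 80, "203.0.113.7", out.sport))
    stray = nat.inbound(Packet("tcp", "198.51.100.99", 80, "203.0.113.7", out.sport))
    return out, reply, stray
```

The `stray` packet in `demo()` comes back as `None`: a host the LAN machine never contacted cannot reach it through the router even if it guesses the mapped port.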

I have written a shell script, which converts a Linux box into a router. The script is written as:


#!/bin/bash

## Output interface: connected to the Internet (default; overridable as $2)
out_iface=ppp0

## Run as root always
user_id=$(whoami)

if [[ "$user_id" != "root" ]]
then
    echo "$0: please run this script as root user."
    exit 1
fi

## Checking existence of iptables
IPTABLES=$(which iptables)

if [[ "$IPTABLES" == "" ]]
then
    echo "$0: please install iptables."
    exit 1
fi

if [ $# -ge 1 ]
then
    case "$1" in
        status)
            ## Show the NAT table rules
            "$IPTABLES" -t nat -L
            exit 0
            ;;
        stop)
            ## Disabling packet forwarding in the kernel
            echo 0 > /proc/sys/net/ipv4/ip_forward
            echo "Flushing NAT MASQUERADE Entries"
            "$IPTABLES" -t nat -F
            exit 0
            ;;
        restart)
            "$0" stop
            if [ $# -ge 2 ]
            then
                "$0" start "$2"
            else
                "$0" start
            fi
            ;;
        start)
            if [ $# -ge 2 ]
            then
                out_iface=$2
            fi
            ## Enabling packet forwarding in the kernel
            echo 1 > /proc/sys/net/ipv4/ip_forward

            ## Enabling NAT masquerade, if not already enabled
            if ! "$IPTABLES" -t nat -L | grep -q MASQUERADE
            then
                "$IPTABLES" -t nat -A POSTROUTING -o "$out_iface" -j MASQUERADE
            fi
            ;;
        *)
            echo "USAGE: $0 <start|status|restart|stop> [internet_interface]"
            exit 1
            ;;
    esac
else
    echo "USAGE: $0 <start|status|restart|stop> [internet_interface]"
    exit 1
fi

exit 0


Sample Runs:

$ ./NAT_Masquerade.sh
./NAT_Masquerade.sh: please run this script as root user.
$ sudo ./NAT_Masquerade.sh
USAGE: ./NAT_Masquerade.sh [internet_interface]
$
Here, internet_interface is the interface that is connected to the Internet.
By default, the ppp0 (dial-up) interface is used.

$ sudo ./NAT_Masquerade.sh status
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$
Since masquerade has not yet been applied, the POSTROUTING chain is empty.

Applying IP masquerade to internet_interface eth0:
$ sudo ./NAT_Masquerade.sh start eth0
$ sudo ./NAT_Masquerade.sh status
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ sudo ./NAT_Masquerade.sh stop
Flushing NAT MASQUERADE Entries
$