Setup Masquerading for Linux Security
This is relevant when you want to hide several computers behind one IP address so they can all access the Internet, both for convenience and security. The machine that does this can be configured either as a simple packet filter, which rewrites packets coming from the original machine on the network so they look as if they come from the Linux box (the reverse happens when the packets come back), or as a masquerading firewall (or proxy server), which is much more secure and provides more facilities.
The former works just at the IP level, while the latter works at the TCP level or higher and therefore understands protocols, hence the better security: it tends to use a completely separate connection for each end, so the machines concerned believe they are actually talking to the right machines. As there is no direct connection between the two networks, more powerful machinery is required to keep things going, and you need two IP numbers for the router (i.e. ipchains) to play with.
You don't need a powerful machine for packet filtering - a 486 will do for up to about 10 machines. It needs a network card, naturally, as do all the other machines in the network, but you knew that already. At this stage, the Linux box should be talking to the Internet correctly, and each machine should be pingable from every other, that is, the network should be fully working.
Here is a full list of the private IP number ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
The Linux box will therefore sit at 10.0.0.254 if you take the first one on the list.
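As an added example (not from the article), here is a small shell script that produces the ipchains rules for the simple packet-filter setup described above: forwarding is refused by default, only the private range leaving via the dial-up link is masqueraded, and packets arriving from the Internet that claim a private source address are dropped and logged. The interface name ppp0 and the range 10.0.0.0/8 are assumptions matching the article's dial-up case.

```shell
#!/bin/sh
# Added example: build the ipchains ruleset for a masquerading packet filter.
# Arguments: $1 = Internet-side interface (assumed ppp0 for dial-up),
#            $2 = private LAN range to hide behind the Linux box.
build_masq_rules() {
    wan_if="$1"
    lan_net="$2"
    # Without forwarding enabled the kernel never routes between the two sides.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Start from a clean forward chain and refuse to forward anything by default,
    # so only the rules below decide what leaves the private network.
    echo "ipchains -F forward"
    echo "ipchains -P forward DENY"
    # Anti-spoofing: a packet arriving from the Internet must never carry a
    # private source address; drop it and log it (-l) so it can be noticed.
    echo "ipchains -A input -i $wan_if -s $lan_net -j DENY -l"
    # Only traffic from the private range going out over the WAN link is
    # rewritten to look as if it came from the Linux box.
    echo "ipchains -A forward -i $wan_if -s $lan_net -j MASQ"
}

# Print the rules by default; set APPLY=1 to run them (needs root and ipchains).
if [ "${APPLY:-0}" = "1" ]; then
    build_masq_rules ppp0 10.0.0.0/8 | sh
else
    build_masq_rules ppp0 10.0.0.0/8
fi
```

Run it without APPLY first and read the printed rules; the DENY policy on the forward chain is what stops the box from acting as an open router for anything else.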
Stuff like X isn't needed for this, so you can also use a relatively small hard drive. When installing, make sure you select the following:
pppd (dial-up Internet access)
diald (dial-on-demand)
apache/httpd (Web server)
squid (caching proxy server)
sendmail (message transfer agent)
fetchmail (POP3 mail retrieval)
ipop3d (POP3 server)
imapd (IMAP4 server)
samba (Windows networking - see below)
webmin (remote administration)
bind (name server)
You will notice that many of these end with the letter d, which means they are daemons and therefore lurk around in memory while the machine is on.
This is an article from Phil Croucher, author of Communications and Networks. Phil has a way of explaining in "plain" English. The information is well presented and is well above A+ standard.