[Gllug] IP Masquerading / Proxy servers / default routes

Jim Cheetham jim at ourshack.com
Tue Aug 28 13:50:06 UTC 2001


On Tue, Aug 28, 2001 at 02:14:04PM +0100, Andy McGarty wrote:
> Masquerading allows PCs behind the firewall to access the service directly,
> but pretends to be the firewall (ie use its IP address).
> Proxying forces your PCs to ask the firewall to perform the service (ie get
> the web page) and then pass it on to you.

To extend: Linux Masquerading is generally Port Address Translation -
all outgoing connections appear to be from the same IP address, but from
different source ports.

NAT is Network Address Translation, and the term is often used
inconsistently. With NAT you can translate n addresses from one range
into n addresses in a different range (normally used to translate from a
private IP range such as 10.n.n.n into an ISP's provided block of real
addresses). NAT screws up software that includes IP addresses in its
protocol data, for example FTP. Use FTP in passive mode to avoid this if
you are using NAT.

Proxies are *very useful* in big production environments, where you know
exactly what should be happening. For example, you have a download-only
FTP service ... to prevent people uploading stuff, you need to make sure
that none of your directories have write permission ... you could also
ask your FTP proxy to disallow the PUT command, so that the server never
actually gets asked to try writing anything ...

PAT/NAT/Masquerading don't need to know what protocols/software you are
using. Proxies do. Hence, as soon as the latest, greatest net-based
service gets created, people stuck behind proxy firewalls have to start
circumventing it, or do without. There are benefits to both/all :-)

-jim
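To put Jim's two points side by side (PAT gives every private connection its own source port on the firewall; FTP active mode embeds the client's private address in the protocol, which is what breaks through NAT), here is an added Python sketch that is not part of the original mail. The 192.0.2.1 firewall address, the port range and the sample PORT command are constructed values.

```python
import re

FIREWALL_IP = "192.0.2.1"   # constructed public address of the masquerading box
PRIVATE_NET = "10."         # private range behind it (10.n.n.n)


class PatTable:
    """Port Address Translation: every (private ip, port) pair gets its own
    source port on the firewall, so all connections share FIREWALL_IP."""

    def __init__(self, first_port=61000):
        self.next_port = first_port
        self.outbound = {}   # (priv_ip, priv_port) -> fw_port
        self.inbound = {}    # fw_port -> (priv_ip, priv_port), for replies

    def translate_out(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return FIREWALL_IP, self.outbound[key]

    def translate_in(self, fw_port):
        # Reply packets map back to the private host; unknown ports give None.
        return self.inbound.get(fw_port)


PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port_cmd(line):
    """Return (ip, port) from an active-mode FTP PORT command, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def rewrite_port_cmd(line, table):
    """What an FTP-aware NAT helper must do: the private address is inside the
    command text, so the server would try to connect back to 10.x.x.x;
    replace it with the firewall address and a mapped port."""
    parsed = parse_port_cmd(line)
    if parsed is None or not parsed[0].startswith(PRIVATE_NET):
        return line   # PASV and other commands carry no address to fix
    ip, port = table.translate_out(*parsed)
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)
```

Passive mode sidesteps the rewrite entirely because the client never announces an address; the server does, and that address is already public.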

> Of Paul Brazier
> Sent: 28 August 2001 13:54
> To: Gllug (E-mail)
> Subject: [Gllug] IP Masquerading / Proxy servers / default routes
> 
> 
> I'm just battling at the moment with IP masquerading:
> 
> What is the essential difference between IP masquerading and
> (transparent or otherwise) proxies?
> Do they basically do the same thing, because surely the need for LANs to
> access the internet via a gateway machine has always been around but IP
> masquerading in Linux is a fairly new thing?
> Is it that IP masquerading is in the kernel and proxies aren't?
> Or is IP masquerading happening at a "lower level" i.e. individual IP
> packets, whereas proxies are needed for each protocol on top of TCP/IP
> e.g http, ftp, telnet etc?
> e.g. at work I access the internet via a proxy server (WinNT) - with IP
> masquerading I wouldn't need this?
> 
> I'm also unsure about setting default routes and gateways:
> 
> For my "internal" machine, is the gateway my "dial-up" machine or the
> gateway at my ISP (Demon)?
> For my dial up machine, is the gateway nothing at all or the gateway at
> my ISP?
> If I set it to itself, my pppd "dies unexpectedly" until I do "route del
> default". Then "route -n" indicates the default route is Demon's
> gateway.
> Are there "two levels" of gateway e.g. my internal machines use my
> dial-up machine as a gateway but my dial-up machine uses Demon as a
> "second level" gateway?
> With a simple home LAN do I need a default route at all or should I let
> pppd set one for me?
> 
> --
> Paul Brazier
> Cosmos UK

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug