Re: [expert] IP Masquerading, The ABCs of

Sun, 16 Apr 2000 13:22:24 -0700 

David Nordlund wrote:
> 
> ...An alias IP?  Sounds like that might do the trick.  How does one create
> an alias IP?
> 
> On Sat, 15 Apr 2000, Lisa Mountjoy wrote:
> > John:
> >
> > I have the same setup as you, somewhat.  I have a hub, 2 computers and a DSL
> > modem.  Computer A is my mandrake server, B is a win98 client, and the DSL
> > modem connected to the hub.  Computer A is setup with the static ip address i
> > was assigned for my net connection, with an alias ip of 192.168.0.1.  The win98
> > client connects to the net through ip masquerading i set up on the linux
> > server.  So far everything runs smoothly...originally i had the win98 machine
> > being the one directly connected to the net, but that was a pain in the neck.
> >
> > Lisa Mountjoy

Is anybody listening?

This is really bad, folks -- if I understand you correctly, you're
(both) sending private IP packets onto the local subnet!

Even if masquerading works in this situation, you STILL have packets
with 192.168.0 headers going out onto the local subnet, and if your ISP
notices this, you're going to get your wrists slapped.

The fact remains --

if you are only getting one IP from your ISP, whether it be static or
dynamic, your DSL or cable device  CANNOT be connected to the hub (at
least not a hub to which other devices with private IP addresses are
connected), or you violate RFC 1918.

To recap: if you want to have many machines connected to the net and you
have only one static or dynamic IP, the network terminal device must
physically connect to a gateway machine *first*.

Just in case anybody has any doubts, here is a relevant section of RFC
1918:

"Because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise
links, and packets with private source or destination addresses
should not be forwarded across such links. Routers in networks not
using private address space, especially those of Internet service
providers, are expected to be configured to reject (filter out)
routing information about private networks. If such a router receives
such information the rejection shall not be treated as a routing
protocol error.

Indirect references to such addresses should be contained within the
enterprise."
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you need help with this, I've already offered it.

-Stephen-

Reply via email to