
Re: Routing and setup questions for IPMasq and real IPs

Lots o' text follows...

On Tue, Mar 12, 2002 at 06:53:20PM -0800, Joe Newbie wrote:
[... trimming a lot ...]
[Danny said]
> > This is how my home network is set up, BTW.  I have
> > 2 real IPs and one fake
> > IP (my ISP masqs my connection).  The real IPs are
> > routed to my fake IP, and
> > the machine listening there forwards those IPs to
> > virtual interfaces inside
> > my house.  My router can't be directly reached from
> > the internet.  The drawback

> How will the dubious Insight (cable folks) (who NEVER
> answer their email) ISP's router know to forward a
> real IP number they never assigned through one I 'own'
> without doing the nasty - the evil spoof? Your

I think you may be drawing a tighter bond between IP addresses
and DNS names than is healthy. :)  Domain names are mapped to
IP addresses by the dns system.  IPs are mapped to their owners
through big routing tables and netmasks in a sort of trickle
down system - the big IP range owners have a list of IP ranges
that have been sold to their clients, who then have a list of
the IPs or ranges sold to *their* clients, and so on until the
lowest-level ISP's router keeps track of the individual IP
addresses to MAC address mappings that they maintain.

So, an IP not in insight's block or otherwise specifically routed
to insight would probably never get to insight for them to route.

> explanation needs more for me to grasp an
> understanding. I have a similar situation, a cable
> modem connection to Insight, my linux box has two
> NICs, one side connecting to the CabModem and bound to
> the ISP's DHCP - so no 'real' static IP. The other NIC
> is connected to my switch which has numerous boxes,
> all having 192.168.x.x IPs.

> What do you mean when you
> said - the Real IPs are routed to your fake IP? Am I
> confusing what you are calling real and fake?

My ISP is running a masquerading box to connect all of their
wireless users to the internet.  So, my router is behind their
masq box, and is using a fake IP.  Therefore, my router can
not be reached from the internet directly (ignoring possible
bugs in the current ipchains implementation).  My ISP also
has a block of real IPs that are routed to them.  They have
broken that block up such that 2 of those IPs are routed to
my fake IP.  When their router gets packets with a destination
that's one of my real IPs, it sends them along to my fake IP.
It can do that, because it's both on the "real" internet and
on the ISP's "fake" network for wireless users.  So, I guess
that it's a bridge and router combination, if you like using
marketing terms. :)  Anyway, my router, which has one interface
set up on the ISP's fake network and another address set up on
my fake network (which are different fake blocks - 172.10 and
192.168 respectively) has static routes set up for those 2 real
IPs, and two of my internal machines have their interfaces
bound to both a 192.168 address and one of the real IPs.  That
lets them participate on the local network without any hassles,
while still handling requests coming to the real IPs without
the overhead of address rewriting.

> I have a
> couple of registered IP address names that are in
> limbo and I haven't determined how to bind them so I
> can host my own stuff - since Insight won't give me
> anything resembling a static IP so I can register DNS
> proper.

Essentially, you use a service that sets a very short TTL (time
to live) on the entries in your domain's dns, and update the
entries every time you get a new IP.  There are a bunch of these
dynamic dns providers that usually provide a script or something
to take care of the updating automatically.  Some places have
local DNS caches that ignore the TTL on the information that
they're caching, but those places are stupid and you don't want
them at your site anyway. :)

When I had an insight cable modem, though, my IP remained pretty
constant.  I don't remember if I'd requested that or not, though,
so YMMV...

> My router is directly connecting to my cable
> modem - so how is it yours can't be reached directly.
> How is it you can broadcast (or do you) and resolve?
> The IPMasq How-To confuses me... perhaps, therein lies
> the wall...

As I mentioned, traffic originating from my internal machines
uses the 192.168 address (bound to eth0) and is masqueraded as
one would expect, but traffic originating elsewhere that's
sent to the "real" ip (bound to eth0:1) just passes through
the router (which is a linux box, btw) untouched.  I suppose
that I could put the real ips on the primary interfaces, but
that just seems less logical to me.  It'd get rid of the masq
overhead and problems associated (passive ftp? sigh), but it
just doesn't seem as appropriate.

--Danny, trying to throw security through obscurity out the window :)
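The router/host layout Danny describes above (router with one leg on the ISP's "fake" network and one on the home 192.168 network, host routes for the two real IPs, and internal boxes binding a real IP as an alias next to their private one), written out as iproute2 commands. This is an added example, not configuration from the original thread; interface names, the 172.10/192.168 host addresses and the 203.0.113.x "real" IPs are constructed placeholders, and the ISP-side step (routing the real IPs to the router's 172.10 address) happens on the ISP's equipment and is not shown.

```shell
#!/bin/sh
# Added example. All addresses are constructed: ISP "fake" net 172.10.0.0/24
# (as named in the mail), home net 192.168.1.0/24, real IPs from the
# 203.0.113.0/24 documentation range standing in for the two routed IPs.
ISP_IF=eth1                      # router leg on the ISP's masqueraded network
LAN_IF=eth0                      # router leg on the home network
ROUTER_ISP_ADDR=172.10.0.42/24   # the "fake IP" the ISP routes the real IPs to
ROUTER_LAN_ADDR=192.168.1.1/24
# internal host : its private address : the real IP it also binds
REAL_MAP="host1 192.168.1.10 203.0.113.10
host2 192.168.1.11 203.0.113.11"

# With DRY_RUN set the commands are printed instead of executed, so the
# plan can be reviewed (and tested) without root or real interfaces.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Router side: address both legs, enable forwarding, and add one /32 host
# route per real IP pointing at the internal machine that binds it.
router_config() {
    run ip addr add "$ROUTER_ISP_ADDR" dev "$ISP_IF"
    run ip addr add "$ROUTER_LAN_ADDR" dev "$LAN_IF"
    run sysctl -w net.ipv4.ip_forward=1
    echo "$REAL_MAP" | while read -r _name priv real; do
        run ip route add "$real/32" via "$priv" dev "$LAN_IF"
    done
    # Note: traffic to/from the real IPs bypasses masquerading entirely, so
    # those hosts are directly reachable; filter it in the forward chain.
}

# Internal host side ($1 = name from REAL_MAP): the private address on eth0,
# the real IP as the eth0:1 alias, default route back through the router.
host_config() {
    echo "$REAL_MAP" | while read -r name priv real; do
        [ "$name" = "$1" ] || continue
        run ip addr add "$priv/24" dev eth0
        run ip addr add "$real/32" dev eth0 label eth0:1
        run ip route add default via 192.168.1.1 dev eth0
    done
}
```

Run with `DRY_RUN=1 router_config` (or `DRY_RUN=1 host_config host1`) first to see exactly what would be applied; replies sourced from a real IP leave via the router unchanged as long as the masquerade rule matches only 192.168 sources.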
