[SUMMARY] One interface, multiple hosts...

From: Paul H. Yoshimune (pauly@katana.com)
Date: Fri Nov 07 1997 - 15:29:13 CST


My original message:

> Managers:
>
> I've searched the archives, and have found numerous references about how to
> associate multiple IP addresses with a single ethernet interface. What I'm
> trying to do, however, is have a small network running behind a SPARCstation 2,
> where all the machines talk "through" the SPARC, which has an ethernet
> connection to the Net. Unfortunately, there is only one IP address given for
> this setup.
>
> The gory details are: I've got a LanCity (Bay Networks) cable modem, which has
> an ethernet interface, but can only handle one IP address (must be artificially
> limited). I had this running straight into a Mac, which worked great. But,
> I also have a PC I'd like to hook up via the same connection. While there
> exists software for the Mac for doing this, I wanted to host a mailing list,
> web server, etc., and so bought the aforementioned SS2.
>
> So, I've got the Mac, PC, and SS2 all plugged into a 10baseT hub, which the
> cable modem is also plugged into. The IP address is static. So, whichever
> machine with the given IP address that talks to the "modem" first retains
> control over the modem.
>
> What I'd like to do is have each machine be able to access the Net through
> the SS2, but the SS2 has only the one IP address. I've heard mention of IP
> masquerading, IP forwarding, and IP spoofing - some of all of these can be
> used somehow to achieve what I'm after, apparently. Help? Thanks...I'll
> summarize of course.
> --
> Paul H. Yoshimune
> pauly@katana.com

### Deepak D Wilson <Deepak_D_Wilson@notes.seagate.com>

Hi,

You can create multiple IP addresses on the same interface. They however should
be of a different network.

e.g. your machine name is sun and IP addr is 10.20.55.1, and you need to add a
virtual IP addr 165.180.99 with name sun_1

edit /etc/hostname.le0:1 and add the entry
sun_1

edit /etc/hosts and add the entry
165.5.180.99 sun_1

Hope this helps

Deepak

### "Scott D. Yelich" <scott@spy.org>

this is just a quick note... but I did what you wanted back in like
'93 or so -- it just requires 3 things:

(1) You have the uphost (server side) ARP for your remote (remote side) IPs.
(2) Then just do the routing through the uphost (i.e. (3) it has
to have IP forwarding enabled).

Simple.

Scott

### Jeff Jost <jeff@trax.gcc.saci.org>

Paul, could you forward me any response you might get on this topic... I'm working
with the same issue myself.
Thanks !
Jeff

### Chris Phillips <chris@scooter.Canada.Sun.COM>

Check out the ipfilter (ipnat is the actual bit).
It's at:
  ftp://coombs.anu.edu.au/pub/net/firewall/ip-filter/

Using NAT you can map from 1 ip to many...

Chris

--
 | Chris Phillips       Sun Canada - OpCom SOS Java/JVM support  |
 | mailto:Chris@Loon.Canada.Sun.Com            (905)477-0437x331 |
 | http://loon.canada.sun.com:8888/chris/index.html              |
 | mailto:ChrisPhi@Pc-11701.On.Rogers.Wave.Ca      (416)733-3841 |
 | http://24.112.38.133:8081/www/Chris.Phillips FAX(416)733-3861 |
--

### "Scott F. Woods" <sfw@adc.idt.com>

Hi,

We have several ISDN routers (Zyxel and Ascend) which will do Net Address Translation (NAT), which means that they will connect to a remote host which assigns them a single IP (this can be static or dynamic), and in turn the routers will translate the data from the hosts attached to it (these are the local hosts attached through ethernet, each of which has its own arbitrary IP address) so that it appears to the dialup host as if it came from a single host which has the static or dynamic IP of the dial-up account. Of course this is usually limited to around five local hosts max (I think the translation bogs the router down).

I have seen programs for Win95 which do this type of translation also. I think one of them is called WinGate. I have never seen anything like this for Unix though (other than a proxy for Netscape). If you find anything please let me know.

Good Luck!!

Scott Woods

PS. You might want to make sure that your Bay Networks router does not support NAT. We had a few Ascend Pipeline 50's which originally did not support NAT, but later versions of the firmware did.

### John D Groenveld <groenvel@cse.psu.edu>

IP Filter: http://coombs.anu.edu.au/~avalon/
"Address Allocation for Private Internets": http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1918.txt

### Jim Harmon <jharmon@telecnnct.com>

IP "masquerading" is the same as "spoofing", and both are considered BAD Things.

Spoofing is the assumption that the remote system is one you know when it really isn't. It's a way for a bad person to break into your network.

The concept of "IP Forwarding" is simply "routing."

A router, which is what you are trying to set up your SS2 as, is simply a machine that knows multiple LANs and will transfer packets between them.

Your SS2 CAN host multiple LANs, making it a good solution for your problem.

Here's what you need to do:

the Cable Modem needs to be part of "LAN A"

All the rest of your systems need to be "LAN B"

The SS2 needs to have a VIRTUAL port on "LAN A" and a REAL port on "LAN B".

This way, ONLY the SS2 and modem will talk directly, everything else will talk to the modem via the SS2, even though all of them may be on the same physical wire.

You set up a virtual port on Sun by adding a file to the /etc directory that is basically identical to /etc/hostname.le0, except you add a subscript to the device like this:

/etc/hostname.le0:1

You'll need to give it a unique name, and add it to the DNS and NIS server tables, then you need to create the virtual route with "ifconfig".

Read the man page for ifconfig, routes, and netstat on the SS2.

They should give you the rest of the answer you want.

By the way, this setup is called a "firewall" if you set it up so you can get OUT of your site, but others outside can't get INSIDE your net.

It's an inherent feature of dual-porting (single host on two nets) a system that can do more than route.

### Simon Wagstaff <wagstaff@tellabs.com>

Can you use DHCP? Like ISPs (internet service providers) do, where you are given an IP on a dynamic basis. Perhaps each of your "client" machines could request an IP # (the same one) from the Sparc, and use this IP # to pass through the modem. They would then relinquish the IP # when finished.

I have not set this up, this is just stream of consciousness. Good luck.

Simon

--
Simon Wagstaff
Systems Administration/Engineering Tools
Tellabs Operations Inc.
601 Jeffery Way, Round Rock, TX
Phn. 512-218-5826  Fax. 512-255-0736
email. wagstaff@tellabs.com

"Some people can tell what time it is by looking at the Sun. But I have never been able to make out the numbers."

### fpardo@tisny.com (Frank Pardo)

I think what you're looking for is a technique known as NAT: network address translation. It's usually done by firewalls, to hide the individual hosts on private networks from the Internet. You should probably have a look at some books and websites that talk about how firewalls work. The FAQ on the Gauntlet firewall product, from Trusted Information Systems, is pretty informative; visit http://www.tis.com/ and look around for a page entitled "Gauntlet Firewall FAQ".

A little note on terminology: IP masquerading and NAT are pretty much the same thing; one IP address internally, and a different one in the outside (Internet) world. You don't want IP forwarding or IP spoofing. IP forwarding is a routing technique, and IP spoofing means using falsified IP addresses (e.g. when hacking into a network to vandalize or rob it).

--
Frank Pardo <fpardo@tisny.com>
Transaction Information Systems, New York City

Chi fila ha una camicia e chi non fila ne ha due. -- Italian proverb

### "Rogerio Rocha - BVL - Lisbon Stock Exchange - I.S." <rogerio@bvl.pt>

Paul,

Look for the TIA tool kit, that allows you to do that, using proxy programs.

Some people use it as a firewall system.

HTH

Best regards,

Rogerio Rocha

rogerio_rocha@bvl.pt

BVL - Lisbon Stock Exchange

Information Systems

### Harald Fricke <Fricke.Harald@mh-hannover.de>

You actually might want to use an old PC running Linux or FreeBSD as they are supposed to support IP masquerading without much fuss. SunSoft Firewall also can do this, but comes with a rather hefty price tag.

Harald Fricke

### David Wolfskill (SunPS) <david@stmarys-ca.edu>

If you can use client applications on the machines "behind" the SS2 that can cope with certain forms of proxy services, you might be able to accomplish what you want to do.

For example, a fairly general-purpose proxy is the SOCKS package (sorry, I don't recall where to find it); it comes with (UNIX) clients for whois, telnet, finger, & ftp.

The chimera Web browser may be compiled to support SOCKS.

A more special-purpose proxy may be set up by running an Apache Web server on the SS2; then a Netscape client (for example) may be set up on one of the "behind" machines that points to the SS2 as a "proxy server".

david
--
David Wolfskill (SunPS)  (510) 376-0824  dwolfskill@stmarys-ca.edu

### "Brion Leary" <brion@dia.state.ma.us>

Paul,

One, of many, solutions ... use a "Proxy Firewall".

TIS has written and provides for free the firewall toolkit (fwtk). If you know UNIX and a minimum of C you can probably get it up and running.

http://www.tis.com/docs/products/fwtk/index.html

Brion Leary <brion@dia.state.ma.us>

### Glenn Satchell - Uniq Professional Services <Glenn.Satchell@uniq.com.au>

Basically you need to run proxy services on the SS2, much like a firewall would, then get the PC and Mac to only access the net via the proxy services on the SS2.

For example, if you run a WWW proxy such as squid (excellent public domain s/w) on the SS2 and the browsers on the other systems use that proxy, then the only system sending packets out will be the SS2 and all will work fine.

Same for email, specify the SS2 as the mail relay host on the PC and Mac and it should work.

regards,
--
Glenn Satchell  glenn@uniq.com.au  www.uniq.com.au
Uniq Professional Services Pty Ltd  ACN 056 279 335
PO Box 70, Paddington, NSW 2021, (Sydney) Australia
Phone 02 9380 6360  Pager 016 287 000  Fax 02 9380 6416
"In a world with no fences who needs Gates?"  VISIT OUR WEB SITE http://www.uniq.com.au

### John Birtley <>

Let's suppose that your valid IP address is w.x.y.z and the hostname of your machine is 'sparc2'. You will have an entry in /etc/hosts that looks like:

w.x.y.z sparc2

Keep this as is. What you want to do is take an IP address as defined in RFC1597 (reserved addresses) and assign it to the PC client (for example). Let's call this address a.b.c.d for the sake of argument. First thing you do is add an entry to /etc/hosts for the PC:

a.b.c.d pcclient

The two machines now have valid IP addresses (although one of them cannot communicate directly with the Internet) but are on separate networks. This is where we get a bit clever. Grab another IP address from RFC1597 (let's call it a.b.c.e) and add an entry to /etc/hosts like this:

a.b.c.e sparc2-secondary

Now, this machine (sparc2-secondary) and the PC client are on the same network according to the hosts file. What you need to do now is associate this address with the network interface, and you do this with the file /etc/hostname.le0:1. Create the file /etc/hostname.le0:1 with the following content:

sparc2-secondary

And your SPARC will now have 2 IP addresses - one connected to the internet and the other connected to the 'internal' network.

At boot time, the /etc/hostname.le0 files are read and the host names to be associated with each network interface are determined. The IP address is then determined from /etc/hosts and assigned to the interface. I think you can have 128 addresses per interface.

A word of warning - once you take a 'reserved' address you can't connect it to the Internet so all traffic will have to go through the sun. Also, the sun *is not* a firewall and you can't use it as such (at least not with any real level of functionality). The PC and Mac will have to be told that the IP address of the sun (i.e. the 'internal' address) is the default gateway.

Good luck.

John.

### Gregory M Polanski <greg_polanski@adc.com>

Look at the command

ifconfig le0:1 xxx.xxx.xxx.xxx netmask + broadcast + up

--

Greg Polanski  greg_polanski@adc.com
ADC Telecommunications, Inc.  MS 254
PO Box 1101, Minneapolis, MN 55440-1101
612-946-2270  612-946-3910 FAX  612-580-6873 Pager
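The secondary-interface procedure John Birtley describes, the ipnat mapping Chris Phillips points at, and Greg Polanski's ifconfig line, pulled together as an added example that is not from the thread: it stages the files into a directory (use / on the real SS2) and refuses addresses that are not RFC 1918 or that put the PC client on a different subnet. The hostnames, the staging paths, the IP Filter config path and the port range are assumptions, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: stage the secondary-interface setup
# and an ipnat map for it, after checking the addresses. Hostnames, the
# ipnat.conf path (assumed /etc/opt/ipf) and sample addresses are constructed.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Exit 0 when the address is in one of the RFC 1918 private ranges.
is_rfc1918() {
    n=$(ip2int "$1")
    [ "$n" -ge $(ip2int 10.0.0.0) ] && [ "$n" -le $(ip2int 10.255.255.255) ] && return 0
    [ "$n" -ge $(ip2int 172.16.0.0) ] && [ "$n" -le $(ip2int 172.31.255.255) ] && return 0
    [ "$n" -ge $(ip2int 192.168.0.0) ] && [ "$n" -le $(ip2int 192.168.255.255) ] && return 0
    return 1
}

# Exit 0 when both addresses fall in the same network under the netmask.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# Write hostname.le0:1, the hosts entries and an ipnat.conf into a staging
# tree ("/" for a live system); print the commands that apply it without a
# reboot. Args: dir internal_ip client_ip netmask internal_net/prefix
stage_secondary() {
    dir=$1 internal=$2 client=$3 mask=$4 net=$5
    is_rfc1918 "$internal" || { echo "internal address must be RFC 1918" >&2; return 1; }
    same_subnet "$internal" "$client" "$mask" || { echo "client is off the internal subnet" >&2; return 1; }
    mkdir -p "$dir/etc/opt/ipf"
    echo sparc2-secondary > "$dir/etc/hostname.le0:1"
    printf '%s\tsparc2-secondary\n%s\tpcclient\n' "$internal" "$client" >> "$dir/etc/hosts"
    # IP Filter NAT: rewrite the internal net to le0's own address (0/32),
    # TCP/UDP through a port pool, everything else (e.g. ICMP) plain.
    printf 'map le0 %s -> 0/32 portmap tcp/udp 10000:20000\nmap le0 %s -> 0/32\n' \
        "$net" "$net" > "$dir/etc/opt/ipf/ipnat.conf"
    echo "ifconfig le0:1 $internal netmask $mask broadcast + up"
    echo "ndd -set /dev/ip ip_forwarding 1"
}
```

The PC and Mac still need the internal address as their default gateway, as John notes; ipnat then rewrites their packets to the one public address on the way out.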

### merk@faw.uni-ulm.de

Hello,

Try to use an ipfilter program called ip-fil3.1.11. You can obtain it i.e. from ftp://coombs.anu.edu.au/pub/net/kernel/ip-fil3.1.11.tar.gz This package is able to do network address translation. I haven't tried it yet so I cannot say how stable it is.

Roland

### Benjamin Cline <benji@hnt.com>

What you want is IP masquerading. IP forwarding is the ability of a host to forward packets from one interface to another. So in the following example, you'd want to have IP forwarding on so the LAN could reach the internet via the PPP link (don't worry, I know you have a PPP link, I'm just using it to illustrate the example):

to internet ----------- <-- PPP --- | SPARC 2 | ----- LAN -----------

If IP forwarding was off, hosts on the LAN could talk to the SPARC 2, and hosts on the Internet could talk to the SPARC 2, but hosts on the Internet couldn't talk to the LAN (and vice versa). This is often used as a simple form of firewalling.

IP spoofing is the act of forging IP packets that look like they came from one host, when they're actually from another. Because so much of Unix security is still based on the idea of trusted/untrusted hosts (rather than something reasonable, like, say, strong cryptography), pretending to be someone else can be very useful when trying to bypass someone's security.

IP masquerading is the ability to have multiple hosts hide behind one host, and all use that one host's IP address. Unfortunately, I'm not aware of a cheap solution for SunOS/Solaris, but I understand that Linux (and possibly NetBSD?) has this functionality, and there is a port of Linux for the SPARCstation.

hope this helps,

benji

--
Benjamin R. Cline  Harrison & Troxell, Inc.  benji@hnt.com
Quis Custodiet Ipsos Custodes?

### Diego Circelli <diego@iie.edu.uy>

Hi Paul.

I think what you need is called a "proxy". It's a piece of software you run on a machine that your hosts use as a gateway (in your case it would run on the SS2). It's typically used when your network has a permanent connection to the Internet, you want all your hosts to have access, but you just have one valid IP address (you might have seen the proxy option in Netscape or IE). It works like this: a host needs to communicate with some address. It connects to the proxy and requests a connection to the destination. The proxy makes this connection, using its own IP address as the origin for the connection packet and for all the ones to follow, so it gets the replies, which are then sent to your host. What I don't know is where to find a proxy for Solaris. Try searching on the web... maybe you're lucky.

Diego Circelli

### David Thorburn-Gundlach <david@bae.uga.edu>

Paul --

If you're truly going through the SS2, then you're routing. It might be easiest for you to drop another card into the SS2 and go ahead and set it up as a router; let it be the default route/gateway for the internal machines.

:-D
--
David Thorburn-Gundlach  (play)  david@bae.uga.edu  http://www.bae.uga.edu/other/david/
"It's easier to fight for one's principles than to live up to them." -- fortune cookie

### "Mike Salehi" <mrs@cadem.mc.xerox.com>

Paul,

There is a shareware utility called WinGate that does that on the PC. But I am not sure of the others. I'd like to know your solution.

Mike (Mehran) Salehi  mrs@cadem.mc.xerox.com  (716)422-2725

--
Paul H. Yoshimune
pauly@katana.com



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:08 CDT