Mastering IP Masquerading on Red Hat-Based Systems: A Comprehensive Guide to Enhancing Network Privacy and Control

Yahya sghiouri
11 min read · Aug 17, 2024


Masquerading

In today’s interconnected world, managing network traffic and maintaining security are more crucial than ever. Whether you’re running a small business network or managing a complex system of virtual machines, understanding how to control and mask IP addresses can significantly enhance both privacy and efficiency. One powerful tool at your disposal is IP masquerading, a technique that allows you to disguise the internal IP addresses of devices behind a single, external IP address.

In this article, we dive into the world of IP masquerading on RHEL-based systems, a popular and robust Linux distribution family. Through a practical project involving virtual machines (VMs), we’ll explore how to set up IP masquerading, its benefits, and the impact it can have on your network management. Whether you’re a network administrator looking to streamline operations or a Linux enthusiast keen on expanding your skill set, this guide will provide you with the knowledge and hands-on experience needed to leverage IP masquerading effectively. Join us as we unravel the steps to secure and optimize your network with this essential technique.

I-/What’s IP Masquerading?

IP masquerading is a network technique where a single device, often referred to as a gateway or router, manages traffic for multiple devices on a local network. This gateway acts as an intermediary between the internal network and the broader internet.

IP masquerading is often referred to as Source NAT (SNAT).

When devices on the internal network send data packets to the internet, the gateway replaces the source IP address of each packet with its own public IP address.

This process effectively masks the internal IP addresses of the devices, making all external communications appear as though they originate from the gateway itself. IP masquerading not only helps in conserving IP addresses but also enhances security by concealing the internal network structure from external observers.

Source network address translation

In this article, we will delve into a hands-on demonstration of configuring IP masquerading in a Red Hat-based Linux environment. We will explore each step of the setup process, providing practical insights and tips to help you effectively manage network traffic and enhance security.

II-/Setting up the environment

Network Architecture of the IP Masquerading Setup

This image details the configuration of virtual machines, highlighting the NAT router and the flow of traffic between internal and external networks.

IP masquerading is effectively implemented through the configuration of firewall zones within the network architecture. To achieve this, we will partition our network into distinct zones, each identified by static IP addresses. These zones are managed by firewall rules tailored to control the flow of traffic between them.

  1. Network Segmentation: The network is divided into multiple zones, each serving a specific function or role. This segmentation helps in organizing and managing network resources more efficiently.
  2. Static IP Address Assignment: Each zone is assigned a static IP address, which ensures consistent and predictable addressing within the network. This facilitates easier management and troubleshooting of network communications.
  3. Firewall Zones and Rules: Different firewall zones are established to regulate traffic between the segments. The firewall rules applied to these zones govern both inbound and outbound traffic.

Based on the previous explanation, we have three machines in the setup:

  • Machines A and B will be placed in a private zone that is isolated from external networks. These two machines will communicate with each other, each equipped with two network interfaces: one connected to the private zone and the other to the internal network. The internal interface allows them to reach the gateway or NAT device, which is Machine C.
  • Machine C will handle network address translation (NAT) tasks. It has two network interfaces: one connected to the external (public) network and the other to the internal network. The internal interface enables communication with Machines A and B in the private zone, allowing Machine C to perform NAT functions.

Note that each network interface is assigned to a specific zone, and appropriate firewall rules are configured accordingly. For a practical understanding of zone configuration in a Linux environment, I recommend the book Linux Cookbook by Carla Schroder.

III-/From Theory to Practice: Configuring IP Masquerading in Your Linux Environment

1. Create the Machines

  • Set up three separate virtual machines (VMs) for the environment. In this setup, we will use CentOS as our operating system, which is a Red Hat-based distribution.

2. Establish a private network between machine A and B

  • The machines created do not have any network interfaces configured yet; they currently only have the loopback address interface. Our task now is to set up a network so that the two machines can communicate with each other.
Network configuration (loopback address)
  • The first step is to create a private virtual network with the subnet 192.168.224.0/24. We have disabled DHCP settings on this network to assign static IP addresses to the machines, ensuring that these addresses remain consistent over time.
Private network 192.168.224.0/24
  • Connect VMs A and B to the Network: Next, connect VM A and VM B to the private network and assign them IP addresses. You can achieve this using either the nmtui utility or by configuring network scripts directly.
  • We will use the nmtui utility, the simplest method, which provides an easy-to-use text-based interface for network configuration.
Adding Network adapters for internal network
  • Add Network Adapters: We added a network adapter (VMnet10, Host-only) to both Machine A and Machine B.
  • Start and Configure the Machines: Next, start both machines and configure their network settings.
  • Machine A: Assign the following network address to Machine A: 192.168.224.5.
  • Machine B: Assign the following network address to Machine B: 192.168.224.6.
  • Using the nmtui command you’ll access a simple text-based interface that facilitates the necessary network configuration. Here is the private network config of Machine A.
nmtui UI utility for machine A

We set the IPv4 configuration to ‘Manual’ and assigned the desired IP address to Machine A. The same process was followed for Machine B. Now the two machines are able to ping each other.

Ping from machine 192.168.224.6 to 192.168.224.5

As you can see, the ping is successful.

3. Configure Firewall Rules for machine A and B

After configuring the private network, the next question is: What will be the default zone assigned to our network interface? Is this zone suitable for our setup?

Note that Red Hat-based systems manage their firewall rules using firewalld, not ufw.

As a best practice for an internal network, it is advisable to use the ‘block’ or ‘drop’ zone. This approach helps ensure that any added network interface is not exposed to the internet, which is considered an untrusted network. We’ll use the following command on both machines.

sudo firewall-cmd --set-default-zone=block

The change takes effect immediately.

Setting default firewall zone

With the ‘block’ or ‘drop’ zone applied, any interaction between the two machines will be prohibited. Basic requests, such as ping requests, will be blocked by default, as this zone blocks all incoming traffic to the machines.

Ping request failure

So now any added network interface will be assigned to the block zone by default. Given that Machines A and B trust each other, we can assign them to the ‘public’ or ‘internal’ zone without any issues.

sudo firewall-cmd --add-interface=ens35 --zone=public --permanent

Public zone for machine A

We used the --permanent flag so the change persists; make sure to use the right network interface name, which for me was ens35.

The same process was done to machine B.

Let’s consider a scenario where we install a PostgreSQL database on Machine B and want to make it accessible from Machine A. In this setup, we will install the PostgreSQL server on Machine B and the PostgreSQL client on Machine A.

For detailed instructions on how to install PostgreSQL, please refer to the official PostgreSQL documentation.

PostgreSQL: Linux downloads (Red Hat family)

After doing the necessary installation we should do the following:

1/Enable Remote Access: It is mandatory to enable remote access at the database level by editing two configuration files: pg_hba.conf and postgresql.conf. We will not delve into the details of these configurations here.

2/ Configure Firewall on Machine B: On Machine B, add the PostgreSQL service to the public zone to allow communication with Machine A. This configuration will enable TCP port 5432, allowing remote access to the PostgreSQL service.

sudo firewall-cmd --add-service=postgresql --zone=public --permanent

Adding PostgreSQL service to firewall rules

It’s practical to manage firewall rules through services rather than through individual ports.

After doing this we will be able to access the database remotely from machine A or any machine from the private zone.

psql -h 192.168.224.6 -U alfresco -d alfresco

Accessing Database remotely

Note that we have created a user with their own database. This is a good practice because it limits remote access to specific users and their associated databases, enhancing security.

4. Set Up Machine C as a gateway

After configuring the private network, it’s time to set up external access. We will add an additional network interface to connect machines A and B with machine C.

The challenge lies in configuring firewall zones, such as those from the internal network to C, and from C to the external network.

Now what we’re going to do is to create an internal network that connects machine A and B and C, so they can ping each other first.

Adding Network adapters for network translation task

As usual, we will add the internal network VMnet13 to machines A and B so that they can ping machine C.

  • The internal network has the following subnet: 192.168.214.0/24.
  • We will assign machine C the address: 192.168.214.1.
  • Machine A will have the address: 192.168.214.2.
  • Machine B will have the address: 192.168.214.3.
  • We will configure these static IP addresses using the nmtui utility, as before.

Now, we need to configure firewall rules for communication between the machines in the internal network and the gateway.

For machines A and B we should modify the zone associated with the newly added interface and set it to internal.

Another important aspect to consider is the management of unnecessary services:

  • It’s good practice to configure the firewall to only allow the services that are needed. This approach reduces the attack surface and enhances system security.
  • For example, we can disable services such as Samba, DHCP, and SSH in the firewall if they are not required for this operation.

We can list the firewall rules for a specific zone using the following command: sudo firewall-cmd --zone=internal --list-all

Listing details about the internal zone

We will remove unnecessary services such as SSH, DHCP, and Samba client from the internal network.

sudo firewall-cmd --remove-service=ssh --zone=internal --permanent
sudo firewall-cmd --remove-service=dhcp --zone=internal --permanent
sudo firewall-cmd --remove-service=dhcpv6-client --zone=internal --permanent
sudo firewall-cmd --remove-service=samba-client --zone=internal --permanent
sudo firewall-cmd --reload
Removing unnecessary services from the internal zone

The same process should be applied to machine B.
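As an added example (not part of the article), the following script automates the cleanup above: it reads a zone’s --list-all output, keeps only an allowlist of services, and prints the firewall-cmd removal commands, ending with the --reload that --permanent changes need before they affect the running rules. The allowlist (cockpit) and the sample zone output are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): list the services a firewalld zone
# exposes that are not on an allowlist, and emit the commands to remove them.
# Assumption: only the Cockpit console is kept; a made-up choice for the demo.

# Constructed sample of `firewall-cmd --zone=internal --list-all` output
SAMPLE_LIST_ALL='internal (active)
  target: default
  interfaces: ens36
  services: cockpit dhcp dhcpv6-client samba-client ssh
  ports:
  masquerade: no
  rich rules:'

# zone_services LIST_ALL_TEXT -> the zone's services, one per line
zone_services() {
    printf '%s\n' "$1" | awk '/^ *services:/ { for (i = 2; i <= NF; i++) print $i }'
}

# unneeded_services LIST_ALL_TEXT "svc1 svc2 ..." -> services not on the allowlist
unneeded_services() {
    _allow=" $2 "
    zone_services "$1" | while read -r svc; do
        case "$_allow" in
            *" $svc "*) ;;                 # allowed, keep it
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

# removal_commands ZONE LIST_ALL_TEXT ALLOWLIST -> permanent removals followed
# by a --reload, because --permanent alone does not change the running rules
removal_commands() {
    unneeded_services "$2" "$3" | while read -r svc; do
        printf 'sudo firewall-cmd --zone=%s --remove-service=%s --permanent\n' "$1" "$svc"
    done
    printf 'sudo firewall-cmd --reload\n'
}

# Use live output when firewall-cmd is available and we are root, else the sample
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    removal_commands internal "$(firewall-cmd --zone=internal --list-all)" cockpit
else
    removal_commands internal "$SAMPLE_LIST_ALL" cockpit
fi
```

Review the printed commands before piping them into sh; the allowlist should contain exactly what each machine needs on that interface.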

Before configuring IP masquerading, we need to expose the gateway to external networks. To achieve this, we will add another network adapter and use a bridged adapter for this purpose.

Adding bridged adapter to the gateway

Machine C will obtain an IP address from which it can reach external networks.

Machine C now has the following configuration:

  • Use the ifconfig command to display it.
Network configuration of the Gateway

We need to enable IP forwarding on this machine. To give you an idea, IP forwarding (or routing) allows a device, such as a router or gateway, to pass network packets from one network interface to another.

We should modify the file /etc/sysctl.conf.

sudo nano /etc/sysctl.conf

And then define the following variable: `net.ipv4.ip_forward = 1`

After setting this, we need to: enable IP Masquerading on the machine, configure Routing Rules as required and define the Zone associated with this machine for proper firewall configuration.

Configuring the zone for machine C:

The default zone of machine C is configured as public. We need to change the zones associated with the network interfaces to meet our requirements.

sudo firewall-cmd --zone=external --add-interface=ens36 --permanent
sudo firewall-cmd --zone=internal --add-interface=ens35 --permanent
sudo firewall-cmd --reload

And also we need to add masquerading to our machine in order to perform address translation.

sudo firewall-cmd --zone=external --add-masquerade --permanent
sudo firewall-cmd --reload

Add forwarding rules to the machine

sudo firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens36 -j MASQUERADE

sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens35 -o ens36 -j ACCEPT

sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens36 -o ens35 -m state --state RELATED,ESTABLISHED -j ACCEPT

These commands set up the Linux machine as a router that forwards traffic between the two network interfaces (`ens35` and `ens36`).

  1. First command: Sets up NAT on the output interface `ens36` so that all outgoing packets have their source IP address changed to the IP address of `ens36`. This is necessary for routing internet traffic from one network to another.
  2. Second command: Allows packets to be forwarded from `ens35` to `ens36`.
  3. Third command: Allows packets that are part of an established connection or are related to an existing connection to be forwarded from `ens36` to `ens35`.

This will allow us to provide internet access to a network behind the `ens35` interface by routing traffic through the `ens36` interface, which is connected to the internet.

Finally, we need to configure the default gateway on machines A and B so they can reach the public internet.

Configuring default gateway for machine A and B

We need to configure the default gateway in machine A and B to: 192.168.214.1

Using the following command:

ip route add default via 192.168.214.1

We can see the available routes using the following command:

ip route

Listing default routes

Now we will be able to reach the internet.
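To confirm the gateway and client state described in the previous steps, here is an added checker script (not from the article) that reads ip_forward, the masquerade query, `firewall-cmd --get-active-zones` and the client’s `ip route` output, and reports what is missing. It uses the article’s interface names and gateway address; the sample outputs embedded in it are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the article): verify Machine C and a client against the
# article's gateway setup. ens35 (internal), ens36 (external) and 192.168.214.1
# are the article's values; the sample outputs below are constructed, not captured.
INT_IF=ens35
EXT_IF=ens36
GW_IP=192.168.214.1

# Constructed sample of `firewall-cmd --get-active-zones` on Machine C
SAMPLE_ACTIVE_ZONES='external
  interfaces: ens36
internal
  interfaces: ens35'
# Constructed sample of `ip route` on Machine A
SAMPLE_CLIENT_ROUTES='default via 192.168.214.1 dev ens36
192.168.214.0/24 dev ens36 proto kernel scope link src 192.168.214.2
192.168.224.0/24 dev ens35 proto kernel scope link src 192.168.224.5'

# zone_of ACTIVE_ZONES_TEXT IFACE -> name of the zone the interface is bound to
zone_of() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^[^ ]/ { zone = $1 }
        /^ *interfaces:/ { for (i = 2; i <= NF; i++) if ($i == ifc) print zone }'
}

# check_gateway IP_FORWARD MASQUERADE ACTIVE_ZONES_TEXT: ip_forward is the content of
# /proc/sys/net/ipv4/ip_forward, MASQUERADE the output of --query-masquerade (yes/no)
check_gateway() {
    _rc=0
    [ "$1" = 1 ] || { echo "ip_forward is 0: run 'sysctl -p' after editing /etc/sysctl.conf"; _rc=1; }
    [ "$2" = yes ] || { echo "masquerade is off in the external zone: add it and --reload"; _rc=1; }
    [ "$(zone_of "$3" "$EXT_IF")" = external ] || { echo "$EXT_IF is not in zone external"; _rc=1; }
    [ "$(zone_of "$3" "$INT_IF")" = internal ] || { echo "$INT_IF is not in zone internal"; _rc=1; }
    return $_rc
}

# check_client ROUTES_TEXT -> 0 when the default route points at the gateway (a route
# added by hand with `ip route add` is gone after a reboot; set the gateway in nmtui)
check_client() {
    printf '%s\n' "$1" | awk -v gw="$GW_IP" \
        '$1 == "default" && $2 == "via" && $3 == gw { found = 1 } END { exit !found }'
}

if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then   # live host
    check_gateway "$(cat /proc/sys/net/ipv4/ip_forward)" \
        "$(firewall-cmd --zone=external --query-masquerade)" "$(firewall-cmd --get-active-zones)"
else
    check_gateway 1 yes "$SAMPLE_ACTIVE_ZONES" && check_client "$SAMPLE_CLIENT_ROUTES" \
        && echo "sample configuration passes all checks"
fi
```

Note that --add-masquerade on the external zone already installs the POSTROUTING MASQUERADE rule, and the --direct rules shown earlier are runtime-only unless they are also added with --permanent.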

Pinging google.cm from machine A

The traceroute command is used to trace the path that packets take from your computer to a destination host across a network. It provides information about each hop (router or gateway) that the packets pass through, as well as the time taken to reach each hop.

IV- Conclusion

In this article, we explored IP masquerading, its benefits for network address translation, and its role in enhancing security and efficiency. We proposed an architecture using interconnected VMs with virtualized networks to implement network translation tasks effectively. By outlining best practices for configuring firewall rules and zones on Red Hat-based systems, and including a practical exercise with configurations and screenshots, we demonstrated how to manage and secure network environments efficiently. This approach helps optimize network performance and safeguard against potential threats.

Equipped with this understanding, you’ll be able now to enhance your network configurations and optimize your NAT setups!

We invite you to share your experiences and insights in the comments below.

We’re eager to hear your feedback and thoughts. Happy networking!


Yahya sghiouri

IT Systems Admin & Cloud Computing engineer focused on building efficient, scalable infrastructures. Passionate about innovation and continuous learning.