10/8        (10.0.0.0    - 10.255.255.255)
172.16/12   (172.16.0.0  - 172.31.255.255)
192.168/16  (192.168.0.0 - 192.168.255.255)

You can be sure that none of these numbers are in use on the Internet.
        PPP link
           |
        a.b.c.d
      +-------+
      |gateway|         PC            PC            PC
      +-------+
     192.168.0.1   192.168.0.2   192.168.0.3   192.168.0.4
          |             |             |             |
          +-------------+-------------+-------------+
                      192.168.0/24 ethernet

Set up ppp on the gateway so that it can connect to the Internet, and point the other machines' default route to the gateway (192.168.0.1 in the example above).

However, there are two solutions you can use so that machines on the LAN can still access Internet services:
When a gateway is performing IP masquerading, all TCP and UDP datagrams which pass from your LAN to the Internet have their Source IP number changed to the gateway's IP number. Datagrams which arrive in the opposite direction have the Destination IP number changed to the original host's (private) IP number. To keep track of which datagrams are for which hosts, the gateway substitutes the source port numbers in the TCP/UDP datagrams with locally-generated ones, and builds a table which maps the 'new' source port number to the 'old' IP and source port numbers.
The result is that all your hosts appear to have full Internet connectivity, without any special changes on the hosts themselves, and yet using only the one IP number from your service provider.
To configure IP masquerading on Linux, you must compile a new kernel with IP masquerading and IP forwarding enabled - at the moment you must enable CONFIG_EXPERIMENTAL to be presented with IP masquerading - and get hold of the 'ipfwadm' program if you don't have it already (or 'ipfw' for 1.3.x kernels). After rebooting with the new kernel, enable IP masquerading like this:
[new]  ipfwadm -F -a accept -S 192.168.0.0/16 -m
[old]  ipfw add m all from 192.168.0.0/16 to 0.0.0.0/0

This command says that all datagrams originating from 192.168/16 addresses which pass through the gateway will be "masqueraded" to use the gateway's own IP number. Put this line in /etc/rc.d/rc.local if you want it to be enabled every time you boot up.

Because IP masquerading only affects TCP and UDP data, you should be aware that you won't be able to use 'ping' to test connectivity to the Internet (since ping datagrams are ICMP).
Also note that with 2.0.x kernels, you must 'insmod' additional modules to handle masquerading of certain protocols such as ftp and realaudio; this is because the data in the streams themselves has to be modified for masquerading to work properly.
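The port-mapping table described above, as an added example that is not part of the original HOWTO or of ipfwadm: a small Python model of a masquerading gateway. It rewrites outbound TCP/UDP datagrams to the gateway's address with a locally generated source port, maps replies back through the table, returns None for ICMP (the 'ping' caveat) and drops inbound datagrams that match no table entry. The gateway address, port range and sample datagrams are constructed values.

```python
# Added example (not from the original HOWTO): a minimal model of the
# masquerading table described above. Packets are plain dicts; the
# gateway address and port range are constructed values.
GATEWAY_IP = "198.51.100.7"   # stands in for a.b.c.d on the PPP link

class Masquerader:
    """Rewrites outbound LAN datagrams to the gateway's address and maps
    replies back, keyed on the locally generated source port."""

    def __init__(self, gateway_ip=GATEWAY_IP, first_port=61000):
        self.gateway_ip = gateway_ip
        self.next_port = first_port
        self.table = {}    # (proto, new sport) -> (orig src ip, orig sport)
        self.reverse = {}  # (proto, orig src ip, orig sport) -> new sport

    def outbound(self, pkt):
        """LAN -> Internet. Returns the rewritten datagram, or None when the
        protocol is not TCP/UDP and so cannot be masqueraded (this is why
        'ping' does not work through the gateway)."""
        if pkt["proto"] not in ("tcp", "udp"):
            return None
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        if key not in self.reverse:          # first datagram of this flow
            self.reverse[key] = self.next_port
            self.table[(pkt["proto"], self.next_port)] = key[1:]
            self.next_port += 1
        return dict(pkt, src=self.gateway_ip, sport=self.reverse[key])

    def inbound(self, pkt):
        """Internet -> LAN. A destination port with no table entry means
        nobody inside asked for it, so the datagram is dropped (None)."""
        entry = self.table.get((pkt.get("proto"), pkt.get("dport")))
        if entry is None:
            return None
        return dict(pkt, dst=entry[0], dport=entry[1])

def demo():
    """A PC on the LAN opens a TCP connection to a web server and the
    reply comes back; both datagrams are constructed sample input."""
    m = Masquerader()
    out = m.outbound({"proto": "tcp", "src": "192.168.0.2", "sport": 1025,
                      "dst": "203.0.113.80", "dport": 80})
    reply = m.inbound({"proto": "tcp", "src": "203.0.113.80", "sport": 80,
                       "dst": GATEWAY_IP, "dport": out["sport"]})
    return out, reply
```

Note that the table only ever contains ports the LAN opened itself, so an unsolicited inbound datagram is discarded; this is the incidental filtering effect of masquerading, not a substitute for real packet filtering.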
With a proxy server, when a host wants to contact a machine on the Internet, it instead connects to the proxy server, and asks the proxy server to make the connection on its behalf. A common "general-purpose" proxy server is called SOCKS; alternatively you can run separate proxy servers for each of the services you want to make available (http, ftp, telnet etc).
The proxy server is installed in the same way as any other server on the gateway - obtain and compile the server program (e.g. sockd) and add an entry into /etc/inetd.conf so that inetd will start it running when it is required.
With proxy servers, you must configure each of your clients to use it. This makes it more complex to set up, and will be different for different hosts. For example, Trumpet Winsock has a dialog box where you can configure the IP address of the SOCKS host, but to get a Unix box to use a proxy you may need to install new versions of telnet, ftp etc. However there is one advantage of this approach: it is possible to set up a caching proxy server for http, which can improve response times and reduce traffic from your LAN to the outside world for Web access.
Dial-on-demand with IP masquerading currently works best if your service provider gives you a fixed IP number. Your users must remember that there will also be a delay of usually 30-60 seconds for the gateway to dial up to the ISP and connect.
For Linux, the package you require is called "diald" - look on a mirror of sunsite.unc.edu in directory system/Network/serial. For FreeBSD, the user-level 'ppp' driver has a dial-on-demand feature.