=====================================================================

    Pseud IP Masquerade on Win32

    http://www.kobore.net/soft/pipmasq/pseud-ip-masquerade.txt

        ver 0.40  2001/03/23
        ver 0.32  2001/12/11
        ver 0.31  2001/12/06
        ver 0.3   2001/11/21
        ver 0.2   2001/11/20
        ver 0.1   2001/11/01

    Tomoichi Ebata
    E-mail: See http://www.kobore.net/mailAddress.gif
    http://www.kobore.net/

    This product includes software developed by the Politecnico di
    Torino, and its contributors.
    http://netgroup-serv.polito.it/winpcap/

=====================================================================

Attention !!

If you know the way to make winsock ignore specific TCP ports
(for example, from 60000 to 65000), could you please tell me about it ?

If you tell me, I think I can release an updated version that might
be more useful for us sooner.

=====================================================================

This software "Pseud IP Masquerade on Win32" uses

    "WinPcap: the Free Packet Capture Architecture for Windows"
    http://netgroup-serv.polito.it/winpcap/

developed by the Politecnico di Torino, and its contributors.

I really appreciate the effort of the WinPcap developers and supporters.

History
~~~~~~~

ver 0.40 2002/03/23
    Bug fixed for NOT getting NIC information in case the NIC gets
    its IP address from a DHCP server.
    Getting the PSEUD IP address from a DHCP server is available.
    Changed the format of pipmasq.cfg

ver 0.32 2001/12/11
    Mr. Jun Kitawaki changed some code in order to stop more than two
    PIPMasq running simultaneously, and to disable the console window's
    terminate button [x].
    Bug fixed about the reuse of Masquerade ports.

ver 0.31 2001/12/07
    Mr. Jun Kitawaki changed tablemgr.cpp in order to display the
    table entries in expire time order.

ver 0.3 2001/11/21
    FTP (active mode) is available.

ver 0.2 2001/11/20
    Bug fixed for the wrong MAC address that is included in the IP
    packet.

ver 0.0 2001/11/01
    The first release

Table of contents

 1. License
 2. Background and Motivation
    2.1 What is IP Masquerade ?
    2.2 Countermeasure by TCPTunnel
    2.3 Where is IP Masquerade on Windows NT ?
    2.4 Encounter with WinPcap
    2.5 Many difficulties
    2.6 Nimda attacked TCPTunnel !
    2.7 Shut up! winsock!!
    2.8 Naming
    2.9 Accomplishment
 3. Pseud IP Masquerade on Win32 Internal
 4. Network system
    4.1 Network system and configuration file
    4.2 Setting up the network configurations for the private
        network host
 5. How to use Pseud IP Masquerade on Win32
    5.1 NT/2000 service version
    5.2 Executable version
    5.3 Floppy Disk Version
 6. User Interface
 7. What the present PIPMasq can do and will do
    7.1 What it can do
    7.2 What it will do in the near future
 8. Gratitude
 9. References

1. License

Copyright (c) 2001,2002,2003,2004,2005 Tomoichi Ebata.
All rights reserved.

"Pseud IP Masquerade on Win32" is free software; You can redistribute
it and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2, or
(at your option) any later version.

"Pseud IP Masquerade on Win32" is distributed in the hope that it
will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
the GNU General Public License for more details.

2. Background and Motivation

2.1 What is IP Masquerade ?

IP Masquerade is the most excellent networking function in the Linux
communication kernel. A single host that runs IP Masquerade enables
all hosts on a private network to connect to the internet.

For example, a company has one thousand employees, and each of them
has their own personal computer. If the company tries to give all of
them an official IP address, it needs one thousand official IP
addresses. The exhaustion of IP addresses is a severe problem, so
this luxurious use of IP addresses is never allowed. Nowadays, it is
becoming harder and more expensive to get even one official IP
address.

IP Masquerade can be a proxy for these one thousand PCs with only one
official IP address.

The one thousand PCs can use private IP addresses (or any appropriate
IP addresses). They never bother any host on the internet, because
these IP addresses don't conflict with other official IP addresses.
However, the one thousand PCs cannot use any services (Web, Mail and
others) on the internet.

So, when an IP packet that is output from a PC on the private network
goes to the internet, an IP Masquerade host acts like a gateway host.
At this time, the IP Masquerade host exchanges the private IP address
with the official IP address. After that, the IP Masquerade host
restores the private address in the returned IP packet, and finally
it sends the IP packet to the source PC.

So, one thousand PCs can use the only official IP address, and you
can add more PCs in the private network, for example, from one
thousand to two thousand and more.

This is the official explanation of the IP Masquerade mechanism.
However, I have another reason why I want IP Masquerade.

2.2 Countermeasure by TCPTunnel

                            192.168.0.9 +--------+
                          +-----------=====      | Visual
                          |             | WinNT  | Studio
                          |             |(zenzen)|
                          |             +--------+
                          |
         192.168.0.1      |     192.168.0.8
 +-----------+        +---+--+          +--------+
 |         =====------| HUB  |--------=====      |
 |    NT     |        +------+          | Linux  | English
 | (zen2)  =====---+  10BaseT           |(erukan)| translators
 +-----------+     |                    +--------+
 133.144.10.10     |
                   |
         To the office network

        Figure 1-1 My PC environment in my office.

Figure 1-1 shows my PC environment in my office.

However, I have been provided with only one PC (zen2) by my company.
The other PCs are my private property, and the most important point
is

    My company doesn't know the existence of the two other PCs.

I want to use a translation server software (that is called "Honyaku
Damashii"), so I made the following software.

    TCPTunnel for Win32
    http://www.kobore.net/soft/tcptunnel/tcptunnel2.txt
    (Sorry, it is written in Japanese now)

Hereby, my colleagues and I can use the server software in the Linux
box from the hosts in the office network.

We can use the host in the private network as a server host with this
TCPTunnel, however we cannot use it as a client host. In order to use
it as a client host, I have to reset the TCPTunnel configuration to
enable the TCPTunnel to send IP packets to the servers (e.g., web
server, mail server) in the office network, and the kinds of service
should be limited.

2.3 Where is IP Masquerade on Windows NT ?

In short, I wanted to access the internet servers from the private
network.

I started investigating similar applications and/or tool software.
According to 7.41 in

    http://www.e-infomax.com/ipmasq/

I could find several pieces of software. However, they did not satisfy
me. Because ....

- I don't want to use software that uses its own original protocols.

  I always check IP packet content with a packet monitor when
  something wrong happens in the software.

- I don't want to use port forwarding software.

  I don't want to be limited to some specific services. In my
  laboratory, I always use irresponsible port numbers when I make
  prototype software.

Other reasons were ....

- If the client number is limited, the network test environment will
  also be limited. It is useless for me.

- The software that is based on Windows NT is out of question.

I don't care if the software is free of charge. However, I hope the
code of the software is open. I have to study the IP Masquerade
mechanism, and I try to modify the code if possible.

Finally, I could not find any software that passed through this
severe filter.

2.4 Encounter with WinPcap

"WinPcap: the Free Packet Capture Architecture for Windows"

    http://netgroup-serv.polito.it/winpcap/

is a packet capture library and is used by the packet monitor
"ethereal", for example.

This packet capture library has not only the packet capture function
but also the packet release function, and their API.

I came to think that it might be possible to make IP Masquerade as a
Windows application with this packet capture library.

2.5 Many difficulties

When I started working on this software, I thought it might be just a
TCPTunnel extension. However, I came to understand it was just
optimism.

    "This is the same task as implementing the TCP/IP protocol in an
     NT box..."

First, there was no ARP API in the winsock library. It meant that I
had to make an ARP client library by myself.

    http://www.kobore.net/soft/soft.html#WinPcapArp
    (Sorry, it is written in Japanese.)

In order to understand how to use the WinPcap API, I made at least
thirty sample programs, and examined them. After that, I started to
design the software objects. However, it was tough, and I had to
change the designs three times in two months. (Finally, the toil of
this design phase paid off, I believe.)

The most important problem was that I could not find useful books
and material. In general, "network programming" means socket API
programming. I could not find ARP and ICMP implementations based on
raw sockets.

From the technical viewpoint, the checksum calculation was a big
obstacle. I could understand the basic principles, however I didn't
know how to implement them. With some internet search engines, I
tried to search thoroughly for information about them, however I
didn't.

During the trial, I met this book by accident.

    "TCP/IP Illustrated, Volume 2 The Implementation"
    Gary R. Wright, W. Richard Stevens

Less than twelve lines of sample program, many figures, explicit
English explanation... these were absolutely great! It might be the
first experiment to read an English technical book with impression.

I could not get accurate results even with several checksum
calculation trials, so I checked each packet with "ethereal".
Finally I learned about the "Trailer" that was added at the tail of
each ethernet packet.

I also could not know the internal implementation of IP Masquerade.
About the algorithm behavior, I could get the picture from section 2.2
in the following page,

    http://www.ep.sci.hokudai.ac.jp/~epnetfan/zagaku/1999/0317/MARUNET.html
    (Sorry, it is written in Japanese)

However, I could not know the detailed implementation, for example,
timeout values, and port numbers that should be used.

Finally I gave up thinking deeply about them, and started my selfish
implementation, saying "I am in the center of the world !".

2.6 Nimda attacked TCPTunnel !

Half a year passed. When I began to feel tired of these endless
difficulties and to think that I wanted to abandon this software
development, the vicious computer viruses "RedCode" and "Nimda"
disordered the computer environment of the world.

One day, I got a warning from my company's network management
section. It was that my PC was infected by the computer virus (it was
faked information). I made a trap in my computer in order to find the
infected packets before I went back home.

When I looked at the log file the next morning, I was really
surprised to find that twenty three hosts in my office had attacked
my PC with more than 4600 packets.

The twenty three hosts that were infected by Nimda (or some virus,
maybe) tried to attack and invade my host computer. Needless to say,
the TCPTunnel is not server software, and the attacks failed in vain.

Anyway, I had to decide to close the well-known ports that the
TCPTunnel always handled, and I thought that I would never stop
developing this software.

2.7 Shut up! winsock!!

At about the beginning of last month, I finished ninety percent of
the implementation. I tried the UDP communication test with the NTP
client software that is called "Sakura watch", and I was glad to
confirm that my software could get the time information from the time
server in the internet.

But I noticed soon that ....

    TCP doesn't work at all.

After I came home, I concentrated on the program list, and I tried to
find bugs in it.

To begin with, I confirmed the success of the TCP connection with a
telnet operation, however the telnet server requested to close the
session, and the telnet client could not reach the user
authentication step.

After analysis of the packets with "ethereal" for three days, I was
really surprised to learn the unexpected results.

Simply speaking, the software mechanism was as follows.

(Step.1) WinPcap gets the packet from the private network, and this
         software remakes this packet for the internet, and releases
         it to the target server host.

(Step.2) After the reply packet arrives, this software remakes this
         packet for the private network, and releases it to the
         client host.

In the above Step.2, there was the terrible unexpected.

When the TCP reply packet arrived from the server, the "winsock"
could not understand what the packet was. Because the sender of the
request packet is

    Not the winsock library,
    But the WinPcap library.

The winsock not only abandons the unreasonable packet, but also
replies to the server with the following message,

    "You sent me a funny packet"

With this reply message, the server decides to ignore any messages
from the client host, and closes the TCP connection.

On the other hand, this software transmits the packet to the host on
the private network, and it tries to transmit the next request packet
to the server. However, the server that has already closed the TCP
session no longer says anything.

The host on the private network tries to send the next request packet
to the server again and again, but in vain.

The conclusion was that winsock's uninvited message spoiled the
software's management perfectly.

At this time, I could absolutely hear the sound of my efforts of
several months collapsing.

I began to search for methods to stop this winsock's chat, for
example, by using the TCPWrapper mechanism. Though I got some packets
with "ethereal", TCPWrapper executed at least three handshake
communications. Finally I had to give up.

The day that I learned of the tragedy was Friday, and I had to stay in
bed all weekend (It was true!).

=====================================================================

Attention !!

If you know the way to make winsock ignore specific TCP ports
(for example, from 60000 to 65000), could you please tell me about it ?

=====================================================================

2.8 Naming

I have made several pieces of free software, however they are small
and I could finish them in about two weeks. Meanwhile, as far as this
software is concerned, I had to face tremendous troubles, and I spent
several months.

As a matter of fact, this software included ARP server and client,
PING server and client, checksum calculators, table manager, time
manager and network interface manager.

# At first I had optimistic estimations, but I soon noticed the
# necessary functions during implementation.

I thought I had spent too much time on the study and the development
to throw it away.

That weekend, in my bed, I kept thinking about the resolution of this
winsock problem, and finally, I came up with the terrific ... and
reckless solution.

    "Make a virtual ethernet NIC that the winsock can never reply !"

It was a somehow illogical method (because the original purpose of
IP Masquerade is to save IP addresses), however I thought the virtual
card could transmit packets without the winsock's bad effect.
However, I also believed that this way was worth a trial for more
than two hosts on the private network.

At this time, the software was formally given its name as follows

    Pseud IP Masquerade on Win32

    PIPMasq

2.9 Accomplishment

In order to use the pseud ethernet NIC effectively, the MAC address
that the real ethernet NIC has should be used. If not, the reply
packet never returns to the NIC.

First, I examined whether the pseud NIC works well with an unused IP
address. I was afraid that the ARP mechanism would perceive the
conflicting MAC address. However, I confirmed that this method was
available and safe.

After I finished the nuisance thread coding, and when I confirmed
that the telnet connection with a host name (this test could check if
both TCP and UDP are available) succeeded, I gave a shout of triumph.

3. Pseud IP Masquerade on Win32 Internal

From this chapter on, I will call the networks that are not the
private network, for example the internet and the office network, by
the general term "outer network".

As mentioned in chapter 2, this program "PIPMasq" needs two IP
addresses for the outer network. One is for a real ethernet NIC (*1),
and the other is for a pseud ethernet NIC that suffers no bad
influence from winsock.

(*1) The real ethernet NIC should be set from the Windows menu
     [Start] -> [Setting] -> [Control Panel] -> [Network].

The following Figure 3-1 shows the relationship among the objects in
PIPMasq.

                               +------+
                               |Client|
OuterNet Side +--------------->| Arp  |         Private Net Side
Ethernet NIC  |                +------+             Ethernet NIC
 ||           |                    ^                          ||
 ||           |                    |(3)                       ||
 ||           V                    V                          ||
 || (6)  +---------+  (5)  +---------------+       (1)        ||
 ||<-----| PseudIF |<------|   COutward    |<-----------------||
 ||      +---------+       +---------------+                  ||
 ||        ^     ^             ^        ^                     ||
 ||        |     |             |        |                     ||
 ||        |     +-+           |        +------+              ||
 ||    +---+       |           |(2)            |(4)           ||
 ||    |           |           V               V              ||
 || +------+   +------+    +-------+        +------+          ||
 || |Ping  |   | Arp  |    | Table |        | Port |          ||
 || |Server|   |Server|    |  Mgr  |        | Mgr  |          ||
 || +------+   +------+    +-------+        +------+          ||
 ||    ^           ^         ^   ^             ^              ||
 ||    |           |         |   |             |              ||
 ||    |           +----+    |   |          +------+          ||
 ||    +-----------+    |    |   +----------| Time |          ||
 ||                |    |    |              | Mgr  |          ||
 ||                |    |    |(8)           +------+          ||
 ||                |    |    V                                ||
 ||     (7)      +---------------+            (9)             ||
 ||------------->|    CInward    |--------------------------->||
 ||              +---------------+                            ||
 ||                                                           ||

        Figure 3-1 Objects relationships in PIPMasq

PIPMasq has the above nine instances, and COutward, CInward and
TimeMgr work by themselves as autonomous instances. (The thread for
the console CUI, Ftp Mgr and Dhcpcd Mgr are omitted.)

The summarized algorithm is as follows.

(1) WinPcap that is set to INDIRECT mode captures all IP packets
    from the hosts on the private network, and sends them to
    COutward.

(2)(3) COutward refers to the table entries that TableMgr manages,
    and if it confirms that the IP packet is a newcomer, it searches
    for the MAC address of the packet.

(4) If the IP packet is confirmed to be a newcomer, PortMgr adds a
    new port number entry for the pseud NIC.

(5) After recalculating the IP packet's checksum and setting the
    pseud IP address, COutward sends this packet to PseudIF.

(6) PseudIF sends the IP packet from the pseud NIC.

(7) WinPcap that is set to PROMISCUOUS mode captures all IP packets
    from the hosts on the outer network, and sends them to CInward.

(8) CInward refers to the table entries that TableMgr manages, and if
    it confirms that TableMgr has the entry for the IP packet, it
    reconstructs the IP packet for the private network, and finally
    releases it.

Besides, TimeMgr watches the entries of TableMgr and PortMgr, and
erases the expired entries. PingServer replies to ping requests to
PseudIF, and ArpMgr replies with the MAC address of PseudIF (that is
the same as the real ethernet NIC's MAC address).

4. Network system

4.1 Network system and configuration file

With the following figure, I would like to explain the assumed
network system, and the content of the configuration file.

            (           )
           (             )
          (               )
          ( The Internet  )
          (               )
           (             )
            (           )
                  |
             +----+-----+
             |  Router  |
             +----+-----+
   133.144.10.254 |(3)
                  |         133.144.10.99
            (           )   133.144.10.10           192.168.0.1 (           )
           (             )                +-------+            (             )
          (     Outer     )            (2)|       |(1)        (    Private    )
          (               )-------------===       ===---------(               )
          (    Network    )               |       |           (    Network    )
           (             )                +-------+            (             )
            (           )                  PIPMasq              (           )
            133.144.10.0                    host                 192.168.0.0
           /255.255.255.0                                      /255.255.255.0

                               Figure 3-1

The PIPMasq host is a Windows NT/2000 box that has two ethernet NICs
and on which the PIPMasq software is installed.

It is common to use the private address spaces that RFC1918
recommends for the host addresses on the private network, as
follows.

    10.0.0.0    - 10.255.255.255
    172.16.0.0  - 172.31.255.255
    192.168.0.0 - 192.168.255.255

You can use any IP address for the hosts on the private network.

The above figure shows that "192.168.0.0/255.255.255.0" is used as
the private address space, and the ethernet NIC IP address on the
PIPMasq host for the private network is (1) "192.168.0.1".

The other ethernet NIC IP address, for the outer network, is
(2) "133.144.10.10", the pseud ethernet NIC IP address is
"133.144.10.99", the netmask is "255.255.255.0", and the default
gateway IP address is "133.144.10.254".

But the above information has already been registered in the Windows
registry. So the following three items are enough to start PIPMasq.
In short,

    "The pseud ethernet NIC IP address for outer network" (PSEUD)
    "The (real) ethernet NIC name for outer network"      (OUTERDEV)
    "The ethernet NIC name for private network"           (INTRADEV)

The content of "pipmasq.cfg", the configuration file for PIPMasq, is
as follows.

    PSEUD=133.144.10.99
    OUTERDEV=\Device\Packet_E100B1
    INTRADEV=\Device\Packet_GE2000

In case the PSEUD IP address can be obtained from a DHCP server,

    PSEUD=dhcp
    OUTERDEV=\Device\Packet_E100B1
    INTRADEV=\Device\Packet_GE2000

Anyway, you can make "pipmasq.cfg" easily with "pipconfig.exe"

    http://www.kobore.net/soft/pipmasq/pipconfig.exe

4.2 Setting up the network configurations for the private network host

Please take care of the following issues when you set the network
configuration for a host on the private network. When you use a DHCP
server for the private network, you should also take care of the
following.

(1) The IP address should match the netmask for the private network.

(2) The default gateway IP address should be the same as the above
    INTRA's IP address (it is "192.168.0.1" in figure 3-1).

(3) Confirm that the IP address for the DNS server is set accurately.
    (In most cases, the DNS server might be in the outer network.)

Especially, please don't forget the above items (2) and (3).

5. How to use Pseud IP Masquerade on Win32

5.1 NT/2000 service version

(Step.1) Installation of WinPcap

    # Click "WinPcap auto-installer (driver+DLLs)" in
    # http://netgroup-serv.polito.it/winpcap/install/Default.htm
    # to get "WinPcap.exe", and execute it.

    Pipmasq doesn't work well with the latest version of WinPcap.
    Please try to use the version 2.1.

    packet.dll and others will be installed automatically.

(Step.2) Installation of PIPMasqService

    Click "PIPMasqService.exe" in

        http://www.kobore.net/soft/pipmasq/pipmasq.html

    to get it, and locate it in an appropriate directory
    (for example, "c:\bin\PIPMasq").

    Next, make "pipmasq.cfg" in %SystemRoot%\system32
    (for example, "c:\WINNT\system32").

    The following is a sample pipmasq.cfg

        PSEUD=dhcp
        OUTERDEV=\Device\Packet_E100B1
        INTRADEV=\Device\Packet_GE2000

(Step.3) Start PIPMasqService.exe

    Input "PIPMasqService.exe -install" from the command prompt
    window.

    You can confirm that there is a service named "PIPMasqService"
    in the "Services" menu, then push the "start" button.

    To uninstall, input "PIPMasqService.exe -remove" from the
    command prompt window.

5.2 Executable version

(Step.1) Installation of WinPcap

    Same as (Step.1) in 5.1.
    WinPcap.exe will be installed immediately.

(Step.2) Installation of PIPMasqService

    Click "PIPMasqService.exe" in

        http://www.kobore.net/soft/pipmasq/pipmasq.html

    to get it, and locate it in an appropriate directory
    (for example, "c:\bin\PIPMasq").

    Next, make "pipmasq.cfg" in the same directory as above.
    Refer to 4.1 (Step.2) about how to make "pipmasq.cfg".

(Step.3) Start PIPMasq.exe

    Input "PIPMasq.exe" from the command prompt window.

(Step.4) Stop PIPMasq.exe

    Input "exit" from the command prompt window.

5.3 Floppy Disk Version

PIPMasq is available with the following three files

    PIPMasq.exe
    pipmasq.cfg
    packet.dll

You can get packet.dll from %SystemRoot%\system32 (for example,
"c:\WINNT\system32") if you install "WinPcap" by way of (Step.1)
in 5.1.

You can save the above three files on one floppy disk and take it
anywhere. So, you can make an ad-hoc private network easily.

6. User Interface

You can use the command line user interface with PIPMasq.exe (not
PIPMasqService.exe).

(1) "conf" | "c" to see the PIPMasq setting information.

    >conf
    PSEUD   133.144.10.99
    OUTER   133.144.10.10
    NETWORK 255.255.255.0
    GATEWAY 133.144.10.254
    INTRA   192.168.0.1

(2) "list" | "l" to see the masquerade table information.

    >list
    Pseud IP masquerading entries
    prot expire   source       destination   ports
    ----------------------------------------------------------------------
    tcp  18:29:58 192.168.0.1  15.2.117.218  1027(60001)->23
    udp  18:29:55 192.168.0.1  15.2.113.86   1037(60001)->53
    udp  18:29:50 192.168.0.1  15.15.88.102  1037(60000)->53
    tcp  18:29:46 192.168.0.1  15.2.112.10   1026(60000)->23

(3) "exit" to exit PIPMasq

7. What the present PIPMasq can do and will do

7.1 What it can do

(1) TCP/UDP masquerade is available.

(2) PING is available.

(3) It can find an IP address conflict.

    If one host releases a ping packet to the pseud NIC, PIPMasq
    halts by itself. Please add the following line to "pipmasq.cfg"

        PINGDOWN=on

(4) It is possible to get the PSEUD IP as the second IP address from
    a DHCP server.

7.2 What it will do in the near future

(1) Removal of the pseud NIC (My dearest wish!)

    Now, PIPMasq needs the pseud NIC mechanism.

    You think I am too insistent....

=====================================================================

Attention !!

If you know the way to make winsock ignore specific TCP ports
(for example, from 60000 to 65000), could you please tell me about it ?

If you tell me, I think I can release an updated version that might
be more useful for us sooner.

=====================================================================

(2) Realization of FTP in active mode

    FTP (active mode) is available from version 0.3.

(3) Porting for Windows 9X

    Now I use only Windows NT and Linux. As far as I am concerned, I
    don't need this porting.
    However, if you need this one, I hope I can help you.

8. Gratitude

- This software "Pseud IP Masquerade on Win32" uses

      "WinPcap: the Free Packet Capture Architecture for Windows"
      http://netgroup-serv.polito.it/winpcap/

  developed by the Politecnico di Torino, and its contributors.

  I really appreciate the WinPcap developers and supporters.

- For the PIPMasq development, the packet monitoring tool "ethereal"
  was indispensable. I really appreciate the "ethereal" developers
  and supporters.

      http://www.ethereal.com/introduction.html#authors

- I really appreciate the authors of

      TCP/IP Illustrated, Volume 2 The Implementation

  Mr. Gary R. Wright and Mr. W. Richard Stevens

- Mr. Masayoshi Yamai (at Twise Lab (http://www.twise.co.jp/))
  allowed me to reuse and modify his code "PCPCA.EXE V1.1" that was
  printed in the book "OpenDesign No.10 "Network management
  technique"".

9. References

- WinPcap: the Free Packet Capture Architecture for Windows
  http://netgroup-serv.polito.it/winpcap/

- TCP/IP Illustrated, Volume 2 The Implementation
  ISBN 0-201-63354-X

- Computing the Internet Checksum
  RFC1071

- Trailer Encapsulations
  RFC893

- Computer network (in Japanese)
  http://pine.ese.yamanashi.ac.jp/~itoyo/lecture/network/Default.htm

- How to calculate IP, ICMP, UDP checksum (in Japanese)
  http://www.fenix.ne.jp/~thomas/memo/ip/checksum.html

- CHANMARU-NET Structure planning, the basic policy and outline
  (in Japanese)
  http://www.ep.sci.hokudai.ac.jp/~epnetfan/zagaku/1999/0317/MARUNET.html

- ARP (Address Resolution Protocol) (in Japanese)
  http://www12.u-page.so-net.ne.jp/qc4/survive/network/arp.htm

- ARP format (in Japanese)
  http://www12.u-page.so-net.ne.jp/qc4/survive/network/arpheader.htm

- Communication Protocol dictionary (in Japanese)
  ISBN4-7561-0269-7

- UNIX network programming version 2 Vol 1 (in Japanese)
  ISBN4-8101-8612-1

- NAT and IP masquerade (in Japanese)
  http://www.netsemi.org/report/nat-ipmasq.html

- OpenDesign No.10 "Network management technique" (in Japanese)

- Dynamic Host Configuration Protocol
  RFC2131
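
Added example (not part of the original document and not PIPMasq
source code): the address and port rewrite that COutward and CInward
perform in chapter 3, with the RFC1071 checksum recalculation
discussed in 2.5, written in C. The table layout, the slot-to-port
mapping starting at 60000, the 120-second lifetime and the sample
packet are assumptions; only TCP and UDP are handled, and a reply is
accepted only from the peer address and port the entry was opened to.

```c
#include <stdint.h>
#include <string.h>

/* 60000 is the first port in the "list" output; table size and lifetime are assumed. */
enum { PORT_BASE = 60000, NENT = 16, TTL = 120 };

/* flow = private IP + peer IP, ports = private port + peer port (wire byte order). */
static struct ent { uint8_t proto, flow[8], ports[4]; long expire; } tab[NENT];

/* Constructed sample capture: UDP 192.168.0.2:1037 -> 15.2.113.86:53, payload "abc",
   checksum fields zero, then 4 captured bytes that are not part of the datagram. */
uint8_t sample[35] = { 0x45,0,0,31, 0,0,0,0, 64,17,0,0, 192,168,0,2, 15,2,113,86,
                       0x04,0x0d,0,53, 0,11,0,0, 'a','b','c', 0xee,0xee,0xee,0xee };

static unsigned get16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }
static void put16(uint8_t *p, unsigned v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071: one's-complement sum of len bytes added to sum, folded and inverted. */
static uint16_t csum(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; p += 2, len -= 2) sum += get16(p);
    if (len) sum += (uint32_t)p[0] << 8;              /* odd last byte, zero-padded */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP/UDP checksum including the pseudo-header (addresses, protocol, length). */
static uint16_t l4_csum(const uint8_t *ip, const uint8_t *l4, size_t n) {
    uint32_t ps = ip[9] + (uint32_t)n;
    for (int i = 12; i < 20; i += 2) ps += get16(ip + i);
    return csum(l4, n, ps);
}

/* Bounds-check a captured IPv4 TCP/UDP packet; return its L4 header or NULL. Lengths
   come from the IP header, so bytes captured after the datagram are never summed. */
static uint8_t *l4_of(uint8_t *ip, size_t caplen, size_t *n) {
    if (caplen < 20 || ip[0] >> 4 != 4 || (ip[9] != 6 && ip[9] != 17)) return NULL;
    size_t ihl = (size_t)(ip[0] & 15) * 4, tot = get16(ip + 2);
    if (ihl < 20 || tot > caplen || tot < ihl + (ip[9] == 6 ? 20 : 8)) return NULL;
    *n = tot - ihl; return ip + ihl;
}

/* Recompute the IP header and TCP/UDP checksums after addresses or ports change. */
static void fix_checksums(uint8_t *ip, uint8_t *l4, size_t n) {
    uint8_t *c = l4 + (ip[9] == 6 ? 16 : 6);          /* checksum field offset */
    put16(ip + 10, 0); put16(c, 0);
    put16(ip + 10, csum(ip, (size_t)(l4 - ip), 0));
    uint16_t v = l4_csum(ip, l4, n);
    put16(c, ip[9] == 17 && v == 0 ? 0xffff : v);     /* UDP transmits 0 as 0xffff */
}

/* Outward path, steps (1)-(6): returns the masquerade port, or 0 if dropped. */
unsigned masq_out(uint8_t *ip, size_t caplen, const uint8_t pseud[4], long now) {
    size_t n; uint8_t *l4 = l4_of(ip, caplen, &n);
    int slot = -1;
    for (int i = 0; l4 && i < NENT; i++) {
        struct ent *e = &tab[i];
        if (e->expire <= now) { if (slot < 0) slot = i; continue; }  /* free or expired */
        int same = e->proto == ip[9] && !memcmp(e->flow, ip + 12, 8) && !memcmp(e->ports, l4, 4);
        if (same) { slot = i; break; }                /* known flow keeps its port */
    }
    if (slot < 0) return 0;                           /* bad packet or table full */
    tab[slot].proto = ip[9]; tab[slot].expire = now + TTL;
    memcpy(tab[slot].flow, ip + 12, 8); memcpy(tab[slot].ports, l4, 4);
    memcpy(ip + 12, pseud, 4);                        /* source becomes the pseud NIC */
    put16(l4, (unsigned)(PORT_BASE + slot));
    fix_checksums(ip, l4, n);
    return (unsigned)(PORT_BASE + slot);
}

/* Inward path, steps (7)-(8): returns 1 if rewritten for the private host, else 0. */
int masq_in(uint8_t *ip, size_t caplen, const uint8_t pseud[4], long now) {
    size_t n; uint8_t *l4 = l4_of(ip, caplen, &n);
    int slot = l4 ? (int)get16(l4 + 2) - PORT_BASE : -1;
    if (slot < 0 || slot >= NENT) return 0;
    struct ent *e = &tab[slot];
    /* Only the peer the entry was opened to may use it, and only until it expires. */
    if (e->expire <= now || e->proto != ip[9] || memcmp(ip + 16, pseud, 4) ||
        memcmp(e->flow + 4, ip + 12, 4) || memcmp(e->ports + 2, l4, 2)) return 0;
    e->expire = now + TTL;
    memcpy(ip + 16, e->flow, 4); memcpy(l4 + 2, e->ports, 2);   /* restore private side */
    fix_checksums(ip, l4, n);
    return 1;
}
```

The capture length passed in may be larger than the datagram; the
extra bytes are left untouched and stay out of both checksums.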