Penguin

Stealth Packet Shaping involves adding a machine to a network to act as a firewall/packet-shaper without the rest of the network being aware of it. This can be used for good (avoiding the hassle of reconfiguring network settings) or evil (prioritising your traffic above everyone else's).

It is assumed that no other configuration can be done to the network. This means that we can't play with the existing WAN router or firewall, change the DHCP server, change the IP addresses of devices, etc. This is often the case in corporate networks, where layers of approvals, procedures and clueless PHBs prevent any real changes from being made.

For the juicy details on how to do it, see http://www.sjdjweis.com/linux/proxyarp/.

In the meantime, here is a brief explanation:

ARP is the protocol which resolves IP addresses to Ethernet MAC addresses. Linux 2.4 supports Proxy ARP, where a host answers ARP requests for addresses that are not its own, which effectively makes one machine appear as another on the network. (More on this later.)

Let's say you had a corporate LAN in a branch office which connects to head office via a Cisco router and a 256kbps link. Let's also imagine that a lot of work gets done over telnet and SSH across the 256k link, but some people also like to make large FTP and SMB file transfers which grind telnet to a halt.

The network currently looks like this: LAN (172.22.0.0/22) ---- Cisco (172.22.0.1) ---- WAN

All the machines on the LAN have the Cisco as their default gateway. Simply adding the new box to the network won't do anything: the hosts will keep ARPing for 172.22.0.1 and the Cisco will keep answering. What we need is to divide the network into 2 segments, with the stealth packet shaper machine in between.

LAN (172.22.0.0/22) ---- Stealth Box (172.22.0.2) ---- Cisco (172.22.0.1) ---- WAN

Here's the tricky bit:

  • Install 2 NICs in the machine (eth0 and eth1).
  • eth0 will be on the LAN side, eth1 will connect to the Cisco with a crossover cable (the Cisco must no longer share a segment with the LAN, or it will answer the LAN's ARP requests itself).
  • Give both NICs the same IP (172.22.0.2).
  • Modify the routing table so that the Cisco (172.22.0.1/32) gets a static host route down eth1, the rest of 172.22.0.0/22 goes to eth0, and the default route points at 172.22.0.1 (and therefore out eth1).
  • Enable proxy-arp on both NICs (/proc/sys/net/ipv4/conf/eth0/proxy_arp and /proc/sys/net/ipv4/conf/eth1/proxy_arp). The kernel only answers on behalf of an address when its route to that address leaves through a different interface from the one the request arrived on, so ARP requests between two LAN hosts are left alone.
  • Enable IP forwarding (/proc/sys/net/ipv4/ip_forward). Proxy ARP replies depend on the kernel finding a forwarding route for the target, so this is needed for both.
  • Do any firewalling, transparent proxying or traffic shaping.

All done. Here's what's happening:

  • 172.22.0.100 wants to send a packet to a machine outside the LAN, so it looks up its default gateway (172.22.0.1).
  • 172.22.0.100 sends an ARP "who-has 172.22.0.1 tell 172.22.0.100" on the LAN segment.
  • The Stealth Box (172.22.0.2) sees the request on eth0; its route to 172.22.0.1 points out eth1, so it proxy-replies: 172.22.0.1 is at my eth0 MAC address. (The Cisco never sees the request, because it is on the other segment.)
  • 172.22.0.100 sends the packet to 172.22.0.2, thinking it to be 172.22.0.1.
  • 172.22.0.2 routes the packet to 172.22.0.1 on the other Ethernet segment, using the Cisco's real MAC address, which it learns with a normal ARP exchange on eth1.
  • A return packet comes back to the Cisco router for 172.22.0.100.
  • The Cisco sends an ARP "who-has 172.22.0.100 tell 172.22.0.1" on the crossover segment.
  • The Stealth Box sees the request on eth1; its route to 172.22.0.100 points out eth0, so it proxy-replies: 172.22.0.100 is at my eth1 MAC address.
  • The Cisco sends the packet to 172.22.0.2, which routes it through to 172.22.0.100.
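To make the routing-table and proxy-ARP decisions in the configuration steps and the exchange above concrete, here is an added example that models the stealth box and replays the round trip. It is not code from the original page or from the proxyarp write-up linked above. The MAC addresses, the remote address 10.0.0.5 and the helper names (StealthBox, make_stealth_box, trace_round_trip) are constructed for the example; the decision rule is a simplification of the Linux kernel's: answer for an address other than its own only if proxy_arp is on for the receiving interface, forwarding is on, and the route to that address leaves through a different interface.

```python
"""Model of the stealth box's proxy-ARP and forwarding decisions (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


@dataclass
class StealthBox:
    addr: ipaddress.IPv4Address      # the same address is configured on both NICs
    macs: Dict[str, str]             # dev -> MAC (constructed values)
    proxy_arp: Dict[str, bool]       # /proc/sys/net/ipv4/conf/<dev>/proxy_arp
    ip_forward: bool                 # /proc/sys/net/ipv4/ip_forward
    routes: List[Route]

    def route_lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def arp_reply(self, in_dev: str, target: str) -> Optional[str]:
        """MAC to answer with for an ARP who-has `target` received on `in_dev`,
        or None if the box stays silent.  Simplified kernel rule: always answer
        for its own address; otherwise answer only when proxy_arp is on for
        in_dev, forwarding is on, and the route to target leaves via another NIC."""
        tip = ipaddress.IPv4Address(target)
        if tip == self.addr:
            return self.macs[in_dev]
        if not (self.ip_forward and self.proxy_arp.get(in_dev, False)):
            return None
        route = self.route_lookup(tip)
        if route is None or route.dev == in_dev:
            return None
        return self.macs[in_dev]

    def forward_dev(self, dst: str) -> Optional[str]:
        """Interface a forwarded packet for dst leaves on."""
        route = self.route_lookup(ipaddress.IPv4Address(dst))
        return route.dev if route else None


def make_stealth_box(proxy_eth0: bool = True, proxy_eth1: bool = True,
                     ip_forward: bool = True) -> StealthBox:
    """The box as configured in the steps above (MAC addresses are constructed)."""
    return StealthBox(
        addr=ipaddress.IPv4Address("172.22.0.2"),
        macs={"eth0": "00:aa:bb:cc:00:00", "eth1": "00:aa:bb:cc:00:01"},
        proxy_arp={"eth0": proxy_eth0, "eth1": proxy_eth1},
        ip_forward=ip_forward,
        routes=[
            Route(ipaddress.IPv4Network("172.22.0.1/32"), "eth1"),  # host route to the Cisco
            Route(ipaddress.IPv4Network("172.22.0.0/22"), "eth0"),  # the rest of the LAN
            Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth1"),      # default via 172.22.0.1
        ],
    )


def trace_round_trip(box: StealthBox, host: str = "172.22.0.100",
                     gateway: str = "172.22.0.1", remote: str = "10.0.0.5") -> List[tuple]:
    """Replay the exchange: host -> remote via the gateway, and the reply back.
    Each step is (segment, event, address, result); the trace stops at the
    first unanswered ARP, which is where a misconfiguration would break it."""
    steps = []
    mac = box.arp_reply("eth0", gateway)          # host ARPs for its default gateway
    steps.append(("lan", "who-has", gateway, mac))
    if mac is None:
        return steps
    steps.append(("box", "forward", remote, box.forward_dev(remote)))
    mac = box.arp_reply("eth1", host)             # Cisco ARPs for the LAN host
    steps.append(("cisco", "who-has", host, mac))
    if mac is None:
        return steps
    steps.append(("box", "forward", host, box.forward_dev(host)))
    return steps


if __name__ == "__main__":
    box = make_stealth_box()
    for step in trace_round_trip(box):
        print(step)
    # A LAN host asking for another LAN host is not answered: same interface both ways.
    print("lan-to-lan who-has 172.22.0.101:", box.arp_reply("eth0", "172.22.0.101"))
```

Running it prints the four steps of the exchange and `None` for the LAN-to-LAN request. Turning proxy_arp off on eth1 (`make_stealth_box(proxy_eth1=False)`) shows the failure mode: outbound traffic still leaves, but the Cisco's ARP for 172.22.0.100 goes unanswered and the return packet is dropped.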

The beauty is that none of the other machines know that they are routing through the new machine. The only way to see what's really happening is via traceroute (the new machine shows up as an extra hop before the default gateway) or by listing the ARP table (on the LAN hosts 172.22.0.1 has the stealth box's eth0 MAC, and on the Cisco every LAN host has its eth1 MAC, so several IPs share the same MAC address).

If you are wondering about the practicalities of this, it's currently running very well in a medium business branch with about 40-50 Windows PCs. The box was configured before plugging into the network. It was plugged in and the Cisco was rebooted to clear its ARP cache. Once the Windows machines' ARP caches expired, it worked like a charm.