IP Addresses, NAT/proxy, IP masquerading SPAM and blacklisting.

Written by Ian and Tom on Tuesday 01/05/07


Our ISPs out here on the edge of the Internet in Pakistan are stingy with their IP addresses. Like many providers, they use a NAT/masquerading proxy to conserve IP addresses, since those cost money.


A problem that occurs when sharing IP addresses is that you can be sharing with spammers; if this happens you can get blacklisted without even knowing. It is estimated that we are losing between 5-15 percent of our emails, and most of the time we don't even know it's happening.


Let's check out some definitions first.


Network Address Translation (NAT, also known as network masquerading or IP-masquerading) is a technique in which the source and/or destination addresses of IP packets are rewritten as they pass through a router or firewall. It is most commonly used to enable multiple hosts on a private network to access the Internet using a single public IP address.

Source: en.wikipedia.org/wiki/NAT


Proxy. A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user, typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.

Source: www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html


From the above we can get a clear idea of what is going on: NAT and proxying are closely related in what they do and in how they interact.


When my ISP employs NAT, the connection diagram might look like:


Local Network <--> Gateway <--> ISP <--> NAT/proxy <--> (The Internet)


I have a local private IP address 10.0.0.xxx on the network. Any packets (email, other TCP/IP traffic, etc.) that head for the gateway pass through the router to the ISP and then through the ISP's NAT/proxy; at this point the IP address in the packet headers is changed from the local IP address to the ISP-allocated IP address.


Solution to the spam blacklist.


The solution is to request a public IP address from your ISP. I did this but still have a problem. When I use whatismyip.com I do not get the IP address allocated to me; instead I get the NAT/proxy IP address. Why is this? Because incorporated into the proxy is the firewall. The rules of the firewall determine how the NAT takes place. My assumption is that the firewall is set up to NAT all traffic. To allow our IP address to get through the firewall un-NAT-ed, an exception will have to be added to the firewall rules.


I have asked for this...... here's hoping.


If I have multiple computers hanging off my own gateway, then I'm probably also using NAT for these. In fact, if I have a single dedicated IP address given to me by the ISP then there's no choice: I have to get NAT going. Luckily this is really easy using a Linux gateway with the iptables facility (google for it; there are hundreds of iptables tutorials).


So now we might have something like this:


PC1 -\
PC2 --+== LAN === Gateway ---- ISP ===== NAT/proxy ===== (The Internet)
PC3 -/


My IP addresses might be:


PC1: 192.168.1.100

PC2: 192.168.1.101

PC3: 192.168.1.102


Or in fact any 192.168 number allocated by DHCP if I want.


The gateway machine LAN interface has IP address 192.168.1.1

The gateway machine ISP interface has the IP address allocated by my ISP, maybe something like 200.55.101.23, and this runs straight through my ISP's NAT/proxy machine, to be visible to the outside world.


So the important thing in this case is that I have to make sure my connection to the ISP uses the new IP address. I can NOT leave DHCP enabled - I have to specify this address myself.
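The gateway setup described above, as an added shell example that is not part of the original post: it emits the iptables rules for a Linux gateway that forwards the 192.168.1.0/24 LAN and SNATs it to the ISP-assigned 200.55.101.23, so outbound traffic carries our own address rather than a shared one. The interface names eth0 (LAN) and eth1 (ISP) are assumptions, and the static address on eth1 is assumed to be configured already (DHCP off, as the post says).

```shell
#!/bin/sh
# Added example, not from the original post. Assumed interface names:
# eth0 = LAN side, eth1 = ISP side. The public address must already be
# set statically on the ISP interface.

# Print the rules rather than running them, so they can be reviewed first.
# SNAT (not MASQUERADE) is used because the public address is fixed;
# MASQUERADE is for interfaces whose address changes.
gateway_rules() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"; public_ip="$4"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $public_ip
EOF
}

# Apply the generated rules; only LAN-originated connections and their
# replies are forwarded, nothing unsolicited from the ISP side.
apply_gateway_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_gateway_rules: run as root" >&2; return 1; }
    gateway_rules "$@" | sh -e
}

# Dry run with the addresses from the post.
gateway_rules eth0 eth1 192.168.1.0/24 200.55.101.23
```

Run `apply_gateway_rules eth0 eth1 192.168.1.0/24 200.55.101.23` as root once the printed rules look right; the rules are not persistent across reboots unless saved with your distribution's iptables save mechanism.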