Linux IP Masquerade mini-HOWTO
David Ranch, dranch@trinnet.net; Ambrose Au,
ambrose@writeme.com
v1.77, 27 July 1999
This document describes how to enable the Linux IP Masquerade feature
on a given Linux host. IP Masq is a form of Network Address Translation
or NAT that allows internally connected computers that do not
have one or more registered Internet IP addresses to have the ability
to communicate to the Internet via your Linux box's single Internet IP
address.
______________________________________________________________________
Table of Contents
1. Introduction
1.1 Introduction to IP Masquerading or IP MASQ for short
1.2 Foreword, Feedback & Credits
1.3 Copyright & Disclaimer
2. Background Knowledge
2.1 What is IP Masquerade?
2.2 Current Status
2.3 Who Can Benefit From IP Masquerade?
2.4 Who Doesn't Need IP Masquerade?
2.5 How does IP Masquerade Work?
2.6 Requirements for IP Masquerade on Linux 2.0.x
2.7 Requirements for IP Masquerade on Linux 2.2.x
3. Setting Up IP Masquerade
3.1 Compiling the Kernel for IP Masquerade Support
3.1.1 Linux 2.0.x Kernels
3.1.2 Linux 2.2.x Kernels
3.2 Assigning Private Network IP Addresses to the Internal LAN
3.3 Configuring IP Forwarding Policies
3.3.1 Linux 2.0.x Kernels
3.3.2 Linux 2.2.x Kernels
4. Configuring the other internal to-be MASQed machines
4.1 Configuring Microsoft Windows 95
4.2 Configuring Windows NT
4.3 Configuring Windows for Workgroup 3.11
4.4 Configuring UNIX Based Systems
4.5 Configuring DOS using NCSA Telnet package
4.6 Configuring MacOS Based System Running MacTCP
4.7 Configuring MacOS Based System Running Open Transport
4.8 Configuring Novell network using DNS
4.9 Configuring OS/2 Warp
4.10 Configuring Other Systems
5. Testing IP Masquerade
6. Other IP Masquerade Issues and Software Support
6.1 Problems with IP Masquerade
6.2 Incoming services
6.3 Supported Client Software and Other Setup Notes
6.3.1 Network Clients that -Work- with IP Masquerade
6.3.2 Clients that do not Work:
6.4 Stronger IP Firewall (IPFWADM) Rulesets
6.5 IP Firewalling Chains (ipchains)
6.6 IP Masquerading multiple internal networks
6.7 IP Masquerade and Dial-on-Demand Connections
6.8 IPPORTFW, IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other Port Forwarding tools
6.8.1 IPPORTFW on 2.0.x kernels
6.8.2 IPMASQADM with IPPORTFW support on 2.2.x kernels
6.9 CU-SeeMe and Linux IP-Masquerade
6.10 Mirabilis ICQ
6.11 Gamers: The LooseUDP patch
7. Frequently Asked Questions
7.1 What Linux Distributions support IP Masquerading out of the box?
7.2 What are the minimum hardware requirements and any limitations for IP Masquerade? How well does it perform?
7.3 I've checked all my configurations, I still can't get IP Masquerade to work. What should I do?
7.4 How do I join or view the IP Masquerade and/or IP Masquerade Developers mailing lists and archives?
7.5 How does IP Masquerade differ from Proxy or NAT services?
7.6 Are there any GUI firewall creation/management tools?
7.7 Does IP Masquerade work with dynamically assigned IP addresses?
7.8 Can I use a cable modem (both bi-directional and with modem returns), DSL, satellite link, etc. to connect to the Internet and use IP Masquerade?
7.9 Can I use Diald or the Dial-on-Demand feature of PPPd with IP MASQ?
7.10 What applications are supported with IP Masquerade?
7.11 How can I get IP Masquerade running on Redhat, Debian, Slackware, etc.?
7.12 TELNET connections seem to break if I don't use them often. Why is that?
7.13 When my Internet connection first comes up, nothing works. If I try again, everything then works fine. Why is this?
7.14 IP MASQ seems to be working fine but some sites don't work. This usually happens with WWW and FTP.
7.15 IP Masquerading seems slow
7.16 Now that I have IP Masquerading up, I'm getting all sorts of weird notices and errors in the SYSLOG log files. How do I read the IPFWADM/IPCHAINS firewall errors?
7.17 Can I configure IP MASQ to allow Internet users to directly contact internal MASQed servers?
7.18 I'm getting "kernel: ip_masq_new(proto=UDP): no free ports." in my SYSLOG files. Whats up?
7.19 I'm getting "ipfwadm: setsockopt failed: Protocol not available" when I try to use IPPORTFW!
7.20 Microsoft File and Print Sharing and Microsoft Domain clients (SAMBA) don't work through IP Masq!
7.21 IRC won't work properly for MASQed IRC users. Why?
7.22 mIRC doesn't work with DCC Sends
7.23 Can IP Masquerade work with only ONE Ethernet network card (IP Aliasing)?
7.24 I'm trying to use the NETSTAT command to show my Masqueraded connections but its not working
7.25 I would like to get Microsoft PPTP (GRE tunnels) and/or IPSEC (Linux SWAN) tunnels running through IP MASQ
7.26 I want to get the XYZ network game to work through IP MASQ but it won't work. Help!
7.27 IP MASQ works fine for a while but then it stops working. A reboot seems to fix this for a while. Why?
7.28 Internal MASQed computers cannot send SMTP or POP-3 mail!
7.29 I need different internal MASQed networks to exit on different external IP addresses (IPROUTE2)
7.30 Why do the new 2.1.x and 2.2.x kernels use IPCHAINS instead of IPFWADM?
7.31 I've just upgraded to the 2.2.x kernels, why isn't IP Masquerade working?
7.32 I've just upgraded to a 2.0.36+ kernel or later, why isn't IP Masquerade working?
7.33 I need help with EQL connections and IP Masq
7.34 I can't get IP Masquerade to work! What options do I have for Windows Platforms?
7.35 I want to help on IP Masquerade development. What can I do?
7.36 Where can I find more information on IP Masquerade?
7.37 I want to translate this HOWTO to another language, what should I do?
7.38 This HOWTO seems out of date, are you still maintaining it? Can you include more information on ...? Are there any plans for making this better?
7.39 I got IP Masquerade working, it's great! I want to thank you guys, what can I do?
8. Miscellaneous
8.1 Useful Resources
8.2 Linux IP Masquerade Resource
8.3 Thanks to the following people..
8.4 Reference
8.5 Changes
______________________________________________________________________
1. Introduction
1.1. Introduction to IP Masquerading or IP MASQ for short
This document describes how to enable the Linux IP Masquerade feature
on a given Linux host. IP Masq is a form of Network Address
Translation or NAT that allows internally connected computers that do
not have one or more registered Internet IP addresses to have the
ability to communicate to the Internet via your Linux box's single
Internet IP address. It is possible to connect your internal machines
to the Linux host with LAN technologies like Ethernet, TokenRing,
FDDI, as well as other kinds of connections such as dialup PPP or SLIP
links. This document uses Ethernet for the primary example since it is
the most common scenario.
This document is intended for users using either of the stable
Linux kernels: 2.0.36+ and 2.2.9+ on a IBM-compatible
PC. Older kernels such as 1.2.x, 1.3.x, and 2.1.x are NOT
covered in this document and, in some kernel versions, can
be considered broken. Please upgrade to one of the stable
Linux kernels before using IP Masquerading.
If you are configuring IP Masq for use on a Macintosh,
please email Taro Fukunaga, tarozax@earthlink.net for a copy
of his short MkLinux version of this HOWTO.
1.2. Foreword, Feedback & Credits
As a new user, I found it very confusing to setup IP masquerade on
Linux kernel, (1.2.x kernel back then). Although there is a FAQ and a
mailing list, there was no document that was dedicated to it. There
were also some requests on the mailing list for such a HOWTO. So, I
decided to write this HOWTO as a starting point for new users and
possibly create a building block for other knowledgeable users to use
and add to in the future. If you have any ideas for this document,
corrections, etc., feel free to tell us so that we can make it better.
This document was originally based on the original FAQ by Ken Eves and
numerous helpful messages from the IP Masquerade mailing list. A
special thanks to Mr. Matthew Driver whose mailing list message
inspired me to set up IP Masquerade and eventually to write this.
Recently, David Ranch re-wrote the HOWTO and added a substantial
number of sections to the HOWTO to make this document as complete as
possible.
Please feel free to send any feedback or comments to
ambrose@writeme.com and dranch@trinnet.net if you have any corrections
or if any information/URLs/etc. is missing. Your invaluable feedback
will certainly influence the future of this HOWTO!
This HOWTO is meant to be a fairly comprehensive guide on getting your
Linux IP Masquerading network working in the shortest time possible.
As neither Ambrose nor David are technical writers, you might find the
information in this document not as general and/or objective as it
could be. The latest news and information regarding this HOWTO and
other IP MASQ details can be found at the IP Masquerade Resource
web page that we actively maintain. If you
have any technical questions on IP Masquerade, please join the IP
Masquerade Mailing List instead of sending email to either Ambrose or
David. Most MASQ problems are common for ALL MASQ users and can be
easily solved by someone on the list. In addition to this, the
response time of the IP MASQ email list will be much faster than a
reply from either Ambrose or David.
The latest version of this document can be found at the following
sites, which also contain HTML and PostScript versions:
o http://ipmasq.cjb.net/: The IP Masquerade Resources
o http://ipmasq2.cjb.net/: The IP Masquerade Resources MIRROR
o The Linux Documentation Project
o Dranch's Linux page
o Also refer to IP Masquerade Resource Mirror Sites Listing
for other local mirror sites.
1.3. Copyright & Disclaimer
This document is copyright(c) 1999 Ambrose Au and David Ranch and it
is a FREE document. You may redistribute it under the terms of the GNU
General Public License.
The information in this document is, to the best of Ambrose's and
David's knowledge, correct. However, the Linux IP Masquerade feature
is written by humans and thus, there is the chance that mistakes,
bugs, etc. might happen from time to time.
No person, group, or other body is responsible for any damage on your
computer(s) and any other losses by using the information on this
document. i.e.
THE AUTHORS AND ALL MAINTAINERS ARE NOT RESPONSIBLE FOR ANY
DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION
IN THIS DOCUMENT.
Ok, with all this behind us... On with the show..
2. Background Knowledge
2.1. What is IP Masquerade?
IP Masquerade is a networking function in Linux similar to one-to-many
NAT (Network Address Translation) found in many commercial firewalls
and network routers. For example, if a Linux host is connected to the
Internet via PPP, Ethernet, etc., the IP Masquerade feature allows
other "internal" computers connected to this Linux box (via PPP,
Ethernet, etc.) to also reach the Internet as well. Linux IP
Masquerading allows for this functionality even though these internal
machines don't have officially assigned IP addresses.
MASQ allows a set of machines to invisibly access the Internet via the
MASQ gateway. To other machines on the Internet, all this outgoing
traffic will appear to be from the IP MASQ Linux server itself. In
addition to the added functionality, IP Masquerade provides the
foundation to create a VERY secure networking environment. With a
well built firewall, breaking the security of a well configured
masquerading system and internal LAN should be considerably difficult.
2.2. Current Status
IP Masquerade has been out for several years now and is fairly mature
as Linux enters the 2.2.x kernel stage. Kernels since Linux 1.3.x
have had MASQ support built-in. Today many individuals and commercial
businesses are using it with excellent results.
Common network uses like Web browsing, TELNET, FTP, PING, TRACEROUTE,
etc. work well over IP Masquerade. Other communications such as FTP,
IRC, and Real Audio work well with the appropriate IP MASQ modules
loaded. Other network-specific programs like streaming audio (MP3s,
True Speech, etc) work too. Some fellow users on the mailing list
have even had good results with video conferencing software.
Please refer to ``'' section for a more complete listing of software
supported.
IP Masquerade works well as a server to other 'client machines'
running various different OS and hardware platforms. There are
successful cases with internal MASQed systems using:
o Unix: Sun Solaris, *BSD, Linux, Digital UNIX, etc.
o Microsoft Windows 95/98, Windows NT, and Windows for Workgroups
(with the TCP/IP package)
o IBM OS/2
o Apple Macintosh MacOS machines running either MacTCP or Open
Transport
o DOS-based systems with packet drivers and the NCSA Telnet package
o VAXen
o Compaq/Digital Alpha running Linux and NT
o even Amiga computers with AmiTCP or AS225-stack.
The list goes on and on but the point is, if your OS platform talks
TCP/IP, it should work with IP Masquerade!
2.3. Who Can Benefit From IP Masquerade?
o If you have a Linux host connected to the Internet and
o if you have some computers running TCP/IP connected to a Linux box
on a local subnet, and/or
o if your Linux host has more than one modem and acts as a PPP or
SLIP server connecting other computers, which
o those OTHER machines do not have official or public assigned IP
addresses (i.e. addressed with private TCP/IP numbers).
o And of course, if you want those OTHER machines to communicate to
the Internet without spending extra money to get additional Public
/ Official TCP/IP addresses from your ISP and either configure
Linux to be a router or purchase an external router.
2.4. Who Doesn't Need IP Masquerade?
o If your machine is a stand-alone Linux host connected to the
Internet (though setting up a firewall is a good idea), or
o if you already have multiple assigned public addresses for your
OTHER machines, and
o of course, if you don't like the idea of a 'free ride' using Linux
and feel more comfortable using expensive commercial tools to do
the exact same thing.
2.5. How does IP Masquerade Work?
From the original IP Masquerade FAQ by Ken Eves:
Here is a drawing of the most simple setup:
SLIP/PPP +------------+ +-------------+
to ISP provider | Linux | SLIP/PPP | Anybox |
<---------- modem1| #1 |modem2 ----------- modem3| |
111.222.333.444 | | 192.168.0.100 | |
+------------+ +-------------+
In the above drawing, a Linux box with IP_MASQUERADING is installed as
Linux #1 and is connected to the Internet via SLIP/or/PPP using modem1. It has
an assigned public IP address of 111.222.333.444. It also has modem2 connected
to allow callers to dial-in and start a SLIP/or/PPP connection.
The second system (which doesn't have to be running Linux) calls into the
Linux #1 box and starts a SLIP/or/PPP connection. It does NOT have a publicly
assigned IP address from the Internet so it uses the private address
192.168.0.100. (see below for more info)
With IP Masquerade and the routing configured properly, the machine
"Anybox" can interact with the Internet as if it was directly connected to the
Internet (with a few small exceptions).
Quoting Pauline Middelink:
Do not forget to mention that the "ANYBOX" machine should have the
Linux #1 box configured as its gateway (whether it be the default route or just
a subnet is no matter). If the "ANYBOX" machine cannot do this, the Linux
machine should be configured to support proxy arp for all routed addresses. But,
the setup and configuration of proxy arp is beyond the scope of the document.
The following is an excerpt from a previous post on comp.os.linux.networking which
has been edited to match the names used in the above example:
o I tell machine ANYBOX that my PPP or SLIPed Linux box is its gateway.
o When a packet comes into the Linux box from ANYBOX, it will assign it
a new TCP/IP source port number and slap its own IP address in the packet
header, saving the originals. The MASQ server will then send the modified
packet out over the SLIP/PPP interface to the Internet.
o When a packet returns from the Internet to the Linux box, Linux examines
if the port number is one of those ports that was assigned above. If so, the
MASQ server will get the original port and IP address, put them back in the
returned packet header, and send the packet to ANYBOX.
o The host that sent the packet will never know the difference.
Another IP Masquerading Example:
A typical example is given in the diagram below:
+----------+
| | Ethernet
| A-box |::::::
| |.2 : 192.168.0.x
+----------+ :
: +----------+ PPP
+----------+ : .1 | Linux | link
| | :::::::| Masq-Gate|:::::::::::::::::::// Internet
| B-box |:::::: | | 111.222.333.444
| |.3 : +----------+
+----------+ :
:
+----------+ :
| | :
| C-box |::::::
| |.4
+----------+
| | |
| <-Internal Network--> | | <- External Network ---->
| | |
In this example, there are (4) computer systems that we are concerned
about. There is also presumably something on the far right that your
PPP connection to the Internet comes through (terminal server, etc.)
and that there is some remote host (very far off to the right of the
page) out on the Internet that you are interested in communicating with.
The Linux system Masq-Gate is the IP Masquerading gateway for ALL the
internal network of machines A-box, B-box and C-box to get to the
Internet. The internal network uses one of the several RFC-1918
assigned private network addresses, in this case the Class-C
network 192.168.0.0. The Linux box has the TCP/IP address
192.168.0.1 while the other systems have the addresses:
o A-Box: 192.168.0.2
o B-Box: 192.168.0.3
o C-Box: 192.168.0.4
The three machines, A-box, B-box and C-box, can be running any
operating system as long as they can speak TCP/IP. OSes such as
Windows 95, Macintosh MacTCP or OpenTransport or even another Linux
box can connect to other machines on the Internet. When running, the
masquerading system or MASQ-gate converts all of these internal
connections so that they appear to originate from masq-gate itself.
MASQ then arranges so that data coming back in to a masqueraded
connection is relayed back to the proper originating system. Because
of this, the systems on the internal network see a direct route to the
internet and are unaware that their data is being masqueraded. This
is called a "Transparent" connection.
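The port-rewriting table that the two examples above describe, as an added toy model (it is not part of the HOWTO and not the kernel's code). Addresses follow the HOWTO's diagram: the gateway is 192.168.0.1 inside and the HOWTO's placeholder 111.222.333.444 outside, the LAN is 192.168.0.0/24. The external port range 61000-65095 and the 900-second idle timeout are assumptions chosen for the demonstration. Outbound packets get the gateway address and a fresh external port; a reply is relayed back only if its destination port is in the table and it comes from the remote host that entry was opened to; anything else from the Internet is dropped, which is the property that makes a masquerading box a useful first line of defense.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class MasqTableFull(Exception):
    """No external port left; the kernel logs
    'ip_masq_new(proto=...): no free ports' in the same situation."""


class MasqGate:
    def __init__(self, external_ip, internal_net,
                 port_range=(61000, 65096), idle_timeout=900):
        self.external_ip = external_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self.ports = range(*port_range)     # ASSUMED range, not from the HOWTO
        self.idle_timeout = idle_timeout    # seconds; ASSUMED value
        # (proto, external port) -> [int_ip, int_port, remote_ip, remote_port, last_seen]
        self.table = {}

    def _find(self, proto, src, sport, dst, dport):
        """External port already assigned to this internal flow, if any."""
        for key, ent in self.table.items():
            if key[0] == proto and ent[:4] == [src, sport, dst, dport]:
                return key[1]
        return None

    def _alloc(self, proto):
        """Lowest external port not yet used for this protocol."""
        for port in self.ports:
            if (proto, port) not in self.table:
                return port
        raise MasqTableFull(proto)

    def outbound(self, pkt, now):
        """Packet leaving the LAN: remember the original source, then put the
        gateway address and an external port in its place."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            return pkt                      # not ours to masquerade; pass through
        self.expire(now)
        ext = self._find(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if ext is None:
            ext = self._alloc(pkt.proto)
            self.table[(pkt.proto, ext)] = [pkt.src, pkt.sport, pkt.dst, pkt.dport, now]
        else:
            self.table[(pkt.proto, ext)][4] = now
        return Packet(pkt.proto, self.external_ip, ext, pkt.dst, pkt.dport)

    def inbound(self, pkt, now):
        """Packet arriving from the Internet: restore the internal address and
        port if the destination port was assigned above, else drop (None)."""
        self.expire(now)
        ent = self.table.get((pkt.proto, pkt.dport))
        if ent is None or pkt.dst != self.external_ip:
            return None
        # Strict matching: only the remote host the entry was opened to may
        # answer on this port (the LooseUDP patch relaxes this for UDP).
        if (pkt.src, pkt.sport) != (ent[2], ent[3]):
            return None
        ent[4] = now
        return Packet(pkt.proto, pkt.src, pkt.sport, ent[0], ent[1])

    def expire(self, now):
        """Forget entries idle longer than idle_timeout; returns how many were
        dropped.  This is why long-idle sessions through MASQ can break."""
        dead = [k for k, e in self.table.items() if now - e[4] > self.idle_timeout]
        for k in dead:
            del self.table[k]
        return len(dead)


if __name__ == "__main__":
    gate = MasqGate("111.222.333.444", "192.168.0.0/24")
    out = gate.outbound(Packet("tcp", "192.168.0.2", 1025, "10.9.8.7", 80), now=0)
    print("A-box ->", out)
    print("reply  ->", gate.inbound(Packet("tcp", "10.9.8.7", 80, out.dst and out.src, out.sport), now=1))
    print("stray  ->", gate.inbound(Packet("tcp", "10.9.8.7", 80, "111.222.333.444", 62000), now=1))
```

The remote-host check in inbound() is the default behaviour of the masquerading code for TCP; games and other UDP protocols that answer from a different address or port are exactly the cases the LooseUDP patch mentioned later in the HOWTO exists for, and the FAQ entry about "no free ports" corresponds to MasqTableFull here.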
NOTE: Please see the ``'' for more details on topics such as:
o The differences between NAT, MASQ, and Proxy servers.
o How packet firewalls work
2.6. Requirements for IP Masquerade on Linux 2.0.x
** Please refer to IP Masquerade Resource
for the latest information. **
o Any decent computer hardware. See the ``'' section for more
details.
o Kernel 2.0.x source available from http://www.kernel.org/
(Most modern Linux ``'' such as Redhat 5.2 have modular kernels
with all the IP Masquerade kernel options compiled in. In such
cases, there is no need to compile a new Linux kernel. If you are
UPGRADING your kernel, you should be aware of what other programs
might be required and/or upgraded (mentioned later in the HOWTO.)
o Loadable kernel modules, preferably 2.1.85 or newer available from
http://www.pi.se/blox/modules/
(modules-1.3.57 is the minimal requirement)
o A running TCP/IP network or LAN covered in Linux NET-3 HOWTO
and the Network
Administrator's Guide
Also check out the TrinityOS
document. TrinityOS is a very comprehensive guide on Linux
networking including topics like IP MASQ, security, DNS, DHCP,
Sendmail, PPP, Diald, NFS, IPSEC-based VPNs, and performance
sections just to name a few. Over fifty sections in all!
o Connectivity to the Internet for your Linux host covered in Linux
ISP Hookup HOWTO , Linux PPP HOWTO , TrinityOS
, Linux
DHCP mini-HOWTO
and Linux Cable Modem mini-HOWTO
o Ipfwadm 2.3 or newer available from
ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.tar.gz
More information on version requirements is on the Linux IPFWADM
page
o If you are interested in running IPCHAINS on a 2.0.36+ kernel, see
Willy Tarreau's IPCHAINS enabler for 2.0.36 or Rusty's IPCHAINS for
2.0.x kernels
o Know how to configure, compile, and install a new Linux kernel as
described in the Linux Kernel HOWTO
o You can also apply various optional IP Masquerade patches to enable
other functionality such as:
  o TCP/IP port-forwarders or re-directors: With these tools, you can
  get some non-MASQ friendly programs to work behind a MASQ server.
  In addition to this, you can configure a MASQ server to let
  Internet users contact internal WWW, TELNET, SMTP, FTP (with a
  patch), etc., servers. See the ``'' section of the HOWTO for more
  information. Here is a list of IP Masquerading patches for 2.0.x
  kernels:
    o Steven Clarke's IP PortForwarding (IPPORTFW) - RECOMMENDED
    o IP AutoForward and a mirror (IPAUTOFW) - NOT Recommended
    o REDIR for TCP (REDIR) - NOT Recommended
    o UDP redirector (UDPRED) - NOT Recommended
  PORTFWed FTP:
    o If you are going to port forward FTP traffic to an internal FTP
    server, you need to download Fred Viles's FTP server patch.
    Explicit details on this topic can be found in the ``'' section of
    the HOWTO.
  X-Windows display forwarders:
    o X-windows forwarding (DXCP)
  ICQ MASQ module:
    o Andrew Deryabin's ICQ MASQ module
  PPTP (GRE) and SWAN (IPSEC) VPNs tunneling forwarders:
    o John Hardin's VPN Masquerade forwarders or the old patch for just
    PPTP Support.
  Game specific patches:
    o Glenn Lamb's LooseUDP for 2.0.36+ patch.
Please note that some WWW browsers will automatically uncompress
this .gz file. To download this file, hold down the SHIFT key as
you click on the above URL.
Also check out Dan Kegel's NAT Page
for more
information. Additional information can be found in the ``''
section and the ``'' section.
Please see the IP Masquerade Resource page
for more information available on these patches and possibly others
as well.
2.7. Requirements for IP Masquerade on Linux 2.2.x
** Please refer to IP Masquerade Resource
for the latest information. **
o Kernel 2.2.x source available from http://www.kernel.org/
NOTE: Most of the modern ``'' such as Redhat 5.2 might not be
Linux 2.2.x ready for your setup. Tools like DHCP, NetUtils, etc.
will need to be upgraded. More details can be found in the HOWTO.
o Loadable kernel modules, preferably 2.1.121 or newer available from
http://www.pi.se/blox/modules/
o A running TCP/IP network or LAN covered in Linux NET-3 HOWTO
and the Network
Administrator's Guide
o Connectivity to Internet for your Linux host covered in Linux ISP
Hookup HOWTO , Linux PPP HOWTO , TrinityOS
, Linux
DHCP mini-HOWTO
and Linux Cable Modem mini-HOWTO
o IP Chains 1.3.8 or newer available from
http://www.rustcorp.com/linux/ipchains/
Additional information on version requirements is at the Linux IP
Firewalling Chains page
o Know how to configure, compile, and install a new Linux kernel as
described in the Linux Kernel HOWTO
o You can download and use various optional IP Masquerade tools to
enable other functionality such as:
  o TCP/IP port-forwarders or re-directors:
    o IP PortForwarding (IPMASQADM) - RECOMMENDED
    or his old mirror.
  ICQ MASQ module:
    o Andrew Deryabin's ICQ MASQ module
Please see the IP Masquerade Resource page
for more information available on these patches and possibly others as
well.
3. Setting Up IP Masquerade
If your private network contains any vital information,
think carefully in terms of SECURITY before implementing IP
Masquerade. By default, IP MASQ becomes a GATEWAY for you
to get to the Internet but it also can allow someone on the
Internet to possibly get into your internal network.
Once you have IP MASQ functioning, it is HIGHLY recommended
for the user to implement a STRONG IPFWADM/IPCHAINS firewall
ruleset. Please see the ``'' and ``'' sections below for
more details.
3.1. Compiling the Kernel for IP Masquerade Support
If your Linux distribution already has all the required feature
support compiled such as:
o IPFWADM/IPCHAINS
o IP forwarding
o IP masquerading
o IP Firewalling
o etc.
and all MASQ-related modules compiled (most modular
kernels will have all you need), then you will NOT need
to re-compile the kernel. If you aren't sure if your
Linux distribution is MASQ ready, see the ``'' section or
the IP Masquerade Resource for
more details. If you can't find out whether your distribution
supports IP Masquerading by default, ASSUME IT
DOESN'T.
Regardless of native support or not, reading this section is
still highly recommended as it contains other useful
information.
3.1.1. Linux 2.0.x Kernels
Please see the ``'' section for any required software, patches, etc.
o First of all, you need the kernel source (preferably the latest
kernel version 2.0.36 or above)
o If this is your first time compiling the kernel, don't be scared.
In fact, it's rather easy and it's covered in several URLs found in
the ``'' section.
o Unpack the kernel source to /usr/src/ with a command: tar xvzf
linux-2.0.x.tar.gz -C /usr/src, where the "x" in 2.0.x is the
current Linux 2.0 kernel. Once finished, make sure there is a
directory or symbolic link to /usr/src/linux/
o Apply any appropriate or optional patches to the kernel source
code. As of 2.0.36, IP Masq does not require any specific patching
to get everything working. Features like IPPORTFW, PPTP, and
Xwindows forwarders are optional. Please refer to the ``'' section
for URLs and the IP Masquerade Resources
for up-to-date information and additional patch URLs.
o Here are the MINIMUM options that need to be compiled into
the kernel. You will also need to configure the kernel to use
your installed network interfaces as well. Refer to the Linux
Kernel HOWTO
and the README file in the kernel source directory for further
instructions on compiling a kernel.
Please note the YES or NO ANSWERS to the following options. Not
all options will be available without the proper kernel patches
described later in this HOWTO:
* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
- YES: this will allow you to later select the IP Masquerade feature code
* Enable loadable module support (CONFIG_MODULES) [Y/n/?]
- YES: allows you to load kernel IP MASQ modules
* Networking support (CONFIG_NET) [Y/n/?]
- YES: Enables the network subsystem
* Network firewalls (CONFIG_FIREWALL) [Y/n/?]
- YES: Enables the IPFWADM firewall tool
* TCP/IP networking (CONFIG_INET)
- YES: Enables the TCP/IP protocol
* IP: forwarding/gatewaying (CONFIG_IP_FORWARD)
- YES: Enables Linux network packet forwarding and routing - Controlled by IPFWADM
* IP: syn cookies (CONFIG_SYN_COOKIES) [Y/n/?]
- YES: HIGHLY recommended for basic network security
* IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?]
- YES: Enable the firewalling feature
* IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE) [Y/n/?]
- YES: (OPTIONAL but HIGHLY recommended): Allows for the reporting of firewall hits
* IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?]
- YES: Enable IP MASQ to re-address specific internal to external TCP/IP packets
* IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?]
- NO: IPautofw is a legacy method of TCP/IP port forwarding. Though it works, IPPORTFW
is a better way so IPAUTOFW is not recommended.
* IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?]
- YES: This option is ONLY AVAILABLE VIA A PATCH for the 2.0.x kernels.
With this option, external computers on the Internet can directly communicate to
specified internal MASQed machines. This feature is typically used to access
internal SMTP, TELNET, and WWW servers. FTP port forwarding will need an additional
patch as described in the FAQ section. Additional information on port forwarding is
available in the Forwards section of this HOWTO.
* IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?]
- YES: Enable support for masquerading ICMP packets. Though thought of as optional, many
programs will NOT function properly without ICMP support.
* IP: loose UDP port managing (EXPERIMENTAL) (CONFIG_IP_MASQ_LOOSE_UDP) [Y/n/?]
- YES: This option is ONLY AVAILABLE VIA A PATCH for the 2.0.x kernels.
With this option, internally masqueraded computers can play NAT-friendly games
over the Internet. Explicit details are given in the FAQ section of this HOWTO.
* IP: always defragment (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?]
- YES: This feature optimizes IP MASQ connections - HIGHLY recommended
* IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?]
- YES: This optimizes the kernel for the network subsystem
* IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?]
- YES: HIGHLY recommended for basic network security
* Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
- YES: Though OPTIONAL, this option can help when debugging problems
* /proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
- YES: Required to enable the Linux network forwarding system
NOTE: These are just the components you need for IP Masquerade
functionality. You will need to also select whatever other options you
need for your specific network and hardware setup.
o After compiling the kernel, you need to also compile and install
the IP MASQ kernel modules by doing:
make modules; make modules_install
o Next, add a few lines into your /etc/rc.d/rc.local file to load the
IP Masquerade script and thus enable IP MASQ automatically after
each reboot:
.
.
.
#rc.firewall script - Start IPMASQ and the firewall
/etc/rc.d/rc.firewall
.
.
.
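A way to check an already-configured kernel's .config against the YES/NO answers given in this section for both the 2.0.x and the 2.2.x option lists, as an added example that is not part of the HOWTO. It assumes a POSIX sh and a .config in the kernel source tree (/usr/src/linux/.config); the option names are those the HOWTO lists, the patch-only 2.0.x options (IPPORTFW, LooseUDP) are left out because a stock 2.0.x kernel cannot offer them, and the sample .config the script writes is constructed for the demonstration, not taken from any real kernel.

```sh
#!/bin/sh
# Added example, not from the HOWTO: audit a kernel .config against the
# IP Masquerade options listed in section 3.1.  Option names are the ones
# the HOWTO answers YES or NO to.

# YES options common to both kernel series.
MASQ_COMMON="CONFIG_EXPERIMENTAL CONFIG_MODULES CONFIG_NET CONFIG_FIREWALL
CONFIG_INET CONFIG_IP_FIREWALL CONFIG_IP_ALWAYS_DEFRAG CONFIG_IP_MASQUERADE
CONFIG_IP_MASQUERADE_ICMP"
# YES options specific to 2.0.x.
MASQ_20="CONFIG_IP_FORWARD CONFIG_SYN_COOKIES CONFIG_IP_FIREWALL_VERBOSE
CONFIG_IP_ROUTER CONFIG_IP_NOSR CONFIG_PROC_FS"
# YES options specific to 2.2.x (as far as the list in this section goes).
MASQ_22="CONFIG_PACKET CONFIG_NETLINK CONFIG_IP_FIREWALL_NETLINK
CONFIG_IP_MASQUERADE_MOD CONFIG_IP_MASQUERADE_IPPORTFW"
# Options the HOWTO answers NO to.
MASQ_NO_20="CONFIG_IP_MASQUERADE_IPAUTOFW"
MASQ_NO_22="CONFIG_IP_MASQUERADE_IPAUTOFW CONFIG_RTNETLINK CONFIG_IP_MASQUERADE_MFW"

# check_enabled CONFIG OPTION...: print every option not set to y or m;
# return 0 if all are present, 1 otherwise.
check_enabled() {
    cfg=$1; shift
    missing=0
    for opt in "$@"; do
        if ! grep -q "^${opt}=[ym]\$" "$cfg"; then
            echo "MISSING: $opt"
            missing=1
        fi
    done
    return $missing
}

# check_disabled CONFIG OPTION...: print every NO option that is enabled;
# return 0 if none is, 1 otherwise.
check_disabled() {
    cfg=$1; shift
    found=0
    for opt in "$@"; do
        if grep -q "^${opt}=[ym]\$" "$cfg"; then
            echo "NOT RECOMMENDED but enabled: $opt"
            found=1
        fi
    done
    return $found
}

# masq_config_check CONFIG SERIES: SERIES is 2.0 or 2.2.  Returns 0 when the
# .config matches the HOWTO's answers, 1 when something is off, 2 on bad args.
masq_config_check() {
    case $2 in
        2.0) want="$MASQ_COMMON $MASQ_20"; avoid=$MASQ_NO_20 ;;
        2.2) want="$MASQ_COMMON $MASQ_22"; avoid=$MASQ_NO_22 ;;
        *)   echo "unknown kernel series: $2" >&2; return 2 ;;
    esac
    rc=0
    check_enabled "$1" $want || rc=1
    check_disabled "$1" $avoid || rc=1
    return $rc
}

# Constructed sample .config (not a real kernel's): a 2.2.x build that left
# out CONFIG_IP_MASQUERADE_ICMP and turned on the not-recommended IPAUTOFW.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_NETLINK=y
# CONFIG_RTNETLINK is not set
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=y
CONFIG_IP_MASQUERADE_IPPORTFW=m
# CONFIG_IP_MASQUERADE_MFW is not set
EOF
}

# Stand-alone use: sh masqcheck.sh /usr/src/linux/.config 2.2
if [ $# -eq 2 ]; then
    masq_config_check "$1" "$2"
fi
```

Run it before `make modules; make modules_install` rather than after a reboot: a missing CONFIG_IP_MASQUERADE_ICMP shows up here as one line, whereas on the running system it shows up as PINGs that silently go nowhere.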
3.1.2. Linux 2.2.x Kernels
Please see the ``'' section for any required software, patches, etc.
o First of all, you need the kernel source for 2.2.x (preferably the
latest kernel version 2.2.1 or above)
o If this is your first time compiling the kernel, don't be scared.
In fact, it's rather easy and it's covered in several URLs found in
the ``'' section.
o Unpack the kernel source to /usr/src/ with a command: tar xvzf
linux-2.2.x.tar.gz -C /usr/src, where the "x" in 2.2.x is the
current Linux 2.2 kernel. Once finished, make sure there is a
directory or symbolic link to /usr/src/linux/
o Apply any appropriate or optional patches to the kernel source
code. As of 2.2.1, IP Masq does not require any specific patching
to get everything working. Features like PPTP and Xwindows
forwarders are optional. Please refer to the ``'' section for URLs
and the IP Masquerade Resources for up-to-date information and
patch URLs.
o Here are the MINIMUM options that need to be compiled into
the kernel. You will also need to configure the kernel to use your
installed network interfaces as well. Refer to the Linux Kernel
HOWTO and the
README file in the kernel source directory for further instructions
on compiling a kernel.
Please note the YES or NO ANSWERS to the following. Not all
options will be available without the proper kernel patches
described later in this HOWTO:
* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
- YES: though not required for IP MASQ, this option allows the kernel to create the
MASQ modules and enable the option for port forwarding
* Enable loadable module support (CONFIG_MODULES) [Y/n/?]
- YES: allows you to load kernel IP MASQ modules
* Networking support (CONFIG_NET) [Y/n/?]
- YES: Enables the network subsystem
* Packet socket (CONFIG_PACKET) [Y/m/n/?]
- YES: Though this is OPTIONAL, this recommended feature will allow you to use TCPDUMP to debug
any problems with IP MASQ
* Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?]
- YES: Though this is OPTIONAL, this feature will allow the logging of firewall hits
* Routing messages (CONFIG_RTNETLINK) [Y/n/?]
- NO: This option does not have anything to do with packet firewall logging
* Network firewalls (CONFIG_FIREWALL) [Y/n/?]
- YES: Enables the IPCHAINS firewall tool
* TCP/IP networking (CONFIG_INET) [Y/n/?]
- YES: Enables the TCP/IP protocol
* IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?]
- NO: This is only required for CONFIG_IP_ROUTE_VERBOSE and fancy routing (independent of
ipchains/masq).
* IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [Y/n/?]
- YES: This is useful if you use the routing code to drop IP spoofed packets (highly
recommended) and you want to log them.
* IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?]
- YES: Enable the firewalling feature
* IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?]
- YES: Though this is OPTIONAL, this feature will enhance the logging of firewall hits
* IP: always defragment (required for masquerading) (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?]
- YES: This feature is REQUIRED to get asked about enabling the IP Masquerade and/or
Transparent Proxying features. This feature also optimizes IP MASQ connections.
* IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?]
- YES: Enable IP MASQ to re-address specific internal to external TCP/IP packets
* IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?]
- YES: Enable support for masquerading ICMP ping packets (ICMP error codes will be MASQed
regardless). This is an important feature for troubleshooting connections.
* IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?]
- YES: Though OPTIONAL, this enables the OPTION to later enable the TCP/IP Port forwarding
system to allow external computers to directly connect to specified internal MASQed
machines.
* IP: ipautofw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [N/y/m/?]
- NO: IPautofw is a legacy method of port forwarding. It is mainly a hack which is
better handled by per-protocol modules. NOT recommended.
* IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/m/n/?]
- YES: Enables IPPORTFW.
With this option, external computers on the Internet can directly communicate to
specified internal MASQed machines. This feature is typically used to access
internal SMTP, TELNET, and WWW servers. FTP port forwarding will need an additional
patch as described in the FAQ section. Additional information on port forwarding is
available in the Forwards section of this HOWTO.
* IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?]
- NO: This allows forwarding to be driven directly from IPCHAINS. Currently, this code is
EXPERIMENTAL and the recommended method is to use IPMASQADM and IPPORTFW.
* IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?]
- YES: This optimizes the kernel for the network subsystem, though it isn't known if it
makes a significant performance difference.
* IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?]
- NO: This OPTIONAL selection is to enable PPTP and GRE tunnels through the IP MASQ box
* IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?]
- YES: HIGHLY recommended for basic network security
* IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?]
- YES: HIGHLY recommended for basic network security
* Network device support (CONFIG_NETDEVICES) [Y/n/?]
- YES: Enables the Linux Network sublayer
* Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
- YES: Though OPTIONAL, this option can help when debugging problems
* /proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
- YES: Required to enable the Linux network forwarding system
NOTE: These are just the components you need for IP Masquerade, select
whatever other options you need for your specific setup.
· After compiling the kernel, you should compile and install the IP
MASQ modules by doing:
make modules; make modules_install
· Then you should add a few lines into your /etc/rc.d/rc.local file
to load the IP Masquerade modules and enable IP MASQ automatically
after each reboot:
.
.
.
#rc.firewall script - Start IPMASQ and the firewall
/etc/rc.d/rc.firewall
.
.
.
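Rather than re-reading the menu answers above by hand, the kernel's .config file (written by make config or make menuconfig in the kernel source directory) can be checked with a short script. The following is an added example and not part of this HOWTO or of the kernel sources: its option lists are the YES/NO answers given above, and the two .config fragments it writes to temporary files are constructed for the demonstration (a real .config has many more lines).

```sh
#!/bin/sh
# Added example (not part of the HOWTO): check a 2.2.x kernel .config against the
# answers given above. The option lists are taken from the HOWTO's YES/NO answers;
# the sample .config fragments are constructed here for demonstration only.

# Options answered YES above that IP Masquerade will not work without.
REQUIRED_Y="CONFIG_NET CONFIG_INET CONFIG_FIREWALL CONFIG_IP_FIREWALL
            CONFIG_IP_ALWAYS_DEFRAG CONFIG_IP_MASQUERADE
            CONFIG_NETDEVICES CONFIG_PROC_FS"
# Options the HOWTO marks HIGHLY recommended for basic network security.
RECOMMENDED_Y="CONFIG_SYN_COOKIES CONFIG_IP_NOSR"
# The legacy option the HOWTO answers NO to.
DISCOURAGED="CONFIG_IP_MASQUERADE_IPAUTOFW"

# config_value FILE OPTION: prints y, m, n (an "is not set" line) or unset (absent)
config_value() {
    v=$(sed -n "s/^$2=\([ym]\).*/\1/p" "$1" | tail -n 1)
    if [ -n "$v" ]; then
        echo "$v"
    elif grep -q "^# $2 is not set" "$1"; then
        echo n
    else
        echo unset
    fi
}

# masq_config_failures FILE: one finding per line on stderr, and the count of
# hard failures (required options not built in) on stdout
masq_config_failures() {
    file=$1
    fails=0
    for opt in $REQUIRED_Y; do
        v=$(config_value "$file" "$opt")
        if [ "$v" != y ]; then
            echo "MISSING  $opt=$v  (required for IP MASQ, must be y)" >&2
            fails=$((fails + 1))
        fi
    done
    for opt in $RECOMMENDED_Y; do
        v=$(config_value "$file" "$opt")
        [ "$v" = y ] || echo "WARNING  $opt=$v  (HIGHLY recommended for basic security)" >&2
    done
    v=$(config_value "$file" "$DISCOURAGED")
    case $v in
        y|m) echo "WARNING  $DISCOURAGED=$v  (legacy ipautofw; the HOWTO says NO)" >&2 ;;
    esac
    echo "$fails"
}

# write_sample_config FILE good|bad: constructed .config fragments, not from a real kernel
write_sample_config() {
    case $2 in
        good) cat > "$1" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_MOD=y
# CONFIG_IP_MASQUERADE_IPAUTOFW is not set
CONFIG_IP_MASQUERADE_IPPORTFW=m
CONFIG_SYN_COOKIES=y
CONFIG_IP_NOSR=y
CONFIG_NETDEVICES=y
CONFIG_DUMMY=m
CONFIG_PROC_FS=y
EOF
        ;;
        bad) cat > "$1" <<'EOF'
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_FIREWALL=y
# CONFIG_IP_MASQUERADE is not set
CONFIG_IP_MASQUERADE_IPAUTOFW=m
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_NOSR=y
CONFIG_NETDEVICES=y
CONFIG_PROC_FS=y
EOF
        ;;
    esac
}

# Demonstration: the "bad" config lacks CONFIG_IP_ALWAYS_DEFRAG entirely and has IP
# masquerading switched off, so it reports 2 hard failures plus two warnings.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
write_sample_config "$GOOD_CFG" good
write_sample_config "$BAD_CFG" bad
echo "good .config: $(masq_config_failures "$GOOD_CFG") hard failure(s)"
echo "bad  .config: $(masq_config_failures "$BAD_CFG") hard failure(s)"
rm -f "$GOOD_CFG" "$BAD_CFG"
```

Run it against the real file with masq_config_failures /usr/src/linux/.config after the kernel has been configured; a non-zero count means the IP Masquerade prompts were skipped or answered NO and the kernel needs reconfiguring before it is built.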
3.2. Assigning Private Network IP Addresses to the Internal LAN
Since all INTERNAL MASQed machines should NOT have officially assigned
Internet addresses, there must be a specific and accepted way to
allocate addresses to those machines without conflicting with anyone
else's Internet addresses.
From the original IP Masquerade FAQ:
RFC 1918 is the official document on which IP addresses are to be used
on a non-connected or "private" network. There are 3 blocks of
numbers set aside specifically for this purpose
Section 3: Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private networks:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
We will refer to the first block as "24-bit block", the second as
"20-bit block", and to the third as "16-bit block". Note that the
first block is nothing but a single class A network number, while the
second block is a set of 16 contiguous class B network numbers, and
third block is a set of 255 contiguous class C network numbers.
For the record, my preference is to use the 192.168.0.0 network with a
255.255.255.0 Class-C subnet mask, and this HOWTO reflects this. Any
of the above private networks is valid, but be SURE to use the correct
subnet mask.
So, if you're using a Class-C network, you should number your TCP/IP
enabled machines as 192.168.0.1, 192.168.0.2, 192.168.0.3, ...,
192.168.0.x
192.168.0.1 is usually the internal gateway or Linux MASQ machine to
get out to the external network. Please note that 192.168.0.0 and
192.168.0.255 are the Network and Broadcast address respectively
(these addresses are RESERVED). Avoid using these addresses on your
machines or your network will not work properly.
3.3. Configuring IP Forwarding Policies
At this point, you should have your kernel and other required packages
installed. All network IP addresses, gateway, and DNS addresses
should be configured on your Linux MASQ server as well. If you don't
know how to configure your Linux network cards, please consult the
HOWTOs listed in either the ``'' or ``'' sections.
Now, the only thing left to do is to configure the IP firewalling
tools to both FORWARD and MASQUERADE the appropriate packets to the
appropriate machine:
** This can be accomplished in many different ways. The
following suggestions and examples worked for me, but you
may have different ideas or needs.
** This section ONLY provides you with the bare minimum
firewall ruleset to get the IP Masquerade feature working.
Once IP MASQ has been successfully tested (as described
later in this HOWTO), please refer to the ``'' and ``''
sections for more secure firewall rulesets. In addition, check
out the IPFWADM (2.0.x) and/or IPCHAINS(2.2.x) man pages for
more details.
3.3.1. Linux 2.0.x Kernels
Create the file /etc/rc.d/rc.firewall with the following initial
SIMPLE ruleset:
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade setup for 2.0.x kernels using IPFWADM
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current available IP MASQ modules
# are shown below but are commented out from loading.
# Needed to initially load modules
#
/sbin/depmod -a
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive
# CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable this following
# option. This enables dynamic-ip address hacking in IP MASQ, making the life
# with DialD, PPPd, and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipfwadm -M -s 7200 10 160
# DHCP: For people who receive their external IP address from either DHCP or BOOTP
# such as ADSL or Cablemodem users, it is necessary to use the following rule
# before the deny command. "bootp_client_net_if_name" should be replaced with
# the name of the interface on which the DHCP/BOOTP server assigns an address.
# This will be something like "eth0", "eth1", etc.
#
# This example is currently commented out.
#
#/sbin/ipfwadm -I -a accept -S 0/0 67 -D 0/0 68 -W bootp_client_net_if_name -P udp
# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
# network with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
Once you are finished with editing the /etc/rc.d/rc.firewall ruleset,
make it executable by typing in "chmod 700 /etc/rc.d/rc.firewall"
You could also enable IP Masquerading on a PER MACHINE basis instead
of enabling an ENTIRE TCP/IP network as above. For example, say I
wanted only the 192.168.0.2 and 192.168.0.8 hosts to have access to
the Internet and NOT any of the other internal machines. I would
change the lines in the "Enable simple IP forwarding and Masquerading"
section (shown above) of the /etc/rc.d/rc.firewall ruleset to:
# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example to only allow IP Masquerading for the 192.168.0.2
# and 192.168.0.8 machines with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please use the following in ADDITION to the simple ruleset above for specific
# MASQ networks. Also change the network numbers and subnet masks to match your
# internal LAN setup
#
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.0.2/32 -D 0.0.0.0/0
/sbin/ipfwadm -F -a m -S 192.168.0.8/32 -D 0.0.0.0/0
What appears to be a common mistake with new IP Masq users is to make
the first command:
ipfwadm -F -p masquerade
Do NOT make your default policy be MASQUERADING. Otherwise someone
who can manipulate their routing tables will be able to tunnel
straight back through your gateway, using it to masquerade their OWN
identity!
Again, you can add these lines to the /etc/rc.d/rc.firewall file, one
of the other rc files you prefer, or do it manually every time you
need IP Masquerade.
Please see the ``'' and ``'' sections for a detailed guide on IPFWADM
and a stronger IPFWADM ruleset example.
3.3.2. Linux 2.2.x Kernels
Please note that IPFWADM is no longer the firewall tool for
manipulating IP Masquerading rules for both the 2.1.x and 2.2.x
kernels. These new kernels now use the IPCHAINS tool. For a more
detailed reason for this change, please see the ``'' section.
Create the file /etc/rc.d/rc.firewall with the following initial
SIMPLE ruleset:
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented out from loading.
# Needed to initially load modules
#
/sbin/depmod -a
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive
# CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
# option. This enables dynamic-ip address hacking in IP MASQ, making the life
# with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160
# DHCP: For people who receive their external IP address from either DHCP or BOOTP
# such as ADSL or Cablemodem users, it is necessary to use the following rule
# before the deny command. "bootp_client_net_if_name" should be replaced with
# the name of the interface on which the DHCP/BOOTP server assigns an address.
# This will be something like "eth0", "eth1", etc.
#
# This example is currently commented out.
#
#/sbin/ipchains -A input -j ACCEPT -i bootp_client_net_if_name -s 0/0 67 -d 0/0 68 -p udp
# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
# network with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
Once you are finished with editing the /etc/rc.d/rc.firewall ruleset,
make it executable by typing in chmod 700 /etc/rc.d/rc.firewall
You could also enable IP Masquerading on a PER MACHINE basis instead
of enabling an ENTIRE TCP/IP network as above. For example, say I
wanted only the 192.168.0.2 and 192.168.0.8 hosts to have access to
the Internet and NOT any of the other internal machines. I would
change the lines in the "Enable simple IP forwarding and Masquerading"
section (shown above) of the /etc/rc.d/rc.firewall ruleset to:
#!/bin/sh
#
# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example to only allow IP Masquerading for the 192.168.0.2
# and 192.168.0.8 machines with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.2/32 -j MASQ
/sbin/ipchains -A forward -s 192.168.0.8/32 -j MASQ
What appears to be a common mistake with new IP Masq users is to make
the first command:
/sbin/ipchains -P forward MASQ
Do NOT make your default policy be MASQUERADING. Otherwise someone
who can manipulate their routing tables will be able to tunnel
straight back through your gateway, using it to masquerade their OWN
identity!
Again, you can add these lines to the /etc/rc.d/rc.firewall file, one
of the other rc files you prefer, or do it manually every time you
need IP Masquerade.
Please see the ``'' and ``'' sections for a detailed guide on IPCHAINS
and a strong IPCHAINS ruleset example. For additional details on
IPCHAINS usage, please refer to the Linux IP CHAINS HOWTO
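The default-policy mistake warned about above (and in the 2.0.x section) is easy to spot mechanically. The following script is an added example and not part of this HOWTO: it reads an rc.firewall file, ignores comment lines, and reports whether the last ipfwadm "-F -p" or ipchains "-P forward" policy is a deny policy, whether any MASQ rule has an "any" source (0/0, which exposes the gateway in the same way a masquerading policy does), and whether ip_forward is switched on. The three rc.firewall fragments it writes to a temporary directory are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not part of the HOWTO): lint an rc.firewall script for the
# mistakes this section warns about. Only uncommented commands are examined.
# The sample rc.firewall fragments at the bottom are constructed for the demo.

# Lines that are not comments (this also drops the "#!/bin/sh" line).
active_lines() { grep -v '^[[:space:]]*#' "$1"; }

# forward_policy FILE: the default forward policy set by the last active
# "ipfwadm -F -p <policy>" or "ipchains -P forward <policy>" line, lower-cased,
# or "none" when the script never sets one.
forward_policy() {
    p=$(active_lines "$1" \
        | sed -n -e 's/.*ipfwadm[[:space:]]\{1,\}-F[[:space:]]\{1,\}-p[[:space:]]\{1,\}\([A-Za-z]\{1,\}\).*/\1/p' \
                 -e 's/.*ipchains[[:space:]]\{1,\}-P[[:space:]]\{1,\}forward[[:space:]]\{1,\}\([A-Za-z]\{1,\}\).*/\1/p' \
        | tail -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${p:-none}"
}

# open_masq_rules FILE: number of active masquerade rules whose source is "any"
# (0/0 or 0.0.0.0/0). Such a rule masquerades for the whole Internet, the same
# exposure as a masquerading default policy.
open_masq_rules() {
    active_lines "$1" \
        | grep -E 'ipfwadm .*-a m|ipchains .*-j MASQ' \
        | grep -Ec -e '-[sS] +(0/0|0\.0\.0\.0/0)( |$)' || true
}

# ip_forward_enabled FILE: true if the script writes 1 to ip_forward.
ip_forward_enabled() {
    active_lines "$1" \
        | grep -q 'echo[[:space:]]*"*1"*[[:space:]]*>[[:space:]]*/proc/sys/net/ipv4/ip_forward'
}

# lint_rc_firewall FILE: prints one verdict: DEFAULT-MASQ, NO-DENY-POLICY,
# OPEN-MASQ-RULE, NO-IP-FORWARD or OK (the first problem found wins).
lint_rc_firewall() {
    case $(forward_policy "$1") in
        masq|masquerade|m) echo DEFAULT-MASQ; return 0 ;;
        deny|reject)       ;;
        *)                 echo NO-DENY-POLICY; return 0 ;;
    esac
    if [ "$(open_masq_rules "$1")" -gt 0 ]; then echo OPEN-MASQ-RULE; return 0; fi
    if ! ip_forward_enabled "$1"; then echo NO-IP-FORWARD; return 0; fi
    echo OK
}

# write_sample_rc FILE good|default-masq|open-rule: constructed fragments
write_sample_rc() {
    case $2 in
        good) cat > "$1" <<'EOF'
#!/bin/sh
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
EOF
        ;;
        default-masq) cat > "$1" <<'EOF'
# the common mistake: masquerade as the default policy
/sbin/ipfwadm -F -p masquerade
/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
echo "1" > /proc/sys/net/ipv4/ip_forward
EOF
        ;;
        open-rule) cat > "$1" <<'EOF'
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 0/0 -j MASQ
EOF
        ;;
    esac
}

DEMO_DIR=$(mktemp -d)
for kind in good default-masq open-rule; do
    write_sample_rc "$DEMO_DIR/$kind" "$kind"
    echo "$kind: $(lint_rc_firewall "$DEMO_DIR/$kind")"
done
rm -rf "$DEMO_DIR"
```

Point lint_rc_firewall at /etc/rc.d/rc.firewall before the first reboot with the new ruleset; anything other than OK means the script will either not masquerade at all or will masquerade for anyone who can route packets to the box.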
4. Configuring the other internal to-be MASQed machines
Besides setting the appropriate IP address for each internal MASQed
machine, you should also set each internal machine with the
appropriate gateway IP address of the Linux MASQ server and required
DNS servers. In general, this is rather straightforward. You simply
enter the address of your Linux host (usually 192.168.0.1) as the
machine's gateway address.
For the Domain Name Service, you can add in any DNS servers that are
available. The most apparent one should be the one that your Linux
server is using. You can optionally add any "domain search" suffix as
well.
After you have properly reconfigured the internal MASQed machines,
remember to restart their appropriate network services or reboot them.
The following configuration instructions assume that you are using a
Class C network with 192.168.0.1 as your Linux MASQ server's address.
Please note that 192.168.0.0 and 192.168.0.255 are reserved TCP/IP
addresses.
As it stands, the following Platforms have been tested as internal
MASQed machines:
· Linux 1.2.x, 1.3.x, 2.0.x, 2.1.x, 2.2.x
· Solaris 2.51, 2.6, 7
· Windows 95, OSR2, 98
· Windows NT 3.51, 4.0, 2000 (both workstation and server)
· Windows For Workgroup 3.11 (with TCP/IP package)
· Windows 3.1 (with the Netmanage Chameleon package)
· Novell 4.01 Server with the TCP/IP service
· OS/2 (including Warp v3)
· Macintosh OS (with MacTCP or Open Transport)
· DOS (with NCSA Telnet package, DOS Trumpet works partially)
· Amiga (with AmiTCP or AS225-stack)
· VAX Stations 3520 and 3100 with UCX (TCP/IP stack for VMS)
· Alpha/AXP with Linux/Redhat
· SCO Openserver (v3.2.4.2 and 5)
· IBM RS/6000 running AIX
4.1. Configuring Microsoft Windows 95
1. If you haven't installed your network card and adapter driver, do
so now. Description of this is beyond the scope of this document.
2. Go to the 'Control Panel' --> 'Network'.
3. Click on Add --> Protocol --> Manufacture: Microsoft --> Protocol:
'TCP/IP protocol' if you don't already have it.
4. Highlight the TCP/IP item bound to your Windows95 network card and
select 'Properties'. Now go to the 'IP Address' tab and set IP
Address to 192.168.0.x, (1 < x < 255), and then set the Subnet Mask
to 255.255.255.0
5. Now select the "Gateway" tab and add 192.168.0.1 as your gateway
under 'Gateway' and hit "Add".
6. Under the 'DNS Configuration' tab, make sure to put in a name for
this machine and enter in your official domain name. If you don't
have your own domain, put in the domain of your ISP. Now, add all
of the DNS servers that your Linux host uses (usually found in
/etc/resolv.conf). Usually these DNS servers are located at your
ISP though you can be running either your own CACHING or
Authoritative DNS server on your Linux MASQ server as well.
Optionally, you can add any appropriate domain search suffixes as
well.
7. Leave all the other settings as they are unless you know what
you're doing.
8. Click 'OK' on all dialog boxes and restart system.
9. Ping the linux box to test the network connection: 'Start/Run',
type: ping 192.168.0.1
(This is only an INTERNAL LAN connection test, you can't ping the
outside world yet.) If you don't see "replies" to your PINGs,
please verify your network configuration.
10. You can optionally create a HOSTS file in the C:\Windows directory
so that you can ping the "hostname" of the machines on your LAN
without the need for a DNS server. There is an example called
HOSTS.SAM in the C:\windows directory.
4.2. Configuring Windows NT
1. If you haven't installed your network card and adapter driver, do
so now. Description of this is beyond the scope of this document.
2. Go to 'Control Panel' --> 'Network' --> Protocols
3. Add the TCP/IP Protocol and related Components from the 'Add
Software' menu if you don't have TCP/IP service installed already.
4. Under 'Network Software and Adapter Cards' section, highlight the
'TCP/IP Protocol' in the 'Installed Network Software' selection
box.
5. In 'TCP/IP Configuration', select the appropriate adapter, e.g.
[1]Novell NE2000 Adapter. Then set the IP Address to 192.168.0.x
(1 < x < 255), then set Subnet Mask to 255.255.255.0 and Default
Gateway to 192.168.0.1
6. Do not enable 'Automatic DHCP Configuration', put anything in the
'WINS Server' input areas, or enable 'IP Forwarding' unless you're
in a Windows NT domain and you know EXACTLY what you're doing.
7. Click 'DNS', fill in the appropriate information that your Linux
host uses (usually found in /etc/resolv.conf) and then click 'OK'
when you're done.
8. Click 'Advanced', be sure to DISABLE 'DNS for Windows Name
Resolution' and 'Enable LMHOSTS lookup' unless you know what these
options do. If you want to use a LMHOSTS file, it is stored in
C:\winnt\system32\drivers\etc.
9. Click 'OK' on all dialog boxes and restart system.
10. Ping the linux box to test the network connection: 'File/Run',
type: ping 192.168.0.1
(This is only an INTERNAL LAN connection test, you can't ping the
outside world yet.) If you don't see "replies" to your PINGs,
please verify your network configuration.
4.3. Configuring Windows for Workgroup 3.11
1. If you haven't installed your network card and adapter driver, do
so now. Description of this is beyond the scope of this document.
2. Install the TCP/IP 32b package if you don't have it already.
3. In 'Main'/'Windows Setup'/'Network Setup', click on 'Drivers'.
4. Highlight 'Microsoft TCP/IP-32 3.11b' in the 'Network Drivers'
section, click 'Setup'.
5. Set the IP Address to 192.168.0.x (1 < x < 255), then set the
Subnet Mask to 255.255.255.0 and Default Gateway to 192.168.0.1
6. Do not enable 'Automatic DHCP Configuration' or put anything in
those 'WINS Server' input areas unless you're in a Windows NT
domain and you know what you're doing.
7. Click 'DNS', fill in the appropriate information your Linux host
uses (usually found in /etc/resolv.conf). Then click 'OK' when
you're done with it.
8. Click 'Advanced', check 'Enable DNS for Windows Name Resolution'
and 'Enable LMHOSTS lookup' found in c:\windows.
9. Click 'OK' on all dialog boxes and restart system.
10. Ping the linux box to test the network connection: 'File/Run',
type: ping 192.168.0.1
4.4. Configuring UNIX Based Systems
1. If you haven't installed your network card and recompiled your
kernel with the appropriate adapter driver, do so now. Description
of this is beyond the scope of this document.
2. Install TCP/IP networking, such as the net-tools package, if you
don't have it already.
3. Set IPADDR to 192.168.0.x (1 < x < 255), then set NETMASK to
255.255.255.0, GATEWAY to 192.168.0.1, and BROADCAST to
192.168.0.255
For example with Redhat Linux systems, you can edit the
/etc/sysconfig/network-scripts/ifcfg-eth0 file, or simply do it
through the Control Panel. These changes are different for other
UNIXes (such as SunOS, BSDi, Slackware Linux, Solaris, SuSE, Debian,
etc.). Please refer to your UNIX documentation for more
information.
4. Add your domain name service (DNS) and domain search suffix in
/etc/resolv.conf and for the appropriate UNIX versions, edit the
/etc/nsswitch.conf file to enable DNS services.
5. You may want to update your /etc/networks file depending on your
settings.
6. Restart the appropriate services, or simply restart your system.
7. Issue a ping command: ping 192.168.0.1 to test the connection to
your gateway machine.
(This is only an INTERNAL LAN connection test, you can't ping the
outside world yet.) If you don't see "replies" to your PINGs,
please verify your network configuration.
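The address rules of section 3.2 (use an RFC 1918 block, use the right subnet mask, never assign the network or broadcast address) and the IPADDR, NETMASK, GATEWAY and BROADCAST values of step 3 above can be checked with a little shell arithmetic. The following is an added example and not part of this HOWTO; the ifcfg-eth0 style values at the end are constructed, and the script assumes a POSIX sh whose arithmetic is wider than 32 bits (dash or bash on a 64-bit system).

```sh
#!/bin/sh
# Added example (not part of the HOWTO): subnet arithmetic for the private
# address rules in section 3.2 and the IPADDR/NETMASK/GATEWAY/BROADCAST values
# set in section 4.4. Needs a POSIX sh whose arithmetic is wider than 32 bits
# (dash and bash on any 64-bit system). Sample values below are constructed.

# ip2int A.B.C.D -> 32-bit integer (the subshell keeps the IFS change local)
ip2int() {
    (IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )))
}

# int2ip N -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# rfc1918_block IP -> the RFC 1918 block the address lies in, or "public"
rfc1918_block() {
    n=$(ip2int "$1")
    lo10=$(ip2int 10.0.0.0);     hi10=$(ip2int 10.255.255.255)
    lo172=$(ip2int 172.16.0.0);  hi172=$(ip2int 172.31.255.255)
    lo192=$(ip2int 192.168.0.0); hi192=$(ip2int 192.168.255.255)
    if   [ $(( n >= lo10  && n <= hi10  )) -eq 1 ]; then echo "10/8"
    elif [ $(( n >= lo172 && n <= hi172 )) -eq 1 ]; then echo "172.16/12"
    elif [ $(( n >= lo192 && n <= hi192 )) -eq 1 ]; then echo "192.168/16"
    else echo public
    fi
}

# network IP NETMASK -> network address (IP AND mask)
network()   { a=$(ip2int "$1"); m=$(ip2int "$2"); int2ip $(( a & m )); }
# broadcast IP NETMASK -> broadcast address (network OR the inverted mask)
broadcast() { a=$(ip2int "$1"); m=$(ip2int "$2"); int2ip $(( (a & m) | (~m & 4294967295) )); }

# check_host IPADDR NETMASK GATEWAY -> "OK" or the first problem found:
# a public address, the reserved network/broadcast address, or a gateway that
# is not on the host's own subnet (the host could never reach the MASQ box).
check_host() {
    ip=$1; mask=$2; gw=$3
    if [ "$(rfc1918_block "$ip")" = public ]; then
        echo "PUBLIC-ADDRESS: $ip is not in an RFC 1918 block"; return 0
    fi
    net=$(network "$ip" "$mask"); bc=$(broadcast "$ip" "$mask")
    if [ "$ip" = "$net" ]; then echo "RESERVED: $ip is the network address"; return 0; fi
    if [ "$ip" = "$bc" ];  then echo "RESERVED: $ip is the broadcast address"; return 0; fi
    if [ "$(network "$gw" "$mask")" != "$net" ]; then
        echo "GATEWAY-UNREACHABLE: $gw is not in $net (netmask $mask)"; return 0
    fi
    echo OK
}

# Demonstration with constructed ifcfg-eth0 style values
IPADDR=192.168.0.10; NETMASK=255.255.255.0; GATEWAY=192.168.0.1
echo "IPADDR=$IPADDR lies in RFC 1918 block $(rfc1918_block "$IPADDR")"
echo "NETWORK=$(network "$IPADDR" "$NETMASK") BROADCAST=$(broadcast "$IPADDR" "$NETMASK")"
echo "check: $(check_host "$IPADDR" "$NETMASK" "$GATEWAY")"
echo "check: $(check_host 192.168.0.255 "$NETMASK" "$GATEWAY")"
```

The BROADCAST value to put in ifcfg-eth0 is exactly what the broadcast function prints for the chosen IPADDR and NETMASK, so the same script works for the 172.16/12 and 10/8 blocks as well as the 192.168.0.0 network used throughout this HOWTO.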
4.5. Configuring DOS using NCSA Telnet package
1. If you haven't installed your network card, do so now. Description
of this is beyond the scope of this document.
2. Load the appropriate packet driver. For example: using a NE2000
Ethernet card set for I/O port 300 and IRQ 10, issue nwpd 0x60 10
0x300
3. Make a new directory, and then unpack the NCSA Telnet package:
pkunzip tel2308b.zip
4. Use a text editor to open the config.tel file
5. Set myip=192.168.0.x (1 < x < 255), and netmask=255.255.255.0
6. In this example, you should set hardware=packet, interrupt=10,
ioaddr=60
7. You should have at least one individual machine specification set
as the gateway, i.e. the Linux host:
name=default
host=yourlinuxhostname
hostip=192.168.0.1
gateway=1
8. Have another specification for a domain name service:
name=dns.domain.com ; hostip=123.123.123.123; nameserver=1
Note: substitute the appropriate information about the DNS that your
Linux host uses
9. Save your config.tel file
10. Telnet to the linux box to test the network connection: telnet
192.168.0.1. If you don't receive a LOGIN prompt, please verify
your network configuration.
4.6. Configuring MacOS Based System Running MacTCP
1. If you haven't installed the appropriate driver software for your
Ethernet adapter, do so now. Description of this is beyond the
scope of this document.
2. Open the MacTCP control panel. Select the appropriate network
driver (Ethernet, NOT EtherTalk) and click on the 'More...' button.
3. Under 'Obtain Address:', click 'Manually'.
4. Under 'IP Address:', select class C from the popup menu. Ignore the
rest of this section of the dialog box.
5. Fill in the appropriate information under 'Domain Name Server
Information:'.
6. Under 'Gateway Address:', enter 192.168.0.1
7. Click 'OK' to save the settings. In the main window of the MacTCP
control panel, enter the IP address of your Mac (192.168.0.x, 1 < x
< 255) in the 'IP Address:' box.
8. Close the MacTCP control panel. If a dialog box pops up notifying
you to do so, restart the system.
9. You may optionally ping the Linux box to test the network
connection. If you have the freeware program MacTCP Watcher, click
on the 'Ping' button, and enter the address of your Linux box
(192.168.0.1) in the dialog box that pops up. (This is only an
INTERNAL LAN connection test, you can't ping the outside world
yet.) If you don't see "replies" to your PINGs, please verify your
network configuration.
10. You can optionally create a Hosts file in your System Folder so
that you can use the hostnames of the machines on your LAN. The
file should already exist in your System Folder, and should contain
some (commented-out) sample entries which you can modify according
to your needs.
4.7. Configuring MacOS Based System Running Open Transport
1. If you haven't installed the appropriate driver software for your
Ethernet adapter, do so now. Description of this is beyond the
scope of this document.
2. Open the TCP/IP Control Panel and choose 'User Mode ...' from the
Edit menu. Make sure the user mode is set to at least 'Advanced'
and click the 'OK' button.
3. Choose 'Configurations...' from the File menu. Select your
'Default' configuration and click the 'Duplicate...' button. Enter
'IP Masq' (or something to let you know that this is a special
configuration) in the 'Duplicate Configuration' dialog, it will
probably say something like 'Default copy'. Then click the 'OK'
button, and the 'Make Active' button
4. Select 'Ethernet' from the 'Connect via:' pop-up.
5. Select the appropriate item from the 'Configure:' pop-up. If you
don't know which option to choose, you probably should re-select
your 'Default' configuration and quit. I use 'Manually'.
6. Enter the IP address of your Mac (192.168.0.x, 1 < x < 255) in the
'IP Address:' box.
7. Enter 255.255.255.0 in the 'Subnet mask:' box.
8. Enter 192.168.0.1 in the 'Router address:' box.
9. Enter the IP addresses of your domain name servers in the 'Name
server addr.:' box.
10. Enter the name of your Internet domain (e.g. 'microsoft.com') in
the 'Starting domain name' box under 'Implicit Search Path:'.
11. The following procedures are optional. Incorrect values may cause
erratic behavior. If you're not sure, it's probably better to
leave them blank, unchecked and/or un-selected. Remove any
information from those fields, if necessary. As far as I know
there is no way through the TCP/IP dialogs, to tell the system not
to use a previously selected alternate "Hosts" file. If you know, I
would be interested.
Check the '802.3' box if your network requires 802.3 frame types.
12. Click the 'Options...' button to make sure that TCP/IP is
active. I use the 'Load only when needed' option. If you run and
quit TCP/IP applications many times without rebooting your machine,
you may find that unchecking the 'Load only when needed' option
will prevent/reduce the effects on your machine's memory management.
With the item unchecked the TCP/IP protocol stacks are always
loaded and available for use. If checked, the TCP/IP stacks are
automatically loaded when needed and un-loaded when not. It's the
loading and unloading process that can cause your machine's memory
to become fragmented.
13. You may ping the Linux box to test the network connection. If you
have the freeware program MacTCP Watcher, click on the 'Ping'
button, and enter the address of your Linux box (192.168.0.1) in
the dialog box that pops up. (This is only an INTERNAL LAN
connection test, you can't ping the outside world yet.) If you
don't see "replies" to your PINGs, please verify your network
configuration.
14. You can optionally create a Hosts file in your System Folder so
that you can use the hostnames of the machines on your LAN. The
file may or may not already exist in your System Folder. If so, it
should contain some (commented-out) sample entries which you can
modify according to your needs. If not, you can get a copy of the
file from a system running MacTCP, or just create your own (it
follows a subset of the Unix /etc/hosts file format, described in
RFC 952). Once you've created the file, open the TCP/IP control
panel, click on the 'Select Hosts File...' button, and open the
Hosts file.
15. Click the close box or choose 'Close' or 'Quit' from the File menu,
and then click the 'Save' button to save the changes you have made.
16. The changes take effect immediately, but rebooting the system won't
hurt.
4.8. Configuring Novell network using DNS
1. If you haven't installed the appropriate driver software for your
Ethernet adapter, do so now. Description of this is beyond the
scope of this document.
2. Download tcpip16.exe from The Novell LanWorkPlace page
3. Edit c:\nwclient\startnet.bat:
SET NWLANGUAGE=ENGLISH
LH LSL.COM
LH KTC2000.COM
LH IPXODI.COM
LH tcpip
LH VLM.EXE
F:
4. Edit c:\nwclient\net.cfg:
Link Driver KTC2000
Protocol IPX 0 ETHERNET_802.3
Frame ETHERNET_802.3
Frame Ethernet_II
FRAME Ethernet_802.2
NetWare DOS Requester
FIRST NETWORK DRIVE = F
USE DEFAULTS = OFF
VLM = CONN.VLM
VLM = IPXNCP.VLM
VLM = TRAN.VLM
VLM = SECURITY.VLM
VLM = NDS.VLM
VLM = BIND.VLM
VLM = NWP.VLM
VLM = FIO.VLM
VLM = GENERAL.VLM
VLM = REDIR.VLM
VLM = PRINT.VLM
VLM = NETX.VLM
Link Support
Buffers 8 1500
MemPool 4096
Protocol TCPIP
PATH SCRIPT C:\NET\SCRIPT
PATH PROFILE C:\NET\PROFILE
PATH LWP_CFG C:\NET\HSTACC
PATH TCP_CFG C:\NET\TCP
ip_address 192.168.0.xxx
ip_router 192.168.0.1
Change the IP address in the above "ip_address" field (192.168.0.x, 1 < x < 255)
and finally create c:\bin\resolv.cfg:
SEARCH DNS HOSTS SEQUENTIAL
NAMESERVER xxx.xxx.xxx.xxx
NAMESERVER yyy.yyy.yyy.yyy
5. Now edit the above "NAMESERVER" entries and replace them with the
correct IP addresses for your local DNS server.
6. Issue a ping command: ping 192.168.0.1 to test the connection to
your gateway machine.
(This is only an INTERNAL LAN connection test, you can't ping the
outside world yet.) If you don't see "replies" to your PINGs,
please verify your network configuration.
4.9. Configuring OS/2 Warp
1. If you haven't installed the appropriate driver software for your
Ethernet adapter, do so now. Description of this is beyond the
scope of this document.
2. Install the TCP/IP protocol if you don't have it already.
3. Go to Programs/TCP/IP (LAN) / TCP/IP Settings
4. In 'Network' add your TCP/IP Address (192.168.0.x) and set your
netmask (255.255.255.0)
5. Under 'Routing' press 'Add'. Set the Type to 'default' and type the
IP Address of your Linux Box (192.168.0.1) in the field 'Router
Address'.
6. Set the same DNS (Nameserver) Address that your Linux host uses in
'Hosts'.
7. Close the TCP/IP control panel. Say yes to the following
question(s).
8. Reboot your system
9. You may ping the Linux box to test the network configuration. Type
'ping 192.168.0.1' in an 'OS/2 Command prompt Window'. When ping
packets are received, all is ok.
4.10. Configuring Other Systems
The same logic should apply to setting up other platforms. Consult
the sections above. If you're interested in writing about any of the
systems that have not been covered yet, please send detailed setup
instructions to ambrose@writeme.com and dranch@trinnet.net.
5. Testing IP Masquerade
Finally, it's time to give IP Masquerading an official try after all
this hard work. If you haven't already rebooted your Linux box, do so
to make sure the machine boots ok, executes the /etc/rc.d/rc.firewall
ruleset, etc. Next, make sure that both the internal LAN connection
and the connection of your Linux host to the Internet are okay.
Now do the following:
o One: From an internal MASQed computer, try pinging your own local IP
address (i.e. ping 192.168.0.10). This will verify that TCP/IP is
correctly working on the local machine. If this doesn't work, make
sure that TCP/IP is correctly configured on the MASQed PC as
described earlier in this HOWTO.
o Two: On the MASQ server itself, ping the internal IP address of
the MASQ network (i.e. ping 192.168.0.1). Then ping the external
IP address connected to the Internet. This address might be your
PPP, Ethernet, etc. address connected to your ISP. If you don't
know what this IP address is, run the Linux command "/sbin/ifconfig"
on the MASQ server to get the Internet address. This will confirm
that the MASQ server has full network connectivity.
o Three: Back on an internal MASQed computer, try pinging the IP
address of the Masquerading Linux box's internal Ethernet card
(i.e. ping 192.168.0.1). This will prove that your internal network
and routing are ok. If this fails, make sure the Ethernet cards of
the MASQ server and the MASQed computer have "link". This is
usually an LED on the back of each Ethernet card and also on the
Ethernet hub/switch (if you are using one).
o Four: From an internal MASQed computer, ping the MASQ server's
external TCP/IP address obtained in item TWO above. This address
might be your PPP, Ethernet, etc. address connected to your ISP.
This ping test will prove that masquerading is working (ICMP
Masquerading specifically). If it doesn't work, make sure that you
enabled "ICMP Masquerading" in the kernel and "IP Forwarding" in
your /etc/rc.d/rc.firewall script. Also make sure that the
/etc/rc.d/rc.firewall ruleset loaded ok. Try running the
/etc/rc.d/rc.firewall script manually for now to see if it runs ok.
If you still can't get things to work, take a look at the output from:
o "ifconfig": Make sure your Internet connection is UP and you have
the correct IP address for the Internet connection.
o "netstat -rn": Make sure your default gateway (the route with an IP
address in the Gateway column) is set.
o "cat /proc/sys/net/ipv4/ip_forward": Make sure it says "1" so that
Linux forwarding is enabled.
o "/sbin/ipfwadm -F -l" for 2.0.x or "/sbin/ipchains -L forward" for
2.2.x users (note that "-F" means flush in ipchains): Make sure you
have MASQ enabled.
o Five: From an internal MASQed computer, now ping a static TCP/IP
address out on the Internet (i.e. ping 152.19.254.81, which is
http://metalab.unc.edu, home of the LDP). If this works, that means
that ICMP Masquerading is working over the Internet. If it didn't
work, again check your Internet connection. If this still doesn't
work, make sure you are using the simple rc.firewall ruleset and
that you have ICMP Masquerading compiled into the Linux kernel.
o Six: Now try TELNETing to a remote IP address (i.e. telnet
152.2.254.81, metalab.unc.edu; note that this might take a while to
get a login prompt since this is a VERY busy server). Did you get a
login prompt after a while? If that worked, that means that TCP
Masquerading is running ok. If not, try TELNETing to some other
hosts you think will support TELNET, like 198.182.196.55
(www.linux.org). If this still doesn't work, make sure you are
using the simple rc.firewall ruleset for now.
o Seven: Now try TELNETing to a remote HOSTNAME (i.e. "telnet
metalab.unc.edu" (152.2.254.81)). If this works, this means that
DNS is working fine as well. If this didn't work but step FOUR did
work, make sure that you have valid DNS servers configured on your
MASQed computer.
o Eight: As a last test, try browsing some 'INTERNET' WWW sites on
one of your MASQed machines and see if you can reach them. For
example, access the Linux Documentation Project site. If this
works, you can be fairly certain that everything is working FINE!
If you see The Linux Documentation Project homepage, then
CONGRATULATIONS! It's working! If that WWW site comes up correctly,
then all other standard network tools such as PING, TELNET, SSH and,
with their related IP MASQ modules loaded, FTP, Real Audio, IRC DCCs,
Quake I/II/III, CuSeeme, VDOLive, etc. should work fine! If FTP, IRC,
RealAudio, Quake I/II/III, etc. aren't working or are performing
poorly, make sure their associated Masquerading modules are loaded by
running "lsmod" and also be sure you are loading the module with any
non-default server ports. If you don't see your needed module, make
sure your /etc/rc.d/rc.firewall script is loading them (i.e. remove
the # character for a given IP MASQ module).
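The "take a look at the output from" checks above can be scripted so that a MASQ box reports all of them at once. The following is an added example and not part of the HOWTO: each check takes the command output as text, so it can be tried on the constructed sample output embedded below; masq_check_live feeds it the real output of /proc/sys/net/ipv4/ip_forward, "netstat -rn" and "/sbin/ipchains -L -n" (the 2.2.x tool; the column layout assumed is that of ipchains, so 2.0.x users would adapt masq_rule_present to "ipfwadm -F -l"). The gateway address in the sample is a made-up documentation address.

```shell
#!/bin/sh
# masq_check.sh: the section 5 troubleshooting checks as a script.
# Added example, not part of the HOWTO.  Each check takes the command output
# as a string so it can be tried on the constructed samples below;
# masq_check_live runs them against the real box (run as: sh masq_check.sh live).

# forwarding_enabled VALUE -> true when /proc/sys/net/ipv4/ip_forward holds "1"
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d ' \n\t')" = "1" ]
}

# default_gateway NETSTAT_RN_OUTPUT -> prints the gateway of the default route,
# nothing if "netstat -rn" shows no 0.0.0.0 destination at all
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" || $1 == "default" { print $2; exit }'
}

# masq_rule_present IPCHAINS_L_OUTPUT -> true when the forward chain listed by
# "ipchains -L -n" contains a rule whose target is MASQ
masq_rule_present() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2 }
        chain == "forward" && $1 == "MASQ" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# masq_check_live: run the three checks against this machine (assumed paths)
masq_check_live() {
    if forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"; then
        echo "ip_forward: enabled"
    else
        echo "ip_forward: DISABLED - echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
    gw=$(default_gateway "$(netstat -rn)")
    if [ -n "$gw" ]; then
        echo "default gateway: $gw"
    else
        echo "default gateway: MISSING - check your Internet link"
    fi
    if masq_rule_present "$(/sbin/ipchains -L -n)"; then
        echo "masquerading: MASQ rule found in forward chain"
    else
        echo "masquerading: NO MASQ rule - check /etc/rc.d/rc.firewall"
    fi
}

# Constructed sample output (not from a real box) for trying the checks:
SAMPLE_NETSTAT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 ppp0'

SAMPLE_IPCHAINS='Chain input (policy REJECT):
target     prot opt     source                destination           ports
ACCEPT     all ------  192.168.0.0/24       0.0.0.0/0             n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all ------  192.168.0.0/24       0.0.0.0/0             n/a
REJECT     all ----l-  0.0.0.0/0            0.0.0.0/0             n/a
Chain output (policy REJECT):'

if [ "${1:-}" = "live" ]; then
    masq_check_live
else
    echo "sample default gateway: $(default_gateway "$SAMPLE_NETSTAT")"
    masq_rule_present "$SAMPLE_IPCHAINS" && echo "sample ruleset: MASQ rule present"
fi
```

Without the "live" argument the script only exercises the checks on the samples, which is useful for confirming the parsing before trusting it on a box whose masquerading you are debugging.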
6. Other IP Masquerade Issues and Software Support
6.1. Problems with IP Masquerade
Some TCP/IP application protocols will not currently work with Linux
IP Masquerading because they either assume things about port numbers
or encode TCP/IP addresses and/or port numbers in their data stream.
These latter protocols need specific proxies or IP MASQ modules built
into the masquerading code to make them work.
6.2. Incoming services
By default, Linux IP Masquerading cannot handle incoming services at
all but there are a few ways of allowing them.
If you do not require high levels of security then you can simply
forward or redirect IP ports. There are various ways of doing this
though the most stable method is to use IPPORTFW. For more
information, please see the ``'' section.
If you wish to have some level of authorization on incoming
connections then you will need to either configure TCP-wrappers or
Xinetd to then allow only specific IP addresses through. The TIS
Firewall Toolkit is a good place to look for tools and information.
More details on incoming security can be found in the TrinityOS
document and at the IP Masquerade Resource.
6.3. Supported Client Software and Other Setup Notes
** The Linux Masquerade Application list has a lot of good
information regarding applications that work through Linux IP
masquerading. Unfortunately, this service hasn't been well
maintained, but if you are interested in taking over this
site, please email either ambrose@writeme.com and/or
dranch@trinnet.net.
Generally, any application that uses standard TCP and UDP should work.
If you have any suggestions, hints, etc., please see the IP Masquerade
Resource for more details.
6.3.1. Network Clients that -Work- with IP Masquerade
General Clients:
Archie
all supported platforms, file searching client (not all archie
clients are supported)
FTP
all supported platforms, with the ip_masq_ftp.o kernel module
for active FTP connections.
Gopher client
all supported platforms
HTTP
all supported platforms, WWW surfing
IRC
all IRC clients on various supported platforms, DCC is supported
via the ip_masq_irc.o module
NNTP (USENET)
all supported platforms, USENET news client
PING
all platforms, with ICMP Masquerading kernel option
POP3
all supported platforms, email clients
SSH
all supported platforms, Secure TELNET/FTP clients
SMTP
all supported platforms, email servers like Sendmail, Qmail,
PostFix, etc.
TELNET
all supported platforms, remote session
TRACEROUTE
UNIX and Windows based platforms, some variations may not work
VRML
Windows (possibly all supported platforms), virtual reality
surfing
WAIS client
all supported platforms
Multimedia and Communication Clients:
Alpha Worlds
Windows, Client-Server 3D chat program
CU-SeeMe
all supported platforms, with the ip_masq_cuseeme module loaded,
please see the ``'' section for more details.
ICQ
all supported clients. Requires the Linux kernel to be compiled
with IPPORTFW support and ICQ is configured to be behind a NON-
SOCKS proxy. A full description of this configuration is in the
``'' section.
Internet Phone 3.2
Windows, Peer-to-peer audio communications, people can reach you
only if you initiate the call, but people cannot call you
without a specific port forwarding setup. See the ``'' section
for more details.
Internet Wave Player
Windows, network streaming audio
Powwow
Windows, Peer-to-peer Text audio whiteboard communications,
people can reach you only if you initiate the call, but people
cannot call you without a specific port forwarding setup. See
the ``'' section for more details.
Real Audio Player
Windows, network streaming audio, higher quality available with
the ip_masq_raudio UDP module
True Speech Player 1.1b
Windows, network streaming audio
VDOLive
Windows, with the ip_masq_vdolive patch
Worlds Chat 0.9a
Windows, Client-Server 3D chat program
Games - See the ``'' section for more details on the LooseUDP patch
Battle.net
Works but requires TCP ports 116 and 118 and UDP port 6112
IPPORTFWed to the game machine. See the ``'' section for more
details. Please note that FSGS and Bnetd servers still require
IPPORTFW since they haven't been re-written to be NAT-friendly.
BattleZone 1.4
Works with LooseUDP patch and new NAT-friendly .DLLs from
Activision
Dark Reign 1.4
Works with LooseUDP patch or requires TCP ports 116 and 118 and
UDP port 6112 IPPORTFWed to the game machine. See the ``''
section for more details.
Diablo
Works with LooseUDP patch or requires TCP ports 116 and 118 and
UDP port 6112 IPPORTFWed to the game machine. Newer versions of
Diablo use only TCP port 6112 and UDP port 6112. See the ``''
section for more details.
Heavy Gear 2
Works with LooseUDP patch or requires TCP ports 116 and 118 and
UDP port 6112 IPPORTFWed to the game machine. See the ``''
section for more details.
Quake I/II/III
Works right out of the box but requires the ip_masq_quake module
if there are more than one Quake I/II/III player behind a MASQ
box. Also, this module only supports Quake I and QuakeWorld by
default. If you need to support Quake II or non-default server
ports, please see the module install section of the ``'' and
``'' rulesets.
StarCraft
Works with the LooseUDP patch and IPPORTFWing TCP and UDP ports
6112 to the internal MASQed game machine. See the ``'' section
for more details.
WorldCraft
Works with LooseUDP patch
Other Clients:
Linux net-acct package
Linux, network administration-account package
NCSA Telnet 2.3.08
DOS, a suite containing telnet, ftp, ping, etc.
PC-anywhere for Windows
MS-Windows, remotely controls a PC over TCP/IP; only works as a
client, not as a host, without a specific port forwarding setup.
See the ``'' section for more details.
Socket Watch
uses NTP - network time protocol
6.3.2. Clients that do not Work:
All H.323 programs
- MS Netmeeting, Intel Internet Phone Beta 2 - Connects but
voice travels one way (out). Check out Equivalence's PhonePatch
H.323 gateway for one possible solution.
Intel Streaming Media Viewer Beta 1
Cannot connect to server
Netscape CoolTalk
Cannot connect to opposite side
WebPhone
Cannot work at present (it makes invalid assumptions about
addresses).
6.4. Stronger IP Firewall (IPFWADM) Rulesets
This section provides a more in-depth guide on using the 2.0.x
firewall tool, IPFWADM. See below for IPCHAINS rulesets.
This example is for a firewall/masquerade system behind a PPP link
with a static PPP address (dynamic PPP instructions are included but
disabled). The trusted interface is 192.168.0.1 and the PPP interface
IP address has been changed to protect the guilty :). I have listed
each incoming and outgoing interface individually to catch IP spoofing
as well as stuffed routing and/or masquerading. Anything not
explicitly allowed is FORBIDDEN (well.. rejected actually). If your
IP MASQ box breaks after implementing this rc.firewall script, be sure
that you edited it for your configuration and check your
/var/log/messages or /var/adm/messages SYSLOG file for any firewall
errors.
For more comprehensive examples of strong IP Masquerade IPFWADM
rulesets for PPP, Cablemodem users, etc., please see TrinityOS -
Section 10 and GreatCircle's Firewall WWW page.
NOTE: If you get a dynamically assigned TCP/IP address from your ISP
(PPP, ADSL, Cablemodems, etc.), you CANNOT load this strong ruleset
upon boot. You will either need to reload this firewall ruleset EVERY
TIME you get a new IP address or make your /etc/rc.d/rc.firewall
ruleset more intelligent. To do this for PPP users, carefully read
and uncomment the proper lines in the "Dynamic PPP IP fetch"
section below. The TrinityOS - Section 10 doc has more details on
strong rulesets and dynamic IP addresses.
Please also be aware that there are several GUI Firewall creation
tools available as well. Please see the ``'' section for full
details.
Lastly, if you are using a STATIC PPP IP address, change the
ppp_ip="your.static.PPP.address" line to reflect your address.
----------------------------------------------------------------
#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a semi-STRONG IPFWADM firewall ruleset
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# testing, wait a bit then clear all firewall rules.
# uncomment following lines if you want the firewall to automatically
# disable after 10 minutes.
# (sleep 600; \
# ipfwadm -I -f; \
# ipfwadm -I -p accept; \
# ipfwadm -O -f; \
# ipfwadm -O -p accept; \
# ipfwadm -F -f; \
# ipfwadm -F -p accept; \
# ) &
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented from loading.
# Needed to initially load modules
#
/sbin/depmod -a
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive
#CRITICAL: Enable IP forwarding since it is disabled by default.
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the following
# option. This enables dynamic-ip address hacking in IP MASQ, making life
# with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Specify your Static IP address here.
#
# If you have a DYNAMIC IP address, you need to make this ruleset understand your
# IP address every time you get a new IP. To do this, enable the following one-line
# script. (Please note that the different single and double quote characters MATTER).
#
# You will also need to either create the following link or have your existing
# /etc/ppp/ip-up script run the /etc/rc.d/rc.firewall script.
#
# ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# If the /etc/ppp/ip-up file already exists, you should edit it and add a line
# containing "/etc/rc.d/rc.firewall" near the end of the file.
#
# If you aren't already aware, the /etc/ppp/ip-up script is always run when a PPP
# connection comes up. Because of this, we can make the ruleset go and get the
# new PPP IP address and update the strong firewall ruleset.
#
# PPP users: If your Internet connection is via a PPP connection, the following
# one-line script will work fine.
#
# DHCP users: If you get your TCP/IP address via DHCP, you will need to replace
# the word "ppp0" with the name of your external Internet connection
# (eth0, eth1, etc). It should be also noted that DHCP can change
# IP addresses on you. To fix this, users should configure their
# DHCPcd or other DHCP client to re-run the firewall ruleset when their
# DHCP lease is renewed. For DHCPcd users, use the "-c" option.
#
# NOTE: a shell variable assignment must have no spaces around the "=".
#ppp_ip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
#
ppp_ip="your.static.PPP.address"
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
/sbin/ipfwadm -M -s 7200 10 60
#############################################################################
# Incoming, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p reject
# local interface, local machines, going anywhere is valid
#
/sbin/ipfwadm -I -a accept -V 192.168.0.1 -S 192.168.0.0/24 -D 0.0.0.0/0
# remote interface, claiming to be local machines, IP spoofing, get lost
#
/sbin/ipfwadm -I -a reject -V $ppp_ip -S 192.168.0.0/24 -D 0.0.0.0/0 -o
# remote interface, any source, going to permanent PPP address is valid
#
/sbin/ipfwadm -I -a accept -V $ppp_ip -S 0.0.0.0/0 -D $ppp_ip/32
# loopback interface is valid.
#
/sbin/ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
/sbin/ipfwadm -I -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o
#############################################################################
# Outgoing, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
/sbin/ipfwadm -O -f
/sbin/ipfwadm -O -p reject
# local interface, any source going to local net is valid
#
/sbin/ipfwadm -O -a accept -V 192.168.0.1 -S 0.0.0.0/0 -D 192.168.0.0/24
# outgoing to local net on remote interface, stuffed routing, deny
#
/sbin/ipfwadm -O -a reject -V $ppp_ip -S 0.0.0.0/0 -D 192.168.0.0/24 -o
# outgoing from local net on remote interface, stuffed masquerading, deny
#
/sbin/ipfwadm -O -a reject -V $ppp_ip -S 192.168.0.0/24 -D 0.0.0.0/0 -o
# anything else outgoing on remote interface is valid
#
/sbin/ipfwadm -O -a accept -V $ppp_ip -S $ppp_ip/32 -D 0.0.0.0/0
# loopback interface is valid.
#
/sbin/ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
/sbin/ipfwadm -O -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o
#############################################################################
# Forwarding, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
# Masquerade from local net on local interface to anywhere.
#
/sbin/ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0
#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
/sbin/ipfwadm -F -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o
----------------------------------------------------------------
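The "Dynamic PPP IP fetch" one-liner in the script above has a failure mode worth guarding against: if ppp0 is down, or pppd has not yet been given an address when rc.firewall runs, $ppp_ip is empty and every rule that uses it (and the extip= line of the IPCHAINS script below, which has the same shape) is built with the address missing. The following is an added example, not part of the HOWTO's rc.firewall: it wraps the same ifconfig/grep/awk/sed pipeline in a function that validates the result and returns failure so the caller can stop before flushing any chains. The function names, the interface name and the sample ifconfig output (which uses a 192.0.2.0/24 documentation address) are my own.

```shell
#!/bin/sh
# Added example: fetch the external address the way the HOWTO's "Dynamic PPP
# IP fetch" one-liner does, but only build the firewall when a real address
# came back.  Not part of the HOWTO's rc.firewall; names are assumptions.

# ext_ip_from_ifconfig IFCONFIG_OUTPUT -> prints the "inet addr:" value,
# nothing if the interface has no IPv4 address (same pipeline as the HOWTO)
ext_ip_from_ifconfig() {
    printf '%s\n' "$1" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

# is_dotted_quad STRING -> true for exactly four decimal octets in 0..255
is_dotted_quad() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# require_ext_ip IFNAME -> prints the interface address, or prints a reason on
# stderr and returns 1 so the caller can stop BEFORE flushing any chains.
# In rc.firewall use it as:   ppp_ip=$(require_ext_ip ppp0) || exit 1
require_ext_ip() {
    out=$(/sbin/ifconfig "$1" 2>/dev/null) || {
        echo "rc.firewall: interface $1 not found, ruleset not loaded" >&2
        return 1
    }
    ip=$(ext_ip_from_ifconfig "$out")
    is_dotted_quad "$ip" || {
        echo "rc.firewall: $1 has no IPv4 address yet, ruleset not loaded" >&2
        return 1
    }
    printf '%s\n' "$ip"
}

# Constructed ifconfig output (2.2-era format) for a PPP link that is up ...
SAMPLE_UP='ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.0.2.45  P-t-P:192.0.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'
# ... and for the same link before pppd has negotiated an address
SAMPLE_DOWN='ppp0      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1'

for sample in "$SAMPLE_UP" "$SAMPLE_DOWN"; do
    ip=$(ext_ip_from_ifconfig "$sample")
    if is_dotted_quad "$ip"; then
        echo "address $ip: ok to build rules with -V/-S $ip"
    else
        echo "no address (got '$ip'): ruleset must NOT be loaded"
    fi
done
```

Hooking require_ext_ip into /etc/ppp/ip-up, as the script's comments describe for the plain one-liner, means a half-up link leaves the previous ruleset in place instead of loading one whose address fields are blank.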
With IPFWADM, you can block traffic to a particular site using the -I,
-O or -F rules. Remember that the set of rules are scanned top to
bottom and "-a" means "append" to the existing set of rules. So with
this in mind, any specific restrictions need to come before global
rules. For example:
Using -I rules. Probably the fastest but it only stops the local
machines, the firewall itself can still access the "forbidden" site.
Of course you might want to allow that combination.
In the /etc/rc.d/rc.firewall ruleset:
... start of -I rules ...
# reject and log local interface, local machines going to 204.50.10.13
#
/sbin/ipfwadm -I -a reject -V 192.168.0.1 -S 192.168.0.0/24 -D 204.50.10.13/32 -o
# local interface, local machines, going anywhere is valid
#
/sbin/ipfwadm -I -a accept -V 192.168.0.1 -S 192.168.0.0/24 -D 0.0.0.0/0
... end of -I rules ...
Using -O rules. Slowest because the packets go through masquerading
first but this rule even stops the firewall accessing the forbidden
site.
... start of -O rules ...
# reject and log outgoing to 204.50.10.13
#
/sbin/ipfwadm -O -a reject -V $ppp_ip -S $ppp_ip/32 -D 204.50.10.13/32 -o
# anything else outgoing on remote interface is valid
#
/sbin/ipfwadm -O -a accept -V $ppp_ip -S $ppp_ip/32 -D 0.0.0.0/0
... end of -O rules ...
Using -F rules. Probably slower than -I and this still only stops
masqueraded machines (i.e. internal), firewall can still get to
forbidden site.
... start of -F rules ...
# Reject and log from local net on PPP interface to 204.50.10.13.
#
/sbin/ipfwadm -F -a reject -W ppp0 -S 192.168.0.0/24 -D 204.50.10.13/32 -o
# Masquerade from local net on local interface to anywhere.
#
/sbin/ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0
... end of -F rules ...
No need for a special rule to allow 192.168.0.0/24 to go to
204.50.11.0, it is covered by the global rules.
There is more than one way of coding the interfaces in the above
rules. For example, instead of "-V 192.168.255.1" you can code "-W
eth0", and instead of "-V $ppp_ip" you can use "-W ppp0". The "-V"
method was phased out with the migration to IPCHAINS but for IPFWADM
users, it's personal choice and documentation more than anything.
6.5. IP Firewalling Chains (ipchains)
This section provides a more in-depth guide on using the 2.2.x
firewall tool, IPCHAINS. See above for IPFWADM rulesets.
This example is for a firewall/masquerade system behind a PPP link
with a static PPP address (dynamic PPP instructions are included but
disabled). The trusted interface is 192.168.0.1 and the PPP interface
IP address has been changed to protect the guilty :). I have listed
each incoming and outgoing interface individually to catch IP spoofing
as well as stuffed routing and/or masquerading. Anything not
explicitly allowed is FORBIDDEN (well.. rejected actually). If your
IP MASQ box breaks after implementing this rc.firewall script, be sure
that you edited it for your configuration and check your
/var/log/messages or /var/adm/messages SYSLOG file for any firewall
errors.
For more comprehensive examples of strong IP Masquerade IPFWADM
rulesets for PPP, Cablemodem users, etc., please see TrinityOS -
Section 10 and GreatCircle's Firewall WWW page.
NOTE: If you get a dynamically assigned TCP/IP address from your ISP
(PPP, ADSL, Cablemodems, etc.), you CANNOT load this strong ruleset
upon boot. You will either need to reload this firewall ruleset EVERY
TIME you get a new IP address or make your /etc/rc.d/rc.firewall
ruleset more intelligent. To do this for PPP users, carefully read
and uncomment the proper lines in the "Dynamic PPP IP fetch"
section below. The TrinityOS - Section 10 doc has more details on
strong rulesets and dynamic IP addresses.
Please also be aware that there are several GUI Firewall creation
tools available as well. Please see the ``'' section for full
details.
Lastly, if you are using a STATIC IP address, change the extip= line
(this script has no ppp_ip line; it fetches the external address from
eth1 with ifconfig) to your address, i.e. extip="your.static.IP.address".
----------------------------------------------------------------
#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented from loading.
# Needed to initially load modules
#
/sbin/depmod -a
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
/sbin/modprobe ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive
#CRITICAL: Enable IP forwarding since it is disabled by default.
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# Get the dynamic IP address assigned via DHCP
#
extip="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
extint="eth1"
# Assign the internal IP
intint="eth0"
intnet="192.168.1.0/24"
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
ipchains -M -S 7200 10 60
#############################################################################
# Incoming, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F input
ipchains -P input REJECT
# local interface, local machines, going anywhere is valid
#
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
#
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# remote interface, any source, going to permanent PPP address is valid
#
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
# loopback interface is valid.
#
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
#############################################################################
# Outgoing, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F output
ipchains -P output REJECT
# local interface, any source going to local net is valid
#
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
#
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
# outgoing from local net on remote interface, stuffed masquerading, deny
#
ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# anything else outgoing on remote interface is valid
#
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
# loopback interface is valid.
#
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
#############################################################################
# Forwarding, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F forward
ipchains -P forward DENY
# Masquerade from local net on local interface to anywhere.
#
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
----------------------------------------------------------------
With IPCHAINS, you can block traffic to a particular site using the
"input", "output", and "forward" rules. Remember that the set of
rules is scanned top to bottom and "-A" means "append" to the
existing set of rules. So with this in mind, any specific
restrictions need to come before global rules. The examples below
use the $intint, $extint, $intnet and $extip variables set in the
ruleset above. For example:
Using "input" rules: Probably the fastest but it only stops the local
machines, the firewall itself can still access the "forbidden" site.
Of course you might want to allow that combination.
In the /etc/rc.d/rc.firewall ruleset:
... start of "input" rules ...
# reject and log local interface, local machines going to 204.50.10.13
#
ipchains -A input -i $intint -s $intnet -d 204.50.10.13/32 -l -j REJECT
# local interface, local machines, going anywhere is valid
#
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
... end of "input" rules ...
Using "output" rules: Slowest because the packets go through
masquerading first but this rule even stops the firewall accessing the
forbidden site.
... start of "output" rules ...
# reject and log outgoing to 204.50.10.13
#
ipchains -A output -i $extint -s $extip/32 -d 204.50.10.13/32 -l -j REJECT
# anything else outgoing on remote interface is valid
#
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
... end of "output" rules ...
Using "forward" rules: Probably slower than "input" and this still
only stops masqueraded machines (i.e. internal), the firewall can
still get to the forbidden site.
... start of "forward" rules ...
# Reject and log from local net on the external interface to 204.50.10.13.
#
ipchains -A forward -i $extint -s $intnet -d 204.50.10.13/32 -l -j REJECT
# Masquerade from local net on local interface to anywhere.
#
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
... end of "forward" rules ...
No need for a special rule to allow 192.168.0.0/24 to go to
204.50.11.0, it is covered by the global rules.
Unlike IPFWADM, there is only one way of coding the interfaces in the
above rules: IPCHAINS uses the "-i eth0" option. The "-V" IPFWADM
method was phased out with the migration to IPCHAINS but for IPFWADM
users, it's personal choice and documentation more than anything.
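Because both IPFWADM and IPCHAINS rules are first-match, a specific reject appended after a global accept (the ordering mistake sections 6.4 and 6.5 warn about) is dead code, and neither tool warns you. The following is an added check, my own script and not part of the HOWTO: it reads an rc.firewall and reports "ipchains -A" rules that can never match because an earlier rule on the same chain, with the same or a wider -i, -s and -p, already matches every destination. The two sample rulesets are constructed for the demo and reuse the variable names of the IPCHAINS script above; negated matches (!) are not modelled, and a rule carrying port arguments is simply never treated as a catch-all.

```shell
#!/bin/sh
# rc_check.sh: report "ipchains -A" rules in an rc.firewall that can never
# match because an earlier rule on the same chain already matches everything
# they would.  Added example, not part of the HOWTO; sample rulesets are
# constructed.  Negation (!) is not handled; a rule with port arguments is
# never recorded as a catch-all.

# shadowed_rules [FILE]: prints one line per shadowed rule (reads stdin when
# no FILE is given) and returns 1 if any were found, 0 otherwise.
shadowed_rules() {
    awk '
        # skip comments and anything that is not an "ipchains -A ..." line
        /^[ \t]*#/ || $0 !~ /ipchains[ \t]+-A/ { next }
        {
            chain = ""; iface = "any"; src = "0.0.0.0/0"; dst = "0.0.0.0/0"
            proto = "all"; ports = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-A") chain = $(i+1)
                else if ($i == "-i") iface = $(i+1)
                else if ($i == "-p") proto = $(i+1)
                else if ($i == "-s" || $i == "-d") {
                    if ($i == "-s") src = $(i+1)
                    else dst = $(i+1)
                    # a bare token after the address is a port or port range
                    if (i + 2 <= NF && $(i+2) !~ /^-/) ports = 1
                }
            }
            # does an earlier catch-all on this chain already cover this rule?
            for (k = 1; k <= n; k++)
                if (ca_chain[k] == chain &&
                    (ca_iface[k] == "any" || ca_iface[k] == iface) &&
                    (ca_src[k] == "0.0.0.0/0" || ca_src[k] == src) &&
                    (ca_proto[k] == "all" || ca_proto[k] == proto)) {
                    printf "line %d shadowed by line %d: %s\n", NR, ca_line[k], $0
                    bad = 1
                    next
                }
            # remember this rule if it matches every destination
            if (dst == "0.0.0.0/0" && !ports) {
                n++; ca_chain[n] = chain; ca_iface[n] = iface
                ca_src[n] = src; ca_proto[n] = proto; ca_line[n] = NR
            }
        }
        END { exit bad ? 1 : 0 }
    ' "${1:--}"
}

# count_shadowed RULES_TEXT -> prints how many rules in RULES_TEXT are shadowed
count_shadowed() {
    printf '%s\n' "$1" | shadowed_rules | wc -l | tr -d ' '
}

# Constructed rulesets: the order the HOWTO recommends ...
RULES_OK='# specific restriction first, then the global accept
ipchains -A input -i $intint -s $intnet -d 204.50.10.13/32 -l -j REJECT
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT'
# ... and the same rules with the restriction appended after the accept
RULES_BAD='ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -i $intint -s $intnet -d 204.50.10.13/32 -l -j REJECT'

if [ $# -gt 0 ]; then
    shadowed_rules "$1"
else
    echo "correct order: $(count_shadowed "$RULES_OK") shadowed rule(s)"
    echo "wrong order:   $(count_shadowed "$RULES_BAD") shadowed rule(s)"
    printf '%s\n' "$RULES_BAD" | shadowed_rules \
        || echo "(fix: move the REJECT above the ACCEPT)"
fi
```

Run it as "sh rc_check.sh /etc/rc.d/rc.firewall" before loading a changed ruleset; a non-zero exit means at least one rule you added will never be consulted. The check compares the variable names literally, which is enough for a script like the one above where every rule uses $intint, $extint and $intnet rather than a mix of names and numeric addresses.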
6.6. IP Masquerading multiple internal networks
Masquerading more than one internal network is fairly simple. You
need to first make sure that all of your networks are running
correctly (both internal and external). You then need to enable
traffic to pass both to the other internal interfaces and to be MASQed
to the Internet.
Next, you need to enable Masquerading on the INTERNAL interfaces.
In this example, two internal interfaces, eth1 (192.168.0.1) and eth2
(192.168.1.1), are MASQed out of interface eth0. In your
rc.firewall ruleset, next to the existing MASQ enable line, add the
following:
o 2.0.x kernels with IPFWADM
# Enable the internal interfaces to communicate with each other.  In a
# forwarding rule "-V" names the address of the interface the packet is
# SENT out of, so each rule pairs a destination network with its own
# interface.  A policy ("accept") is required after "-a".
/sbin/ipfwadm -F -a accept -V 192.168.1.1 -S 192.168.0.0/24 -D 192.168.1.0/24
/sbin/ipfwadm -F -a accept -V 192.168.0.1 -S 192.168.1.0/24 -D 192.168.0.0/24
# Enable the internal interfaces to MASQ out to the Internet
/sbin/ipfwadm -F -a masq -W eth0 -S 192.168.0.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -F -a masq -W eth0 -S 192.168.1.0/24 -D 0.0.0.0/0
o 2.2.x kernels with IPCHAINS
# Enable the internal interfaces to communicate with each other.  In the
# forward chain "-i" is the interface the packet LEAVES by, and without
# "-j ACCEPT" a rule only counts packets instead of allowing them.
/sbin/ipchains -A forward -i eth2 -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
/sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT
# Enable the internal interfaces to MASQ out to the Internet
/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0
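The two-network case above is one instance of a general pattern: every
internal network needs an ACCEPT rule towards every other internal
network (matched on the interface the packet leaves by) plus one MASQ
rule out of the external interface. The following script is an added
example, not part of the HOWTO or of the ipchains tool; it generates the
IPCHAINS rules for any number of internal networks and prints them so
they can be reviewed before being piped to sh. The interface names and
networks in the usage line are assumptions; the rules also match on the
source network, which the HOWTO's own rules leave open.

```shell
#!/bin/sh
# Added example (not from the HOWTO): emit the IPCHAINS forward-chain rules
# for any number of internal networks behind one external interface.
# Usage:  gen_multi_lan_rules EXT_IF IF1:NET1 [IF2:NET2 ...] | sh
# The commands are printed rather than executed so they can be reviewed
# before being run on the MASQ box; pipe the output to sh to apply them.
# Interface names and networks used below are assumptions for the example.

gen_multi_lan_rules() {
    ext_if=$1
    shift
    # Rules for internal-to-internal traffic.  In the ipchains forward
    # chain "-i" names the interface the packet will LEAVE by, so each
    # destination network is paired with its own interface.
    for dst in "$@"; do
        dst_if=${dst%%:*}
        dst_net=${dst#*:}
        for src in "$@"; do
            src_net=${src#*:}
            [ "$src" = "$dst" ] && continue   # no rule for a net to itself
            echo "/sbin/ipchains -A forward -i $dst_if -s $src_net -d $dst_net -j ACCEPT"
        done
    done
    # Rules for internal-to-Internet traffic: masquerade out the external
    # interface, one rule per internal network.
    for src in "$@"; do
        src_net=${src#*:}
        echo "/sbin/ipchains -A forward -j MASQ -i $ext_if -s $src_net -d 0.0.0.0/0"
    done
}

# Sanity check on the generated set: with N internal networks there must be
# N*(N-1) inter-LAN rules plus N MASQ rules.
count_rules() {
    gen_multi_lan_rules "$@" | grep -c '^/sbin/ipchains'
}

# When run directly with arguments, print the rules for those arguments, e.g.
#   sh multi-lan.sh eth0 eth1:192.168.0.0/24 eth2:192.168.1.0/24 eth3:192.168.2.0/24
if [ $# -gt 0 ]; then
    gen_multi_lan_rules "$@"
fi
```

Run it with the same two networks as the text and the output is the four
rules shown above; add a third "ethN:network" argument and the inter-LAN
rules grow to six, which is the part that is easy to get wrong by hand.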
6.7. IP Masquerade and Dial-on-Demand Connections
1. If you would like to set up your network to automatically dial up
the Internet, either the Diald demand dial-up package or new versions
of the PPPd package will be of great utility. Diald is the recommended
solution due to its more granular configuration.
2. To set up Diald, please check out the Setting Up Diald for Linux
Page or TrinityOS - Section 23.
3. Once Diald and IP Masq have been set up properly, any MASQed client
machines that initiate a web, telnet or ftp session will make the
Linux box dynamically bring up its Internet link.
4. There is a timeout that will occur with the first connection. This
is inevitable if you are using analog modems. The time taken to
establish the modem link and the PPP connection may cause your
client program (WWW browser, etc.) to time out. This isn't common
though. If this does happen, just retry that Internet traffic request
(say a WWW page) again and it should come up fine. You can also try
enabling the ip_dynaddr kernel option with echo "1" >
/proc/sys/net/ipv4/ip_dynaddr to help with this initial connection.
6.8. IPPORTFW, IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other Port
Forwarding tools
IPPORTFW, IPAUTOFW, REDIR, UDPRED, and other programs are generic TCP
and/or UDP port forwarding tools for Linux IP Masquerade. These tools
are typically used with or as a replacement for specific IP MASQ
modules like the current ones for FTP, Quake, etc. With port
forwarders, you can now re-direct data connections from the Internet
to an internal, privately addressed machine behind your IP MASQ
server. This forwarding ability includes network protocols such as
TELNET, WWW, SMTP, FTP (with a special patch - see below), ICQ, and
many others.
NOTE: If you are just looking to do port forwarding without IP
Masquerading, you will STILL NEED to enable IP Masquerading in both
the kernel AND in either your IPFWADM or IPCHAINS ruleset to then be
able to use Linux's port forwarding tools.
So why all the different choices? IPAUTOFW, REDIR, and UDPRED (all
URLs are in the ``'' section) were the first tools available to IP
MASQ users to allow this functionality. Later, as Linux IP Masquerade
matured, these tools were eventually replaced by IPPORTFW, which is a
more intelligent solution. Because of the availability of the newer
tools, it is *HIGHLY DISCOURAGED* to use the old tools such as
IPAUTOFW and REDIR because they don't properly notify the Linux kernel
of their presence and can ultimately CRASH your Linux server under
extreme use.
Before jumping right into installing either the 2.0.x IPPORTFW or the
2.2.x version of IPMASQADM with IPPORTFW support, be aware that network
security can be an issue with any port forwarder. The reason is that
these tools basically create a hole in the packet firewall for the
forwarded TCP/UDP ports. Though this doesn't pose any threat to your
Linux machine, it might be an issue for the internal machine that this
traffic is being forwarded to. No worries though, this is what Steven
Clarke (the author of IPPORTFW) had to say about that:
"Port Forwarding is only called within masquerading functions so it
fits inside the same IPFWADM/IPCHAINS rules. Masquerading is an extension to
IP forwarding. Therefore, ipportfw only sees a packet if it fits
both the input and masquerading ipfwadm rule sets."
With this said, it's important to have a strong firewall ruleset.
Please see the ``'' and ``'' sections for more details on strong
rulesets.
So, to install IPPORTFW forwarding support for either a 2.0.x or 2.2.x
kernel, you need to re-compile the Linux kernel to support IPPORTFW.
o 2.0.x users will need to apply a simple kernel option patch (see
below)
o 2.2.x kernel users will already have the IPPORTFW kernel option
available via IPMASQADM
6.8.1. IPPORTFW on 2.0.x kernels
First, make sure you have the newest 2.0.x kernel uncompressed into
/usr/src/linux. If you haven't already done this, please see the ``''
section for full details. Next, download the "ipportfw.c" program and
the "subs-patch-x.gz" kernel patch from the ``'' section into the
/usr/src/ directory.
NOTE: Please replace the "x" in the "subs-patch-x.gz" file name with
the most current version available on the site.
Now, copy the IPPORTFW patch (subs-patch-x.gz) into the Linux
directory:
cp /usr/src/subs-patch-1.37.gz /usr/src/linux
Next, apply the kernel patch to create the IPPORTFW kernel option:
cd /usr/src/linux
zcat subs-patch-1.37.gz | patch -p1
Next, if you plan on port forwarding FTP traffic to an internal
server, you will have to apply a NEW IP_MASQ_FTP module patch found in
the ``'' section. More details regarding this are later in this
section.
Ok, time to compile the kernel as shown in the ``'' section. Be sure
to say YES to the IPPORTFW option now available when you configure the
kernel. Once the compile is complete and you have rebooted, return to
this section.
Now, with a newly compiled kernel, compile and install the actual
"IPPORTFW" program:
cd /usr/src
gcc ipportfw.c -o ipportfw
mv ipportfw /usr/local/sbin
Now, for this example, we are going to allow ALL WWW Internet traffic
(port 80) hitting your Internet TCP/IP address to then be forwarded to
the internal Masqueraded machine at IP address 192.168.0.10.
NOTE: Once you enable a port forwarder on port 80, that port can no
longer be used by the Linux IP Masquerade server. To be more
specific, if you have a WWW server already running on the MASQ server
and then you port forward port 80 to an internal MASQed computer, ALL
Internet users will see the WWW pages from the -INTERNAL- WWW server
and not the pages on your IP MASQ server. The only work around for
this is to port forward some other port, say 8080, to your internal
MASQ machine. Though this will work, all Internet users will have to
append :8080 to the URL to then contact the internal MASQed WWW
server.
Anyway, to enable port forwarding, edit the /etc/rc.d/rc.firewall
ruleset. Add the following lines but be sure to replace the word
"$extip" with your Internet IP address.
NOTE: If you get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL,
Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall
ruleset more intelligent. To do this, please see TrinityOS - Section
10 for more details on strong rulesets and Dynamic IP addresses.
/etc/rc.d/rc.firewall
--
#echo "Enabling IPPORTFW Redirection on the external LAN.."
#
/usr/local/sbin/ipportfw -C
/usr/local/sbin/ipportfw -A -t$extip/80 -R 192.168.0.10/80
--
That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it
out!
If you get the error message "ipfwadm: setsockopt failed: Protocol not
available", you AREN'T running your new kernel. Make sure that you
moved the new kernel over, re-run LILO, and then reboot again.
Port Forwarding FTP servers:
If you plan on port forwarding FTP to an internal machine, things get
more complicated. The reason for this is that the standard
IP_MASQ_FTP kernel module wasn't written for this. Fortunately, Fred
Viles wrote a modified IP_MASQ_FTP module to make things work. If you
are curious what EXACTLY the issues are, download the following archive
since Fred documents it quite well. Also understand that this patch
is somewhat experimental and should be treated as such. It should be
also noted that this patch is ONLY available for the 2.0.x kernels at
this time. Though some work has already been done on a 2.2.x port,
if you are interested in helping complete this port, please email Fred
Viles - fv@episupport.com directly.
So, to get the 2.0.x patch working, you need to:
o Apply the IPPORTFW kernel patch as shown earlier in this section
FIRST.
o Download the "msqsrv-patch-36" from Fred Viles's FTP server in the
``'' section and put it into /usr/src/linux.
o Patch the kernel with this new code by running "cat msqsrv-patch-36
| patch -p1" from within /usr/src/linux.
o Next, replace the original "ip_masq_ftp.c" kernel module with the
new one:
mv /usr/src/linux/net/ipv4/ip_masq_ftp.c /usr/src/linux/net/ipv4/ip_masq_ftp.c.orig
mv /usr/src/linux/ip_masq_ftp.c /usr/src/linux/net/ipv4/ip_masq_ftp.c
o Lastly, build and install the kernel with this new code in place.
Once this is complete, edit the /etc/rc.d/rc.firewall ruleset and add
the following lines but be sure to replace the word "$extip" with your
Internet IP address.
NOTE: If you get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL,
Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall
ruleset more intelligent. To do this, please see TrinityOS - Section
10 for more details on strong rulesets and Dynamic IP addresses.
This example, like above, will allow ALL FTP Internet traffic (port
21) hitting your Internet TCP/IP address to then be forwarded to the
internal Masqueraded machine at IP address 192.168.0.10.
NOTE: Once you enable a port forwarder on port 21, that port can no
longer be used by the Linux IP Masquerade server. To be more
specific, if you have an FTP server already running on the MASQ server,
a port forward will now give all Internet users the FTP files from the
-INTERNAL- FTP server and not the files on your IP MASQ server.
/etc/rc.d/rc.firewall
--
#echo "Enabling IPPORTFW Redirection on the external LAN.."
#
/usr/local/sbin/ipportfw -C
/usr/local/sbin/ipportfw -A -t$extip/21 -R 192.168.0.10/21
--
That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it
out!
If you get the error message "ipchains: setsockopt failed: Protocol
not available", you AREN'T running your new kernel. Make sure that
you moved the new kernel over, re-run LILO, and then reboot again. If
you are sure you are running your new kernel, run the command "ls
/proc/net" and make sure the "ip_portfw" file exists. If it doesn't,
you must have made an error when configuring your kernel. Try again.
6.8.2. IPMASQADM with IPPORTFW support on 2.2.x kernels
First, make sure you have the newest 2.2.x kernel uncompressed into
/usr/src/linux. If you haven't already done this, please see the ``''
section for full details. Next, download the "ipmasqadm.c" program
from the ``'' section into the /usr/src/ directory.
Next, you'll need to compile the 2.2.x kernel as shown in the ``''
section. Be sure to say YES to the IPPORTFW option when you
configure the kernel. Once the kernel compile is complete and you
have rebooted, return to this section.
Now, compile and install the IPMASQADM tool:
cd /usr/src
tar xzvf ipmasqadm-x.tgz
cd ipmasqadm-x
make
make install
Now, for this example, we are going to allow ALL WWW Internet traffic
(port 80) hitting your Internet TCP/IP address to then be forwarded to
the internal Masqueraded machine at IP address 192.168.0.10.
NOTE: At this time, it is believed that this modified IP_MASQ_FTP
module for port forwarded FTP connections will NOT work for the 2.2.x
kernels. If you feel experimental, please try porting it to the 2.2.x
kernels and email Ambrose and David your results.
NOTE: Once you enable a port forwarder on port 80, that port can no
longer be used by the Linux IP Masquerade server. To be more
specific, if you have a WWW server already running on the MASQ server,
a port forward will now give all Internet users the WWW pages from the
-INTERNAL- WWW server and not the pages on your IP MASQ server.
Anyway, to enable port forwarding, edit the /etc/rc.d/rc.firewall
ruleset. Add the following lines but be sure to replace the word
"$extip" with your Internet IP address.
NOTE: If you get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL,
Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall
ruleset more intelligent. To do this, please see TrinityOS - Section
10 for more details on strong rulesets and Dynamic IP addresses. I'll
give you a hint though: /etc/ppp/ip-up for PPP users.
/etc/rc.d/rc.firewall
--
#echo "Enabling IPPORTFW Redirection on the external LAN.."
#
/usr/sbin/ipmasqadm portfw -f
/usr/sbin/ipmasqadm portfw -a -P tcp -L $extip 80 -R 192.168.0.10 80
--
That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it
out!
If you get the error message "ipchains: setsockopt failed: Protocol
not available", you AREN'T running your new kernel. Make sure that
you moved the new kernel over, re-run LILO, and then reboot again. If
you are sure you are running your new kernel, run the command "ls
/proc/net/ip_masq" and make sure the "portfw" file exists. If it
doesn't, you must have made an error when configuring your kernel.
Try again.
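The dynamic-IP NOTE above says the ruleset has to be "more intelligent"
but leaves the how to TrinityOS. The script below is an added example,
written for this HOWTO and not taken from it or from the ipmasqadm
project; it shows one way to do that for the 2.2.x IPMASQADM setup: read
the current external address out of ifconfig output, validate a small
table of forwards, and emit the "ipmasqadm portfw" commands (flags as
used on this page) for review or for piping to sh. The ifconfig text and
the forward table are constructed samples; ppp0 and 192.168.0.10 are
assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): build the 2.2.x IPMASQADM port-forwarding
# rules from the address currently assigned to the external interface, so the
# ruleset stays correct on dial-up/ADSL links whose IP changes.  The forward
# table and the sample ifconfig output below are constructed for this example;
# the interface name ppp0 and the host 192.168.0.10 are assumptions.

# Pick the IPv4 address out of (2.2-era) ifconfig output for one interface.
# Reads the text on stdin; prints the address, or nothing if none is found.
extip_from_ifconfig() {
    sed -n 's/^[[:space:]]*inet addr:\([0-9.][0-9.]*\).*/\1/p' | head -n 1
}

# Validate a TCP/UDP port number (1-65535) so a typo in the table cannot
# produce a rule that silently forwards the wrong port.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the ipmasqadm commands for a forward table whose lines read
# "proto ext_port int_host int_port".  Bad lines are reported on stderr and
# skipped; nothing is executed, the caller pipes the output to sh.
# $1 = external IP, table on stdin.
portfw_rules() {
    extip=$1
    echo "/usr/sbin/ipmasqadm portfw -f"    # flush the old entries first
    while read -r proto eport host iport; do
        case $proto in
            ''|'#'*) continue ;;            # blank line or comment
            tcp|udp) ;;
            *) echo "skipping: bad protocol '$proto'" >&2; continue ;;
        esac
        if ! valid_port "$eport" || ! valid_port "$iport"; then
            echo "skipping: bad port in '$proto $eport $host $iport'" >&2
            continue
        fi
        echo "/usr/sbin/ipmasqadm portfw -a -P $proto -L $extip $eport -R $host $iport"
    done
}

# Constructed ifconfig output as a PPP link would show it (not a real host).
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.1.2.3  P-t-P:10.1.2.4  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Constructed forward table: WWW and FTP to the internal server, plus one
# deliberately broken line to show the validation at work.
SAMPLE_TABLE='# proto ext_port int_host int_port
tcp 80 192.168.0.10 80
tcp 21 192.168.0.10 21
tcp 99999 192.168.0.10 22'

# Tie the pieces together.  On a live box replace SAMPLE_IFCONFIG with the
# output of "/sbin/ifconfig ppp0", for example from /etc/ppp/ip-up.
demo_rules() {
    extip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | extip_from_ifconfig)
    printf '%s\n' "$SAMPLE_TABLE" | portfw_rules "$extip"
}

demo_rules
```

Running it prints the flush command followed by the two valid forwards
with 10.1.2.3 filled in as the external address, and reports the 99999
line on stderr instead of turning it into a rule. Keeping the table in a
file and calling the generator from /etc/ppp/ip-up is what makes the
forwards follow a changing address.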
6.9. CU-SeeMe and Linux IP-Masquerade
Linux IP Masquerade supports CuSeeme via the "ip_masq_cuseeme" kernel
module. This kernel module should be loaded in the
/etc/rc.d/rc.firewall script. Once the "ip_masq_cuseeme" module is
installed, you should be able to both initiate and receive CuSeeme
connections to remote reflectors and/or users.
NOTE: It is recommended to use the IPPORTFW tool instead of the old
IPAUTOFW tool for running CuSeeme.
If you need more explicit information on configuring CuSeeme, see
Michael Owings's CuSeeMe page
for a Mini-HOWTO or The IP Masquerade Resources for a mirror of the
Mini-HOWTO.
6.10. Mirabilis ICQ
There are two methods of getting ICQ to work behind a Linux MASQ
server. One solution is to use a new ICQ Masq module and the other
solution is to use IPPORTFW.
The ICQ module has some benefits and limitations. It allows for
simple setup of multiple ICQ users behind a MASQ server. It also
doesn't require any special changes to the ICQ client(s). Yet, at
this time, file transfer and real-time chat don't work.
With the IPPORTFW setup, you will have to make some changes on both
the Linux box and the ICQ clients, but all ICQ messaging, URLs, chat,
file transfer, etc. work.
If you are interested in Andrew Deryabin's (djsf@usa.net) ICQ IP Masq
module for the 2.2.x kernels, please see the ``'' section for
details.
If you would rather use the classic method of getting ICQ to run behind
a MASQ server, follow these steps:
o First, you need to be running a Linux kernel with IPPORTFW
enabled. Please see the ``'' section for more details.
o Next, you need to add the following lines to your
/etc/rc.d/rc.firewall file. This example assumes that 10.1.2.3 is
your external Internet IP address and your internal MASQed ICQ
machine is 192.168.0.10:
The following example is for a 2.0.x kernel with IPFWADM:
I have included two examples here for the user. Either one works
fine:
Example #1
--
/usr/local/sbin/ipportfw -A -t10.1.2.3/2000 -R 192.168.0.10/2000
/usr/local/sbin/ipportfw -A -t10.1.2.3/2001 -R 192.168.0.10/2001
/usr/local/sbin/ipportfw -A -t10.1.2.3/2002 -R 192.168.0.10/2002
/usr/local/sbin/ipportfw -A -t10.1.2.3/2003 -R 192.168.0.10/2003
/usr/local/sbin/ipportfw -A -t10.1.2.3/2004 -R 192.168.0.10/2004
/usr/local/sbin/ipportfw -A -t10.1.2.3/2005 -R 192.168.0.10/2005
/usr/local/sbin/ipportfw -A -t10.1.2.3/2006 -R 192.168.0.10/2006
/usr/local/sbin/ipportfw -A -t10.1.2.3/2007 -R 192.168.0.10/2007
/usr/local/sbin/ipportfw -A -t10.1.2.3/2008 -R 192.168.0.10/2008
/usr/local/sbin/ipportfw -A -t10.1.2.3/2009 -R 192.168.0.10/2009
/usr/local/sbin/ipportfw -A -t10.1.2.3/2010 -R 192.168.0.10/2010
/usr/local/sbin/ipportfw -A -t10.1.2.3/2011 -R 192.168.0.10/2011
/usr/local/sbin/ipportfw -A -t10.1.2.3/2012 -R 192.168.0.10/2012
/usr/local/sbin/ipportfw -A -t10.1.2.3/2013 -R 192.168.0.10/2013
/usr/local/sbin/ipportfw -A -t10.1.2.3/2014 -R 192.168.0.10/2014
/usr/local/sbin/ipportfw -A -t10.1.2.3/2015 -R 192.168.0.10/2015
/usr/local/sbin/ipportfw -A -t10.1.2.3/2016 -R 192.168.0.10/2016
/usr/local/sbin/ipportfw -A -t10.1.2.3/2017 -R 192.168.0.10/2017
/usr/local/sbin/ipportfw -A -t10.1.2.3/2018 -R 192.168.0.10/2018
/usr/local/sbin/ipportfw -A -t10.1.2.3/2019 -R 192.168.0.10/2019
/usr/local/sbin/ipportfw -A -t10.1.2.3/2020 -R 192.168.0.10/2020
--
Example #2
--
# Forward TCP ports 2000 through 2020 (inclusive, like Example #1)
port=2000
while [ $port -le 2020 ]
do
/usr/local/sbin/ipportfw -A -t10.1.2.3/$port -R 192.168.0.10/$port
port=$((port+1))
done
--
The following example is for a 2.2.x kernel with IPCHAINS:
I have included two examples here for the user. Either one works
fine:
Example #1
--
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2000 -R 192.168.0.10 2000
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2001 -R 192.168.0.10 2001
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2002 -R 192.168.0.10 2002
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2003 -R 192.168.0.10 2003
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2004 -R 192.168.0.10 2004
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2005 -R 192.168.0.10 2005
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2006 -R 192.168.0.10 2006
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2007 -R 192.168.0.10 2007
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2008 -R 192.168.0.10 2008
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2009 -R 192.168.0.10 2009
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2010 -R 192.168.0.10 2010
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2011 -R 192.168.0.10 2011
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2012 -R 192.168.0.10 2012
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2013 -R 192.168.0.10 2013
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2014 -R 192.168.0.10 2014
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2015 -R 192.168.0.10 2015
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2016 -R 192.168.0.10 2016
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2017 -R 192.168.0.10 2017
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2018 -R 192.168.0.10 2018
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2019 -R 192.168.0.10 2019
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2020 -R 192.168.0.10 2020
--
Example #2
--
# Forward TCP ports 2000 through 2020 (inclusive, like Example #1)
port=2000
while [ $port -le 2020 ]
do
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 $port -R 192.168.0.10 $port
port=$((port+1))
done
--
o Once your new rc.firewall is ready, reload the ruleset to make sure
things are ok by simply typing in "/etc/rc.d/rc.firewall". If you
get any errors, you either don't have IPPORTFW support in the
kernel or you made a typo in the rc.firewall file.
o Now, in ICQ's Preferences-->Connection, configure it to be "Behind
a LAN" and "Behind a firewall or Proxy". Now, click on "Firewall
Settings" and configure it to be "I don't use a SOCK5 proxy". Also
note that it was previously recommended to change ICQ's "Firewall
session timeouts" to "30" seconds BUT many users have found that
ICQ becomes unreliable. It has been found that ICQ is more
reliable with its stock timeout setting (don't enable that ICQ
option) and simply change MASQ's timeout to 160 seconds. You can
see how to change this timeout in the ``'' and ``'' rulesets.
Finally, click on Next and configure ICQ to "Use the following TCP
listen ports.." from "2000" to "2020". Now click done.
Now ICQ will tell you that you have to restart ICQ for the changes
to take effect. To be honest, I had to REBOOT the Windows9x
machine to get things to work right but other people say otherwise.
So.. try it both ways.
o It should also be noted that one user told me that simply
portforwarding port 4000 to his ICQ machine worked best. He
reported that everything worked fine (chat, file transfers, etc)
WITHOUT re-configuring ICQ from its default settings. Your mileage
might vary on this topic but I thought you might like to hear about
this alternative configuration.
6.11. Gamers: T