Linux IP Masquerade HOWTO - The Linux Documentation Project

More documents

Recommendations

Info

IPTABLES for the 2.4.x kernels much like there was IPCHAINS for the 2.2.x kernels and IPFWADM for the 2.0.x kernels. The new IPTABLES system is far more powerful (combines several functions into one place like true NAT functionality), offers better security (stateful inspection), and better performance with the new 2.4.x TCP/IP stack. But this new suite of tools can be a bit complicated in comparison to older generation kernels. Hopefully, if you follow along with this HOWTO carefully, setting up IPMASQ won't be too bad. If you find anything unclear, downright wrong, etc. please email David about it. Unlike the migration to IPCHAINS from IPFWADM, the new NetFilter tool has kernel modules that can actually support older IPCHAINS and IPFWADM rulesets with minimal changes. So re−writing your old MASQ or firewall ruleset scripts is not longer required. BUT.. with the 2.4.x kernels, you cannot use the old 2.2.x MASQ modules like ip_masq_ftp, ip_masq_irc, etc. AND IPCHAINS is incompatible with the new IPTABLES modules like ip_conntrack_ftp, etc. So, what does this mean? It basically means that if you want to use IPMASQ or PORTFW functionality under a 2.4.x kernel, you shouldn't use IPCHAINS rules but IPTABLES ones instead. Please also keep in mind that there might be several benefits in performing a full ruleset re−write to take advantage of the newer IPTABLES features like stateful tracking, etc. but that is dependant upon how much time you have to migrate your old rulesets. Please see Section 7.40 for additional details. Some new 2.4.x functionalities include the following: PROs: CONs: Linux IP Masquerade HOWTO • Lots of new protocols modules like: amanda, eggdrop, ipsec, ipv6, portscan, pptp, quota, rsh, talk, and tftp • TRUE 1:1 NAT functionality for those who have TCP/IP addresses and subnets to use (no more iproute2 commands) • Stateful application level (FTP, IRC, etc.) and stateful protocol level (TCP/UDP/ICMP) network traffic inspection • Built−in PORT Forwarding (no more ipmasqadm or ipportfw commands) • The built−in PORTFW'ing support works for both external and internal traffic. This means that users that have PORTFW for external traffic and REDIR for internal port redirection do not need to use two tools any more! • PORT Forwarding of FTP traffic to internal hosts is now completely supported and is handled in the conn_trak_ftp module • Full Policy−Based routing features (source−based TCP/IP address routing) • Compatibility with Linux's FastRoute feature for significantly faster packet forwarding (a.k.a Linux network switching). Note that this feature is still not compatible with packet filtering for strong firewall rulesets. • Fully supports TCP/IP v4, v6, and even DECnet (ack!) • Supports wildcard interface names like "ppp*" for serial interfaces like ppp0, ppp1, etc • Supports filtering on both input and output INTERFACES (not just IP addresses) • Source Ethernet MAC filtering • Denial of Service (DoS) packet rate limiting • Packet REJECTs now have user−selectable return ICMP messages • Variable levels of logging (different packets can go to different SYSLOG levels) • Other features like traffic mirroring, securing traffic per login, etc. Chapter 2. Background Knowledge 7
• Netfilter is an entirely new architechure thus most of the older 2.2.x MASQ kernel modules written to make non−NAT friendly network applications work through IPMASQ need to be re−written for the 2.4.x kernels. Because of this, if you specifically need functionality from some of these modules (see below), you should stay with a 2.2.x kernel until these modules have been either ported or the application has been updated to use NAT−friendly protocols. If you are curious on the porting status of a given module, please email the author of the module and NOT David or Ambrose. We don't code.. we just document. :−) Here is the status of the known IP Masq kernel modules or patches as found on the IPMASQ WWW site's Application Support Matrix. In addition, you should also setup out the Netfilter Patch−o−Matic URL as well. If you have the time and knowledge to help in the porting of code, your efforts would be highly appreciated: Status = Module name = Description and notes −−−−−−−−− −−−−−−−−−−− −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Ported CuSeeme Used for Video conferencing NotPorted DirectPlay Used for online Microsoft−based games Ported FTP Used for file transfers − NOTEs: Built into the kernel and fully supports PORTFWed FTP ReWritten H.323 Used for Video conferencing NotPorted ICQ Used for Instant messaging * No longer required for modern ICQ clients Ported Irc Used for Online chat rooms Ported Quake Used for online Quake games Ported PPTP Allow for multiple clients to the same server NotPorted Real Audio Used for Streaming video / audio * No longer required for modern RealVideo clients NotPorted VDO Live Used for Streaming audio? Documentation on how to perform MASQ module porting is available at http://www.netfilter.org/documentation/HOWTO/netfilter−hacking−HOWTO.html. If you have the time and knowledge, your talent would highly be appreciated in porting these modules. If you'd like to read up more on NetFilter and IPTables, please see: http://www.netfilter.org/documentation/index.html#HOWTO and more specifically http://www.netfilter.org/documentation/HOWTO//NAT−HOWTO.html Linux 2.4.x IP Masquerade requirements include: Linux IP Masquerade HOWTO • Any decent computer hardware. See Section 7.2 for more details. • The 2.4.x kernel source is available from http://www.kernel.org/. NOTE: Most modern Linux distributions, Section 7.1, that natively come with 2.4.x kernels are typically modular kernels and have all the IP Masquerade functionality already included. In such cases, there is no need to compile a new Linux kernel. If you are UPGRADING your kernel, you should be aware of other programs that might be required and/or need to be upgraded as well Chapter 2. Background Knowledge 8
Page 1 and 2: Linux IP Masquerade HOWTO David A.
Page 3 and 4: Linux IP Masquerade HOWTO Table of
Page 5 and 6: Linux IP Masquerade HOWTO Table of
Page 7 and 8: Masquerade Resource web page. If yo
Page 9 and 10: Linux IP Masquerade HOWTO IP Masque
Page 11: | | : | C−box |:::::: | |.4 +−
Page 15 and 16: HOWTO. • Loadable kernel modules,
Page 17 and 18: • Linux IP Masquerade HOWTO havin
Page 19 and 20: ◊ ip_masquerade ip_conntrack ip_t
Page 21 and 22: commands might look different. It i
Page 23 and 24: cp extensions/libipt_esp.so /usr/lo
Page 25 and 26: [ Code maturity level options ] * P
Page 27 and 28: Linux IP Masquerade HOWTO * FTP pro
Page 29 and 30: (2.2.x kernels) and enable this opt
Page 31 and 32: • NOTE: Please notice that it isn
Page 33 and 34: Linux IP Masquerade HOWTO * Network
Page 35 and 36: == (Slow CPU, Telephony, SCSI, I2O,
Page 37 and 38: Please note the YES or NO ANSWERS t
Page 39 and 40: * IP: IPSEC masq debugging (DEBUG_I
Page 41 and 42: Linux IP Masquerade HOWTO We will r
Page 43 and 44: # #IPTABLES=/sbin/iptables IPTABLES
Page 45 and 46: #Loads the IRC NAT functionality in
Page 47 and 48: $IPTABLES −A FORWARD −j LOG ech
Page 49 and 50: esac 2. Slackware: • exit 1 exit
Page 51 and 52: Linux IP Masquerade HOWTO FWVER="1.
Page 53 and 54: Linux IP Masquerade HOWTO #CRITICAL
Page 55 and 56: this, copy the following file into
Page 57 and 58: Linux IP Masquerade HOWTO echo "Loa
Page 59 and 60: # Load all required IP MASQ modules
Page 61 and 62: # #/sbin/ipfwadm −I −a accept
Page 63 and 64:
Slackware: • mlist) $IPFWADM −M
Page 65 and 66:
Chapter 4. Configuring the other in
Page 67 and 68:
4.2. Configuring Windows NT Linux I
Page 69 and 70:
8. Linux IP Masquerade HOWTO gatewa
Page 71 and 72:
USE DEFAULTS = OFF VLM = CONN.VLM V
Page 73 and 74:
Chapter 5. Testing IP Masquerade Fi
Page 75 and 76:
Linux IP Masquerade HOWTO −−−
Page 77 and 78:
Linux IP Masquerade HOWTO . . PPP:
Page 79 and 80:
−−−−−−−−−−−
Page 81 and 82:
Linux IP Masquerade HOWTO 5.12. Any
Page 83 and 84:
all IRC clients on various supporte
Page 85 and 86:
6.3.2. Clients that do not have ful
Page 87 and 88:
# just leave this section alone. #
Page 89 and 90:
Linux IP Masquerade HOWTO # Enabled
Page 91 and 92:
echo "1" > /proc/sys/net/ipv4/ip_fo
Page 93 and 94:
# STATEFULLY TRACKED # $IPTABLES
Page 95 and 96:
echo −e "\nrc.firewall−iptables
Page 97 and 98:
INTNET="192.168.0.0/24" echo " Inte
Page 99 and 100:
# # Make sure the EXTIF variable ab
Page 101 and 102:
# −−−−− Begin OPTIONAL FO
Page 103 and 104:
#!/bin/sh # # /etc/rc.d/rc.firewall
Page 105 and 106:
# If you get your TCP/IP address a
Page 107 and 108:
#End of file. To automatically sta
Page 109 and 110:
Linux IP Masquerade HOWTO #Enable i
Page 111 and 112:
• 2.6.x and 2.4.x kernels have PO
Page 113 and 114:
look something like this: /sbin/ins
Page 115 and 116:
If I use: > > ipmasqadm portfw −a
Page 117 and 118:
If you plan on port forwarding FTP
Page 119 and 120:
SOCKS: Finally, your last and possi
Page 121 and 122:
Linux IP Masquerade HOWTO 6.10. Gam
Page 123 and 124:
Chapter 7. Frequently Asked Questio
Page 125 and 126:
Linux IP Masquerade HOWTO 7.3. ( Er
Page 127 and 128:
Linux IP Masquerade HOWTO MASQ: IP
Page 129 and 130:
♦ correct rc.firewall−* name fo
Page 131 and 132:
The reason is because you have a dy
Page 133 and 134:
Linux IP Masquerade HOWTO rc.firewa
Page 135 and 136:
*** If you know how to also change
Page 137 and 138:
type=DWORD name="MaxMSS" (Do NOT in
Page 139 and 140:
All interface types: So, in your PP
Page 141 and 142:
like: −−−−−−−−−
Page 143 and 144:
Linux IP Masquerade HOWTO − IPTAB
Page 145 and 146:
7.21. ( Log Reduction ) − My logs
Page 147 and 148:
7.26. ( IDENT ) − IRC won't work
Page 149 and 150:
• Idea #3: Say you want to log al
Page 151 and 152:
Linux IP Masquerade HOWTO 7.34. ( N
Page 153 and 154:
The "iprule" and "iproute" commands
Page 155 and 156:
There are several things you should
Page 157 and 158:
available at the Linux IP Masquerad
Page 159 and 160:
8.3. Thanks to the following suppor
Page 161 and 162:
this one. • 05/21/05 − Updated
Page 163 and 164:
• 05/24/03: Updated the 2.4 Requi
Page 165 and 166:
Linux IP Masquerade HOWTO • 08/25
Page 167 and 168:
• − Load the FTP nat modules no
Page 169 and 170:
• Updated the comments in the 2.0
Page 171 and 172:
• Added Mandrake 6.0, 6.1, 7.0 to
Page 173:
Linux IP Masquerade HOWTO • In th
show all

Linux IP Masquerade HOWTO - The Linux Documentation Project

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?