Linux IP Masquerade HOWTO - The Linux Documentation Project
* IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?] y
  - OPTIONAL: You can enable this if you want to be able to receive
    Multicast traffic. Please note that your ISP must
    support Multicast as well for this all to work
* IP: syn cookies (CONFIG_SYN_COOKIES) [Y/n/?] y
  - YES: HIGHLY recommended for basic network security
* IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] y
  - YES: Enable the packet firewall features
* IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE) [Y/n/?] y
  - YES: Allows the kernel to report back on various packets traversing
    the firewall.
* IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?] y
  - YES: Enable the kernel to perform IP MASQ NAT functionality
* IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?] n
  - NO: NOT Recommended: IPautofw is a legacy method of TCP/IP port forwarding.
    Though IPautofw works, IPPORTFW is a better choice.
* IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?] y
  - YES: This option is ONLY AVAILABLE VIA A PATCH for the 2.0.x kernels.
    With this option, external computers on the Internet can directly
    communicate to specified internal MASQed machines. This feature is
    typically used to access internal SMTP, TELNET, and WWW servers.
    FTP port forwarding sometimes might require an additional patch as
    described in the FAQ section. Additional information on port
    forwarding is available in the Forwards section of this HOWTO.
* IP: MS PPTP masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_PPTP) [N/y/?] (NEW) n
  - OPTIONAL: Enabling this feature will allow internal MASQ clients to
    properly connect to PPTP servers on the Internet.
* IP: MS PPTP Call ID masq support (CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT) [N/y/?] (NEW) n
  - OPTIONAL: If you enabled the CONFIG_IP_MASQUERADE_PPTP above, this
    option will allow for multiple internal PPTP clients behind the MASQ
    server to communicate to the same PPTP server.
* IP: MS PPTP masq debugging (DEBUG_IP_MASQUERADE_PPTP) [N/y/?] n
  - OPTIONAL: NOT recommended: This is not required for IP MASQ or MASQing PPTP
    connections unless you need additional troubleshooting help. If enabled,
    this can fill up your logs quickly.
* IP: MS PPTP masq verbose debugging (DEBUG_IP_MASQUERADE_PPTP_VERBOSE) [N/y/?] (NEW) n
  - OPTIONAL: NOT Recommended: If you enabled the DEBUG_IP_MASQUERADE_PPTP
    option above, this will make the logging even more verbose.
* IP: IPSEC ESP & ISAKMP masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPSEC) [N/y/?] m
  - OPTIONAL: This option allows for some forms of IPSEC tunnels to be
    masqueraded
* IP: IPSEC masq table lifetime (minutes) (CONFIG_IP_MASQUERADE_IPSEC_EXPIRE) [30] (NEW)
  - OPTIONAL: This feature lets you change the MASQ table timeouts so that
    idle IPSEC tunnels won't be prematurely disconnected.
* IP: Disable inbound ESP destination guessing (CONFIG_IP_MASQUERADE_IPSEC_NOGUESS) [N/y/?] n
  - OPTIONAL: This feature allows the kernel to guess where the fully encrypted IPSEC VPN
    might be going and add it to the MASQ table.
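
One way to check a saved kernel .config against the YES/NO answers in the listing above. This is an added example, not part of the original HOWTO; the function names and the sample .config are constructed for illustration, and it assumes the usual .config line forms "SYMBOL=value" and "# SYMBOL is not set".

```sh
#!/bin/sh
# Added example: audit a kernel .config against the HOWTO's answers.
# Only symbols the listing marks YES or NO are checked; OPTIONAL ones are skipped.

# Print the value of SYMBOL in the config text CFG. A "# SYMBOL is not set"
# comment or a missing line both mean the option is disabled, reported as "n".
config_value() {  # usage: config_value CFG SYMBOL
    val=$(printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# Read a .config on stdin, print one MISMATCH line per deviation,
# and return non-zero if any deviation was found.
audit_config() {
    cfg=$(cat)
    bad=0
    for pair in \
        CONFIG_SYN_COOKIES:y \
        CONFIG_IP_FIREWALL:y \
        CONFIG_IP_FIREWALL_VERBOSE:y \
        CONFIG_IP_MASQUERADE:y \
        CONFIG_IP_MASQUERADE_IPAUTOFW:n
    do
        sym=${pair%%:*}
        want=${pair##*:}
        got=$(config_value "$cfg" "$sym")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $sym: found $got, HOWTO answer is $want"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample .config (not taken from a real system): SYN cookies
# are left off and the legacy ipautofw forwarder is switched on.
sample_config() {
    cat <<'EOF'
CONFIG_IP_MULTICAST=y
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_IPAUTOFW=y
CONFIG_IP_MASQUERADE_IPPORTFW=y
CONFIG_IP_MASQUERADE_IPSEC=m
CONFIG_IP_MASQUERADE_IPSEC_EXPIRE=30
EOF
}

if sample_config | audit_config; then
    echo "config matches the HOWTO listing"
else
    echo "config deviates from the HOWTO listing"
fi
```

To audit a real tree, feed it the file directly, for example: audit_config < /usr/src/linux/.config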
Chapter 3. Setting Up IP Masquerade