Linux IP Masquerade HOWTO
Chapter 8. Miscellaneous
TO do - HOWTO:
Add the scripted IPMASQADM example to the Forwarders section. Also confirm the syntax.
Add a little section on having multiple subnets behind a MASQ server
Confirm the IPCHAINS ruleset and make sure it is consistent with the IPFWADM ruleset
TO DO - WWW page:
Update the PPTP patch on the masq site
Update the portfw FTP patch
Changes from 05/22/05 to 11/13/05
11/13/05 - Fix a bug where the PORTFW example rule in section 6.7 was incorrect. Updated the IPTABLES PORTFW section to include state tracking for the pre-routing rule, added a cross-reference to the PORTFW FAQ entry, and reduced some duplicate PORTFW examples in different chapters of the HOWTO. Thanks to Thomas Zajic for bringing this to my attention.
10/23/05 - Updated the dynamic IP FAQ section to give complete examples on how to re-run the rc.firewall-* scripts for various different DHCP clients
10/19/05 - Updated the HOWTO to be very clear on loading the various rc.firewall-* rulesets (there are 6 of them in this HOWTO: simple and stronger versions for IPTABLES, IPCHAINS, and IPFWADM) vs. loading a generic rc.firewall file. I also updated the troubleshooting section to reflect this possibly confusing point.
05/27/05 - Updated the Multiple NAT situation to include ProxyARP solutions
05/26/05 - Clarified the section for IPMASQ on multiple internal LAN segments
Changes from 05/03/05 to 05/22/05
05/22/05 - Updated the rc.firewall-iptables-stronger ruleset to 0.87s. Removed the unused drop-and-logit chain as it was only later being deleted anyway. Thanks to Matthew Concannon for this one.
05/21/05 - Updated the Multiple-IPs FAQ entry a bit
Changes from 04/17/05 to 05/03/05
05/03/05 - Updated the rc.firewall-iptables-stronger ruleset to fix a typo
Changes from 03/19/04 to 04/17/05
04/30/05 - Updated the IP address for unc.metalab.org and published the HOWTO to the web.
12/18/04 - Added some comments in the IPTABLES, IPCHAINS, and IPFWADM rulesets why the default policy is ACCEPT and not something like DROP.
07/24/04: Renamed the rc.firewall-2.4/2.2/2.0-* rulesets to rc.firewall-iptables/ipchains/ipfwadm-*. This change better reflects that these rulesets can run on different kernel versions (such as 2.6.x). Updated the rc.firewall-iptables-stronger ruleset to 0.85s to fix an improper /24 netmask for the INTIP variable.
04/10/04: Updated the rc.firewall-2.4-stronger ruleset to use the 192.16.0.x network instead of 192.168.1.x network to better align with the rest of the HOWTO
04/04/04: Added that Redhat9 supports IPMASQ
Changes from 11/10/03 to 03/18/04
03/18/04: Added a sub-section for supporting multiple internal networks for IPTABLES
02/02/04: Updated some old jhardin rubyriver to impsec.org URLs
01/10/04: Updated the rc.firewall-2.4-stronger and 2.2 rulesets to make placement of PORTFW configs more obvious
01/01/04: Some systems require that the /etc/rc.d/init.d/firewall-2.* files be executable. Fixed. Thanks to Chris Carter and others for the nudge.
01/01/04: Added an additional chkconfig check on Redhat systems to make sure that the firewall will load upon init level change. Thanks to Chris Carter for the idea.
12/19/03: Updated the rc.firewall-2.4-stronger ruleset to 0.82. This new ruleset has a special ICMP filter to work around a Netfilter bug. Also, the drop-and-log-it chain has been renamed to reject-and-log-it since that's actually what it's doing. Thanks to Bart Martens for the recommendations.
12/13/03: Fixed some minor grammar issues. Thanks to Lawrence Berlinsk for pointing them out.
11/30/03: Updated the rc.firewall-2.4-stronger ruleset to 0.81s, the rc-firewall-2.2-stronger ruleset to 0.72s, and updated the rc.firewall-2.0-stronger ruleset to 0.72s (never had a version # before). These changes reflect either the ruleset not having strong enough comments or allowing all traffic destined to the MASQ server itself instead of protecting it. It's recommended that if you want to enable access to servers running on the MASQ server itself (http, ssh, etc.), you selectively enable them under the OPTIONAL INPUT section.
11/03/03: Updated the rc.firewall-2.2-stronger ruleset where an INTLAN rule was allowing traffic from ANY IP address instead of only the proper INTIP IP address. This aligns the IPCHAINS ruleset with the IPTABLES and IPFWADM ruleset examples.
11/10/03: Deleted all kernelnotes.org URLs (juanjox URLs)
Changes from 06/22/03 to 11/09/03
10/25/03: Fixed a dead RFC1918 URL in section 3.3. Thanks to Mark Sobell for the report.
07/07/03: Added the "reducing-masq-log" FAQ entry to help people reduce the size of their firewall logs.
06/27/03: Updated the rc.firewall-2.4-stronger ruleset to 0.80s. Added a DISABLED ip_nat_irc kernel module section, changed the default of the ip_conntrack_irc to NOT load by default, and added additional kernel module comments.
06/27/03: Updated the rc.firewall-2.4 ruleset to 0.75. Added additional iptables kernel module comments.
06/24/03: Added Debian 3.0 to the supported distro list
06/23/03: Changed the PMTU URLs to point to Phil's primary www site
Changes from 05/26/03 to 06/22/03
06/22/03: Updated the various Indyramp MASQ email URLs again as things seemed to have changed. Again.
06/21/03: Rewrote the MTU FAQ section to be more clear, include specific information of the problems, and also fixed a bad typo for PPPoE users who were trying to configure "--clamp-mss-to-mtu" when it should have been "--clamp-mss-to-pmtu" (missing the p in pmtu).
06/13/03: Added kernel info for Mandrake 8.1
06/02/03: Fixed a typo where the extended 2.2.x kernel checks for IPMASQ functionality were using "cat" and not "ls"
Changes from 04/08/03 to 05/26/03
05/26/03: Updated the firewall rulesets: rc.firewall-2.4 (to 0.74), rc.firewall-2.2 (to 1.22), rc.firewall-2.4-stronger (to 0.79s), and rc.firewall-2.2-stronger (to 0.71s) to use modprobe instead of insmod.
05/26/03: Added how to dump IPTABLES MASQ entries in the Accounting FAQ section
05/26/03: Added Clamp-MSS recommendations to the MTU faq section
05/26/03: Added additional troubleshooting steps in Section 5 when the MASQ client cannot ping the MASQ server.
05/26/03: Added additional traffic shaping / traffic limiter URLs to the SHAPING FAQ entry
05/26/03: Renamed the "IPROUTE2" FAQ entry to "Source Routing"; Added IPTABLES examples to the section; fixed an incorrect IP address of 62123.123.123.123
05/25/03: Fixed a SGML script that was improperly converting ampersands for the downloadable firewall-* and rc.firewall-* scripts. Also caught a SGML ampersand bug in a comment section of the rc.firewall-2.0 file
05/25/03: Deleted several dead links: ftp.gts.cz, novell.com LWP5, Old Juanjox mirror (geocities), old ipmasq2.webhop.net URL, old zzdmacka NAT information URL, old linux.org/uk/VERSION url, old netfilter.samba.org URLs (no longer a netfilter mirror - redirect), old Activision BattleZone DLL url, old iproute2 (rpms, ras.ru, donlug, dontsk, tusur, waaug, etc.) urls, old rlynch ipautofw mirror
05/25/03: Updated several URLs: suse/proxy_suite/, www.indyramp.net URLs, several URLs with " ~ " in them became ~732 for some reason, updated all of the jhardin URLs to point from wolfnet.com to impsec.org, updated all LDP URLs (linuxdoc.org to tldp.org), IPCHAINS patches for 2.0.x kernels, metalab to tldp.org, winfiles.com to download.com, Microsoft technet article 172227, Oidentd, mumford LooseUDP URL, 2.2.x PORT-FTP URL, IRQTUNE URL, midentd URL
05/25/03: Pending updates from remote webmasters: Indyramp EQL URL, insecurity.net sidentd
05/25/03: Lots of little updates like: updated the Intro section verbiage a little to reflect BETA kernels and not OLD kernels; Updated the Forward section (not PORTFW) to be a little more generic; Added a link in the Forward to the IPMASQ email list; Updated the dates in the copyright notice;
05/24/03: Updated the "Current Status" to add the remark that some programs have been updated to use NAT-friendly protocols and thus special NAT modules are no longer required
05/24/03: Updated the 2.4 Requirements section: deleted a duplicate line (true 1:1 NAT); cleaned some additional things up; Added CuSeeme to the 2.4 ported list
05/24/03: Updated the 2.2 / 2.0 Requirements section: Deleted the reference to the obsolete IPMASQ ICQ module; Updated the link for the LooseUDP URL;
05/24/03: Updated the Compiling Linux 2.2.x / 2.0.x section: Deleted the recommendations to load the rc.firewall ruleset via rc.local. This should come later in the HOWTO and offer other methods for different Linux distributions
05/24/03: Updated the ICQ Application section to say that these steps are /not/ required for modern ICQ clients. I've left this section in the HOWTO to demonstrate a large PORTFW example
05/24/03: Made some of the FAQ entries more kernel version generic and also deleted the 2.0.x "upgrades-cont.html" FAQ entry as it was basically a duplicate
05/24/03: Updated the LooseUDP game section to explain how it works, explain how much of this was properly solved under the stateful IPTABLES system, and also say that it is NOT available for the 2.4.x kernels. If IPTABLES's stateful UDP tracking doesn't work for you, you're probably out of luck.
05/24/03: Mentioned in the FAQ section that MASQ timers are NOT adjustable under IPTABLES
05/24/03: Vastly expanded the packet firewall log FAQ entry and finally added an IPTABLES packet log description section. I also aligned the IPCHAINS example to match the IPFWADM entry
04/11/03: Fixed an incorrect echo statement saying the IPTABLES policy was being set to REJECT and not DROP.
Changes from 01/31/03 to 04/08/03
04/08/03: Added additional formatting and the "ip_masquerade" /proc entry into Section 3.2. This helps users determine if their kernel is MASQ-ready.
03/08/03: Added the EXTIP variable to the 2.4.x PORTFW example as several people were trying to use this with the BASIC ruleset and I had assumed they were using the STRONGER ruleset. Thanks to Greg Lukins for bringing this to my attention.
03/08/03: Added Distros to the MASQ compatibility list: Mandrake, Gentoo
02/08/03: Forgot to update the VERSION number for the rc.firewall-2.4-stronger ruleset. Added some additional formatting
02/01/03: Added additional checking in the kernel compiling section to understand if your kernel supports IPMASQ via modules or by being statically compiled in.
Changes from 01/12/03 to 01/31/03
01/31/03: Doh. I should have read my own comments. I've reversed the 2.4.x. policy settings from REJECT back to DROP. REJECT, for some lame reason, is not a legal policy. The recommended REJECT action is still carried out via the "drop-and-log-it" user chain.
01/30/03: Updated the Multiple-IPs FAQ entry to better describe how users that want to put external IPs behind a Linux router can do so. Added additional URLs and cleaned up the text a bit too.
01/30/03: Updated the 2.4.x requirement section to reflect more of the pros of IPTABLES as well as updated the status of some old legacy 2.2.x modules
01/30/03: Added an additional FAQ entry that clearly explains what the ipchains.o module can and CANNOT do on 2.4.x. kernels
01/28/03: Extensively updated the 2.4.x kernel compilation section to reflect a 2.4.20 kernel with IPTABLES 1.2.7a. The section also reflects the new methods to compile IPTABLES, apply Patch-O-Matic patches, and also included lots of example output too.
01/28/03: Updated the kernel compiling section to be a little more clear on how different Linux distros can have different kernels (modules vs. monolithic)
01/17/03: Fixed a major issue where the rc.firewall-2.2-stronger ruleset was referencing missing executable variables. This was taken from the 2.4-stronger ruleset but I guess I forgot to finish it off. Fixed. Thanks to Samuel Kim for catching this!
01/17/03: Fixed an issue where the rc.firewall-2.2-stronger's commented HTTP section was missing the "-p tcp" option. Thanks to Samuel Kim for catching this!
01/16/03: Updated the URL for DJSF's ICQ module
01/16/03: Changed the default policy and drop chain from DENY to REJECT on both IPTABLES rulesets and on the advanced IPFWADM ruleset. Thanks to Jonathan Hutchins for bringing this to my attention.
01/16/03: Fixed a typo in the commented out HTTPd OUTPUT section of the rc.firewall-2.2-s ruleset
01/13/03: Updated the IPMASQ www site URL from ipmasq.cjb.net to ipmasq.webhop.net. CJB started to change their policies so we switched.
01/13/03: Added to the 2.4.x Requirements section that IPTABLES v1.2.7a is out and recommended.
01/13/03: Added an additional test item to the "Test Section - Section 5" for versions of IPTABLES that are too old. I also cleaned up this section to read easier.
01/13/03: Updated the rc.firewall-2.4-stronger ruleset to include commented rules to allow in HTTP traffic to a local HTTP server. Also added a rule comment in the FORWARD section to help users know where to put PORTFW commands.
01/13/03: Updated the rc.firewall-2.2-stronger ruleset to include commented rules to allow in HTTP traffic to a local HTTP server. Also added a rule comment in the FORWARD section to help users know where to put PORTFW commands.
01/13/03: Clarified the PORTFW section to help users better understand where the PORTFW commands should go in the rc.firewall rulesets. I also cleaned up this section to read a little better.
Changes from 12/13/02 to 01/12/03
01/03/03: Added Redhat 7.3 and 8.0 to the compatibility chart.
01/03/03: Fixed various typos. Thanks to Gabriel Withington for the sharp eye.
12/22/02: Updated the 2.2.x H.323 kernel patch URL. Thanks to Maxime Plante for pointing this out.
12/22/02: Updated the 2.4.x kernel compiling section to let users know that most modern kernels don't need IPTABLES Patch-o-matic patches to be applied except to fix bugs or add additional functionality.
Changes from 10/20/02 to 12/13/02
11/27/02: Fixed the init.d scripts to point the header to the correct config file. This must be due to newer versions of "chkconfig" doing better checking. Please note that this might still be a problem for the rc.firewall-2.?-stronger rulesets. Thanks to Joris Van Puyenbroeck for the heads up.
11/25/02: Updated all the firewall comments to reflect that PPPoE users need to use the "ppp0" logical interface as their external interface instead of the physical interface such as "eth0". Thanks to Meng Cheah for the nudge.
11/13/02: Updated the URL for the Donald Becker based NIC drivers. Thanks to Bruce Gorgon for the heads up.
11/01/02: Added a new FAQ section that covers redirection of local INTERNAL traffic to internal PORTFWed servers
11/01/02: Updated the PORTFW section to be a little more clear.
Changes from 04/19/02 to 10/20/02
09/29/02: Fixed a stray incorrect IP address pointing to metalab.unc.edu
08/29/02: Fixed a typo in the firewall-2.2 startup script which was starting the 2.4 firewall and not the 2.2. version. Thanks to Jean-Marc Vanel for catching this.
08/25/02: Updated the rc.firewall-2.2-stronger and rc.firewall-2.2 scripts to use shell environment variables.
07/09/02: Updated the FTP PORTFW section to be more readable
07/06/02: Replaced all the filewatcher.org URLs with netfilter.org URLs
06/12/02: Changed some of the formatting to try and help newbies better understand that the "\" character is used as a continuation of the previous line.
06/12/02: Updated the IP address of metalab.unc.edu in Section 5. Thanks to Pete Trachy for bringing this to my attention but please note that even major sites like Metalab change their IPs, subnets, or even ISPs from time to time.
06/02/02: Updated the rc.firewall-2.4 ruleset to include a commented option for NATing IRC DCCs, added the use of more environment vars, and added additional formatting.
05/18/02: Added some extra # lines to the commented section of the rc.firewall-2.4-stronger ruleset to better serve Cut and Paste users.
05/04/02: - Updated the various PPTP MASQ links to point to a valid URL. Also updated the HOWTO to reflect that PPTP is now supported on the 2.4.x kernels.
05/03/02: - Updated the 2.4.x kernel requirements section to point out that IPCHAINS compatibility under 2.4.x kernels isn't very good. If you want to use IPMASQ under a 2.4.x kernel, you should use IPTABLES rules only.
Changes from 01/05/02 to 04/19/02 - v2.00.041902 published to the LDP
04/01/02: - Updated the rc.firewall-2.4-stronger ruleset to denote and disable internal DHCP server support on the OUTPUT rules
02/09/02: - Added Redhat-style init.d scripts to start the rc.firewall files
02/09/02: - Updated all the various chapters to use human readable file names vs. things like x2623.html.
02/09/02: - Expanded the IPMASQ accounting section
02/04/02: - Deleted an extra "$" from the PORTFW variable in section 6.7.1
01/31/02: - Updated the URLs for the PPPd and Diald homepages
01/26/02: - Fixed some typos and added a LooseUDP clarification to tell users to read the example rc.firewall-2.2 ruleset comments on how to enable LooseUDP.
01/08/02: - Made some slight clarifications to IP Alias support
Changes from 11/19/01 to 01/05/02 - 010502 published to the LDP
01/05/02: - Added disabled rules to the rc.firewall-2.4-stronger ruleset to support INTERNAL DHCP server and EXTERNAL access to a WWW server running on the MASQ machine.
01/05/02: - Added required changes to the loading of the ip_conntrack_ftp module if people PORTFW to non-standard FTP ports.
01/05/02: - Added an example in the 2.4.x PORTFW section on how to REDIRECT internal traffic back to an INTERNAL server. This is the same as running REDIR under 2.2.x and 2.0.x kernels.
01/05/02: - Added Juanjox mirror URLs to the HOWTO.
01/04/02: - Clarified and cleaned up the ICQ PORTFW section; Added thoughts on the ip_masq_icq, PORTFW, and SOCKS solutions
01/05/02: - Added Slackware 8.0 to the supported list.
01/04/02: - Fixed some spelling mistakes in the 2.4 and 2.2 rulesets. Thanks to Michael Ott for the sharp eye.
12/19/01: - Fixed a minor comment typo in the rc.firewall-2.4 file. Thanks to Bruno Negrao for this one.
12/02/01: - Fixed some minor version typos in the 2.4.x rc.firewall ruleset; Added a missing $PORTFWIF variable for the 2.4.x PORTFW example. Thanks to Neil Bunn for the errata.
11/25/01: - Expanded on the ipchains module conflict error messages in Section 5
11/23/01: - Updated the HOWTO to reflect a new PPTP kernel module for the 2.4.x kernels
11/19/01: - Clarified the PPTP supports for 2.4.x kernels
Changes from 08/26/01 to 11/18/01 - 111801 published to the LDP
11/12/01: - updated various comments to reflect new versions:linux 2.4.14, iptables 1.2.4, and linux 2.2.20.
11/12/01: - Added the rc.firewall-2.4-stronger ruleset to the HOWTO, updated the 2.4.x kernel and IPTABLES compiling steps to reflect 2.4.14 and 1.2.4.
11/10/01: - Added the directly downloadable versions of the 2.4, 2.4-stronger, 2.2, 2.2-stronger, 2.0, and 2.0.x-stronger rulesets to the WWW.
11/10/01: - Updated the 2.4.x PORTFW example to add the missing FORWARD option.
11/10/01: - Updated the DSL-HOWTO link in the HOWTO
10/27/01: - Updated the network diagram in section 2.5 to be a little more verbose.
09/18/01: - Fixed some broken reference links pointing to the respective 2.4.x, 2.2.x, and 2.0.x kernel compiling recommendations.
09/16/01: - Cleaned up and updated the PORTFW section to also include PREROUTING examples for 2.4.x kernels.
09/13/01: - Updated the IPTABLES simple rc.firewall ruleset to 0.62. This fixed a typo on the MASQ enable line that used eth0 instead of $EXTIF. Thanks to Hafi for reporting this.
09/07/01: - It seems that most people who are getting IPCHAINS and IPTABLES conflicts are running Redhat 7.1. I have updated section 5 on how to fix this. Thanks to Jason Wenzel for helping me with this.
09/07/01: - Noted that IPTABLES v1.2.3 is current version. All versions less than v1.2.3 have an FTP module bug that can bypass strong firewall rulesets. Please upgrade your copy of IPTABLES now.
09/07/01: - Created version numbers for the simple rc.firewall rulesets (IPTABLES - v0.61) (IPCHAINS - v1.01) (IPFWADM - v2.01) and cleaned up some of the comments in each section.
09/07/01: - Added rules to the simple rc.firewall rulesets to flush the various tables. In addition to this, I have added the use of environment variables and more echo statements in the rulesets to make things easier to edit and monitor. Thanks to Ian Bishop for the good idea.
09/07/01: - Added the use of EXTIF and INTIF interface variables in each of the rc.firewall and partial firewall rulesets for better clarity (similar to how TrinityOS has been doing for a while now). Thanks to Sean McKeon for the nudge.
09/07/01: - Fixed a typo in the UNIX client configuration section where the network broadcast was 192.168.0.25 instead of .255.
Changes from 2.01 to 2.05 - 08/26/01
08/19/01: - Added an additional testing step in Section 5 to make sure the rc.firewall file loads ok. Thanks to Steven Levis for the good idea.
08/15/01: - Change the reference for the /etc/hosts file from RFC952 to RFC1035. Thanks to Michael F. Maggard for the correction.
Changes from 1.96 to 2.01 - 08/12/01
08/12/01: - Updated the basic IPTABLES ruleset to 0.60 which fixed a major issue where all MASQed packets were being dropped. Ultimately, I forgot to add a rule to ACCEPT correct packets through the forwarding chain.
- Added an additional rule to log all bogus FORWARD packets
- Load the FTP nat modules now by default
- Changed the load order of some of the kernel modules to not create bogus error messages
- Added an IPTABLES section on how to MASQ specific hosts vs. an entire subnet
- Added more MASQ-client compatible operating systems
07/19/01: - The advanced IPCHAINS example for forwarding between multiple interfaces was missing the critical "-j ACCEPT" to actually let the packets flow. Thanks to Shingo Yamaguchi for catching this.
06/21/01: Updated Section 5 (Testing Section) to add an additional test to help users troubleshoot their MASQ setup. There are now a total of -11- tests.
06/16/01: Updated the intro History section at the beginning of the HOWTO.
06/14/01: Added mirror Netfilter and IPCHAINS mirror URLs
06/13/01: Updated the H.323 URL
06/10/01: Double DOH! The simple rc.firewall script for the 2.4 kernels had two major errors in it. The new version is far more informative and even works! I am continuing to go through the HOWTO and cleaning things up but I'm not done quite yet.
06/02/01: Updated the lists of known compatible MASQ'ed operating systems (Windows M3, Linux 2.3, 2.4, etc). Made more references to DHCP and DNS in the various different MASQ client configuration guides.
04/12/01: Thanks to Joshua X and the other people at Command Prompt, Inc. for the port of the HOWTO from LinuxDoc to DocBook. Added email list URL to line 126
Changes from 1.90 to 1.95 - 11/11/00
A BIG thanks to Joshua X and the other people at Command Prompt, Inc. for the port of the HOWTO from LinuxDoc to DocBook.
Added a quick upfront notice in the intro that running a SINGLE NIC to MASQ multiple ethernet segments is NOT recommended and linked to the relevant FAQ entry. Thanks to Daniel Chudnov for helping the HOWTO be more clear.
Added a pointer in the Intro section to the FAQ section for users looking for how MASQ is different from NAT and Proxy services.
Reordered the Kernel requirements sections to be 2.2.x, 2.4.x, 2.0.x
Expanded the kernel testing in Section 3 to see if a given kernel already supports MASQ or not.
Reversed the order of the displayed simple MASQ ruleset examples (2.2.x and 2.0.x)
Cleaned up some formatting issues in the 2.0.x and 2.2.x rc.firewall files
Noted in the 2.2.x rc.firewall that the defrag option is gone in some distro's proc (Debian, TurboLinux, etc)
Added a NOTE #3 to the rc.firewall scripts to include instructions for Pump. Thanks to Ross Johnson for this one.
Cleaned up the simple MASQ ruleset examples for both the 2.2.x and 2.2.x kernels
Updated the simple and stronger IPCHAINS and IPFWADM rulesets to include the external interface names (IPCHAINS is -i; IPFWADM is -W) to avoid some internal traffic MASQing issues.
Vastly expanded the Section 5 (testing) with even more testing steps with added complete examples of what the output of the testing commands should look like.
Moved the H.323 application documentation from NOT supported to Supported. :-)
Reordered the Multiple LAN section examples (2.2.x then 2.0.x)
Made some additional clarifications to the Multiple LAN examples
Fixed a critical typo with multiple NIC MASQing where the network examples had the specified networks reversed. Thanks to Matt Goheen for catching this.
Added a little intro to MFW in the PORTFW section.
Reversed the 2.0.x and 2.2.x sections for PORTFW
Updated the news regarding PORTFWing FTP traffic for 2.2.x kernels
NOTE: At this time, there *IS* a BETA level IP_MASQ_FTP module for PORT Forwarding FTP connections on 2.2.x kernels which also supports adding additional PORTFW FTP ports on the fly without the requirement of unloading and reloading the IP_MASQ_FTP module and thus breaking any existing FTP transfers.
Added a top level note about PORTFWed FTP support
Added a note to the 2.0.x PORTFW'ed FTP example why users DON'T need to PORTFW port 20.
Updated the PORTFW section to also mention that users can use FTP proxy applications like the one from SuSe to support PORTFWed FTP-like functionality. Thanks to Stephen Graham for this one.
Updated the example for how to enable PORTFWed FTP to also include required configurations on how the ip_masq_ftp module is loaded for users who use multiple PORTs to contact multiple internal FTP servers. Thanks to Bob Britton for reminding me about this one.
Added a FAQ entry for users who have embedded ^Ms in their rc.firewall file
Expanded the FAQ entry talking about how MASQ is different from NAT and Proxy to include some informative URLs.
Updated the explanation of the MASQ MTU issue and described the two main explanations for the issue.
Clarified that, per the RFC, PPPoE should only require an MTU of 1492 though some ISPs require a setting of 1460. Because of this, I have updated the example to show an MTU of 1492.
Broke out the Windows 9x sections into Win95 and Win98 as they use different settings (DWORD vs. STRING). I also updated the sections to be clearer and the Registry backup methods have been updated.
Fixed a typo where the NT 4.0 Registry entries were backwards (Tcpip/Parameters vs. Parameters/Tcpip).
Fixed an issue where the WinNT entry should have been a DWORD and not a STRING.
A serious thanks goes out to Geoff Mottram for his various PPPoE and various Windows Registry entry fixes.
Added an explicit URL for Oident in the IRC FAQ entry
Updated the FAQ section regarding some broken "netstat" versions
Added new FAQ sections for MASQ accounting ideas and traffic shaping
Expanded the IPROUTE2 FAQ entry on what Policy-routing is.
Moved the IPROUTE2 URLs to the 2.2.x Kernel requirements section and also added a few more URLs as well.
Corrected the "intnet" variable in the stronger IPCHAINS ruleset to reflect the 192.168.0.0 network to be consistent with the rest of the example. Thanks to Ross Johnson for this one.
Added a new FAQ section for users asking about forwarding problems between multiple internal MASQed LANs.
Added a new FAQ section about users wanting to PORTFW all ports from multiple external IP addresses to internal ones. I also touched on users who were trying to PORTFW all ports on multiple IP ALIASed interfaces and also noted the Bridge+Firewall HOWTO for DSL and Cablemodem users who have multiple IPs in a non-routed environment.
Added Mandrake 7.1, Mandrake 7.2, and Slackware 7.1 to the supported list
Added Redhat 7.0 to the MASQ supported distros. Thanks to Eugene Goldstein for this one.
Fixed a mathematical error in the "Maximum Throughput" calculation in the FAQ section. Thanks to Joe White @ [email protected] for this one.
Fixed the Windows9x MTU changes to be a STRING change and not a DWORD change to the registry. Thanks to [email protected] for this one.
Updated the comments in the 2.0.x rc.firewall script to note that the ip_defrag option is for both 2.0 and 2.2 kernels. Thanks to [email protected] for this clarification.
Changes from 1.85 to 1.90 - 07/03/00
Updated the URL for TrinityOS to reflect its newest layout
Caught a typo in the IPCHAINS rulesets where I was setting "ip_ip_always_defrag" instead of "ip_always_defrag"
The URL to Taro Fukunaga was invalid since it was using "mail:" instead of "mailto:"
Added some clarification to the "Masqing multiple internal interfaces" where some users didn't understand why eth0 was referenced multiple times.
Fixed another "space after the EXTIP variable" bug in the stronger IPCHAINS section. I guess I missed one.
In Test #7 of Section 5, I referred users to go back to step #4. That should have been step #6.
Updated the kernel versions that came with SuSe 5.2 and 6.0
Fixed a typo (or vs. of) in Section 7.2
Added Item #9 to the Testing MASQ section to refer users who are still having MASQ problems to read the MTU entry in the FAQ
Improved the itemization in Section 5
Updated the IPCHAINS syntax to show the MASQ/FORWARD table. Before, it was valid to run "ipchains -F -L" but now only "ipchains -M -L" works.
Updated the LooseUDP documentation to reflect the new LooseUDP behavior in 2.2.16+ kernels. Before, it was always enabled, now, it defaults to OFF due to a possible MASQed UDP port scanning vulnerability. I updated the BASIC and SEMI-STRONG IPCHAINS rulesets to reflect this option.
Updated the recommended 2.2.x kernel to be 2.2.16+ since there is a TCP root exploit vulnerability on all lesser versions.
Added Redhat 6.2 to the MASQ supported list
Updated the link for Sonny Parlin's FWCONFIG to point to fBuilder.
Updated the various examples of IP addresses from 111.222.333.444 to be 111.222.121.212 and within a valid IP address range
Updated the URL for the BETA H.323 MASQ module
Finally updated the MTU FAQ section to help out PPPoE DSL and Cablemodem users. Basically, Section 7.15 now reflects the fact that users can also change the MTU settings of all of their INTERNAL machines to solve the dreaded MASQ MTU issue.
Added a clarification to the PORTFW section that PORTFWed connections which work for EXTERNAL clients will not work for INTERNAL clients. If you also need INTERNAL portfw, you will need to also implement the REDIR tool as well. I also noted that this issue is fixed in the 2.4.x kernels with Netfilter.
I also added a technical explanation from Juanjo to the end of the PORTFW section to why this scenario doesn't work properly.
Updated all of the IPCHAINS URLs to point to Paul Rusty's new site at http://www.netfilter.org/ipchains/
Updated Paul Rustys email address
Added a new FAQ section for users whose connections remain idle for a long period of time and PORTFWed connections no longer work.
Updated all the URLs to the LDP that pointed to metalab.unc.edu to the new site of linuxdoc.org
Updated the Netfilter URLs to point to renamed HOWTOs, etc.
I also updated the status of the 2.4.x support to note that I *will* add full Netfilter support to this HOWTO and if the time comes, then split that support off into a different HOWTO.
Updated the 2.4.x Requirements section to reflect how NetFilter has changed compared to IPFWADM and IPCHAINS and gave a PROs/CONs list of new features and changes to old behaviors.
Added a TCP/IP math example to the "My MASQ connection is slow" FAQ entry to better explain what a user should expect performance wise.
Updated the HOWTO to reflect that newer versions of the "pump" DHCP client now can run scripts upon bringup, lease renew, etc.
Updated the PORTFWing of FTP to reflect that several users say they can successfully forward FTP traffic to internal machines without the need of a special ip_masq_ftp module. I have made the HOWTO reflect that users should try it without the modified module first and then move to the patch if required.
Changes from 1.82 to 1.85 - 05/29/00
Ambrose Au's name has been taken off the title page as David Ranch has been the primary maintainer for the HOWTO for over a year. Ambrose will still be involved with the WWW site though.
Deleted a stray SPACE in section 6.4
Re-ordered the compatible MASQ'ed OS section and added instructions for setting up an AS/400 system running on OS/400. Thanks to [email protected] for the notes.
Added an additional PORTFW-FTP patch URL for FTP access if HTTP access fails.
Updated the kernel versions for Redhat 5.1 & 6.1 in the FAQ
Added FloppyFW to the list of MASQ-enabled Linux distros
Fixed an issue in the Stronger IPFWADM rule set where there were spaces between "ppp_ip" and the "=".
In the kernel compiling section for 2.2.x kernels, I removed the reference to enable "CONFIG_IP_ALWAYS_DEFRAG". This option was removed from the compiling section and enabled by default with MASQ enabled in 2.2.12.
Because of the above change in the kernel behavior, I added the enabling of ip_always_defrag to all the rc.firewall examples.
Updated the status of support for H.323. There are now ALPHA versions of modules to support H.323 on both 2.0.x and 2.2.x kernels.
Added Debian v2.2 to the supported MASQ distributions list
Fixed a long-standing issue where the section that covered explicit filtering of IP addresses for IPCHAINS had old IPFWADM syntax. I've also cleaned this section up a little and made it understandable.
Doh! Added Juan Ciarlante's URL to the important MASQ resources section. Man.. you guys need to make me more honest than this!!
Updated the HOWTO to reflect kernels 2.0.38 and 2.2.15
Reversed the order shown to compile kernels to show 2.2.x kernels first as 2.0.x is getting pretty old.
Updated the 2.2.x kernel compiling section to reflect the changed options for the latter 2.2.x kernels.
Added a possible solution for users that fail to get past MASQ test #5.
Changes from 1.81 to 1.82 - 01/22/00
Added a missing subsection for /proc/sys/net/ipv4/ip_dynaddr in the stronger IPCHAINS ruleset. Section 6.5
Changed the IP Masq support for Debian 2.1 to YES
Reorganized and updated the "Masq is slow" FAQ section to include fixing Ethernet speed and duplex issues.
Added a link to Donald Becker's MII utilities for Ethernet NIC cards
Added a missing ")" for the 2.2.x section (previously fixed it only for the 2.0.x version) to the ICQ portfw script and changed the evaluation from -lt to -le
Added Caldera eServer v2.3 to the MASQ supported list
Added Mandrake 6.0, 6.1, 7.0 to the MASQ supported list
Added Slackware v7.0 to the MASQ supported list
Added Redhat 6.1 to the MASQ supported list
Added TurboLinux 4.0 Lite to the MASQ supported list
Added SuSe 6.3 to the MASQ supported list
Updated the recommended stable 2.2.x kernel to be anything newer than 2.2.11
In section 3.3, the HOWTO forgot to tell the user how to load the /etc/rc.d/rc.firewall upon each reboot. This has now been covered for Redhat (and Redhat-based distros) and Slackware.
Added clarification in the Windows WFWG v3.x and NT setup sections why users should NOT configure the DHCP, WINS, and Forwarding options.
Added a FAQ section on how to fix FTP problems with MASQed machines.
Fixed a typo in the Stronger firewall rulesets. The "extip" variable cannot have the SPACE between the variable name and the "=" sign. Thanks to [email protected] for the sharp eye.
Updated the compatibility section: Mandrake 7.0 is based on 2.2.14 and TurboLinux v6.0 runs 2.2.12
Changes from 1.80 to 1.81 - 01/09/00
Updated the ICQ section to reflect that the new ICQ Masq module supports file transfer and real-time chat. The 2.0.x module still has those limitations.
Updated Steven E. Grevemeyer's email address. He is the maintainer of the IP Masq Applications page.
Fixed a few lines that were missing the word AREN'T for the "setsockopt" errors.
Corrected an error in the strong IPCHAINS ruleset where it was using the variable name "ppp_ip" instead of "extip".
Fixed a "." vs a "?" typo in section 3.3.1 in the DHCP comment section.
Added a missing ")" to the ICQ portfw script and changed the evaluation from -lt to -le
Updated the Quake Module syntax to NOT use the "ports=" verbiage
Changes from 1.79 to 1.80 - 12/26/99
Fixed a space typo when setting the "ppp_ip" address.
Fixed a typo in the simple IPCHAINS ruleset. "deny" to "DENY"
Updated the URLs for Bjorn's "modutils" for Linux
Added verbiage about NetFilter and IPTables and gave URLs until it is added to this HOWTO or a different HOWTO.
Updated the simple /etc/rc.d/rc.firewall examples to notify users about the old Quake module bug.
Updated the STRONG IPFWADM /etc/rc.d/rc.firewall to clarify for users dynamic IP addresses (PPP & DHCP), newer DHCPCD syntax, and the old Quake module bug.
Updated the STRONG IPCHAINS /etc/rc.d/rc.firewall to ADD a missing section on dynamic IP addresses (PPP & DHCP) and the old Quake module bug.
Added a note in the "Applications that DO NOT work" section that there IS a beta module for Microsoft NetMeeting (H.323 based) v2.x on 2.0.x kernels. There are NO versions available for Netmeeting 3.x and/or 2.2.x kernels as of yet.
Changes from 1.78 to 1.79 - 10/21/99
Updated the HOWTO name to reflect that it isn't a MINI anymore!
Changes from 1.77 to 1.78 - 8/24/99
Fixed a typo in "Section 6.6 - Multiple Internal Networks" where the -a policy was omitted.
Deleted the 2.2.x kernel configure option "Drop source routed frames" since it is now enabled by default and the kernel compile option was removed.
Updated the 2.2.x and all other IPCHAINS sections to notify users of the IPCHAINS fragmentation bug.
Updated all of the URLs pointing at Lee Nevo's old IP Masq Applications page to Seg's new page.
Changes from 1.76 to 1.77 - 7/26/99
Fixed a typo in the Port forwarding section that used "ipmasqadm ipportfw -C" instead of "ipmasqadm portfw -f"
Changes from 1.75 to 1.76 - 7/19/99
Updated the "ipfwadm: setsockopt failed: Protocol not available" message in the FAQ to be clearer instead of making the user hunt for the answer in the Forwarders section.
Fixed incorrect syntax in section 6.7 for IPMASQADM and "portfw"
Changes from 1.72 to 1.75 - 6/19/99
Fixed the quake module port setup order for the weak IPFWADM & IPCHAINS ruleset and the strong IPFWADM ruleset as well.
Added a user report about port forwarding ICQ 4000 directly in and using ICQ's default settings WITHOUT enabling the "Non-Sock" proxy setup.
Updated the URLs for the IPMASQADM tool
Added references to Taro Fukunaga, [email protected] for his MkLinux port of the HOWTO
Updated the blurb about Sonny Parlin's FWCONFIG tool to note new IPCHAINS support
Noted that Fred Vile's patch for portfw'ed FTP access is ONLY available for the 2.0.x kernels
Updated the 2.2.x kernel step with a few clarifications on the Experimental tag
Added Glen Lamb's name to the credits for the LooseUDP patch
Added a clarification on installing the LooseUDP patch that it should use "cat" for non-compressed patches.
Fixed a typo in the IPAUTO FAQ section
I had the DHCP client port numbers reversed for the IPFWADM and IPCHAINS rulesets. The order I had was if your Linux server was a DHCP SERVER.
Added explicit /sbin path to all weak and strong ruleset examples.
Made some clarifications in the strong IPFWADM section regarding Dynamic IP addresses for PPP and DHCP users. I also noted that the strong rulesets should be re-run when PPP comes up or when a DHCP lease is renewed.
Added references in the 2.2.x requirements, updated the ICQ FAQ section, and added Andrew Deryabin to the credits section for his ICQ MASQ module.
Added some clarifications to the FAQ section explaining why the 2.1.x and 2.2.x kernels went to IPCHAINS.
Added a little FAQ section on Microsoft File/Print/Domain services (Samba) through a MASQ server. I also added a URL to a Microsoft Knowledge Base document for more details.
Added clarifications to the FAQ section that NO Debian distribution supports IP masq out of the box.
Updated the supported MASQ distributions in the FAQ section.
Added to the Aliased NIC section of the FAQ that you CANNOT masq out of an aliased interface.
Wow.. never caught this before but the "ppp-ip" variable in the strong ruleset section is an invalid variable name! It has been renamed to "ppp_ip"
In both the IPFWADM and IPCHAINS simple ruleset setup areas, I had a commented out section on enabling DHCP traffic. Problem is, it was below the final reject line! Doh! I moved both up a section.
In the simple IPCHAINS setup, in the commented-out line for DHCP users, I was using the IPFWADM "-W" command instead of the IPCHAINS "-i" parameter.
Added a little blurb to the Forwarders section on the resolution to the famous "ipfwadm: setsockopt failed: Protocol not available" error. This also includes a little /proc test to let users confirm if IPPORTFW is enabled in the kernel. I also added this error to a FAQ section for simple searching.
Added a Strong IPCHAINS ruleset to the HOWTO
Added a FAQ section explaining the "kernel: ip_masq_new(proto=UDP): no free ports." error.
Added an example of scripting IPMASQADM PORTFW rules
Updated a few of the Linux Documentation Project (LDP) URLs
Added Quake III support in the module loading sections of all the rc.firewall rulesets.
Fixed the IPMASQADM forwards for ICQ
1.72 - 4/14/99 - Dranch: Added a large list of Windows NAT/Proxy alternatives with rough pricing and URLs to the FAQ.
1.71 - 4/13/99 - Dranch: Added IPCHAINS setups for multiple internal MASQed networks. Changed the ICQ setup to use ICQ's default 60 second timeout and changed IPFWADM/IPCHAINS timeout to 160 seconds. Updated the MASQ and MASQ-DEV email list and archive subscription instructions.
1.70 - 3/30/99 - Dranch: Added two new FAQ sections that cover SMTP/POP-3 timeout problems and how to masquerade multiple internal networks out onto different external IP addresses with IPROUTE2.
1.65 - 3/29/99 - Dranch: Typo fixes, clarifications of required 2.2.x kernel options, added dynamic PPP IP address support to the strong firewall section, additional Quake II module ports, noted that the LooseUDP patch is built into later 2.2.x kernels and it's from Glenn Lamb and not Dan Kegel, added more game info in the compatibility section.
1.62 - Dranch: Made the final first-draft changes to the doc and announced it on the MASQ email list.
1.61 - Dranch: Made editorial changes, cleaned things up and fixed some errors in the Windows95 and NT setups.
1.58 - Dranch: Addition of the port forwarding sections; LooseUDP setup; Ident servers for IRC users, how to read firewall logs, deleted the CuSeeme Mini-HOWTO since it is rarely used.
1.55 - Dranch: Complete overhaul, feature and FAQ addition, and editing sweep of the v1.50 HOWTO. Completed the 2.2.x kernel and IPCHAINS configurations. Did a conversion from IPAUTOFW to IPPORTFW for the examples that applied. Added many URLs to various other documentation and utility sites. There are so many changes.. I hope everyone likes it. Final publishing of this new rev of the HOWTO to the LDP project won't happen until the doc is looked over and approved by the IP MASQ email list (then v2.00).
1.50 - Ambrose: A serious update to the HOWTO and the initial addition of the 2.2.0 and IPCHAINS configurations.
1.20 - Ambrose: One of the more recent HOWTO versions that solely dealt with < 2.0.x kernels and IPFWADM.