
Re: ...no Masquerade...?
On Sat, Mar 25, 2000 at 03:02:52AM -0500, Jeff Gordon wrote:
> Hi, John --
> 
> > Um.. in spite of what Andrew said, they're not modules.
> > ipfwadm is an IP packet firewall/masquerading setup 
> > utility that works with kernel 2.0.x; ipchains is similar, 
> > but for kernel 2.2.x.
> 
> (Okay.)
> 
> > # ipchains -L input
> > for kernel 2.2.x.
> > 
> > This should list the default policy and rules for accepting 
> > incoming packets, if your kernel supports IP firewalling (which 
> > is required for IP masquerading).
> 
> Okay--the policy at present is one I set up awhile ago, basically
> allowing bidirectional forwarding on everything. :-)  We realized that
> if we didn't do that, my brother's packets would never make it out the
> door -- but we're still left with problems of how to get responding
> packets back to his machine, which (as I understand it, anyway) is
> where the Masq bits come into play -- and the kernel is saying
> Masquerading is not enabled -- so are we back at Andrew's original
> statement, that I need to compile a kernel in which Masquerading -is-
> enabled as the next order of business...?  (I hope so 'cause I'm
> downloading about 18 megs right now in order to do that. :-)
> 

Are you using a "stock" Debian kernel, or one which you built
yourself? The stock kernels usually include masquerading
support.

If you're using a "Stock" 2.2.x kernel you should see
masquerading modules (ip_masq_*.o) under
/lib/modules/2.2.14/ipv4 (assuming kernel version 2.2.14); if
you do then your kernel already has masquerading support built
in (if it *is* a stock kernel then you should also have a file
like /boot/config-2.2.14 that shows you the kernel configuration
used).

If you're compiling your own, you need to include support for
(assuming kernel 2.2.x) Network Firewalls, IP Firewalls and IP
Masquerading.  You also need /proc filesystem support and sysctl
support (under "General Options").

If you are using a 2.2.x kernel, also bear in mind that IP
forwarding has to be enabled for IP masquerading to work; you
can enable forwarding with
# echo "1" > /proc/sys/net/ipv4/ip_forward

and see if it is enabled with 
# cat /proc/sys/net/ipv4/ip_forward

This step is not relevant to 2.0.x kernels; if they have
forwarding enabled at compile time then it is enabled.

Finally, here are the ipchains rules that perform
masquerading on my machine, running kernel 2.2.14:
# /sbin/ipchains -L -n
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a
ACCEPT     all  ------  192.168.1.0/24        0.0.0.0/0             n/a
ACCEPT     all  ------  0.0.0.0/0             203.55.241.211        n/a
DENY       all  ----l-  192.168.1.0/24        0.0.0.0/0             n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.1.0/24        0.0.0.0/0             n/a
Chain output (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a
ACCEPT     all  ------  0.0.0.0/0             192.168.1.0/24        n/a
ACCEPT     all  ------  203.55.241.211        0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0/0             192.168.1.0/24        n/a
# 

I use the ipmasq package to do this for me; I'm using version
3.2.5, which seems to work here.  The only extra tweaking I've
done (AFAICR) is to add the line
modprobe ip_masq_ftp

to the end of /etc/ppp/ip-up.d/00ipmasq; you may want to load 
the modules (if any) for the protocols you require there, also.

Good luck,


John P.
-- 
huiac@camtech.net.au
john@huiac.apana.org.au
"Oh - I - you know - my job is to fear everything." - Bill Gates in Denmark
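As an added example (not part of John's mail, nor of the ipmasq package), the
four prerequisites John walks through above can be checked from a small POSIX
sh script: the kernel config file, the ip_masq_*.o modules directory, the
ip_forward sysctl, and a MASQ rule for the LAN in the ipchains forward chain.
Every check takes its input as a parameter, so it can be run either against the
live 2.2.14 paths John names or against a saved `ipchains -L -n` listing. The
assumptions are the kernel 2.2 config symbol `CONFIG_IP_MASQUERADE`, the LAN
prefix 192.168.1.0/24 taken from John's listing, and the function names, which
are mine.

```shell
#!/bin/sh
# Added example: sanity checks for the IP masquerading prerequisites
# described in the mail above. Not the ipmasq package's own code.
# Each function returns 0 (true) on success so it can be used in an if.

# 1. Kernel config: was IP masquerading compiled in (=y) or as a
#    module (=m)? $1 = path to the config file, e.g. /boot/config-2.2.14.
#    CONFIG_IP_MASQUERADE is assumed to be the 2.2 option name.
masq_configured() {
    grep -q '^CONFIG_IP_MASQUERADE=[ym]' "$1"
}

# 2. Masq helper modules: is there at least one ip_masq_*.o in the
#    ipv4 modules directory? $1 = e.g. /lib/modules/2.2.14/ipv4.
#    If the glob matches nothing it stays literal and -e fails.
masq_modules_present() {
    set -- "$1"/ip_masq_*.o
    [ -e "$1" ]
}

# 3. Forwarding: the sysctl file must read exactly "1".
#    $1 = e.g. /proc/sys/net/ipv4/ip_forward.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# 4. Firewall rules: does the forward chain of an `ipchains -L -n`
#    listing carry a MASQ rule whose source is the LAN prefix?
#    $1 = file with the listing ("-" for stdin), $2 = LAN prefix.
#    In -L -n output the columns are: target prot opt source dest ports.
forward_chain_masqs() {
    awk -v lan="$2" '
        /^Chain /                                        { chain = $2 }
        chain == "forward" && $1 == "MASQ" && $4 == lan  { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Run all four checks against the live system. $1 = kernel version
# (default 2.2.14, as in the mail), $2 = LAN prefix.
masq_report() {
    ver="${1:-2.2.14}"
    lan="${2:-192.168.1.0/24}"
    if masq_configured "/boot/config-$ver"; then
        echo "config:     CONFIG_IP_MASQUERADE set in /boot/config-$ver"
    else
        echo "config:     masquerading NOT in /boot/config-$ver (or file missing)"
    fi
    if masq_modules_present "/lib/modules/$ver/ipv4"; then
        echo "modules:    ip_masq_*.o present under /lib/modules/$ver/ipv4"
    else
        echo "modules:    no ip_masq_*.o under /lib/modules/$ver/ipv4"
    fi
    if forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "ip_forward: enabled"
    else
        echo "ip_forward: DISABLED (echo 1 > /proc/sys/net/ipv4/ip_forward)"
    fi
    if /sbin/ipchains -L -n 2>/dev/null | forward_chain_masqs - "$lan"; then
        echo "forward:    MASQ rule for $lan present"
    else
        echo "forward:    no MASQ rule for $lan in the forward chain"
    fi
}

# Only touch the live system when explicitly asked:
#   sh masqcheck.sh --check 2.2.14 192.168.1.0/24
if [ "${1:-}" = "--check" ]; then
    masq_report "${2:-2.2.14}" "${3:-192.168.1.0/24}"
fi
```

The listing check deliberately keys on the source column, so a MASQ rule for
some other prefix (or an ACCEPT where MASQ was meant) is reported as missing
rather than silently passing; run it with `--check` on the gateway, as root, to
get one line per prerequisite.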