Linux IP Masquerade HOWTODavid A. Ranchv2.00.110903, 2003-11-09
This document describes how to enable the Linux IP Masquerade feature on a
given Linux host. IP Masquerade is a form of Network Address Translation or
NAT which NAT allows internally connected computers that do not have one or more
registered Internet IP addresses to communicate to the Internet via the Linux
server's Internet IP address.
- Table of Contents
- 1. Introduction
- 1.1. Introduction to IP Masquerading or IP MASQ
- 1.2. Foreword, Feedback & Credits
- 1.3. Copyright & Disclaimer
- 2. Background Knowledge
- 2.1. What is IP Masquerade?
- 2.2. Current Status
- 2.3. Who Can Benefit From IP Masquerade?
- 2.4. Who Doesn't Need IP Masquerade?
- 2.5. How does IP Masquerade Work?
- 2.6. Requirements for IP Masquerade on Linux 2.4.x
- 2.7. Requirements for IP Masquerade on Linux 2.2.x
- 2.8. Requirements for IP Masquerade on Linux 2.0.x
- 3. Setting Up IP Masquerade
- 3.1. Compiling a new kernel if needed
- 3.2. Checking your existing kernel for MASQ functionality
- 3.2.1. Compiling Linux 2.4.x Kernels
- 3.2.2. Compiling Linux 2.2.x Kernels
- 3.2.3. Compiling Linux 2.0.x Kernels
- 3.3. Assigning Private Network IP Addresses to the Internal LAN
- 3.4. Configuring IP Forwarding Policies
- 3.4.1. Configuring IP Masquerade on Linux 2.4.x Kernels
- 3.4.2. Configuring IP Masquerade on Linux 2.2.x Kernels
- 3.4.3. Configuring IP Masquerade on Linux 2.0.x Kernels
- 4. Configuring the other internal to-be MASQed machines
- 4.1. Configuring Microsoft Windows 95 and OSR2
- 4.2. Configuring Windows NT
- 4.3. Configuring Windows for Workgroup 3.11
- 4.4. Configuring UNIX Based Systems
- 4.5. Configuring DOS using NCSA Telnet package
- 4.6. Configuring MacOS Based System Running MacTCP
- 4.7. Configuring MacOS Based System Running Open Transport
- 4.8. Configuring Novell network using DNS
- 4.9. Configuring OS/2 Warp
- 4.10. Configuring OS/400 on a IBM AS/400
- 4.11. Configuring Other Systems
- 5. Testing IP Masquerade
- 5.1. Loading up the rc.firewall ruleset
- 5.2. Testing internal MASQ client PC connectivity
- 5.3. Testing internal MASQ client to MASQ server connectivity
- 5.4. Testing internal MASQ server connectivity
- 5.5. Testing internal MASQ server to MASQ client connectivity
- 5.6. Testing External MASQ server Internet connectivity
- 5.7. Testing internal MASQ client to external MASQ server connectivity
- 5.8. Testing external MASQ ICMP forwarding
- 5.9. Testing MASQ functionality without DNS
- 5.10. Testing MASQ functionality with DNS resolution
- 5.11. Testing more MASQ functionality with DNS
- 5.12. Any remaining functional, performance, etc. issues...
- 6. Other IP Masquerade Issues and Software Support
- 6.1. Problems with IP Masquerade
- 6.2. Incoming services
- 6.3. Supported Client Software and Other Setup Notes
- 6.3.1. Network Clients that -Work- with IP Masquerade
- 6.3.2. Clients that do not have full support in IP MASQ:
- 6.4. Stronger firewall rulesets to run after initial testing
- 6.4.1. Stronger IP Firewall (IPTABLES) rulesets
- 6.4.2. Stronger IP Firewall (IPCHAINS) rulesets
- 6.4.3. Stronger IP Firewall (IPFWADM) Rulesets
- 6.5. IP Masquerading multiple internal networks
- 6.6. IP Masquerade and Dial-on-Demand Connections
- 6.7. IPPORTFW, IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other Port Forwarding
tools
- 6.7.1. 2.4.x PORTFWD'ing: Using IPTABLE's PREROUTING option for 2.4.x kernels
- 6.7.2. 2.2.x PORTFWD'ing: Using IPMASQADM with 2.2.x kernels
- 6.7.3. 2.0.x PORTFWD'ing: Using IPPORTFW on 2.0.x kernels
- 6.8. CU-SeeMe and Linux IP-Masquerade
- 6.9. Mirabilis ICQ
- 6.10. Gamers: The LooseUDP patch
- 7. Frequently Asked Questions
- 7.1. ( Distro ) - What Linux Distributions support IP Masquerading?
- 7.2. ( Requirements ) - What are the minimum hardware requirements and any
limitations for IP Masquerade? How well does it perform?
- 7.3. ( Errors ) - When I run the rc.firewall command, I get "command not found" errors.
Why?
- 7.4. ( Still wont work ) - I've checked all my configurations, I still can't get IP Masquerade to
work. What should I do?
- 7.5. ( Email list ) - How do I join or view the IP Masquerade and/or IP Masqurade Developers
mailing lists and archives?
- 7.6. ( NAT vs. Proxy ) - How does IP Masquerade differ from Proxy or NAT services?
- 7.7. ( GUI ) - Are there any GUI firewall creation/management tools?
- 7.8. ( MASQ and Dynamic IPs ) - Does IP Masquerade work with dynamically
assigned IP addresses?
- 7.9. ( MASQ and various networks ) - Can I use a cable modem (both bi-directional and with modem returns),
DSL, satellite link, etc. to connect to the Internet and use IP Masquerade?
- 7.10. ( Dial on Demand ) - Can I use Diald or the Dial-on-Demand feature of
PPPd with IP MASQ?
- 7.11. ( Apps ) - What applications are supported with IP Masquerade?
- 7.12. ( Distro Setup ) - How can I get IP Masquerade running on Redhat,
Debian, Slackware, etc.?
- 7.13. ( Timeouts ) - Connections seem to break if I don't use them often.
Why is that?
- 7.14. ( Odd Behavior ) - When my Internet connection first comes up, nothing
works. If I try again, everything then works fine. Why is this?
- 7.15. ( MTU ) - IP MASQ seems to be working fine but some sites don't work.
This usually happens with WWW and some FTP sites.
- 7.15.1. Enabling PMTU Clamping for PPPoE and some PPP Users:
- 7.15.2. Clamping the MSS via IPTABLES:
- 7.15.3. Changing the External MTU of the MASQ server:
- 7.15.4. Changing the MTU of various operating systems:
- 7.16. ( FTP ) - MASQed FTP clients don't work.
- 7.17. ( Performance ) - IP Masquerading seems slow
- 7.18. ( PORTFW ) - IP Masquerading with PORTFWing seems to break when my line
is idle for long periods
- 7.19. ( PORTFW - Locally ) - I can't reach my PORTFWed server from the INTERNAL lan
- 7.20. ( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird
notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM
firewall errors?
- 7.21. ( Log Reduction ) - My logs are filling up with packet hits due to the
new "stronger" rulesets. How can I fix this?
- 7.22. ( MASQ Security ) - Can I configure IP MASQ to allow Internet users to
directly contact internal MASQed servers?
- 7.23. ( Free Ports ) - I'm getting "kernel: ip_masq_new(proto=UDP): no free ports." in my
SYSLOG files. Whats up?
- 7.24. ( SETSOCKOPT ) - I'm getting "ipfwadm: setsockopt failed: Protocol not
available" when I try to use IPPORTFW!
- 7.25. ( SAMBA ) - Microsoft File and Print Sharing and Microsoft Domain clients
don't work through IP Masq!
- 7.26. ( IDENT ) - IRC won't work properly for MASQed IRC users. Why?
- 7.27. ( IRC DCC ) - mIRC doesn't work with DCC Sends
- 7.28. ( IP Aliasing ) - Can IP Masquerade work with only ONE Ethernet network card?
- 7.29. ( Multiple-LANs ) - I have two MASQed LANs but they cannot communicate with
each other!
- 7.30. ( SHAPING ) - I want to be able to limit the speed of specific types of
traffic
- 7.31. ( ACCOUNTING ) - I need to do accounting on who is using the network
- 7.32. ( MULTIPLE IPs - DMZ segments) - I have several EXTERNAL IP addresses that I want to
PORTFW to several internal machines. How do I do this?
- 7.33. ( Netstat ) - I'm trying to use the NETSTAT command to show my Masqueraded
connections but its not working
- 7.34. ( VPNs ) - I would like to get Microsoft PPTP (GRE tunnels) and/or
IPSEC (Linux SWAN) tunnels running through IP MASQ
- 7.35. ( Games ) - I want to get the XYZ network game to work through IP MASQ but it won't
work. Help!
- 7.36. ( Stops working ) - IP MASQ works fine for a while but then it stops working. A reboot
seems to fix this. Why?
- 7.37. ( SMTP Relay ) - Internal MASQed computers cannot send SMTP or POP-3 mail!
- 7.38. ( Source Routing ) - I need different internal MASQed networks to exit
on different external IP addresses
- 7.39. ( IPCHAINS rulesets on 2.4.x kernels ) - What the ipchains.o module can
do on 2.4.x kernels
- 7.40. ( IPTABLES vs. IPCHAINS vs. IPFWADM ) - Why do the 2.4.x, 2.2.x,
and 2.0.x kernels use different firewall systems?
- 7.41. ( Upgrades ) - I've just upgraded to the x.y.z kernel, why isn't IP
Masquerade working?
- 7.42. ( EQL ) - I need help with EQL connections and IP Masq
- 7.43. ( Wussing out ) - I can't get IP Masquerade to work! What options do I
have for Windows Platforms?
- 7.44. ( Developers ) - I want to help with IP Masquerade development. What
can I do?
- 7.45. ( More INFO ) - Where can I find more information on IP Masquerade?
- 7.46. ( Translators ) - I want to translate this HOWTO to another language,
what should I do?
- 7.47. ( Updates ) - This HOWTO seems out of date, are you still maintaining
it? Can you include more information on ...? Are there any plans for making
this better?
- 7.48. ( Thanks ) - I got IP Masquerade working, it's great! I want to thank
you guys, what can I do?
- 8. Miscellaneous
- 8.1. Useful Resources
- 8.2. Linux IP Masquerade Resource
- 8.3. Thanks to the following supporters..
- 8.4. Reference
- 8.5. ChangeLOG
Chapter 1. Introduction1.1. Introduction to IP Masquerading or IP MASQThis document describes how to enable the Linux IP Masquerade feature on a
given Linux host. IP Masquerade, called "IPMASQ" or "MASQ" for short, is a form
of Network Address Translation (NAT) which allows internally connected computers
that do not have one or more registered Internet IP addresses to communicate to
the Internet via the Linux server's Internet IP address. Since IPMASQ is a
generic technology, you can connect the Linux server's internal and external
to other computers through LAN technologies like Ethernet, TokenRing, and FDDI,
as well as dialup connections line PPP or SLIP links. This document primarily
uses Ethernet and PPP connections in examples because it is most commonly used with
DSL / Cablemodems and dialup connections. "This document is intended for systems running stable Linux kernels like 2.4.x,
2.2.x, and 2.0.x preferably on an IBM-compatible PC. IP Masquerade
does work on other Linux-supported platforms like Sparc, Alpha, PowerPC, etc.
but this HOWTO doesn't cover them in as much detail. Beta kernels
such as 2.5.x, 2.3.x, 2.1.x, and ANY kernels less than 2.0.x are NOT covered
in this document. The primary reason for this is because many of the older
kernels are considered broken. If you are using an older kernel version, it
is highly advisable to upgrade to one of the stable Linux kernels before using
IP Masquerading. "
1.2. Foreword, Feedback & CreditsFrom the original IPMASQ HOWTO author: "As a new user, I found it very confusing to setup IP masquerade on the Linux
kernel, (back then, its was a 1.2.x kernel). Although there was a FAQ and a
mailing list, there was no documentation dedicated to this. There was also
some requests on the mailing list for a HOWTO manual. So, I decided to write
this HOWTO as a starting point for new users and possibly create a building
block for other knowledgeable users. If you, the reader, have any additional
ideas, corrections, or questions about this document, please feel free to
contact us. " This document was originally written by Ambrose Au back in August, 1996,
based on the 1.x kernel IPMASQ FAQ written by Ken Eves and numerous helpful
messages from the original IP Masquerade mailing list. In particular, a
mailing list message from Matthew Driver inspired Ambrose to set up IP
Masquerade and eventually write version 0.80 of this HOWTO. In April 1997,
Ambrose created the Linux IP Masquerade Resource Web site at
http://ipmasq.webhop.net which has
provided up-to-date information on Linux IP Masquerading ever since. In
February 1999, David Ranch took over
maintenance of the HOWTO. David then re-wrote the HOWTO and added a
substantial number of sections to the document. Today, the HOWTO is still
maintained by David where he constantly updates it and fixes any reported bugs,
etc. Please feel free to send any feedback or comments regarding this HOWTO to
dranch@trinnet.net if you have
any corrections or if any information/URLs/etc. is missing. Your invaluable
feedback will certainly influence the future of this HOWTO! This HOWTO is meant to be a fairly comprehensive guide to getting your Linux
IP Masquerading system working in the shortest time possible. David only
plays a technical writer on T.V. so you might find the information in this
document not as general and/or objective as it could be. If you think a
section could be clearer, etc.. please let David know. The latest version of
the MASQ HOWTO can be found at
Dranch's Linux Page. Additional news, mirrors of the HOWTO, and
information regarding IPMASQ can be found at the
IP Masquerade Resource web page.
If you have any technical questions on IP Masquerade, please join the
IP Masquerade Mailing List
instead of sending email to David or Ambrose. Most MASQ problems are -common-
for ALL MASQ users and can be easily solved by users on the list. In addition
to this, the response time of the IP MASQ email list will be much faster than
a reply from either David or Ambrose. The latest version of this document can be found at the following sites which
also contains HTML, Postscript, PDF, etc. versions
1.3. Copyright & DisclaimerThis document is copyrighted(c) 2003,2002,2001,2000 for
David A. Ranch and it is a FREE document. You may redistribute it
under the terms of the GNU General Public License (GPL). The information herein this document is, to the best of David's knowledge,
correct. However, the Linux IP Masquerade feature is written by humans and
thus, the chance of mistakes, bugs, etc. might occur from time to time. No person, group, or other body is responsible for any damage on your
computer(s) and any other losses by using the information on this document.
i.e. "THE AUTHORS AND ALL MAINTAINERS ARE NOT RESPONSIBLE FOR ANY
DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS
DOCUMENT. " Ok, with all this behind us... On with the show..
Chapter 2. Background Knowledge2.1. What is IP Masquerade?IP Masquerade is a networking function in Linux similar to the one-to-many
(1:Many) NAT (Network Address Translation) servers found in many commercial
firewalls and network routers. For example, if a Linux host is connected to
the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other
"internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to
also reach the Internet as well. Linux IP Masquerading allows for this
functionality even though these internal machines don't have
an officially assigned IP address. MASQ allows a set of machines to invisibly
access the Internet via the MASQ gateway. To other machines on the Internet,
the outgoing traffic will appear to be from the IP MASQ Linux server itself.
In addition to the added functionality, IP Masquerade provides the foundation
to create a HEAVILY secured networking environment. With a well built firewall,
breaking the security of a well configured masquerading system and internal
LAN should be considerably difficult to accomplish. If you would like to know more on how MASQ (1:Many) differs from 1:1 (true) NAT
and Proxy solutions, please see the Section 7.6 FAQ entry.
2.2. Current StatusIP Masquerade has been in the Linux kernels for several years now and is quite
mature as the kernel enters the 2.4.x stage. Kernels since Linux 1.3.x have
had MASQ support built-in. Today, many individuals and commercial businesses
are using it with excellent results. 2.4.x kernel users:
The 2.4.x kernel hosts an entirely re-written set of NAT code which is
both far superior, faster, and more secure than any previous versions
written for Linux. Unfortunately, several kernel modules that were
written for the 2.2.x kernel to support things like UDP-based RealAudio,
etc. have not been ported to 2.4.x yet. Because of this, some people
should consider NOT upgrading if these network applications are critical
to them. But, at the same time, some of these programs have been updated
and now use different, NAT-friendly protocols. Thus special NAT treatment
is no longer required. As always, please see the
http://ipmasq.webhop.net/: The IP
Masquerade Resources site for updated news, etc.
Common network functionalities like Web browsing, telnet, ssh, ping,
traceroute, etc. work well over stock IP Masquerade setups. Other network
applications such as ftp, irc, and Real Audio work well with the appropriate
additional IP MASQ modules loaded into the kernel as modules. Other
network-specific programs like streaming audio (MP3s, True Speech, etc) should
work too without any special module. Some users on the mailing list also had
good results with video conferencing software. It should be noted that running IP Masquerade with only ONE network card (NIC)
to MASQ between internal and external Ethernet networks is NOT recommended.
For more details, please see Section 7.28 FAQ section. Anyways, please refer to Section 6.3 for a more
complete listing of software supported by IP Maquerade all kernel versions. IP Masquerade works well as a server to other 'client machines' running
various operating systems and hardware platforms. Here is a sampling of successful
reports with internal MASQed systems running :
UNIX: Sun Solaris, [Net,Free,Open,*i]-BSD, Hp-UX, Linux, IBM AIX, Digital UNIX, Ultrix, etc. Microsoft Windows 2000, NT (3.x and 4.x), 95/98/ME, Windows for Workgroups
(with the TCP/IP package) IBM OS/2 Apple Macintosh MacOS machines running either MacTCP or Open Transport DOS-based systems with packet drivers and the NCSA Telnet package VAXen Compaq/Digital Alpha running Linux and NT Amiga computers with AmiTCP or AS225-stack.
The list goes on and on but the point is, if your OS platform talks TCP/IP,
it should work with Linux's IP Masquerade!
2.3. Who Can Benefit From IP Masquerade?
If you have a Linux host connected to the Internet and.. if you have internal computers running TCP/IP connected that are connected to
this Linux box via on a network, and/or if your Linux host has more than one modem and acts as a PPP or SLIP server
connected to other computers, and these machines do not
have official or public assigned IP addresses (i.e. addressed with private
TCP/IP numbers). If you want those OTHER machines to communicate to
the Internet without spending extra money to acquire additional Public /
Official TCP/IP addresses from your ISP, then you should either configure
Linux to be a router or purchase an external router.
2.4. Who Doesn't Need IP Masquerade?
If your machine is a stand-alone Linux host connected to the Internet (setting
up a firewall is a good idea though), or if you already have multiple assigned public addresses for your OTHER machines, and if you don't like the idea of a 'free ride' using Linux and feel more
comfortable using expensive commercial tools to perform the exact same
functionalities.
2.5. How does IP Masquerade Work?Based from the original IP Masquerade FAQ by Ken Eves:
Here is a drawing of the most simplistic setup: PPP/ETH/etc. +------------+ +-------------+
to ISP provider | Linux #1 | PPP/ETH/etc. | Anybox |
| | | |
<---------- modem1| |modem2 ----------- modem3| |
| | | |
111.222.121.212 | | 192.168.0.100 | |
+------------+ +-------------+ |
In the above drawing, a Linux box with IP_MASQUERADING is installed as Linux
#1 and is connected to the Internet via PPP, Ethernet, etc. It has an
assigned public IP address of 111.222.121.212. It also has another network
interface (e.g. modem2) connected to allow incoming network traffic be it
from a PPP connection, Ethernet connection, etc. The second system (which does not need to be Linux) connects into the
Linux #1 box and starts its network traffic to the Internet. This second
machine does NOT have a publicly assigned IP address from the Internet, so it
uses an
RFC1918 private address, say 192.168.0.100. (see below for more info) With IP Masquerade and the routing configured properly, this second machine
"Anybox" can interact with the Internet as if it was directly connected to
the Internet with a few small exceptions [noted later]. Quoting Pauline Middelink (the founder of Linux's IPMASQ): "Do not forget to mention that the "ANYBOX" machine should have the Linux #1
box configured as its default gateway (whether it be the default route or
just a subnet is no matter). If the "ANYBOX" machine is connected via a PPP
or SLIP connection, the Linux #1 machine should be configured to support
proxy arp for all routed addresses. But, the setup and configuration of
proxy arp is beyond the scope of this document. Please see the PPP-HOWTO
for more details." The following is an excerpt on how IPMASQ briefly works though this will be
explained in more detail later. This short text is based from a previous post
on comp.os.linux.networking which has been edited to match the names used in
the above example: o I tell machine ANYBOX that my PPP or Ethernet connected Linux box is its
gateway.
o When a packet comes into the Linux box from ANYBOX, it will assign the
packet to a new TCP/IP source port number and insert its own IP address
inside the packet header, saving the originals. The MASQ server will
then send the modified packet over the PPP/ETH interface onto the
Internet.
o When a packet returns from the Internet into the Linux box, Linux
examines if the port number is one of those ports that was assigned
above. If so, the MASQ server will then take the original port and
IP address, put them back in the returned packet header, and send
the packet to ANYBOX.
o The host that sent the packet will never know the difference. |
Another IP Masquerading Example: A typical example is given in the diagram below: Ethernet
192.168.0.x
+----------+
| |
| A-box |::::::
| |.2 :
+----------+ :
: +----------+ PPP/ETH
+----------+ : .1 | Linux | link
| | :::::::| Masq-Gate|:::::::::::::::::::>> Internet
| B-box |:::::: | | 111.222.121.212
| |.3 : +----------+
+----------+ :
:
+----------+ :
| | :
| C-box |::::::
| |.4
+----------+
| | | >
| <-Internal Network--> | | <- External Network ----> >
| connected via an | | Connected from the >
| Ethernet hub or | | Linux server to your >
| switch | | Internet connection > |
In this example, there are (4) computer systems that we are concerned about.
There is also presumably something on the far right that your PPP/ETH
connection to the Internet comes through (modem server, DSL DSLAM, Cablemodem
router, etc.). Out on the Internet, there exists some remote host (very far
off to the right of the page) that you are interested in communicating with).
The Linux system named Masq-Gate is
the IP Masquerading gateway for ALL internal networked machines. In this
example, the machines A-box, B-box, and C-box would have to go through the Masq-Gate to reach the Internet. The
internal network uses one of several
RFC-1918 assigned private network addresses, where in this case, would
be the Class-C network 192.168.0.0. If you aren't familiar with RFC1918, it
is encouraged to read the first few chapters of the RFC but the jist of it is
that the TCP/IP addresses 10.0.0.0/8, 172.16-31.0.0/12, and 192.168.0.0/16
are reserved. When we say "reserved", we mean that anyone can use these
addresses as long as they aren't routed over the Internet. ISPs are even
allowed to use this private addressing space as long as they keep these
addresses within their own networks and NOT advertise them to other ISPs.
Unfortunately, this isn't always the case but thats beyond the scope of
this HOWTO. Anyway, the Linux box in the diagram above has the TCP/IP address 192.168.0.1
while the other systems has the addresses:
A-Box: 192.168.0.2 B-Box: 192.168.0.3 C-Box: 192.168.0.4
The three machines, A-box, B-box and
C-box, can have any one of several operating systems, just
as long as they can speak TCP/IP. Some such as Windows
95, Macintosh MacTCP or OpenTransport , or
even another Linux box have the ability to connect to
other machines on the Internet. When running the IP Masquerade, the
masquerading system or MASQ-gate converts all of these
internal connections so that they appear to originate from the
masq-gate itself. MASQ then arranges so that the data
coming back to a masqueraded connection is relayed to the proper originating
system. Therefore, the systems on the internal network are only able to see
a direct route to the internet and are unaware that their data is being
masqueraded. This is called a "Transparent" connection. NOTE: Please see Chapter 7 for more details on topics such as:
The differences between NAT, MASQ, and Proxy servers. How packet firewalls work
2.6. Requirements for IP Masquerade on Linux 2.4.x" ** Please refer to IP
Masquerade Resource for the latest information. ** " The newest 2.4.x kernels are now using both a completely new TCP/IP network
stack as well as a new NAT sub-system called NetFilter. Within this NetFilter
suite of tools, we now have a tool called IPTABLES for the 2.4.x kernels much
like there was IPCHAINS for the 2.2.x kernels and IPFWADM for the 2.0.x kernels.
The new IPTABLES system is far more powerful (combines several functions into
one place like true NAT functionality), offers better security (stateful
inspection), and better performance with the new 2.4.x TCP/IP stack. But this
new suite of tools can be a bit complicated in comparison to older generation
kernels. Hopefully, if you follow along with this HOWTO carefully, setting up
IPMASQ won't be too bad. If you find anything unclear, downright wrong, etc.
please email David about it. Unlike the migration to IPCHAINS from
IPFWADM, the new NetFilter tool has kernel modules that can actually
support older IPCHAINS and IPFWADM rulesets with minimal changes. So
re-writing your old MASQ or firewall ruleset scripts is not longer required.
BUT.. with the 2.4.x kernels, you cannot
use the old 2.2.x MASQ modules like ip_masq_ftp, ip_masq_irc, etc.
AND IPCHAINS is incompatible with the
new IPTABLES modules like ip_conntrack_ftp, etc. So, what does this mean?
It basically means that if you want to use IPMASQ or PORTFW functionality under
a 2.4.x kernel, you shouldn't use IPCHAINS rules but IPTABLES ones instead.
Please also keep in mind that there might be several benefits in performing a
full ruleset re-write to take advantage of the newer IPTABLES features like
stateful tracking, etc. but that is dependant upon how much time you have to
migrate your old rulesets. Please see Section 7.39 for
additional details.
Some new 2.4.x functionalities include the following: PROs:
Lots of new protocols modules like: amanda, eggdrop, ipsec, ipv6, portscan,
pptp, quota, rsh, talk, and tftp
TRUE 1:1 NAT functionality for those who have TCP/IP addresses and subnets
to use (no more iproute2 commands) Stateful application level (FTP, IRC, etc.) and stateful protocol level
(TCP/UDP/ICMP) network traffic inspection Built-in PORT Forwarding (no more ipmasqadm or ipportfw commands) The built-in PORTFW'ing support works for both external and internal
traffic. This means that users that have PORTFW for external traffic and
REDIR for internal port redirection do not need to use two tools any more! PORT Forwarding of FTP traffic to internal hosts is now completely supported
and is handled in the conn_trak_ftp module Full Policy-Based routing features (source-based TCP/IP address routing) Compatibility with Linux's FastRoute feature for significantly faster packet
forwarding (a.k.a Linux network switching). Note that this feature is still not compatible with packet filtering
for strong firewall rulesets. Fully supports TCP/IP v4, v6, and even DECnet (ack!) Supports wildcard interface names like "ppp*" for serial interfaces like
ppp0, ppp1, etc Supports filtering on both input and output INTERFACES (not just IP addresses) Source Ethernet MAC filtering Denial of Service (DoS) packet rate limiting Packet REJECTs now have user-selectable return ICMP messages Variable levels of logging (different packets can go to different SYSLOG
levels) Other features like traffic mirroring, securing traffic per login, etc.
CONs:
Netfilter is an entirely new architechure thus most of the older 2.2.x
MASQ kernel modules written to make non-NAT friendly network applications
work through IPMASQ need to be re-written for the 2.4.x kernels. Because of
this, if you specifically need functionality from some of these modules
(see below), you should stay with a 2.2.x kernel until these modules have
been either ported or the application has been updated to use NAT-friendly
protocols. If you are curious on the porting status of a given module,
please email the author of the module and NOT David or Ambrose. We don't
code.. we just document. :-) Here is the status of the known IP Masq kernel modules or patches as found
on the IPMASQ WWW site's Application
Support Matrix. In addition, you should also setup out the
Netfilter Patch-o-Matic URL as well. If you have the time and
knowledge to help in the porting of code, your efforts would be highly
appreciated: Status = Module name = Description and notes
--------- ----------- ----------------------------------
Ported CuSeeme Used for Video conferencing
NotPorted DirectPlay Used for online Microsoft-based games
Ported FTP Used for file transfers
- NOTEs: Built into the kernel and
fully supports PORTFWed FTP
ReWritten H.323 Used for Video conferencing
NotPorted ICQ Used for Instant messaging
* No longer required for modern ICQ clients
Ported Irc Used for Online chat rooms
Ported Quake Used for online Quake games
Ported PPTP Allow for multiple clients to the same server
NotPorted Real Audio Used for Streaming video / audio
* No longer required for modern RealVideo clients
NotPorted VDO Live Used for Streaming audio? |
Documentation on how to perform MASQ module porting is available at
http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html. If you have the time and knowledge, your talent would highly be
appreciated in porting these modules.
If you'd like to read up more on NetFilter and IPTables, please see:
http://www.netfilter.org/documentation/index.html#HOWTO
and more specifically http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html Linux 2.4.x IP Masquerade requirements include: Any decent computer hardware. See Section 7.2 for more
details.
The 2.4.x kernel source is available from http://www.kernel.org/.
NOTE: Most modern Linux distributions,
Section 7.1, that
natively come with 2.4.x kernels are typically modular kernels and have
all the IP Masquerade functionality already included. In such cases,
there is no need to compile a new Linux kernel. If you are UPGRADING your
kernel, you should be aware of other programs that might be required and/or
need to be upgraded as well (mentioned later in this HOWTO).
The program "iptables" version 1.2.4 or newer ( 1.2.7a or newer is highly
recommended ) archive available from
http://www.netfilter.org/
NOTE #1: All versions of IPTABLES less than 1.2.3 have a FTP module issue
that can bypass any existing firewall rulesets. ALL IPTABLES users are
highly recommended to upgrade to the newest version. The URL is above.
NOTE #2: All versions of IPTABLES less than 1.2.2 have a FTP "port" security
vulnerability in the ip_conntrack_ftp module. All IPTABLES users are highly
recommended to upgrade to the newest version. The URL is above.
This tool, much like the older IPCHAINS and IPFWADM tools enables the various
Masquerding code, more advanced forms of NAT, packet filtering, etc. It also
makes use of additional MASQ modules like the FTP and IRC modules. Additional
information on version requirements for the newest IPTABLES howto, etc. is
located at the
Unreliable IPTABLES HOWTOs
page.
Loadable kernel modules, preferably 2.1.121 or higher, are available from
http://home.pi.se/blox/modutils/index.html or
ftp://ftp.kernel.org/pub/linux/utils/kernel/modutils
A properly configured and running TCP/IP network running on the Linux machine
as covered in
Linux NET HOWTO and the
Network Administrator's Guide . Also check out the
TrinityOS document which is also authored by David Ranch. TrinityOS is a
very comprehensive guide for Linux networking. Some topics include IP MASQ, security,
DNS, DHCP, Sendmail, PPP, Diald, NFS, IPSEC-based VPNs, and performance sections,
to name a few. There are over Fifty sections in all! Connectivity to the Internet for your Linux host covered in
Linux ISP
Hookup HOWTO, Linux PPP HOWTO, and
TrinityOS. Other helpful HOWTOs could include:
Linux DHCP
mini-HOWTO,
Linux Cable Modem mini-HOWTO and
http://www.tldp.org/HOWTO/DSL-HOWTO/index.html Know how to configure, compile, and install a new Linux kernel as described in
the Linux Kernel
HOWTO. This HOWTO does cover kernel compiling but only for IP
Masquerade related options.
2.7. Requirements for IP Masquerade on Linux 2.2.x" ** Please refer to IP
Masquerade Resource for the latest information. ** "
Any decent computer hardware. See Section 7.2 for more
details.
The 2.2.x kernel source is available from http://www.kernel.org/.
NOTE: Most modern Linux distributions,
Section 7.1, that
natively come with 2.2.x kernels are typically modular kernels and have
all the IP Masquerade functionality already included. In such cases,
there is no need to compile a new Linux kernel. If you are UPGRADING your
kernel, you should be aware of other programs that might be required and/or
need to be upgraded as well (mentioned later in this HOWTO).
NOTE #1: --- UPDATE YOUR KERNEL ---
Linux 2.2.x kernels less than version 2.2.20 contain several different
security vulnerabilities (some were MASQ specific). Kernels less than
2.2.20 have a few local vulnerabilities. Kernel versions less
than 2.2.16 have a TCP root exploit vulnerability and versions less than
2.2.11 have a IPCHAINS fragmentation bug. Because of these issues, users
running a firewall with strong IPCHAINS rulesets are open to possible
instrusion. Please upgrade your kernel to a fixed version.
NOTE #2: Some newer Section 7.1 such as
Redhat 5.2 might not be Linux 2.2.x ready (upgradable). Tools
like DHCP, NetUtils, etc. will need to be upgraded. More details
can be found later in the HOWTO. Loadable kernel modules, preferably 2.1.121 or higher, are available from
http://home.pi.se/blox/modutils/index.html or
ftp://ftp.kernel.org/pub/linux/utils/kernel/modutils
A properly configured and running TCP/IP network running on the Linux
machine as covered in
Linux NET HOWTO and the
Network Administrator's Guide . Also check out the
TrinityOS document which is also authored by David Ranch. TrinityOS is
a very comprehensive guide for Linux networking. Some topics include IP MASQ,
security, DNS, DHCP, Sendmail, PPP, Diald, NFS, IPSEC-based VPNs, and
performance sections, to name a few. There are over Fifty sections in all! Connectivity to the Internet for your Linux host covered in
Linux ISP
Hookup HOWTO, Linux PPP HOWTO, and
TrinityOS. Other helpful HOWTOs could include:
Linux DHCP
mini-HOWTO,
Linux Cable Modem mini-HOWTO and
http://www.tldp.org/HOWTO/DSL-HOWTO/index.html IP Chains 1.3.10 or newer are available from
http://www.netfilter.org/ipchains/.
Additional information on
version requirements for the newest IPCHAINS HOWTO, etc is located at the
Linux IP Chains
page (mirror at
Samba.org) Know how to configure, compile, and install a new Linux kernel as described in
the Linux Kernel
HOWTO. This HOWTO does cover kernel compiling but only for IP
Masquerade related options.
Other optional patches and tools for 2.2.x kernels
TCP/IP port-forwarding or re-directing:
PORTFW FTP Solutions:
There are 2.2.x and 2.0.x kernel MASQ Module solutions for PORTFWed FTP
to a MASQed machine (put an FTP server behind a MASQ server). Please
see the Application Page on the IPMASQ WWW site for full details. Please note that this is not
required for 2.4.x kernels.
There is a full FTP proxy application from SuSe that will also allow
PORTFWed-like functionality to reach an internal FTP server. For more
details, please refer to the
SuSe Proxy
URL.
IPROUTE2 for True 1:1 NAT, Policy-based (source) routing, and Traffic
Shaping:
Please see the IP Masquerade Resource page for more information available on these patches and possibly
others as well.
2.8. Requirements for IP Masquerade on Linux 2.0.x" ** Please refer to IP
Masquerade Resource for the latest information. ** " Any decent computer hardware. See Section 7.2 for more
details. The 2.0.x kernel source is available from http://www.kernel.org/.
NOTE: Most modern Linux Section 7.1 that
natively come with 2.0.x kernels are typically modular kernels and have
all the IP Masquerade functionality already included. In such cases,
there is no need to compile a new Linux kernel. If you are UPGRADING your
kernel, you should be aware of other programs that might be required and/or
need to be upgraded as well (mentioned later in this HOWTO).
Loadable kernel modules, preferably 2.1.85 or newer is available from
http://home.pi.se/blox/modutils/index.html or
ftp://ftp.kernel.org/pub/linux/utils/kernel/modutils
(modules-1.3.57 is the minimal requirement)
A properly configured and running TCP/IP network running on the Linux machine
as covered in Linux
NET HOWTO and the Network Administrator's GuideAlso check out the
TrinityOS document which is also authored by David Ranch. TrinityOS is
a very comprehensive guide to Linux networking. Topics include IP MASQ,
security, DNS, DHCP, Sendmail, PPP, Diald, NFS, IPSEC-based VPNs, performance
issues, and many more. There exists over fifty sections in all! Connectivity to the Internet for your Linux host is covered in
Linux ISP
Hookup HOWTO, Linux PPP HOWTO, and
TrinityOS. Other helpful HOWTOs could include:
Linux DHCP
mini-HOWTO,
Linux Cable Modem mini-HOWTO and
Linux DSL HOWTO Ipfwadm 2.3.0 or newer is available from
http://www.xos.nl/linux/ipfwadm/download.html More information on version requirements are on the
Linux IPFWADM page If you are interested in running IPCHAINS on a 2.0.x+ kernel, see
Willy Tarreau's
IPCHAINS enabler for 2.0.36+ or
Rusty's
IPCHAINS for 2.0.x kernels. Please note that these patches are NOT
compatible with the IPPORTFW patches for the 2.0.x kernels. Unfortunately,
its an either/or deal. Know how to configure, compile, and install a new Linux kernel as described in
the Linux Kernel HOWTO. This HOWTO does cover kernel compiling but only
for IP Masquerade related options.
Here is a list of IP Masquerading patches for 2.0.x kernels: Steven Clarke's
IP
PortForwarding (IPPORTFW) - RECOMMENDED
IP AutoForward
- NOT
Recommended
REDIR for TCP
(REDIR) - NOT Recommended unless required for internal PORTFW
UDP redirector
(UDPRED) - NOT Recommended
PORTFWed FTP:
If you are going to port forward FTP traffic to an internal FTP server, you
might need to download Fred Viles's FTP server patch
The reason for "might" is that some
users have had success without the use of these pathches, while others need it.
Explicit details on this topic can be found in Section 6.7 of
this HOWTO.
X-Windows display forwarders:
PPTP (GRE) and SWAN (IPSEC) VPNs tunneling forwarders:
If you plan connecting an internal MASQed PC to a remote PPTP server,
you MUST INSTALL the PPTP-Masquerade kernel patch available from the URLsbelow.
If you plan on having external PPTP users connect to an internal masqueraded
PPTP server, not only do you need the kernel patch installed but you also need
PORTFW support enabled in the kernel. Please see the following URLs for the
patches and more information:
John Hardin's VPN Masquerade forwarders or the old patch for just
PPTP Support.
Game specific patches:
Chapter 3. Setting Up IP Masquerade3.1. Compiling a new kernel if neededIf your private network contains any vital information, think carefully in
terms of SECURITY before implementing IP Masquerade. By default, IP MASQ
becomes a GATEWAY for you to get onto the Internet, but it also can allow
someone from the Internet to possibly get into your internal network. Once you have IP MASQ functioning, it is HIGHLY recommended for the user to
implement a STRONG IPFWADM/IPCHAINS firewall ruleset. Please see
Section 6.4.1,
Section 6.4.2 and
Section 6.4.3 located below for more details.
3.2. Checking your existing kernel for MASQ functionalityAlmost ALL modern Linux distributions come MASQ-Ready
these days but its always good to check your system before you try to set
things up. Follow these few steps for your kernel to see if your kernel
is MASQ ready. To see which kernel your system is running, run the following command:
Just for clarity: 2.4.x kernels run IPTABLES :: 2.2.x kernels run IPCHAINS ::
2.0.x kernels run IPFWADM
In general, you must have kernel support for:
IP forwarding
IP masquerading
IP Firewalling
etc.
You will also need to have most MASQ-related modules compiled (most modular
kernels will already have all you need already done. Then you will NOT need
to re-compile the kernel. If you AREN'T SURE if your Linux distribution is
MASQ ready, do the following:
2.4.x kernels (look for most of the
following entries out of the much longer list):
Run the command "ls /proc/sys/net/ipv4" while logged
into the Linux box. These items are required and should be present
regardless if your kernel built IPMASQ as modules or statically.
To check if IPMASQ was compiled statically into the kernel, run the
command "/sbin/lsmod" and see if and modules like
the ones shown below for the MODULE section are loaded. No? Ok,
now run the command "ls /proc/net/" and see if you
see additional /proc files such as:
ip_masquerade
ip_conntrack
ip_tables_names
If you see these /proc entries and there WEREN'T any kernel modules loaded
(shown via the "lsmod" command mentioned above), then your kernel has
the IPTABLES subsystem statically compiled into it and is ready to go to
use IPMASQ on this system.
If your kernel uses IPTABLES via modules, most of the stuff listed above
should have been missing (because the modules probably aren't loaded).
Run the command "ls
/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/" where you should
see files like:
ip_conntrack.o, ip_conntrack_ftp.o, ip_conntrack_irc.o,
ip_nat_ftp.o, ip_nat_irc.o
ip_tables.o, ipt_MASQUERADE.o, iptable_nat.o,
iptable_mangle.o, iptable_filter.o
And some optional ones like: ipchains.o, ipt_REJECT.o,
and ipt_tcpmss.o
If you see those kernel files, IPTABLES was compiled using modules and
things look ready to go to use IPMASQ on this system.
2.2.x kernels (look for most of the
following entries out of the much longer list): list):
2.0.x kernels (look for most of the
following entries out of the much longer list):
Ultimately, it comes down to the fact if you see /proc files such as
"iip_forward", "ip_masq_debug",
"ip_masq_udp_dloose"(optional), and "ip_always_defrag" (optional) exist. So. Do most of the above /proc entries or kernel modules show up for your
respective kernel? If so, thats good! If you cannot find any of the above
entries or if you aren't sure if your distribution supports IP Masquerading by
default, ASSUME IT DOESN'T SUPPORT MASQ. You can do one last check by looking
at the Section 7.1 section and see if your
Linux Distribution is listed. Still not there? Sounds like you'll need to
compile a kernel but don't worry.. it isn't hard. Regardless if your current kernel has MASQ support or
not, reading the remainder of this section is still highly
recommended as it contains other useful information.
3.2.1. Compiling Linux 2.4.x Kernels First, you'll need to get some 2.4.x kernel sources (preferably the latest
kernel version - NEWER *IS* BETTER IN LINUX LAND)
NOTE #1: As both the 2.4.x kernel train and the iptables program
development progresses, the compile configurion options will change over time.
As of this version of the IPMASQ howto, this section reflects the settings for
IPTABLES 1.2.7a and the 2.4.20 kernel. If you are compiling against a newer
or previous kernel or IPTABLES version, the dialogs and even commands might
look different. It is recommended that you update to the newest versions of
both the kernel and IPTABLES for added capability, performance, and stability
of the kernel.
Next, depending on the version of the Linux kernel and IPTABLES archive you
downloaded, you might want to apply some
IPTABLES "patch-o-matic" patches against the kernel. These OPTIONAL patches
might fix some known problems, add additional functionality you might need
(H.323 protocol, specific issues with network games), etc. It should be
noted that the Patch-O-Matic patches used to come with the IPTABLES archive.
This is no longer the case and you have to download them (if any) seperately.
You can find the the various URLs for downloading IPTABLES, the
Patch-o-matic system, etc. Section 2.6.
If this is your first time compiling the kernel, don't be scared. In fact,
it's rather easy and it's covered in several URLs found in
Section 2.6. Please note that the instructions
included here is just one way to do build a kernel. Please see the Kernel
HOWTO for full details. NOTE: Please notice that it IS NOT recommended to put the new kernel sources
into the /usr/src/linux directory. You should leave the original kernel
sources that came with your Linux distribution in /usr/src/linux. For more
details on this topic, please read the "README" file in the top level
directory of the kernel sources. For this HOWTO example, create a directory called /usr/src/kernel.
Next, "cd" into this directory and download the newest 2.4.x kernel sources
into it. Once downloaded, issue the following command (if the file ends in a .tar.gz):
tar xvzf linux-2.4.x.tar.gz or (if the file ends in a
.tar.bzip2): tar xyvf linux-2.4.x.tar.bz2. Please
substitute the "x" in the 2.4.x filename with the Linux 2.4 kernel version you
downloaded. BZ2 Note: Some Linux distributions use the "I" option instead of the "y"
option to decompress bzip2 archives. Once uncompressed, I recommend that you rename the directory from the stock
"linux" name to "linux-2.4.x" (replace the "x" with the specific version of
your newly installed kernel) for clarity. To do this, run the command
"mv linux linux-2.4.x". Next, make sure there is a
directory or symbolic link pointing to
"/usr/src/kernel/linux" ie. run the command:
ln -s /usr/src/kernel/linux-2.4.x /usr/src/kernel/linux |
again subsituting the "x" for your proper kernel version.
As mentioned above, you might consider applying any appropriate or optional
patches to the kernel's MASQ code BEFORE you compile the final kernel.
The IP MASQ code found in the stock kernels is already very useful and does
not require any specific patching in order for the system to work for
NAT-friendly network applications. Many of these patches are only to fix
possible known bugs, add new features (some are /very/ cool), etc. Please
refer to Section 2.6 for URLs and the
IP Masquerade Resources for
up-to-date information and patch URLs. Applying IPTABLES and Patch-o-Matic kernel patches Download the iptables package and optional Patch-O-matics from the
Section 2.6 and put it into a directory, say
"/usr/src/archive/netfilter". Next, go into this new
netfilter directory and uncompress the iptables archive with the command: tar xyvf iptables-x.y.z.tar.bz2
tar xyvf patch-o-matic-x.tar.bz2 |
Now, go into the new iptables-x.y.x directory
(/usr/src/archive/netfilter/iptables-x.y.z) and run the command #For iptables v1.2.7a:
make KERNEL_DIR=/usr/src/kernel/linux
#For iptables v1.2.4 (when Patch-o-matic was built-in):
make pending-patches KERNEL_DIR=/usr/src/kernel/linux
|
NOTE: this assumes that your 2.4.x kernel sources are in the
/usr/src/kernel/linux directory. NOTE #2: If you append a "/" to the end of the above command line, you
will get an error stating:
"make: *** [/usr/src/kernel/linux/include/asm/socket.h] Error 1". |
Remove the trailing "/" and try again.Here is an example of compiling IPTABLES v1.2.7a. Your output might look
different depending on what version you are trying to use. # make KERNEL_DIR=/usr/src/kernel/linux
Extensions found:
cc -O2 -Wall -Wunused -I/usr/src/kernel/linux/include -Iinclude/
-DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o extensions/libipt_ah_sh.o -c
extensions/libipt_ah.c
ld -shared -o extensions/libipt_ah.so extensions/libipt_ah_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel/linux/include -Iinclude/
-DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o extensions/libipt_conntrack_sh.o -c
extensions/libipt_conntrack.c
ld -shared -o extensions/libipt_conntrack.so extensions/libipt_conntrack_sh.o
cc -O2 -Wall -Wunused -I/usr/src/kernel/linux/include -Iinclude/
-DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o extensions/libipt_dscp_sh.o -c
extensions/libipt_dscp.c
extensions/libipt_dscp_helper.c:69: warning: `dscp_to_name' defined but not
used
ld -shared -o extensions/libipt_dscp.so extensions/libipt_dscp_sh.o
.
.
.
cc -O2 -Wall -Wunused -I/usr/src/kernel/linux/include -Iinclude/
-DIPTABLES_VERSION=\"1.2.7a\" -c -o libipulog/libipulog.o
libipulog/libipulog.c
ar rv libipulog/libipulog.a libipulog/libipulog.o
a - libipulog/libipulog.o
rm libiptc/libip6tc.o libiptc/libip4tc.o libipulog/libipulog.o libipq/libipq.o |
Ok, hopefully the IPTABLES program compiled up for you. Now, you need to
install it. To do this, directory and run the command make install KERNEL_DIR=/usr/src/kernel/linux |
Here is an example of installing IPTABLES v1.2.7a. Your output might look
different depending on what version you are trying to use. # make install KERNEL_DIR=/usr/src/kernel/linux
cp iptables /usr/local/sbin/iptables
cp iptables-save /usr/local/sbin/iptables-save
cp iptables-restore /usr/local/sbin/iptables-restore
cp ip6tables /usr/local/sbin/ip6tables
cp extensions/libipt_ah.so /usr/local/lib/iptables/libipt_ah.so
cp extensions/libipt_conntrack.so /usr/local/lib/iptables/libipt_conntrack.so
cp extensions/libipt_dscp.so /usr/local/lib/iptables/libipt_dscp.so
cp extensions/libipt_ecn.so /usr/local/lib/iptables/libipt_ecn.so
cp extensions/libipt_esp.so /usr/local/lib/iptables/libipt_esp.so
cp extensions/libipt_helper.so /usr/local/lib/iptables/libipt_helper.so
.
.
.
cp extensions/libip6t_udp.so /usr/local/lib/iptables/libip6t_udp.so
cp extensions/libip6t_LOG.so /usr/local/lib/iptables/libip6t_LOG.so
cp extensions/libip6t_MARK.so /usr/local/lib/iptables/libip6t_MARK.so |
Next, if you are interested in applying a Patch-O-Matic patch set, go into the
patch-o-matic-X directory
(/usr/src/archive/netfilter/patch-o-matic-X) and run the command #For Patch-O-Matic later than the release of iptables v1.2.7a:
KERNEL_DIR=/usr/src/kernel/linux
./runme pending
|
NOTE #1: The use of the "pending" batch is the most common for IPMASQ
functionality but there are several others. See below. NOTE #2: this assumes that your 2.4.x kernel sources are in the
/usr/src/kernel/linux directory. NOTE #3: If you append a "/" to the end of the command line, you
will get an error stating:
"make: *** [/usr/src/kernel/linux/include/asm/socket.h] Error 1".
Remove the trailing "/" and try again. |
Here is an example of the Patch-O-Matic prompts you might receive for a
2.4.20 kernel with the "20030107" Patch-O-Matic set. You can also run the
"runme" program in a batch mode to speed things up, add experimental patches,
etc. if you'd like. To better
understand your options, simply run the "./runme" command
by itself. Please note that these prompts WILL CHANGE over time. Welcome to Rusty's Patch-o-matic!
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Already applied: submitted/01_2.4.19
submitted/02_2.4.20
submitted/ipt_ULOG-mac_len-fix
submitted/ipt_multiport-invfix
pending/01_ip_conntrack_proto_tcp-lockfix
pending/02_newnat-udp-helper
pending/03_REJECT-fwspotting-phrack60-fix
pending/04_ftp-conntrack-msg-fix
Testing... 05_ECN-tcpchecksum-littleendian-fix.patch NOT APPLIED (1 rejects out
of 1 hunks)
The pending/05_ECN-tcpchecksum-littleendian-fix patch:
Author: Patrick McHardy
Status: Pending for kernel inclusion
The 2.4.20 kernel included the new iptables 'ECN' target, enabling a
selective
ECN disable mechanism. Unfortunately there was a bug in the incremental
TCP
checksum update, resulting in broken TCP checksums on little endian
machines.
This patch fixes the Bug.
Testing patch pending/05_ECN-tcpchecksum-littleendian-fix.patch...
Patch pending/05_ECN-tcpchecksum-littleendian-fix.patch applied cleanly.
Applying patch pending/05_ECN-tcpchecksum-littleendian-fix.patch...
Patch pending/05_ECN-tcpchecksum-littleendian-fix.patch applied cleanly.
Excellent! Kernel is now ready for compilation. |
If everything patches fine, you should see something like the text
Excellent! Kernel is now ready for compilation. |
towards the bottom of the screen. Beyond that, you don't have to
install anything at this point. The next step is to compile the new
PATCHED kernel.
Ok, now the new kernel is ready to be compiled but you should make sure
that you also have the proper matching iptables program
on your machine too (just to make sure). Run the command:
and make sure its installed on the machine (the default place is in
/usr/local/sbin/iptables. If you cannot find it
or patched up your kernel sources as shown above, I recommend you just
re-compile it up as shown above.
Now that the kernel sources are patched up, you need to configure it to
know what kinds of features you need (HD support, Networking support, MASQ
support, etc.). Here are the MINIMUM kernel configuration options required
to enable IP Masquerade functionality. Please understand that this HOWTO
illustrates just ONE way to configure and compile a kernel (modules vs static).
The main difference from this example vs. an example given by a different
MASQ guide is that some people might wish to compile kernel components either
as modules OR monolithically into the
kernel. Basically, compiling things as modules gives you added flexibility
to what is or isn't installed into the kernel (reduces unneeded memory use
for things you aren't / won't use and modules also allow for drop-in software
upgrades [usually no need to reboot the machine]). On the flip side, kernel
modules add more complexity to your configuration and sometimes the kernel
auto-loader might make mistakes (not that I've ever seen this happen).
Compiling things directly into the kernel makes things simpler BUT you loose
a huge level of flexibility. The following kernel configuration example is a
mixture of both a selection of kernel modules and building them in
monolithically (you probably will ALWAYS need MASQ functionality ready to go). Side Note: It is assumed that you will also configure the kernel to use your
other installed hardware such as USB printers, Ethernet network interfaces,
SCSI and IDE HD controllers, etc. as well. Please refer to the
Linux Kernel HOWTO and the kernel source's "README"
file and "Documentation/" directory for detailed help on
compiling a kernel.
You will need to answer either YES, NO, or MODULE to the following program. Not all options will be available
without the proper kernel patches described later in this HOWTO. This
shouldn't be an issue as most 3rd party patches are only needed for a very
select group of users. Run the following commands to configure your kernel:
cd /usr/src/kernel/linux
make menuconfig
Please note the following kernel prompts reflect a 2.4.14 kernel (with some of
the optional Patch-O-Matic additions. Please read the following carefully for
recommendations: [ Code maturity level options ]
* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
- YES: though not required for IP MASQ, this option allows the kernel to create
the MASQ modules and enable the option for port forwarding
* Enable loadable module support (CONFIG_MODULES) [Y/n/?]
- YES: allows you to load kernel IP MASQ modules
* Set version information on all module symbols (CONFIG_MODVERSIONS) [Y/n/?]
- YES: allows newer kernels to load older modules if possible
* Kernel module loader (CONFIG_KMOD) [Y/n/?]
- OPTIONAL: Recommended : allows the kernel to load various kernel modules as it needs them
== Non-MASQ options skipped
== (CPU type, memory, SMP, FPU, specific stuff)
[ General setup ]
* Networking support (CONFIG_NET) [Y/n/?]
- YES: Enables the network subsystem
== Non-MASQ options skipped
== (specific hardware, PCI, kernel binaries, PCMCIA, etc.)
* Sysctl support (CONFIG_SYSCTL) [Y/n/?]
- YES: Enables the ability to enable disable options such as forwarding,
dynamic IPs, etc. via the /proc interface
[ Block devices ]
== Non-MASQ options skipped
== (kernel binaries, power management, PnP, RAID, etc.)
== Don't forget to compile in support for hardware that you might need:
== IDE controllers, HDs, CDROMs, etc.
[ Networking options ]
* Packet socket (CONFIG_PACKET) [Y/m/n/?]
- YES: Though this is OPTIONAL, this recommended feature will allow you
to use TCPDUMP to debug any problems with IP MASQ
* Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y
- YES: Speed up the packet protocol
* Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?]
- OPTIONAL: Recommended : this feature will allow the logging of
advanced firewall issues such as routing messages, etc
* Routing messages (CONFIG_RTNETLINK) [N/y/?] (NEW) y
- OPTIONAL: Allows for support of advanced kernel routing messages
if you enabled the CONFIG_NETLINK option
* Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW)
- NO: This option does not have anything to do with packet firewall
logging
* Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y
- YES: Enable this option to let IPTABLES configure the TCP/IP subsection
of the kernel. By enabling this, then you can turn on advanced
routing mechanisms like IP Masq, packet filtering, etc.
* Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) n
- NO: Not required for Masquerading functionality though it may help
for troubleshooting. There might be a performance penalty when
enabling this.
* Socket Filtering (CONFIG_FILTER) [Y/n/?]
- OPTIONAL: Recommended : Though this doesn't have anything do with IPMASQ,
if you plan on implimenting a DHCP server on the internal network, you WILL
need to enable this option.
* Unix domain sockets (CONFIG_UNIX) [Y/m/n/?]
- YES: This enables the UNIX TCP/IP sockets mechanisms
* TCP/IP networking (CONFIG_INET) [Y/n/?]
- YES: Enables the TCP/IP protocol
* IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?]
- OPTIONAL: You can enable this if you want to be able to receive
Multicast traffic. Please note that your ISP must
support Multicast as well for this all to work at all
* IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?]
- OPTIONAL: Though there is nothing in this section mandatory for
Masquerade, some specific options might be useful
== Non-MASQ options skipped
== ( autoconf, tunneling )
* IP: multicast routing (CONFIG_IP_MROUTE) [N/y/?] n
- OPTIONAL: Though not needed for IPMASQ, enabling this feature will
let you route multicast traffic through your Linux box.
Please note that this requires that your ISP be multicast
enabled as well.
== Non-MASQ options skipped
== (ARPd)
* IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?] n
- NO: Though enabling this option would be great, there are many Internet
sites out there that will block this. Hit the "?" when configuring
the kernel to learn more about it but it is recommended to say NO for
now.
* IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [Y/n/?]
- YES: Recommended : for basic TCP/IP network security
[ Networking options --> IP: Netfilter Configuration ]
* Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/m/?] (NEW) m
- YES: (Module) This enables the kernel to track various network connections.
This option is required for Masquerading support as well as to enable
Stateful tracking for various filewall mechanisms. Please note that
if you compile this directly into the kernel, you cannot enable
the legacy IPCHAINS or IPFWADM compatibility modules.
* FTP protocol support (CONFIG_IP_NF_FTP) [M/n/?] (NEW) m
- YES: (Module) This enables the proper Masquerading of FTP connections if
CONFIG_IP_NF_CONNTRACK was enabled above
* IRC protocol support (CONFIG_IP_NF_IRC) [M/n/?] (NEW) m
- YES: (Module) This enables the proper Masquerading of IRC connections if
CONFIG_IP_NF_CONNTRACK was enabled above
* Userspace queueing via NETLINK (EXPERIMENTAL) (CONFIG_IP_NF_QUEUE) [N/y/m/?] (NEW) m
- OPTIONAL: Though this is OPTIONAL, this feature will allow IPTABLES to
copy specific packets to UserSpace tools for additional checks
* IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [N/y/m/?] (NEW) m
- YES: (Module) Enables IPTABLES support
* limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/y/m/?] (NEW) y
- OPTIONAL: (Module) Recommended : Though not required, this option can used to
enable rate limiting of both traffic and loggin messages help slow down denial
of service (DoS) attacks.
* MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/y/m/?] (NEW) m
- OPTIONAL: Though not required, the option can allow you to
filter traffic based upon the SOURCE Ethernet MAC address.
* netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/y/m/?] (NEW) y
- YES: (Module) Recommended : This enables IPTABLES to take action upon marked packets.
This mechanism can allow for PORTFW functionality, TOS marking, etc.
* Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/y/m/?] (NEW) y
- YES: (Module) Recommended : This enables IPTABLES to accept mutliple SRC/DST port
ranges (non-contiguous) instead of one port range per IPTABLES
statement.
* TOS match support (CONFIG_IP_NF_MATCH_TOS) [Y/m/n/?] n
- OPTIONAL: This allows IPTABLES to match packets based upon their
DIFFSERV settings.
* LENGTH match support (CONFIG_IP_NF_MATCH_LENGTH) [N/m/?] (NEW) n
- OPTIONAL: This allows IPTABLES to match packets based upon their
packet length.
* TTL match support (CONFIG_IP_NF_MATCH_TTL) [N/m/?] (NEW) ? n
- OPTIONAL: This allows IPTABLES to match packets based upon their
TTL settings.
* tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) [N/y/m/?] m
- OPTIONAL: (Module) Recommended : This option allows users to examine the MSS value in
TCP SYN packets. This is an advanced knob but can be very valuable in
troubleshooting MTU problems.
* Connection state match support (CONFIG_IP_NF_MATCH_STATE) [M/n/?] m
- YES: (Module) Recommended : This option allows for Stateful tracking of network
connections.
* Unclean match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_UNCLEAN) [N/y/m/?] y
- YES: (Module) Recommended : This option allows for connection tracking on odd packets.
It cal also help in the detection of possibly malicious packets.
This can be a valuable tool in tracking hostile people on the network.
* Owner match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_OWNER) [N/y/m/?] n
- OPTIONAL: This option allows IPTABLES to match traffic based upon the
user login, group, etc. who created the traffic.
* Packet filtering (CONFIG_IP_NF_FILTER) [N/y/m/?] ? y
- YES: (Module) This option allows for the kernel to be able filter traffic at
the INPUT, FORWARDING, and OUTPUT traffic points.
* REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/y/m/?] (NEW) y
- YES: (Module) With this option, a packet firewall can send an ICMP Reject packet
back to the originator when a packet is blocked.
* MIRROR target support (EXPERIMENTAL) (CONFIG_IP_NF_TARGET_MIRROR) [N/y/m/?] (NEW) n
- OPTIONAL: This option allows the packet firewall to mirror the exact same
network packet back to the originator when it is supposed to be
blocked. This is similar to the REJECT option above but it actually
sends the original packet back to the originator. i.e. a
hostile user could actually portscan themselves.
* Full NAT (CONFIG_IP_NF_NAT) [M/n/?] m
- YES: (Module) This option enables the future menus to enable Masquerading,
PORTFWing, Full (1:1) NAT, etc.
* MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE) [M/n/?] (NEW) m
- YES: (Module) This option specifically enables Masquerade into the
kernel
* REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT) [N/y/m/?] n
- OPTIONAL: Not needed for normal MASQ functionality though people who
want to do transparent proxy via Squid will want this.
* Basic SNMP-ALG support (EXPERIMENTAL) (CONFIG_IP_NF_NAT_SNMP_BASIC) [N/m/?] n
- OPTIONAL: This enables IPTABLES to properly NAT internal SNMP packets so
that machines with duplicate addressing ranges can be properly
managed.
* Packet mangling (CONFIG_IP_NF_MANGLE) [N/y/m/?] y
- YES: (Module) This option allows for advanced IPTABLES packet manipulation
options.
* TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/y/m/?] (NEW) n
- OPTIONAL: Enables the kernel to modify the TOS field in a packet
before routing it on
* MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/y/m/?] (NEW) m
- OPTIONAL: (Module) Recommended : This enables the kernel to manipulate
packets based upon the MARK field. This can be used for PORTFW
as well as many other things.
* LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/y/m/?] m
- YES: (Module) This allows for the logging of packets before they are accepted,
denied, rejected, etc.
* TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) [N/y/m/?] ? m
- YES: (Module) This option help some people with MTU problems. Typically,
most users have to set their Internet connection's MTU to
1500 as well as ALL internal machines to 1500. With this
option, this whole MTU issue might be finally solved.
* ipchains (2.2-style) support (CONFIG_IP_NF_COMPAT_IPCHAINS) [N/y/m/?] m
- OPTIONAL: (Module) Recommended : If you have an existing IPCHAINS ruleset
(2.2.x kernels) and enable this option, you can continue to use the
IPCHAINS program and the majority of your old ruleset except for the
use of any 2.2.x kernel-specific modules. Please note that if this
IPCHAINS module is loaded, ALL IPTABLES modules will be non-
operational. This is an either/or deal only intended for legacy
rulesets.
* ipfwadm (2.0-style) support (CONFIG_IP_NF_COMPAT_IPFWADM) [N/y/m/?] n
- OPTIONAL: If you have an existing IPFWADM ruleset (2.0.x kernels) and
enable this option, you can continue to use the IPFWADM program and
the majority of your old ruleset except for the use of any 2.0.x
kernel-specific modules. Please note that if this IPFWADM module
is loaded, ALL IPTABLES modules will be non operational. This is
an either/or deal only intended to support legacy rulesets.
== Non-MASQ options skipped
== (IPv6, khttpd, ATM, IPX, AppleTalk, etc.) --
* Fast switching (read help!) (CONFIG_NET_FASTROUTE) [N/y/?] n
- NO: This performance optimization is NOT compatible with IP MASQ and/or
packet filtering
== Non-MASQ options skipped
== (QoS, Telephony, IDE, SCSI, 1394FW, I2O, etc)
== Don't forget to compile in support for hardware that you might need:
== IDE: HDs, CDROMs, etc.
== SCSI: HDs, CDROMs, etc.
[ Network device support ]
* Network device support (CONFIG_NETDEVICES) [Y/n/?]
- YES: Enables the Linux Network device sublayer
== Non-MASQ options skipped
== (Arcnet)
* Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
- YES: Though OPTIONAL, this option can help when debugging problems
== Non-MASQ options skipped
== (EQL, etc..)
== Don't forget to compile in support for hardware that you might need:
== NICs: eth, tr, etc.
== MODEMs: ppp (ppp async) and/or slip
== WANs: T1, T3, ISDN, etc.
== ISDN: for internal ISDN modems
== Non-MASQ options skipped
== (Amateur Radio, IrDA, ISDN, USB, etc.)
[ Character devices ]
== Don't forget to compile in serial port support if you are a modem user
== Don't forget to compile in mouse support
== Non-MASQ options skipped
== (I2C, Watchdog cards, Ftape, Video for Linux, etc. )
[ File systems ]
== Non-MASQ options skipped
== (Quota, ISO9660, NTFS, etc )
* /proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
- YES: Required to dynamically configure the Linux forwarding
and NATing systems
== Non-MASQ options skipped
== (Console drivers, Sound, USB, Kernel Hacking)
|
So go ahead and select "exit" and you should be prompted to save your config. NOTE: These are just the kernel components you need for IP Masquerade networking
support. You will need to select whatever other options needed for your
specific setup. If you want more information on what each one of these kernel
modules does, please see the FAQ section of this HOWTO for details.
Now compile the kernel (make dep; make clean; make bzImage; make modules;
make modules_install) , etc. Again, it is beyond the scope of this HOWTO
if you have problems compiling your kernel. Please see
Section 2.6 for URLs to the KERNEL howto, etc. You will then have move over the kernel binary, update your bootloader
(LILO, Grub, etc.), and reboot. If you have questions about kernel compiling,
I highly recommend to consult some of the URLs mentioned above in this section.
3.2.2. Compiling Linux 2.2.x KernelsPlease see Section 2.7 for
any required software, patches, etc. First of all, you need the kernel source for 2.2.x (preferably the latest
kernel version)
NOTE #1: --- UPDATE YOUR KERNEL ---
Linux 2.2.x kernels less than version 2.2.20 contain several different
security
vulnerabilities (some were MASQ specific). Kernels less than
2.2.20 have a few local vulnerabilities. Kernel versions less
than 2.2.16 have a TCP root exploit vulnerability and versions less than
2.2.11 have a IPCHAINS fragmentation bug. Because of these issues, users
running a firewall with strong IPCHAINS rulesets are open to possible
instrusion. Please upgrade your kernel to a fixed version.
NOTE #2: As the 2.2.x train progressed, the compile-time options keep on
changing. As of this version, this section reflects the settings for a
2.2.20 kernel.
If you are running either a newer or older kernel version, the dialogs
will look different. It is recommended that you update to the newest
kernel for added capability and stability of the system.
If this is your first time compiling the kernel, don't be scared. In fact,
it's rather easy and it's covered in several URLs found in
Section 2.7. Please note that the instructions
included here is just one way to do build a kernel. Please see the Kernel
HOWTO for full details.
NOTE: Please notice that it isn't
recommended to put the new kernel sources into /usr/src/linux. You
should leave the original kernel sources that came with your Linux
distribution in /usr/src/linux. For more details on this
topic, please read the "README" file in the top level directory of
your kernel sources.
For this HOWTO example, create a directory called /usr/src/kernel.
Next, "cd" into this directory and download the newest 2.2.x kernel sources
into it. Once downloaded, issue the following command (if the file ends in a .tar.gz):
tar xvzf linux-2.2.x.tar.gz or (if the file ends in a
.tar.bzip2): tar xyvf linux-2.2.x.tar.bz2. Please
substitute the "x" in the 2.2.x filename with the Linux 2.2 kernel version you
downloaded.
NOTE: Some Linux distributions use the "I" option instead of the "y" option to
decompress bzip2 archives.
Once uncompressed, I recommend that you rename the directory from "linux" to
"linux-2.2.x" for clarity. To do this, run the command mv linux
linux-2.2.x. Next, make sure there is a directory or symbolic
link pointing to /usr/src/kernel/linux ie. run the
command: ln -s /usr/src/kernel/linux-2.2.x /usr/src/kernel/linuxo
again subsituting the "x" for your proper kernel version.
Apply any appropriate or optional patches to the kernel source code. By
default, stock Linux kernels do not require any specific patching in order
for the system to work. Features like PPTP/IPSEC masqurading are already
built-in in the newest kernels but other tools like Xwindows forwarders
are optional. Please refer to Section 2.7 for
URLs and the IP Masquerade Resources
for up-to-date information and patch URLs.
Now that the kernel is patched up (if required), here are the MINIMUM kernel
configuration options required to enable IP Masquerade functionality. Please
understand that this HOWTO illustrates just ONE way to compile a kernel. The
main difference from this method vs. a different one is some people wish to
compile things either as modules OR monolithically right into the kernel.
Basically, compiling things as modules gives you added flexibility to what is
or isn't installed into the kernel (reduces unneeded memory use and allow for
drop-in upgrades [no need to reboot]) BUT they add more complexity to your
configuration. On the flip side, compiling things directly into the kernel
makes things simpler BUT you loose a level of flexibility. The following
example is a mixture of both built-in AND modules.
Side Note:
It is assumed that you will also configure the kernel to use your
other installed hardware such as network interfaces, optional SCSI controllers,
etc. as well. Please refer to the
Linux Kernel
HOWTO and the kernel source's README file and Documentation/ directory
for detailed help on compiling a kernel.
Please note the YES or NO ANSWERS to the
following. Not all options will be available without the proper kernel
patches described later in this HOWTO. Run the following commands to configure your kernel:
cd /usr/src/kernel/linux
make menuconfig
The following kernel prompts reflect a 2.2.20 kernel: [ Code maturity level options ]
* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
- YES: though not entirely required for IP MASQ, this option allows the kernel
to create possible additional MASQ modules such as PORTFW, etc.
== Non-MASQ options skipped
== (CPU, memory, MTRR, SMP, etc.)
[ Loadable module support ]
* Enable loadable module support (CONFIG_MODULES) [Y/n/?] y
- YES: allows you to load kernel IP MASQ modules
* Set version information on all symbols for modules (CONFIG_MODVERSIONS) [N/y/?] y
- YES: allows newer kernels to load older modules if possible
* Kernel module loader (CONFIG_KMOD) [Y/n/?] y
- OPTIONAL: Recommended : allows the kernel to load various kernel modules as
it needs them
[ General setup ]
* Networking support (CONFIG_NET) [Y/n/?]
- YES: This enables the network subsystem
== Non-MASQ options skipped
== (PCI, kernel binaries, specific hardware options, etc.)
* Sysctl support (CONFIG_SYSCTL) [Y/n/?]
- YES: Enables the ability to enable disable options such as forwarding,
dynamic IPs, etc. via the /proc interface
[ Block devices ]
== Non-MASQ options skipped
== (kernel binaries, power management, PnP, IDE, SCSI, etc.)
== Don't forget to compile in support for hardware that you might need:
== IDE controllers, HDs, CDROMs, etc.
[ Networking options ]
* Packet socket (CONFIG_PACKET) [Y/m/n/?] y
- YES: Though this is OPTIONAL, this recommended feature will allow you
to use TCPDUMP to debug any problems with IP MASQ
* Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] y
- OPTIONAL: Recommended : This feature will allow the logging of
advanced firewall issues such as routing messages, etc
* Routing messages (CONFIG_RTNETLINK) [Y/n/?] y
- OPTIONAL: If you enabled the CONFIG_NETLINK option above, this option
will send routing messages and other information to SYSLOG.
* Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) n
- NO: This option does not have anything to do with packet firewall
logging
* Network firewalls (CONFIG_FIREWALL) [Y/n/?] y
- YES: Enables the kernel to be comfigured by the IPCHAINS firewall tool
* Socket Filtering (CONFIG_FILTER) [Y/n/?] y
- OPTIONAL: Though this doesn't have anything do with IPMASQ, if you
plan on implimenting a DHCP server on the internal network, you
WILL need this option.
* Unix domain sockets (CONFIG_UNIX) [Y/m/n/?] y
- YES: This enables the UNIX TCP/IP sockets mechanisms
* TCP/IP networking (CONFIG_INET) [Y/n/?] y
- YES: Enables the TCP/IP protocol
* IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?] y
- OPTIONAL: You can enable this if you want to be able to receive
Multicast traffic. Please note that your ISP must
support Multicast as well for this all to work
* IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] n
- OPTIONAL: Though there is nothing in this section mandatory for
Masquerade, some specific options might be useful
* IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?] ?
- NO: Not needed for normal MASQ functionality
* IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] y
- YES: This enables the kernel to support packet filtering, NAT, etc.
* IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?] n
- OPTIONAL: Though this is OPTIONAL, this feature will allow IPCHAINS to
copy some packets to UserSpace tools for additional checks
* IP: transparent proxy support (CONFIG_IP_TRANSPARENT_PROXY) [N/y/?] n
- OPTIONAL: Not needed for normal MASQ functionality though people who
want to do transparent proxy via Squid will want this. Please note
that there is a PERFORMANCE PENALTY enabling this feature.
* IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?] y
- YES: Enable IP Masquerade to re-address specific internal to external
TCP/IP packets
* IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?] y
- YES: Enable support for masquerading ICMP ping packets (ICMP error
codes will be MASQed regardless). This is an important feature
for troubleshooting connections.
* IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?] y
- YES: Though OPTIONAL, this enables the option to later enable other
modules like the PORTFW to give external computers a directly
connection to specified internal MASQed machines.
* IP: ipautofw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [N/y/m/?] n
- NO: NOT recommended : IPautofw is a legacy method of port forwarding. It
is mainly old code and has been found to have some issues.
* IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/m/n/?] y
- OPTIONAL: Recommended : This enables PORTFW which allows external computers
on the Internet to directly communicate to specified internal MASQed
machines. This feature is typically used to allow access to internal
SMTP, TELNET, and WWW servers. Please note that FTP port forwarding
needs an additional patch, as described in the FAQ section of the MASQ
HOWTO. Please see the this FAQ section in the HOWTO for additional
information.
* IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?] y
- OPTIONAL: This is a NEW method of performing PORTFW-like functionality which is
similar to how the new 2.4.x kernels do things. With this option, IPCHAINS
can mark packets that should have additional work done upon it. Using a
UserSpace tool, much like IPMASQADM or IPPORFW, IPCHAINS would then
do things like re-address the packets, change their TOS value, etc.
Currently, this code is less tested than PORTFW but it looks promising.
For now, this HOWTO recommends to use IPMASQADM and IPPORTFW. If you
have specific thoughts or comments on MFW, please email dranch.
* IP: optimize as a router not host (CONFIG_IP_ROUTER) [Y/n/?] y
- YES: This optimizes the kernel for the network subsystem, though it
isn't well known if this makes a siginificant performance difference
or not.
== Non-MASQ options skipped
== ( autoconf, tunneling, GRE )
* IP: multicast routing (CONFIG_IP_MROUTE) [N/y/?] n
- OPTIONAL: Though not needed for IPMASQ, enabling this feature will
let you route multicast traffic through your Linux box.
Please note that this requires that your ISP be multicast
enabled as well.
== Non-MASQ options skipped
== (Aliasing, ARPd)
* IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [Y/n/?]
- YES: Recommended : for basic TCP/IP network security
* IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?]
- NO: This OPTIONAL selection is to enable PPTP and GRE tunnels through
the IP MASQ box
== Non-MASQ options skipped
== (aliasing, ARPd)
* IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?]
- YES: HIGHLY recommended for basic TCP/IP network security
== Non-MASQ options skipped
== (RARP)
* IP: Allow large windows (not recommended if <16Mb of memory) * (CONFIG_SKB_LARGE) [Y/n/?]
- YES: This is recommended to optimize Linux's TCP window
== Non-MASQ options skipped
== (IPv6, IPX, WAN router, etc.)
* Fast switching (read help!) (CONFIG_NET_FASTROUTE) [N/y/?] n
- NO: This performance optimization is NOT compatible with IP MASQ and/or
packet filtering
== Non-MASQ options skipped
== (Slow CPU, Telephony, SCSI, I2O, etc. )
== Don't forget to compile in support for hardware that you might need:
== SCSI: HDs, CDROMs, etc.
[ Network device support ]
* Network device support (CONFIG_NETDEVICES) [Y/n/?]
- YES: Enables the Linux Network device sublayer
== Non-MASQ options skipped
== (Arcnet)
* Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
- YES: Though OPTIONAL, this option can help when debugging problems
== Non-MASQ options skipped
== (EQL, NICs, Wireless, IrDA, ISDN, etc..)
== Don't forget to compile in support for hardware that you might need:
== NICs: eth, tr, etc.
== MODEMs: ppp and/or slip
== WANs: T1, T3, ISDN, etc.
== ISDN: for internal ISDN modems
[ Character devices ]
== Don't forget to compile in serial port support for modem users
== Don't forget to compile in mouse support
== Non-MASQ options skipped
== (I2C, Watchdog cards, Ftape, Video for Linux, USB, etc. )
[ File systems ]
== Non-MASQ options skipped
== (Quota, ISO9660, NTFS, etc )
* /proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
- YES: Required to dynamically configure the Linux forwarding
and NATing systems
== Non-MASQ options skipped
== (network fs, NLS, video section, sound, kernel hacking) |
So go ahead and "exit" and you should be prompted to save your config.
NOTE: These are just the components you need for IP Masquerade. You will need
to select whatever other options needed for your specific setup. Now compile the kernel (make dep; make clean; make bzImage; make modules;
make modules_install) , etc. Again, it is beyond the scope of this HOWTO
if you have problems compiling your kernel. Please see
Section 2.7 for URLs to the KERNEL howto, etc.
You will then have move over the kernel binary, update your bootloader
(LILO, Grub, etc.), and reboot. If you have questions about kernel compiling,
I highly recommend to consult some of the URLs above in this section.
3.2.3. Compiling Linux 2.0.x KernelsPlease see Section 2.8 for any
required software, patches, etc. First of all, you need the kernel source for 2.0.x (preferably the latest
kernel version)
If this is your first time compiling the kernel, don't be scared. In fact,
it's rather easy and it's covered in several URLs found in
Section 2.8. Please note that the instructions
included here is just one way to do build a kernel. Please see the Kernel
HOWTO for full details.
NOTE: Please notice that it isn't
recommended to put the new kernel sources into /usr/src/linux. You
should leave the original kernel sources that came with your Linux
distribution in /usr/src/linux. For more details on this
topic, please read the "README" file in the top level directory of
your kernel sources.
For this HOWTO example, create a directory called /usr/src/kernel.
Next, "cd" into this directory and download the newest 2.0.x kernel sources
into it. Once downloaded, issue the following command:
tar xvzf linux-2.0.x.tar.gz . Please substitute the "x"
in the 2.0.x filename with the Linux 2.0 kernel version you downloaded.
Once uncompressed, I recommend that you rename the directory from "linux" to
"linux-2.0.x" for clarity. To do this, run the command mv linux
linux-2.0.x. Next, make sure there is a directory or symbolic
link pointing to /usr/src/kernel/linux ie. run the
command: ln -s /usr/src/kernel/linux-2.0.x /usr/src/kernel/linuxo
again subsituting the "x" for your proper kernel version.
Apply any appropriate or optional patches to the kernel source code. By
default, stock Linux kernels do not require any specific patching in order
for the system to work. Features like IPPORTFW, PPTP, and Xwindows
forwarders are optional but very useful. Please refer to
Section 2.8 for URLs and the
IP Masquerade Resources
for up-to-date information and patch URLs.
Now that the kernel is patched up (if required), here are the MINIMUM kernel
configuration options required to enable IP Masquerade functionality. Please
understand that this HOWTO illustrates just ONE way to compile a kernel. The
main difference from this method vs. a different one is some people wish to
compile things either as modules OR monolithically right into the kernel.
Basically, compiling things as modules gives you added flexibility to what is
or isn't installed into the kernel (reduces unneeded memory use and allow for
drop-in upgrades [no need to reboot]) BUT they add more complexity to your
configuration. On the flip side, compiling things directly into the kernel
makes things simpler BUT you loose a level of flexibility. The following
example is a mixture of both built-in AND modules.
Side Note:
It is assumed that you will also configure the kernel to use your
other installed hardware such as network interfaces, optional SCSI controllers,
etc. as well. Please refer to the
Linux Kernel
HOWTO and the kernel source's "README" file and
"Documentation/" directory for detailed help on compiling a kernel.
Please note the YES or NO ANSWERS to the
following options. Not all options will be available without the proper
kernel patches described later in this HOWTO: Run the following commands to configure your kernel:
cd /usr/src/kernel/linux
make menuconfig
The following kernel prompts reflect a 2.0.39 kernel: [ Code maturity level options ]
* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
- YES: this will allow you to later select the IP Masquerade feature code
[ Loadable module support ]
* Enable loadable module support (CONFIG_MODULES) [Y/n/?] y
- YES: allows you to load kernel IP MASQ modules
* Set version information on all module symbols (CONFIG_MODVERSIONS) [N/y/?] y
- YES: allows newer kernels to load older modules if possible
* Kernel daemon support (e.g. autoload of modules) (CONFIG_KERNELD) [N/y/?] y
- OPTIONAL: Recommended : allows the kernel to load various kernel modules as
it needs them
[ General setup ]
== Non-MASQ options skipped
== (FPU, memory)
* Networking support (CONFIG_NET) [Y/n/?] y
- YES: Enables the network subsystem
== Non-MASQ options skipped
== (memory, PCI, binary format, APM, etc.)
== Don't forget to compile in support for hardware that you might need:
== IDE controllers, HDs, CDROMs, etc.
[ Networking options ]
* Network firewalls (CONFIG_FIREWALL) [Y/n/?] y
- YES: Enables the IPFWADM firewall tool
== Non-MASQ options skipped
== (Aliasing)
* TCP/IP networking (CONFIG_INET) [Y/n/?] y
- YES: Enables the TCP/IP protocol
* IP: forwarding/gatewaying (CONFIG_IP_FORWARD) [N/y/?] y
- YES: Enables Linux network packet forwarding and routing
- Controlled by IPFWADM
* IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?] y
- OPTIONAL: You can enable this if you want to be able to receive
Multicast traffic. Please note that your ISP must
support Multicast as well for this all to work
* IP: syn cookies (CONFIG_SYN_COOKIES) [Y/n/?] y
- YES: HIGHLY recommended for basic network security
* IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] y
- YES: Enable the packet firewall features
* IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE) [Y/n/?] y
- YES: Allows the kernel to report back on various packets traversing
the firewall.
* IP: masquerading (CONFIG_IP_MASQUERADE [Y/n/?] y
- YES: Enable the kernel to perform IP MASQ NAT functionality
* IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?] n
- NO: NOT Recommended : IPautofw is a legacy method of TCP/IP port forwarding.
Though IPautofw works, IPPORTFW is a better choice.
* IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?] y
- YES: This option is ONLY AVAILABLE VIA A PATCH for the 2.0.x kernels.
With this option, external computers on the Internet can directly
communicate to specified internal MASQed machines. This feature is
typically used to access internal SMTP, TELNET, and WWW servers.
FTP port forwarding sometimes might require an additional patch as
described in the FAQ section. Additional information on port
forwarding is available in the Forwards section of this HOWTO.
* IP: MS PPTP masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_PPTP) [N/y/?] (NEW) n
- OPTIONAL: Enabling this feature will allow internal MASQ clients to
properly connect to PPTP servers on the Internet.
* IP: MS PPTP Call ID masq support (CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT) [N/y/?] (NEW) n
- OPTIONAL: If you enabled the CONFIG_IP_MASQUERADE_PPTP above, this
option will allow for multiple internal PPTP clients behind the MASQ
server to communicate to the same PPTP server.
* IP: MS PPTP masq debugging (DEBUG_IP_MASQUERADE_PPTP) [N/y/?] n
- OPTIONAL: NOT recommended : This is not required for IP MASQ or MASQing PPTP
connections unless you need additional troubleshooting help. If enabled,
this can fill up your logs quickly.
* IP: MS PPTP masq verbose debugging (DEBUG_IP_MASQUERADE_PPTP_VERBOSE) [N/y/?] (NEW) n
- OPTIONAL: NOT Recommended : If you enabled the DEBUG_IP_MASQUERADE_PPTP
option above, this will make the logging even more verbose.
* IP: IPSEC ESP & ISAKMP masq support (EXPERIMENTAL) * (CONFIG_IP_MASQUERADE_IPSEC) [N/y/?] m
- OPTIONAL: This option allows for some forms of IPSEC tunnels to be
masquraded
* IP: IPSEC masq table lifetime (minutes) (CONFIG_IP_MASQUERADE_IPSEC_EXPIRE) * [30] (NEW)
- OPTIONAL: This feature allows to change the MASQ table timeouts so that
idle IPSEC tunnels won't be prematurely disconnected.
* IP: Disable inbound ESP destination guessing * (CONFIG_IP_MASQUERADE_IPSEC_NOGUESS) [N/y/?] n
- OPTIONAL: This feature allows the kernel to guess where the fully encrypted IPSEC VPN
might be going and add it to the MASQ table.
* IP: IPSEC masq debugging (DEBUG_IP_MASQUERADE_IPSEC) [N/y/?] ? n
- OPTIONAL: NOT recommended : This is not required for IP MASQ or MASQing IPSEC
connections unless you need additional troubleshooting help. If enabled,
this can fill up your logs quickly.
* IP: IPSEC masq verbose debugging (DEBUG_IP_MASQUERADE_IPSEC_VERBOSE) [N/y/?] (NEW) n
- OPTIONAL: NOT Recommended : If you enabled the DEBUG_IP_MA |
|
