On Sat, Mar 25, 2000 at 03:02:52AM -0500, Jeff Gordon wrote
> Hi, John --
> > Um.. in spite of what Andrew said, they're not modules.
> > ipfwadm is an IP packet firewall/masquerading setup 
> > utility that works with kernel 2.0.x; ipchains is similar, 
> > but for kernel 2.2.x.
> (Okay.)
> > # ipchains -L input
> > for kernel 2.2.x.
> > 
> > This should list the default policy and rules for accepting 
> > incoming packets, if your kernel supports IP firewalling (which 
> > is required for IP masquerading).
> Okay--the policy at present is one I set up awhile ago, basically
> allowing bidirectional forwarding on everything. :-)  We realized that
> if we didn't do that, my brother's packets would never make it out the
> door -- but we're still left with problems of how to get responding
> packets back to his machine, which (as I understand it, anyway) is
> where the Masq bits come into play -- and the kernel is saying
> Masquerading is not enabled -- so are we back at Andrew's original
> statement, that I need to compile a kernel in which Masquerading -is-
> enabled as the next order of business...?  (I hope so 'cause I'm
> downloading about 18 megs right now in order to do that. :-)

Are you using a "stock" Debian kernel, or one which you built
yourself? The stock kernels usually include masquerading

If you're using a "Stock" 2.2.x kernel you should see
masquerading modules (ip_masq_*.o) under
/lib/modules/2.2.14/ipv4 (assuming kernel version 2.2.14); if
you do then your kernel already has masquerading support built
in (if it *is* a stock kernel then you should also have a file
like /boot/config-2.2.14 that shows you the kernel configuration

If you're compiling your own, you need to include support for
(assuming kernel 2.2.x) Network Firewalls, IP Firewalls and IP
Masquerading.  You also need /proc filesystem support and sysctl
support (under "General Options").

If you are using a 2.2.x kernel, also bear in mind that IP
forwarding has to be enabled for IP masquerading to work; you
can enable forwarding with
# echo "1" > /proc/sys/net/ipv4/ip_forward

and see if it is enabled with 
# cat /proc/sys/net/ipv4/ip_forward

This step is not relevant to 2.0.x kernels; if they have
forwarding enabled at compile time then it is enabled.

Finally, here are the ipchains rules that perform
masquerading on my machine, running kernel 2.2.14:
# /sbin/ipchains -L -n
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------                n/a
ACCEPT     all  ------             n/a
ACCEPT     all  ------           n/a
DENY       all  ----l-             n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------             n/a
Chain output (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------                n/a
ACCEPT     all  ------           n/a
ACCEPT     all  ------             n/a
DENY       all  ----l-           n/a

I use the ipmasq package to do this for me; I'm using version
3.2.5, which seems to work here.  The only extra tweaking I've
done (AFAICR) is to add the line
modprobe ip_masq_ftp

to the end of /etc/ppp/ip-up.d/00ipmasq; you may want to load 
the modules (if any) for the protocols you require there, also.

Good luck,

John P.
"Oh - I - you know - my job is to fear everything." - Bill Gates in Denmark
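
The checks described in the message above (kernel options, then the ip_forward switch), gathered into one script as an added example that is not part of the original post. The CONFIG_ symbols are assumed to be the 2.2.x names for the menu entries the message lists, and the sample config and ip_forward files are constructed so the script runs offline.

```shell
#!/bin/sh
# Option names are the 2.2.x CONFIG_ symbols assumed to match the menu
# entries named in the message (the message gives menu names, not symbols).
REQUIRED="CONFIG_FIREWALL CONFIG_IP_FIREWALL CONFIG_IP_MASQUERADE CONFIG_PROC_FS CONFIG_SYSCTL"

# Print every required option that is not set to y or m in the given config.
missing_masq_options() {
    cfg=$1
    for opt in $REQUIRED; do
        grep -Eq "^${opt}=(y|m)\$" "$cfg" || printf '%s\n' "$opt"
    done
}

# Succeed only if the given ip_forward file holds exactly 1.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Report on one config file plus one ip_forward file; exit status 0 = ready.
audit_masq() {
    cfg=$1; fwd=$2; status=0
    missing=$(missing_masq_options "$cfg")
    if [ -n "$missing" ]; then
        echo "kernel config lacks: $(echo $missing)"; status=1
    fi
    if ! forwarding_enabled "$fwd"; then
        echo "IP forwarding is off (expected 1 in $fwd)"; status=1
    fi
    [ "$status" -eq 0 ] && echo "masquerading prerequisites present"
    return "$status"
}

# Constructed sample input (not from a real machine), so this runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config-good" <<'EOF'
CONFIG_SYSCTL=y
CONFIG_PROC_FS=y
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_MASQUERADE=y
EOF
sed 's/^CONFIG_IP_MASQUERADE=y$/# CONFIG_IP_MASQUERADE is not set/' \
    "$SAMPLE_DIR/config-good" > "$SAMPLE_DIR/config-nomasq"
echo 1 > "$SAMPLE_DIR/fwd-on"; echo 0 > "$SAMPLE_DIR/fwd-off"

audit_masq "$SAMPLE_DIR/config-good" "$SAMPLE_DIR/fwd-on"
audit_masq "$SAMPLE_DIR/config-nomasq" "$SAMPLE_DIR/fwd-off" || true
```

On a real 2.2.14 machine the two arguments would be /boot/config-2.2.14 and /proc/sys/net/ipv4/ip_forward, the paths given in the message.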
