  Linux IP Masquerade mini HOWTO
  Ambrose Au, ambrose@writeme.com; David Ranch, dranch@trinnet.net
  v1.65, March 29, 1999

  This document describes how to enable the Linux IP Masquerade feature
  on a given Linux host.  IP Masq is a form of Network Address
  Translation (NAT) that allows internally connected computers that do
  not have registered Internet IP addresses to communicate with the
  Internet via your Linux box's single Internet IP address.
  ______________________________________________________________________

  Table of Contents

  1. Introduction

     1.1 Introduction to IP Masquerading or IP MASQ for short
     1.2 Foreword, Feedback & Credits
     1.3 Copyright & Disclaimer

  2. Background Knowledge

     2.1 What is IP Masquerade?
     2.2 Current Status
     2.3 Who Can Benefit From IP Masquerade?
     2.4 Who Doesn't Need IP Masquerade?
     2.5 How does IP Masquerade Work?
     2.6 Requirements for IP Masquerade on Linux 2.0.x
     2.7 Requirements for IP Masquerade on Linux 2.2.x

  3. Setting Up IP Masquerade

     3.1 Compiling the Kernel for IP Masquerade Support
        3.1.1 Linux 2.0.x Kernels
        3.1.2 Linux 2.2.x Kernels
     3.2 Assigning Private Network IP Addresses to the Internal LAN
     3.3 Configuring IP Forwarding Policies
        3.3.1 Linux 2.0.x Kernels
        3.3.2 Linux 2.2.x Kernels

  4. Configuring the other internal to-be MASQed machines

     4.1 Configuring Microsoft Windows 95
     4.2 Configuring Windows NT
     4.3 Configuring Windows for Workgroup 3.11
     4.4 Configuring UNIX Based Systems
     4.5 Configuring DOS using NCSA Telnet package
     4.6 Configuring MacOS Based System Running MacTCP
     4.7 Configuring MacOS Based System Running Open Transport
     4.8 Configuring Novell network using DNS
     4.9 Configuring OS/2 Warp
     4.10 Configuring Other Systems

  5. Testing IP Masquerade

  6. Other IP Masquerade Issues and Software Support

     6.1 Problems with IP Masquerade
     6.2 Incoming services
     6.3 Supported Client Software and Other Setup Note
        6.3.1 Network Clients that -Work- with IP Masquerade
        6.3.2 Clients that do not Work:
     6.4 Stronger IP Firewall (IPFWADM) Rulesets
     6.5 IP Firewalling Chains (ipchains)
     6.6 IP Masquerading multiple internal networks
     6.7 IP Masquerade and Dial-on-Demand Connections
     6.8 IPPORTFW, IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other Port Forwarding tools
        6.8.1 IPPORTFW on 2.0.x kernels
        6.8.2 IPMASQADM with IPPORTFW support on 2.2.x kernels
     6.9 CU-SeeMe and Linux IP-Masquerade
     6.10 Mirabilis ICQ
     6.11 Gamers:  The LooseUDP patch

  7. Frequently Asked Questions

     7.1 What Linux Distributions support IP Masquerading out of the box?
     7.2 What are the minimum hardware requirements and any limitations for IP Masquerade?  How well does it perform?
     7.3 I've checked all my configurations, I still can't get IP Masquerade to work.  What should I do?
     7.4 How do I join the IP Masquerade Mailing List?
     7.5 How does IP Masquerade differ from Proxy or NAT services?
     7.6 Are there any GUI firewall creation/management tools?
     7.7 Does IP Masquerade work with dynamically assigned IP addresses?
     7.8 Can I use a cable modem (both bi-directional and with modem returns), DSL, satellite link, etc. to connect to the Internet and use IP Masquerade?
     7.9 Can I use Diald or the Dial-on-Demand feature of PPPd with IP MASQ?
     7.10 What applications are supported with IP Masquerade?
     7.11 How can I get IP Masquerade running on Redhat, Debian, Slackware, etc.?
     7.12 TELNET connections seem to break if I don't use them often.  Why is that?
     7.13 When my Internet connection first comes up, nothing works.  If I try again, everything then works fine.  Why is this?
     7.14 IP MASQ seems to be working fine but some sites don't work.  This usually happens with WWW surfing.
     7.15 IP Masquerading seems slow
     7.16 Now that I have IP Masquerading up, I'm getting all sorts of weird notices and errors in the SYSLOG log files.  How do I read the IPFWADM/IPCHAINS firewall errors?
     7.17 Can I configure IP MASQ to allow Internet users to directly contact internal MASQed servers?
     7.18 IRC won't work properly for MASQed IRC users.  Why?
     7.19 mIRC doesn't work with DCC Sends
     7.20 Can IP Masquerade work with only ONE Ethernet network card?
     7.21 I'm trying to use the NETSTAT command to show my Masqueraded connections but its not working
     7.22 I would like to get Microsoft PPTP (GRE tunnels) and/or IPSEC (Linux SWAN) tunnels running through IP MASQ
     7.23 I want to get the XYZ network game to work through IP MASQ but it won't work.  Help!
     7.24 IP MASQ works fine for a while but then it stops working.  A reboot seems to fix this for a while.  Why?
     7.25 Internal MASQed computers cannot send SMTP mail!
     7.26 Why do the new 2.1.x and 2.2.x kernels use IPCHAINS instead of IPFWADM?
     7.27 I've just upgraded to the 2.2.x kernels, why isn't IP Masquerade working?
     7.28 I've just upgraded to a 2.0.36+ kernels later, why isn't IP Masquerade working?
     7.29 I need help with EQL connections and IP Masq
     7.30 I can't get IP Masquerade to work!  What options do I have for Windows Platforms?
     7.31 I want to help on IP Masquerade development.  What can I do?
     7.32 Where can I find more information on IP Masquerade?
     7.33 I want to translate this HOWTO to another language, what should I do?
     7.34 This HOWTO seems out of date, are you still maintaining it?  Can you include more information on ...?  Are there any plans for making this better?
     7.35 I got IP Masquerade working, it's great!  I want to thank you guys, what can I do?

  8. Miscellaneous

     8.1 Useful Resources
     8.2 Linux IP Masquerade Resource
     8.3 Thanks to the following people..
     8.4 Reference
     8.5 Changes


  ______________________________________________________________________

  1.  Introduction


  1.1.  Introduction to IP Masquerading or IP MASQ for short


  This document describes how to enable the Linux IP Masquerade feature
  on a given Linux host.  IP Masq is a form of Network Address
  Translation (NAT) that allows internally connected computers that do
  not have registered Internet IP addresses to communicate with the
  Internet via your Linux box's single Internet IP address.  It is
  possible to connect your internal machines to the Linux host with LAN
  technologies like Ethernet, Token Ring and FDDI, as well as with other
  kinds of connections such as dialup PPP or SLIP links.  This document
  uses Ethernet for the primary example since it is the most common
  scenario.


       This document is intended for users using either of the
       stable Linux kernels: 2.0.36+ and 2.2.2+.  Older kernels such
       as 1.2.x, 1.3.x, and 2.1.x are NOT covered in this document
       and, in some kernel versions, can be considered broken.
       Please upgrade to one of the stable Linux kernels before
       using IP Masquerading.

  1.2.  Foreword, Feedback & Credits

  As a new user, I found it very confusing to set up IP masquerade on
  the Linux kernel (the 1.2.x kernel back then).  Although there is a
  FAQ and a mailing list, there was no document that was dedicated to
  it.  There were also some requests on the mailing list for such a
  HOWTO.  So, I decided to write this HOWTO as a starting point for new
  users and possibly create a building block for other knowledgeable
  users to add to in the future.  If you have any ideas for this
  document, corrections, etc., feel free to tell us so that we can make
  it better.

  This document was originally based on the original FAQ by Ken Eves and
  numerous helpful messages from the IP Masquerade mailing list.  A
  special thanks to Mr. Matthew Driver whose mailing list message
  inspired me to set up IP Masquerade and eventually write this.
  Recently, David Ranch edited the HOWTO and added a substantial number
  of sections to the HOWTO to make this document as complete as
  possible.

  Please feel free to send any feedback or comments to
  ambrose@writeme.com and dranch@trinnet.net if you have any corrections
  or if any information/URLs/etc. is missing. Your invaluable feedback
  will certainly influence the future of this HOWTO!

  This HOWTO is meant to be a fairly comprehensive guide on getting your
  Linux IP Masquerading network working in the shortest time possible.
  As neither Ambrose nor David is a technical writer, you might find the
  information in this document not as general and/or objective as it
  could be.  The latest news and information regarding this HOWTO and
  other IP MASQ details can be found at the IP Masquerade Resource
  <http://ipmasq.cjb.net/> web page that we actively maintain.  If you
  have any technical questions on IP Masquerade, please join the IP
  Masquerade Mailing List instead of sending email to either Ambrose or
  David.  Most MASQ problems are common to ALL MASQ users and can be
  easily solved by someone on the list.  In addition to this, the
  response time of the IP MASQ email list will be much faster than a
  reply from either Ambrose or David.


  The latest version of this document can be found at the following
  sites, which also carry HTML and PostScript versions:

  o  http://ipmasq.cjb.net/: The IP Masquerade Resources

  o  http://ipmasq2.cjb.net/: The IP Masquerade Resources MIRROR

  o  The Linux Documentation Project

  o  Also refer to IP Masquerade Resource Mirror Sites Listing
     <http://ipmasq.cjb.net/index.html#mirror> for other local mirror
     sites.


  1.3.  Copyright & Disclaimer


  This document is copyright(c) 1999 Ambrose Au and David Ranch and it
  is a FREE document. You may redistribute it under the terms of the GNU
  General Public License.

  The information in this document is, to the best of Ambrose's and
  David's knowledge, correct.  However, the Linux IP Masquerade feature
  is written by humans and thus there is the chance that mistakes,
  bugs, etc. might happen from time to time.


  No person, group, or other body is responsible for any damage to your
  computer(s) or any other losses resulting from use of the information
  in this document, i.e.


       THE AUTHORS AND ALL MAINTAINERS ARE NOT RESPONSIBLE FOR ANY
       DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE
       INFORMATION IN THIS DOCUMENT.


  Ok, with all this behind us... On with the show..



  2.  Background Knowledge



  2.1.  What is IP Masquerade?

  IP Masquerade is a networking function in Linux similar to the
  one-to-many NAT (Network Address Translation) found in many commercial
  firewalls and network routers.  For example, if a Linux host is
  connected to the Internet via PPP, Ethernet, etc., the IP Masquerade
  feature allows other "internal" computers connected to this Linux box
  (via PPP, Ethernet, etc.) to reach the Internet as well, even though
  these internal machines do not have officially assigned IP addresses.

  MASQ allows a set of machines to invisibly access the Internet via the
  MASQ gateway.  To other machines on the Internet, all of this outgoing
  traffic will appear to come from the IP MASQ Linux server itself.  In
  addition to this functionality, IP Masquerade provides the foundation
  for a VERY secure networking environment: the internal machines are
  not directly reachable from the Internet, only the gateway is.  MASQ
  by itself is not a firewall, though (see the warning at the start of
  section 3); with a well built firewall ruleset on the gateway,
  breaking into a well configured masquerading system and its internal
  LAN should be considerably difficult.


  2.2.  Current Status

  IP Masquerade has been out for several years now and is fairly mature
  as Linux enters the 2.2.x kernel stage.  Kernels since Linux 1.3.x
  have had MASQ support built in.  Today many individuals and commercial
  businesses are using it with excellent results.

  Common network uses like Web browsing, TELNET, PING, TRACEROUTE, etc.
  work well over IP Masquerade.  Protocols that open extra connections
  or carry IP addresses and ports inside their data, such as FTP, IRC,
  and Real Audio, work well with the appropriate IP MASQ helper modules
  loaded.  Other network-specific programs like streaming audio (MP3s,
  True Speech, etc.) work too.  Some fellow users on the mailing list
  have even had good results with video conferencing software.

  Please refer to the ``Supported Client Software and Other Setup Note''
  section for a more complete listing of supported software.



  IP Masquerade works well as a server to other 'client machines'
  running various different OS and hardware platforms.  There are
  successful cases with internal MASQed systems using:



  o  Unix:  Sun Solaris, *BSD, Linux, Digital UNIX, etc.


  o  Microsoft Windows 95/98, Windows NT, and Windows for Workgroups
     (with the TCP/IP package)

  o  IBM OS/2

  o  Apple Macintosh MacOS machines running either MacTCP or Open
     Transport

  o  DOS-based systems with packet drivers and the NCSA Telnet package

  o  VAXen

  o  Compaq/Digital Alpha running Linux and NT

  o  even Amiga computers with AmiTCP or AS225-stack.

  The list goes on and on but the point is, if your OS platform talks
  TCP/IP, it should work with IP Masquerade!


  2.3.  Who Can Benefit From IP Masquerade?


  o  If you have a Linux host connected to the Internet, and

  o  if you have some computers running TCP/IP connected to that Linux
     box on a local subnet, and/or

  o  if your Linux host has more than one modem and acts as a PPP or
     SLIP server connecting other computers, and

  o  those OTHER machines do not have official or publicly assigned IP
     addresses (i.e. they are addressed with private TCP/IP numbers),

  o  and of course, if you want those OTHER machines to communicate with
     the Internet without spending extra money to get additional public
     / official TCP/IP addresses from your ISP and then having to either
     configure Linux as a router or purchase an external router.


  2.4.  Who Doesn't Need IP Masquerade?


  o  If your machine is a stand-alone Linux host connected to the
     Internet (though setting up a firewall is a good idea), or

  o  if you already have multiple assigned public addresses for your
     OTHER machines, and

  o  of course, if you don't like the idea of a 'free ride' using Linux
     and feel more comfortable using expensive commercial tools to do
     the exact same thing.


  2.5.  How does IP Masquerade Work?

  From the original IP Masquerade FAQ by Ken Eves:

    Here is a drawing of the most simple setup:

     SLIP/PPP         +------------+                         +-------------+
     to ISP provider  |  Linux     |         SLIP/PPP        | Anybox      |
    <---------- modem1|    #1      |modem2 ----------- modem3|             |
      111.222.333.444 |            |           192.168.0.100 |             |
                      +------------+                         +-------------+

      In the above drawing, a Linux box with IP_MASQUERADING is installed as
    Linux #1 and is connected to the Internet via SLIP/or/PPP using modem1.  It has
    an assigned public IP address of 111.222.333.444.  It also has modem2 connected
    to allow callers to dial-in and start a SLIP/or/PPP connection.

      The second system (which doesn't have to be running Linux) calls into the
    Linux #1 box and starts a SLIP/or/PPP connection.  It does NOT have a publicly
    assigned IP address from the Internet so it uses the private address
    192.168.0.100. (see below for more info)

      With IP Masquerade and the routing configured properly, the machine
    "Anybox" can interact with the Internet as if it was directly connected to the
    Internet (with a few small exceptions).

  Quoting Pauline Middelink:

    Do not forget to mention that the "ANYBOX" machine should have the
    Linux #1 box configured as its gateway (whether it be the default route or just
    a subnet is no matter). If the "ANYBOX" machine can not do this, the Linux
    machine should be configured to support proxy arp for all routed addresses. But,
    the setup and configuration of proxy arp is beyond the scope of the document.

  The following is an excerpt from a previous post on comp.os.linux.networking which
  has been edited to match the names used in the above example:

     o I tell machine ANYBOX that my PPP or SLIPed Linux box is its gateway.
     o When a packet comes into the Linux box from ANYBOX, it will assign it
       a new TCP/IP source port number and slap its own IP address in the packet
       header, saving the originals.  The MASQ server will then send the modified
       packet out over the SLIP/PPP interface to the Internet.
     o When a packet returns from the Internet to the Linux box, Linux examines
       if the port number is one of those ports that was assigned above.  If so, the
       MASQ server will get the original port and IP address, put them back in the
       returned packet header, and send the packet to ANYBOX.
     o The host that sent the packet will never know the difference.




  Another IP Masquerading Example:


  A typical example is given in the diagram below:

      +----------+
      |          |  Ethernet
      | A-box    |::::::
      |          |.2   : 192.168.0.x
      +----------+     :
                       :      +----------+   PPP
      +----------+     :   .1 |  Linux   |   link
      |          |     :::::::| Masq-Gate|:::::::::::::::::::// Internet
      | B-box    |::::::      |          |  111.222.333.444
      |          |.3   :      +----------+
      +----------+     :
                       :
      +----------+     :
      |          |     :
      | C-box    |::::::
      |          |.4
      +----------+

      |                       |          |
      | <-Internal Network--> |          | <- External Network ---->
      |                       |          |



  In this example, there are four computer systems that we are concerned
  about.  There is also presumably something on the far right that your
  PPP connection to the Internet comes through (terminal server, etc.)
  and some remote host (very far off to the right of the page) out on
  the Internet that you are interested in communicating with.  The Linux
  system Masq-Gate is the IP Masquerading gateway for ALL of the
  internal network of machines A-box, B-box and C-box to get to the
  Internet.  The internal network uses one of the several RFC-1918
  private network addresses, in this case the Class-C network
  192.168.0.0 (192.168.0.0/24).  The Linux box has the TCP/IP address
  192.168.0.1 while the other systems have the addresses:


  o  A-Box: 192.168.0.2

  o  B-Box: 192.168.0.3

  o  C-Box: 192.168.0.4


  The three machines, A-box, B-box and C-box, can be running any
  operating system as long as they can speak TCP/IP.  OSes such as
  Windows 95, Macintosh MacTCP or OpenTransport, or even another Linux
  box can connect to other machines on the Internet.  When running, the
  masquerading system or MASQ-gate converts all of these internal
  connections so that they appear to originate from masq-gate itself.
  MASQ then arranges for data coming back in to a masqueraded
  connection to be relayed back to the proper originating system.
  Because of this, the systems on the internal network see a direct
  route to the Internet and are unaware that their data is being
  masqueraded.  This is called a "transparent" connection.
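
  The port rewriting that both examples above describe, written out as a
  small Python model.  This is an added example, not code from this
  HOWTO or from the Linux kernel: it keeps one table entry per outgoing
  connection, the way the kernel's masquerading table does, rewrites
  outgoing packets to the gateway's public address plus a fresh port,
  and reverses the rewrite on the reply.  The 192.168.0.x addresses are
  the HOWTO's own; the public address 203.0.113.1 (standing in for
  111.222.333.444), the remote server addresses and the packets are
  constructed for the example.  The port range starting at 61000 is the
  default masquerade range of the 2.0.x/2.2.x kernels; the real kernel
  additionally tracks protocol state and times idle entries out.

```python
"""Toy model of IP Masquerade's port translation (added example).

Not the kernel's code.  One table entry per masqueraded connection;
outgoing packets are rewritten to the gateway's public address and a
port taken from the masquerade range, replies are mapped back through
the same entry.  Anything arriving with no matching entry is not
delivered to any internal host.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: documentation address standing in for the HOWTO's 111.222.333.444.
GATEWAY_PUBLIC_IP = "203.0.113.1"

# Default masquerade port range of the 2.0.x/2.2.x kernels
# (PORT_MASQ_BEGIN and the 4096 ports above it).
MASQ_PORT_BEGIN = 61000
MASQ_PORT_END = MASQ_PORT_BEGIN + 4096   # exclusive


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class MasqTable:
    public_ip: str
    next_port: int = MASQ_PORT_BEGIN
    # (proto, internal ip, internal port, remote ip, remote port) -> masq port
    out: Dict[Tuple[str, str, int, str, int], int] = field(default_factory=dict)
    # (proto, masq port, remote ip, remote port) -> (internal ip, internal port)
    back: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def masquerade(self, pkt: Packet) -> Packet:
        """Internal -> Internet: replace the source address/port, remembering the original."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        mport = self.out.get(key)
        if mport is None:
            if self.next_port >= MASQ_PORT_END:
                raise RuntimeError("masquerade port range exhausted")
            mport = self.next_port
            self.next_port += 1
            self.out[key] = mport
            self.back[(pkt.proto, mport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, mport, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def demasquerade(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> internal: only a packet matching a table entry is rewritten
        and handed to the original host.  Anything else returns None; it is not
        forwarded inward and can only reach the gateway itself, which is why the
        HOWTO insists on a firewall ruleset on the gateway."""
        if pkt.dst_ip != self.public_ip:
            return None
        orig = self.back.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None
        int_ip, int_port = orig
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.payload)


def round_trip(table: MasqTable, request: Packet, reply_payload: bytes = b"") -> Optional[Packet]:
    """Send `request` out through the gateway and feed the server's reply back in;
    returns the reply as the internal host sees it (None if it was dropped)."""
    outgoing = table.masquerade(request)
    # The remote server answers the gateway's public address and masquerade port;
    # it never sees 192.168.0.x.  (Constructed reply.)
    reply = Packet(outgoing.proto, outgoing.dst_ip, outgoing.dst_port,
                   outgoing.src_ip, outgoing.src_port, reply_payload)
    return table.demasquerade(reply)


if __name__ == "__main__":
    table = MasqTable(GATEWAY_PUBLIC_IP)
    a_box = Packet("tcp", "192.168.0.2", 1024, "198.51.100.10", 80, b"GET / HTTP/1.0")
    print(round_trip(table, a_box, b"HTTP/1.0 200 OK"))   # delivered to 192.168.0.2:1024
    stray = Packet("tcp", "198.51.100.10", 80, GATEWAY_PUBLIC_IP, 23)
    print(table.demasquerade(stray))                      # None: no entry, not forwarded inward
```

  Two internal hosts may use the same source port at the same time;
  the table gives each connection its own masquerade port, which is how
  the reverse lookup stays unambiguous.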

  NOTE:  Please see the ``Frequently Asked Questions'' section for more
  details on topics such as:


  o  The differences between NAT, MASQ, and Proxy servers.

  o  How packet firewalls work




  2.6.  Requirements for IP Masquerade on Linux 2.0.x



       ** Please refer to IP Masquerade Resource
       <http://ipmasq.cjb.net/> for the latest information. **



  o  Any decent computer hardware.  See the ``Frequently Asked
     Questions'' section for more details.


  o  Kernel 2.0.x source available from http://www.kernel.org/
     (Most modern Linux distributions such as Redhat 5.2 have modular
     kernels with all the IP Masquerade kernel options compiled in.  In
     such cases, there is no need to compile a new Linux kernel.  If you
     are UPGRADING your kernel, you should be aware of what other
     programs might be required and/or upgraded; this is mentioned later
     in the HOWTO.)


  o  Loadable kernel modules, preferably 2.1.85 or newer available from
     http://www.pi.se/blox/modules/
     (modules-1.3.57 is the minimal requirement)


  o  A running TCP/IP network or LAN covered in Linux NET-3 HOWTO
     <http://metalab.unc.edu/mdw/HOWTO/NET-3-HOWTO.html> and the Network
     Administrator's Guide <http://metalab.unc.edu/mdw/LDP/nag/nag.html>
     Also check out the TrinityOS
     <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri>
     document.  TrinityOS is a very comprehensive guide on Linux
     networking including topics like IP MASQ, security, DNS, DHCP,
     Sendmail, PPP, Diald, NFS, IPSEC-based VPNs, and performance
     sections just to name a few.  Over fifty sections in all!


  o  Connectivity to the Internet for your Linux host covered in Linux
     ISP Hookup HOWTO <http://metalab.unc.edu/mdw/HOWTO/ISP-Hookup-
     HOWTO.html>, Linux PPP HOWTO <http://metalab.unc.edu/mdw/HOWTO/PPP-
     HOWTO.html>, TrinityOS
     <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri>, Linux
     DHCP mini-HOWTO <http://metalab.unc.edu/mdw/HOWTO/mini/DHCP.html>
     and Linux Cable Modem mini-HOWTO
     <http://metalab.unc.edu/mdw/HOWTO/mini/Cable-Modem.html>


  o  Ipfwadm 2.3 or newer available from
     ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.tar.gz
     More information on version requirement is on the Linux IPFWADM
     page <http://www.xos.nl/linux/ipfwadm/>


  o  If you are interested in running IPCHAINS on a 2.0.36+ kernel, see
     Willy Tarreau's IPCHAINS enabler for 2.0.36 <http://www-
     miaif.lip6.fr/willy/pub/linux-patches/> or Rusty's IPCHAINS for
     2.0.x kernels


  o  Know how to configure, compile, and install a new Linux kernel as
     described in the Linux Kernel HOWTO
     <http://metalab.unc.edu/mdw/HOWTO/Kernel-HOWTO.html>


  o  You can also apply various optional IP Masquerade patches to enable
     other functionality such as:

  o  TCP/IP port-forwarders or re-directors:  With these tools, you can
     get some non-MASQ friendly programs to work behind a MASQ server.
     In addition to this, you can configure a MASQ server to let
     Internet users contact internal WWW, TELNET, SMTP, FTP (with a
     patch), etc., servers.  See the ``IPPORTFW, IPMASQADM, IPAUTOFW,
     REDIR, UDPRED, and other Port Forwarding tools'' section of the
     HOWTO for more information.  Here is a list of IP Masquerading
     patches for 2.0.x kernels:


  o  Steven Clarke's IP PortForwarding (IPPORTFW) - RECOMMENDED

  o  IP AutoForward and a mirror
     <ftp://ftp.netis.com/pub/members/rlynch/ipautofw.tar.gz> (IPAUTOFW)
     - NOT Recommended

  o  REDIR <http://ipmasq.cjb.net/redir_0.7.orig.tar.gz> for TCP (REDIR)
     - NOT Recommended

  o  UDP redirector (UDPRED) - NOT Recommended

     PORTFWed FTP:


  o  If you are going to port forward FTP traffic to an internal FTP
     server, you need to download Fred Viles's FTP server patch.
     Explicit details on this topic can be found in the port forwarding
     section (``IPPORTFW, IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other
     Port Forwarding tools'') of the HOWTO.

     X-Windows display forwarders:

  o  X-windows forwarding (DXPC)
     <ftp://sunsite.unc.edu/pub/Linux/X11/compress/dxpc-3.7.0.tar.gz>

     PPTP (GRE) and SWAN (IPSEC) VPNs tunneling forwarders:

  o  John Hardin's VPN Masquerade forwarders or the old patch for just
     PPTP Support <http://ipmasq.cjb.net/ip_masq_pptp.patch.gz>.

     Game specific patches:

  o  Glenn Lamb's LooseUDP for 2.0.36+
     <ftp://ftp.netcom.com/pub/mu/mumford/loose-udp-2.0.36.patch.gz>
     patch.  Also check out Dan Kegel's NAT Page
     <http://www.alumni.caltech.edu/~dank/peer-nat.html> for more
     information.  Additional information can be found in the
     ``Gamers:  The LooseUDP patch'' section and in the ``Frequently
     Asked Questions'' section.

     Please see the IP Masquerade Resource <http://ipmasq.cjb.net/> page
     for more information available on these patches and possibly others
     as well.





  2.7.  Requirements for IP Masquerade on Linux 2.2.x



       ** Please refer to IP Masquerade Resource
       <http://ipmasq.cjb.net/> for the latest information. **





  o  Kernel 2.2.x source available from http://www.kernel.org/
     NOTE:  Most of the modern distributions such as Redhat 5.2 might
     not be Linux 2.2.x ready for your setup.  Tools like DHCP,
     NetUtils, etc. will need to be upgraded.  More details can be found
     in the HOWTO.


  o  Loadable kernel modules, preferably 2.1.121 or newer available from
     http://www.pi.se/blox/modules/


  o  A running TCP/IP network or LAN covered in Linux NET-3 HOWTO
     <http://metalab.unc.edu/mdw/HOWTO/NET-3-HOWTO.html> and the Network
     Administrator's Guide <http://metalab.unc.edu/mdw/LDP/nag/nag.html>


  o  Connectivity to Internet for your Linux host covered in Linux ISP
     Hookup HOWTO <http://metalab.unc.edu/mdw/HOWTO/ISP-Hookup-
     HOWTO.html>, Linux PPP HOWTO <http://metalab.unc.edu/mdw/HOWTO/PPP-
     HOWTO.html>, TrinityOS
     <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri>, Linux
     DHCP mini-HOWTO <http://metalab.unc.edu/mdw/HOWTO/mini/DHCP.html>
     and Linux Cable Modem mini-HOWTO
     <http://metalab.unc.edu/mdw/HOWTO/mini/Cable-Modem.html>


  o  IP Chains 1.3.8 or newer available from
     http://www.rustcorp.com/linux/ipchains/
     Additional information on version requirements is at the Linux IP
     Firewalling Chains page <http://www.rustcorp.com/linux/ipchains/>


  o  Know how to configure, compile, and install a new Linux kernel as
     described in the Linux Kernel HOWTO
     <http://metalab.unc.edu/mdw/HOWTO/Kernel-HOWTO.html>


  o  You can download and use various optional IP Masquerade tools to
     enable other functionality such as:


  o  TCP/IP port-forwarders or re-directors:

  o  IP PortForwarding (IPMASQADM) - RECOMMENDED
     <http://juanjox.linuxhq.com/> or his mirror.


  Please see the IP Masquerade Resource <http://ipmasq.cjb.net/> page
  for more information available on these patches and possibly others as
  well.




  3.  Setting Up IP Masquerade


       If your private network contains any vital information,
       think carefully in terms of SECURITY before implementing IP
       Masquerade.  By default, IP MASQ becomes a GATEWAY for you
       to get to the Internet but it also can allow someone on the
       Internet to possibly get into your internal network.

       Once you have IP MASQ functioning, it is HIGHLY recommended
       for the user to implement a STRONG IPFWADM/IPCHAINS firewall
       ruleset.  Please see the ``Stronger IP Firewall (IPFWADM)
       Rulesets'' and ``IP Firewalling Chains (ipchains)'' sections
       below for more details.

  3.1.  Compiling the Kernel for IP Masquerade Support




       If your Linux distribution already has all the required fea-
       ture support compiled such as:

       o  IPFWADM/IPCHAINS

       o  IP forwarding

       o  IP masquerading

       o  IP Firewalling

       o  etc.

          and all MASQ-related modules compiled (most modular
          kernels will have all you need), then you will NOT need
          to re-compile the kernel.  If you aren't sure if your
          Linux distribution is MASQ ready, see the ``Frequently
          Asked Questions'' section or the IP Masquerade Resource
          <http://ipmasq.cjb.net/> for more details.  If you can't
          find out if your distribution does support IP
          Masquerading by default, ASSUME IT DOESN'T.

       Regardless of native support or not, reading this section is
       still highly recommended as it contains other useful
       information.





  3.1.1.  Linux 2.0.x Kernels


  Please see the ``Requirements for IP Masquerade on Linux 2.0.x''
  section for any required software, patches, etc.


  o  First of all, you need the kernel source (preferably the latest
     kernel version 2.0.36 or above)


  o  If this is your first time compiling the kernel, don't be scared.
     In fact, it's rather easy and it's covered in several URLs found in
     the ``Requirements for IP Masquerade on Linux 2.0.x'' section.


  o  Unpack the kernel source to /usr/src/ with a command: tar xvzf
     linux-2.0.x.tar.gz -C /usr/src, where the "x" in 2.0.x is the
     current Linux 2.0 kernel.  Once finished, make sure there is a
     directory or symbolic link to /usr/src/linux/


  o  Apply any appropriate or optional patches to the kernel source
     code.  As of 2.0.36, IP Masq does not require any specific patching
     to get everything working.  Features like IPPORTFW, PPTP, and
     Xwindows forwarders are optional.  Please refer to the
     ``Requirements for IP Masquerade on Linux 2.0.x'' section for URLs
     and the IP Masquerade Resources <http://ipmasq.cjb.net/> for
     up-to-date information and additional patch URLs.


  o  Here are the MINIMUM options that need to be compiled into the
     kernel.  You will also need to configure the kernel to use your
     installed network interfaces as well.  Refer to the Linux Kernel
     HOWTO <http://metalab.unc.edu/mdw/HOWTO/Kernel-HOWTO.html> and the
     README file in the kernel source directory for further instructions
     on compiling a kernel.


     Please note the YES or NO ANSWERS to the following options.  Not
     all options will be available without the proper kernel patches
     described later in this HOWTO:


    * Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
      - YES: this will allow you to later select the IP Masquerade feature code

    * Enable loadable module support (CONFIG_MODULES) [Y/n/?]
      - YES: allows you to load kernel IP MASQ modules

    * Networking support (CONFIG_NET) [Y/n/?]
      - YES: Enables the network subsystem

    * Network firewalls (CONFIG_FIREWALL) [Y/n/?]
      - YES: Enables the IPFWADM firewall tool

    * TCP/IP networking (CONFIG_INET)
      - YES: Enables the TCP/IP protocol

    * IP: forwarding/gatewaying (CONFIG_IP_FORWARD)
      - YES: Enables Linux network packet forwarding and routing - Controlled by IPFWADM

    * IP: syn cookies (CONFIG_SYN_COOKIES) [Y/n/?]
      - YES: HIGHLY recommended for basic network security

    * IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?]
      - YES: Enable the firewalling feature

    * IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE) [Y/n/?]
      - YES: (OPTIONAL but HIGHLY recommended):  Allows for the reporting of firewall hits

    * IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?]
      - YES: Enable IP MASQ to re-address specific internal to external TCP/IP packets

    * IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?]
      - NO:  IPautofw is a legacy method of TCP/IP port forwarding.  Though it works, IPPORTFW
             is a better way so IPAUTOFW is not recommended.

    * IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?]
      - YES: This option is ONLY AVAILABLE VIA A PATCH for the 2.0.x kernels.

             With this option, external computers on the Internet can directly communicate to
             specified internal MASQed machines.  This feature is typically used to access
             internal SMTP, TELNET, and WWW servers.  FTP port forwarding will need an additional
             patch as described in the FAQ section.  Additional information on port forwarding is
             available in the Forwards section of this HOWTO.

    * IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?]
      - YES: Enable support for masquerading ICMP packets.  Though thought of as optional, many
             programs (PING and TRACEROUTE among them) will NOT function properly without ICMP support.

    * IP: loose UDP port managing (EXPERIMENTAL) (CONFIG_IP_MASQ_LOOSE_UDP) [Y/n/?]
      - YES: This option is ONLY AVAILABLE VIA A PATCH for the 2.0.x kernels.

             With this option, internally masqueraded computers can play NAT-friendly games
             over the Internet.  Explicit details are given in the FAQ section of this HOWTO.

    * IP: always defragment (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?]
      - YES:  This feature optimizes IP MASQ connections - HIGHLY recommended

    * IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?]
      - YES:  This optimizes the kernel for the network subsystem

    * IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?]
      - YES: HIGHLY recommended for basic network security

    * Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
      - YES:  Though OPTIONAL, this option can help when debugging problems

    * /proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
      - YES:  Required to enable the Linux network forwarding system




  NOTE: These are just the components you need for IP Masquerade
  functionality. You will need to also select whatever other options you
  need for your specific network and hardware setup.


  o  After compiling the kernel, you need to also compile and install
     the IP MASQ kernel modules by doing:


       make modules; make modules_install





  o  Next, add a few lines into your /etc/rc.d/rc.local file to load the
     IP Masquerade script and thus enable IP MASQ automatically after
     each reboot:



               .
               .
               .
               #rc.firewall script - Start IPMASQ and the firewall
               /etc/rc.d/rc.firewall
               .
               .
               .








  3.1.2.  Linux 2.2.x Kernels


  Please see the ``'' section for any required software, patches, etc.


  o  First of all, you need the kernel source for 2.2.x (preferably the
     latest kernel version 2.2.1 or above)


  o  If this is your first time compiling the kernel, don't be scared.
     In fact, it's rather easy and it's covered in several URLs found in
     the ``'' section.


  o  Unpack the kernel source to /usr/src/ with a command: tar xvzf
     linux-2.2.x.tar.gz -C /usr/src, where the "x" in 2.2.x is the
     current Linux 2.2 kernel.  Once finished, make sure there is a
     directory or symbolic link to /usr/src/linux/


  o  Apply any appropriate or optional patches to the kernel source
     code.  As of 2.2.1, IP Masq does not require any specific patching
     to get everything working.  Features like PPTP and Xwindows
     forwarders are optional.  Please refer to the ``'' section for URLs
     and the IP Masquerade Resources for up-to-date information and
     patch URLs.


  o  Here are the MINIMUM options that are needed to be compiled into
     the kernel.  You will also need to configure the kernel to use your
     installed network interfaces as well.  Refer to the Linux Kernel
     HOWTO <http://metalab.unc.edu/mdw/HOWTO/Kernel-HOWTO.html> and the
     README file in the kernel source directory for further instructions
     on compiling a kernel.


     Please note the YES or NO ANSWERS to the following.  Not all
     options will be available without the proper kernel patches
     described later in this HOWTO:




    * Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
      - YES: this allows the kernel to create the MASQ modules and enable the option for port forwarding

    * Enable loadable module support (CONFIG_MODULES) [Y/n/?]
      - YES: allows you to load kernel IP MASQ modules

    * Networking support (CONFIG_NET) [Y/n/?]
      - YES: Enables the network subsystem

    * Packet socket (CONFIG_PACKET) [Y/m/n/?]
      - YES: Though this is OPTIONAL, this recommended feature will allow you to use TCPDUMP to debug
             any problems with IP MASQ

    * Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?]
      - YES: Though this is OPTIONAL, this feature will allow the logging of firewall hits

    * Routing messages (CONFIG_RTNETLINK) [Y/n/?]
      - NO:  This option does not have anything to do with packet firewall logging

    * Network firewalls (CONFIG_FIREWALL) [Y/n/?]
      - YES: Enables the IPCHAINS firewall tool

    * TCP/IP networking (CONFIG_INET) [Y/n/?]
      - YES: Enables the TCP/IP protocol

    * IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?]
      - NO:  This is only required for CONFIG_IP_ROUTE_VERBOSE and fancy routing (independent of
             ipchains/masq).

    * IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [Y/n/?]
      - YES: This is useful if you use the routing code to drop IP spoofed packets (highly
             recommended) and you want to log them.

    * IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?]
      - YES: Enable the firewalling feature

    * IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?]
      - YES: Though this is OPTIONAL, this feature will enhance the logging of firewall hits

    * IP: always defragment (required for masquerading) (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?]
      - YES:  This feature is REQUIRED to get asked about enabling the IP Masquerade and/or
              Transparent Proxying features.  This feature also optimizes IP MASQ connections.

    * IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?]
      - YES: Enable IP MASQ to re-address specific internal to external TCP/IP packets

    * IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?]
      - YES: Enable support for masquerading ICMP ping packets (ICMP error codes will be MASQed
             regardless).  This is an important feature for troubleshooting connections.

    * IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?]
      - YES: Though OPTIONAL, this enables the OPTION to later enable the TCP/IP Port forwarding
             system to allow external computers to directly connect to specified internal MASQed
             machines.

    * IP: ipautofw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [N/y/m/?]
      - NO:  IPautofw is a legacy method of port forwarding.  It is mainly a hack which is
             better handled by per-protocol modules.  NOT recommended.

    * IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/m/n/?]
      - YES: Enables IPPORTFW.

             With this option, external computers on the Internet can directly communicate to
             specified internal MASQed machines.  This feature is typically used to access
             internal SMTP, TELNET, and WWW servers.  FTP port forwarding will need an additional
             patch as described in the FAQ section.  Additional information on port forwarding is
             available in the Forwards section of this HOWTO.

    * IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?]
      - NO:  This allows IP forwarding to be done from IPCHAINS directly.  Currently, this code is
             EXPERIMENTAL and the recommended method is to use IPMASQADM and IPPORTFW.

    * IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?]
      - YES:  This optimizes the kernel for the network subsystem, though it isn't known if it
              makes a significant performance difference.

    * IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?]
      - NO:   This OPTIONAL selection is to enable PPTP and GRE tunnels through the IP MASQ box

    * IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?]
      - YES: HIGHLY recommended for basic network security

    * IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?]
      - YES: HIGHLY recommended for basic network security

    * Network device support (CONFIG_NETDEVICES) [Y/n/?]
      - YES: Enables the Linux Network sublayer

    * Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
      - YES:  Though OPTIONAL, this option can help when debugging problems

    * /proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
      - YES:  Required to enable the Linux network forwarding system




  NOTE: These are just the components you need for IP Masquerade, select
  whatever other options you need for your specific setup.


  o  After compiling the kernel, you should compile and install the IP
     MASQ modules by doing:


         make modules; make modules_install







  o  Then you should add a few lines into your /etc/rc.d/rc.local file
     to load the IP Masquerade modules and enable IP MASQ automatically
     after each reboot:



               .
               .
               .
               #rc.firewall script - Start IPMASQ and the firewall
               /etc/rc.d/rc.firewall
               .
               .
               .





  3.2.  Assigning Private Network IP Addresses to the Internal LAN


  Since all INTERNAL MASQed machines should NOT have officially assigned
  Internet addresses, there must be a specific and accepted way to
  allocate addresses to those machines without conflicting with anyone
  else's Internet addresses.

  From the original IP Masquerade FAQ:

  RFC 1918 is the official document on which IP addresses are to be used
  on a non-connected or "private" network.  There are 3 blocks of
  numbers set aside specifically for this purpose:




       Section 3: Private Address Space

       The Internet Assigned Numbers Authority (IANA) has reserved the
       following three blocks of the IP address space for private networks:

                     10.0.0.0        -   10.255.255.255
                     172.16.0.0      -   172.31.255.255
                     192.168.0.0     -   192.168.255.255

       We will refer to the first block as "24-bit block", the second as
       "20-bit block", and to the third as "16-bit block".  Note that the
       first block is nothing but a single class A network number, while the
       second block is a set of 16 contiguous class B network numbers, and
       third block is a set of 255 contiguous class C network numbers.




  For the record, my preference is to use the 192.168.0.0 network with a
  255.255.255.0 Class-C subnet mask and this HOWTO reflects this.  Any of
  the above private networks is valid, but be SURE to use the correct
  subnet mask for the one you choose.

  So, if you're using a Class-C network, you should number your TCP/IP
  enabled machines as 192.168.0.1, 192.168.0.2, 192.168.0.3, ...,
  192.168.0.x

  192.168.0.1 is usually the internal gateway or Linux MASQ machine to
  get out to the external network.  Please note that 192.168.0.0 and
  192.168.0.255 are the Network and Broadcast address respectively
  (these addresses are RESERVED). Avoid using these addresses on your
  machines or your network will not work properly.
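  As an added example that is not part of this HOWTO, the following shell
  script checks a candidate internal address the way the text describes:
  it reports which RFC 1918 block the address falls in and refuses the
  network and broadcast addresses of the subnet for any valid netmask, not
  only the Class-C case used above.  The function names (ip_to_int,
  int_to_ip, private_block, check_host) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: check a candidate internal address
# before assigning it to a MASQed machine.  All function names here are
# this example's own.

# ip_to_int A.B.C.D -> the address as a 32-bit unsigned integer
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted-quad form of the 32-bit integer N
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# private_block A.B.C.D -> prints the RFC 1918 block the address falls in,
# or "none" if it is a public (officially assigned) address
private_block() {
    n=$(ip_to_int "$1")
    if [ $(( n >> 24 )) -eq 10 ]; then
        echo "10.0.0.0/8"                 # 10.0.0.0 - 10.255.255.255
    elif [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ]; then
        echo "172.16.0.0/12"              # 172.16.0.0 - 172.31.255.255
    elif [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]; then
        echo "192.168.0.0/16"             # 192.168.0.0 - 192.168.255.255
    else
        echo "none"
    fi
}

# check_host A.B.C.D NETMASK -> prints a verdict and returns 0 only when the
# address is usable for an internal host: it lies in an RFC 1918 block and
# is neither the network nor the broadcast address of the subnet that
# NETMASK defines (the two RESERVED addresses the text warns about).
check_host() {
    addr=$(ip_to_int "$1")
    mask=$(ip_to_int "$2")
    inv=$(( ~mask & 0xFFFFFFFF ))         # the host bits of the mask
    # a valid mask is a run of ones followed by a run of zeros, so its
    # inverse plus one must be a power of two
    if [ $(( (inv + 1) & inv )) -ne 0 ]; then
        echo "bad-mask $2"
        return 1
    fi
    if [ "$(private_block "$1")" = "none" ]; then
        echo "not-private $1"
        return 1
    fi
    network=$(( addr & mask ))
    broadcast=$(( network | inv ))
    if [ "$addr" -eq "$network" ]; then
        echo "network-address $(int_to_ip "$network")"
        return 1
    fi
    if [ "$addr" -eq "$broadcast" ]; then
        echo "broadcast-address $(int_to_ip "$broadcast")"
        return 1
    fi
    echo "ok"
}

# Constructed sample run: the HOWTO's gateway, an ordinary host, the two
# reserved addresses of 192.168.0.0/24, and an address just outside 172.16/12.
for a in 192.168.0.1 192.168.0.42 192.168.0.0 192.168.0.255 172.32.0.1; do
    echo "$a/255.255.255.0: $(check_host "$a" 255.255.255.0)"
done
```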




  3.3.  Configuring IP Forwarding Policies

  At this point, you should have your kernel and other required packages
  installed.  All network IP addresses, gateway, and DNS addresses
  should be configured on your Linux MASQ server as well.  If you don't
  know how to configure your Linux network cards, please consult the
  HOWTOs listed in either the ``'' or ``'' sections.

  Now, the only thing left to do is to configure the IP firewalling
  tools to both FORWARD and MASQUERADE the appropriate packets to the
  appropriate machine:


       ** This can be accomplished in many different ways.  The
       following suggestions and examples worked for me, but you
       may have different ideas or needs.



       ** This section ONLY provides you with the bare minimum
       firewall ruleset to get the IP Masquerade feature working.
       Once IP MASQ has been successfully tested (as described
       later in this HOWTO), please refer to the ``'' section for
       more secure firewall rulesets.  In addition, check out the
       IPFWADM (2.0.x) and/or IPCHAINS(2.2.x) man pages for more
       details.




  3.3.1.  Linux 2.0.x Kernels


  Create the file /etc/rc.d/rc.firewall with the following initial
  SIMPLE ruleset:



  # rc.firewall - Initial SIMPLE IP Masquerade setup for 2.0.x kernels using IPFWADM
  #
  # Load all required IP MASQ modules
  #
  #   NOTE:  Only load the IP MASQ modules you need.  All current available IP MASQ modules
  #          are shown below but are commented out from loading.

  # Needed to initially load modules
  #
  /sbin/depmod -a

  # Supports the proper masquerading of FTP file transfers using the PORT method
  #
  /sbin/modprobe ip_masq_ftp

  # Supports the masquerading of RealAudio over UDP.  Without this module,
  #       RealAudio WILL function but in TCP mode.  This can cause a reduction
  #       in sound quality
  #
  #/sbin/modprobe ip_masq_raudio

  # Supports the masquerading of IRC DCC file transfers
  #
  #/sbin/modprobe ip_masq_irc

  # Supports the masquerading of Quake and QuakeWorld by default.  This module is
  #   for multiple users behind the Linux MASQ server.  If you are going to play
  #   Quake II and/or Quake I/II on other server ports, use the second example.
  #
  #Quake I / QuakeWorld (ports 26000 and 27000)
  #/sbin/modprobe ip_masq_quake
  #
  #Quake I / QuakeWorld / and Quake II (ports 26000, 27000, 27910)
  #/sbin/modprobe ip_masq_quake ports=26000,27000,27910

  # Supports the masquerading of the CuSeeme video conferencing software
  #
  #/sbin/modprobe ip_masq_cuseeme

  #Supports the masquerading of the VDO-live video conferencing software
  #
  #/sbin/modprobe ip_masq_vdolive


  #CRITICAL:  Enable IP forwarding since it is disabled by default.
  #
  #           Redhat Users:  you may try changing the options in /etc/sysconfig/network from:
  #
  #                       FORWARD_IPV4=false
  #                             to
  #                       FORWARD_IPV4=true
  #
  echo "1" > /proc/sys/net/ipv4/ip_forward

  # Dynamic IP users:
  #
  #   If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable this following
  #       option.  This enables dynamic-ip address hacking in IP MASQ, making the life
  #       with DialD and similar programs much easier.
  #
  #echo "1" > /proc/sys/net/ipv4/ip_dynaddr


  # MASQ timeouts
  #
  #   2 hrs timeout for TCP session timeouts
  #  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
  #  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
  #
  /sbin/ipfwadm -M -s 7200 10 60



  # Enable simple IP forwarding and Masquerading
  #
  #  NOTE:  The following is an example for an internal LAN address in the 192.168.0.x
  #         network with a 255.255.255.0 or a "24" bit subnet mask.
  #
  #         Please change this network number and subnet mask to match your internal LAN setup
  #
  ipfwadm -F -p deny
  ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0


  # DHCP:  For people who receive their external IP address from either DHCP or BOOTP
  #        such as ADSL or Cablemodem users, it is necessary to use the following
  #        before the deny command.  Replace "bootp_client_net_if_name" with
  #        the name of the interface that the DHCP/BOOTP server will put an address on.
  #        This will be something like "eth0", "eth1", etc.
  #
  #        This example is currently commented out.
  #
  #
  #ipfwadm -I -a accept -S 0/0 68 -D 0/0 67 -W bootp_client_net_if_name -P udp




  Once you are finished with editing the /etc/rc.d/rc.firewall ruleset,
  make it executable by typing in "chmod 700 /etc/rc.d/rc.firewall"



  You could have also enabled IP Masquerading on a PER MACHINE basis
  instead of the above method enabling an ENTIRE TCP/IP network.  For
  example, say if I wanted only the 192.168.0.2 and 192.168.0.8 hosts to
  have access to the Internet and NOT any of the other internal
  machines.  I would change the rules in the "Enable simple IP forwarding
  and Masquerading" section (shown above) of the /etc/rc.d/rc.firewall
  ruleset to:



       # Enable simple IP forwarding and Masquerading
       #
       #  NOTE:  The following is an example to only allow IP Masquerading for the 192.168.0.2
       #         and 192.168.0.8 machines with a 255.255.255.0 or a "24" bit subnet mask.
       #
       #         Please use the following in ADDITION to the simple ruleset above for specific
       #         MASQ networks.  Also change the network numbers and subnet masks to match your
       #         internal LAN setup
       #
       ipfwadm -F -p deny
       ipfwadm -F -a m -S 192.168.0.2/32 -D 0.0.0.0/0
       ipfwadm -F -a m -S 192.168.0.8/32 -D 0.0.0.0/0





  What appears to be a common mistake with new IP Masq users is to make
  the first command:

       ipfwadm -F -p masquerade



  Do NOT make your default policy be MASQUERADING.  Otherwise someone
  who can manipulate their routing tables will be able to tunnel
  straight back through your gateway, using it to masquerade their OWN
  identity!




  Again, you can add these lines to the /etc/rc.d/rc.firewall file, one
  of the other rc files you prefer, or do it manually every time you
  need IP Masquerade.

  Please see the ``'' section for a detailed guide on IPFWADM and a
  stronger IPFWADM ruleset example.




  3.3.2.  Linux 2.2.x Kernels


  Please note that IPFWADM is no longer the firewall tool for
  manipulating IP Masquerading rules for both the 2.1.x and 2.2.x
  kernels.  These new kernels now use the IPCHAINS tool.  For a more
  detailed reason for this change, please see the ``'' section.


  Create the file /etc/rc.d/rc.firewall with the following initial
  SIMPLE ruleset:



  #!/bin/sh
  #
  # rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
  #
  # Load all required IP MASQ modules
  #
  #   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
  #          are shown below but are commented out from loading.

  # Needed to initially load modules
  #
  /sbin/depmod -a

  # Supports the proper masquerading of FTP file transfers using the PORT method
  #
  /sbin/modprobe ip_masq_ftp

  # Supports the masquerading of RealAudio over UDP.  Without this module,
  #       RealAudio WILL function but in TCP mode.  This can cause a reduction
  #       in sound quality
  #
  #/sbin/modprobe ip_masq_raudio

  # Supports the masquerading of IRC DCC file transfers
  #
  #/sbin/modprobe ip_masq_irc

  # Supports the masquerading of Quake and QuakeWorld by default.  This module is
  #   for multiple users behind the Linux MASQ server.  If you are going to play
  #   Quake II and/or Quake I/II on other server ports, use the second example.
  #
  #Quake I / QuakeWorld (ports 26000 and 27000)
  #/sbin/modprobe ip_masq_quake
  #
  #Quake I / QuakeWorld / and Quake II (ports 26000, 27000, 27910)
  #/sbin/modprobe ip_masq_quake ports=26000,27000,27910

  # Supports the masquerading of the CuSeeme video conferencing software
  #
  #/sbin/modprobe ip_masq_cuseeme

  #Supports the masquerading of the VDO-live video conferencing software
  #
  #/sbin/modprobe ip_masq_vdolive


  #CRITICAL:  Enable IP forwarding since it is disabled by default.
  #
  #           Redhat Users:  you may try changing the options in /etc/sysconfig/network from:
  #
  #                       FORWARD_IPV4=false
  #                             to
  #                       FORWARD_IPV4=true
  #
  echo "1" > /proc/sys/net/ipv4/ip_forward


  # Dynamic IP users:
  #
  #   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
  #       option.  This enables dynamic-ip address hacking in IP MASQ, making the life
  #       with Diald and similar programs much easier.
  #
  #echo "1" > /proc/sys/net/ipv4/ip_dynaddr


  # MASQ timeouts
  #
  #   2 hrs timeout for TCP session timeouts
  #  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
  #  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
  #
  ipchains -M -S 7200 10 60


  # Enable simple IP forwarding and Masquerading
  #
  #  NOTE:  The following is an example for an internal LAN address in the 192.168.0.x
  #         network with a 255.255.255.0 or a "24" bit subnet mask.
  #
  #         Please change this network number and subnet mask to match your internal LAN setup
  #
  ipchains -P forward DENY
  ipchains -A forward -s 192.168.0.0/24 -j MASQ


  # DHCP:  For people who receive their external IP address from either DHCP or BOOTP
  #        such as ADSL or Cablemodem users, it is necessary to use the following
  #        before the deny command.  Replace "bootp_client_net_if_name" with
  #        the name of the interface that the DHCP/BOOTP server will put an address on.
  #        This will be something like "eth0", "eth1", etc.
  #
  #        This example is currently commented out.
  #
  #
  #ipchains -A input -j ACCEPT -w bootp_client_net_if_name -s 0/0 68 -d 0/0 67 -p udp





  Once you are finished with editing the /etc/rc.d/rc.firewall ruleset,
  make it executable by typing in chmod 700 /etc/rc.d/rc.firewall



  You could have also enabled IP Masquerading on a PER MACHINE basis
  instead of the above method enabling an ENTIRE TCP/IP network. For
  example, say if I wanted only the 192.168.0.2 and 192.168.0.8 hosts to
  have access to the Internet and NOT any of the other internal
  machines. I would change the rules in the "Enable simple IP forwarding
  and Masquerading" section (shown above) of the /etc/rc.d/rc.firewall
  ruleset to:




       #!/bin/sh
       #
       # Enable simple IP forwarding and Masquerading
       #
       #  NOTE:  The following is an example to only allow IP Masquerading for the 192.168.0.2
       #         and 192.168.0.8 machines with a 255.255.255.0 or a "24" bit subnet mask.
       #
       #         Please change this network number and subnet mask to match your internal LAN setup
       #
       ipchains -P forward DENY
       ipchains -A forward -s 192.168.0.2/32 -j MASQ
       ipchains -A forward -s 192.168.0.8/32 -j MASQ



  What appears to be a common mistake with new IP Masq users is to make
  the first command:

       ipchains -P forward MASQ

  Do NOT make your default policy be MASQUERADING.  Otherwise someone
  who can manipulate their routing tables will be able to tunnel
  straight back through your gateway, using it to masquerade their OWN
  identity!



  Again, you can add these lines to the /etc/rc.d/rc.firewall file, one
  of the other rc files you prefer, or do it manually every time you
  need IP Masquerade.

  Please see the ``'' section for a detailed guide on IPCHAINS and a
  strong IPCHAINS ruleset example.  For additional details on IPCHAINS
  usage, please refer to the Linux IP CHAINS HOWTO.
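  The "default policy MASQUERADE" mistake applies to both the IPFWADM
  (2.0.x) and the IPCHAINS (2.2.x) rulesets above.  As an added example
  that is not part of this HOWTO, the following shell lint reads an
  rc.firewall ruleset on standard input and reports that mistake, any
  MASQ rule whose source is not restricted to an RFC 1918 network, and a
  missing DENY default policy.  The function names and the two constructed
  sample rulesets are this example's own; it assumes sources are written
  with a prefix length (192.168.0.0/24), as in this HOWTO.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: lint an rc.firewall ruleset (read from
# standard input) for the "default policy MASQUERADE" mistake and for MASQ
# rules that are not limited to a private source network.  Understands the
# ipfwadm (2.0.x) and ipchains (2.2.x) forms shown in this HOWTO.  All names
# below are this example's own.

# is_private_src ADDR[/BITS] -> 0 if the source spec lies entirely inside one
# of the RFC 1918 blocks; a prefix shorter than the block (192.168.0.0/8) fails.
is_private_src() {
    case "$1" in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    case "${1%%/*}" in
        10.*)                                   [ "$bits" -ge 8 ] ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  [ "$bits" -ge 12 ] ;;
        192.168.*)                              [ "$bits" -ge 16 ] ;;
        *)                                      return 1 ;;
    esac
}

# arg_after FLAG WORD... -> prints the word that follows FLAG (empty if absent)
arg_after() {
    flag=$1; shift
    while [ $# -gt 1 ]; do
        if [ "$1" = "$flag" ]; then echo "$2"; return 0; fi
        shift
    done
    return 0
}

# lint_masq_rules < FILE -> prints one finding per line; the exit status is
# the number of findings, so 0 means the ruleset is clean
lint_masq_rules() {
    findings=0; lineno=0; have_deny=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line
        [ $# -eq 0 ] && continue
        policy=""; target=""; src=""
        case "${1##*/}" in                          # strip any /sbin/ prefix
            \#*)     continue ;;                    # comment line
            ipfwadm)                                # 2.0.x: -F -p POLICY / -F -a m -S SRC
                if [ "$2" = "-F" ] && [ "$3" = "-p" ]; then policy=$4; fi
                if [ "$2" = "-F" ] && [ "$3" = "-a" ]; then
                    target=$4; src=$(arg_after -S "$@")
                fi ;;
            ipchains)                               # 2.2.x: -P forward POLICY / -A forward -s SRC -j MASQ
                if [ "$2" = "-P" ] && [ "$3" = "forward" ]; then policy=$4; fi
                if [ "$2" = "-A" ] && [ "$3" = "forward" ]; then
                    target=$(arg_after -j "$@"); src=$(arg_after -s "$@")
                fi ;;
            *)       continue ;;                    # modprobe, echo, depmod, ...
        esac
        case "$policy" in
            [Mm]*)   echo "line $lineno: default forward policy is MASQUERADE; make it DENY"
                     findings=$((findings + 1)) ;;
            [DdRr]*) have_deny=1 ;;
        esac
        case "$target" in
            m|masq*|MASQ)
                if [ -z "$src" ]; then
                    echo "line $lineno: MASQ rule has no source; it masquerades any address"
                    findings=$((findings + 1))
                elif ! is_private_src "$src"; then
                    echo "line $lineno: MASQ rule source $src is not an RFC 1918 network"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    if [ "$have_deny" -eq 0 ]; then
        echo "no DENY (or REJECT) default policy for forwarded packets"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample rulesets (not from the HOWTO): one written as this
# section recommends, one showing the mistakes the lint is meant to catch.
sample_good_rules() {
    cat <<'EOF'
# minimal 2.2.x ruleset, as recommended
/sbin/modprobe ip_masq_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
ipchains -M -S 7200 10 60
ipchains -P forward DENY
ipchains -A forward -s 192.168.0.0/24 -j MASQ
EOF
}
sample_bad_rules() {
    cat <<'EOF'
# default policy MASQ, an unrestricted source, no source, and a /8 on 192.168
ipchains -P forward MASQ
ipchains -A forward -s 0.0.0.0/0 -j MASQ
ipchains -A forward -j MASQ
ipfwadm -F -a m -S 192.168.0.0/8 -D 0.0.0.0/0
EOF
}

sample_bad_rules | lint_masq_rules; echo "findings: $?"
```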





  4.  Configuring the other internal to-be MASQed machines

  Besides setting the appropriate IP address for each internal MASQed
  machine, you should also set each internal machine with the
  appropriate gateway IP address of the Linux MASQ server and required
  DNS servers. In general, this is rather straightforward. You simply
  enter the address of your Linux host (usually 192.168.0.1) as the
  machine's gateway address.

  For the Domain Name Service, you can add in any DNS servers that are
  available. The most apparent one should be the one that your Linux
  server is using. You can optionally add any "domain search" suffix as
  well.

  After you have properly reconfigured the internal MASQed machines,
  remember to restart their appropriate network services or reboot them.

  The following configuration instructions assume that you are using a
  Class C network with 192.168.0.1 as your Linux MASQ server's address.
  Please note that 192.168.0.0 and 192.168.0.255 are reserved TCP/IP
  addresses.


  As it stands, the following Platforms have been tested as internal
  MASQed machines:


  o  Linux 1.2.x, 1.3.x, 2.0.x, 2.1.x, 2.2.x

  o  Solaris 2.51, 2.6, 7

  o  Windows 95, OSR2, 98

  o  Windows NT 3.51, 4.0, 2000 (both workstation and server)

  o  Windows For Workgroup 3.11 (with TCP/IP package)

  o  Windows 3.1 (with the Netmanage Chameleon package)

  o  Novell 4.01 Server with the TCP/IP service


  o  OS/2 (including Warp v3)

  o  Macintosh OS (with MacTCP or Open Transport)

  o  DOS (with NCSA Telnet package, DOS Trumpet works partially)

  o  Amiga (with AmiTCP or AS225-stack)

  o  VAX Stations 3520 and 3100 with UCX (TCP/IP stack for VMS)

  o  Alpha/AXP with Linux/Redhat

  o  SCO Openserver (v3.2.4.2 and 5)

  o  IBM RS/6000 running AIX


  4.1.  Configuring Microsoft Windows 95


  1. If you haven't installed your network card and adapter driver, do
     so now.  Description of this is beyond the scope of this document.


  2. Go to the 'Control Panel' --> 'Network'.


  3. Click on Add --> Protocol --> Manufacture: Microsoft --> Protocol:
     'TCP/IP protocol' if you don't already have it.


  4. Highlight the TCP/IP item bound to your Windows95 network card and
     select 'Properties'.  Now goto the 'IP Address' tab and set IP
     Address to 192.168.0.x, (1 < x < 255), and then set the Subnet Mask
     to 255.255.255.0


  5. Now select the "Gateway" tab and add 192.168.0.1 as your gateway
     under 'Gateway' and hit "Add".


  6. Under the 'DNS Configuration' tab, make sure to put in a name for
     this machine and enter in your official domain name.  If you don't
     have your own domain, put in the domain of your ISP.  Now, add all
     of the DNS server that your Linux host uses (usually found in
     /etc/resolv.conf).  Usually these DNS servers are located at your
     ISP though you can be running either your own CACHING or
     Authoritative DNS server on your Linux MASQ server as well.
     Optionally, you can add any appropriate domain search suffixes as
     well.


  7. Leave all the other settings as they are unless you know what
     you're doing.


  8. Click 'OK' on all dialog boxes and restart system.


  9. Ping the linux box to test the network connection: 'Start/Run',
     type: ping 192.168.0.1
     (This is only an INTERNAL LAN connection test, you can't ping the
     outside world yet.)  If you don't see "replies" to your PINGs,
     please verify your network configuration.


  10. You can optionally create a HOSTS file in the C:\Windows directory
      so that you can ping the "hostname" of the machines on your LAN
      without the need for a DNS server.  There is an example called
      HOSTS.SAM in the C:\windows directory.


  4.2.  Configuring Windows NT


  1. If you haven't installed your network card and adapter driver, do
     so now.  Description of this is beyond the scope of this document.


  2. Go to 'Control Panel' --> 'Network' --> Protocols


  3. Add the TCP/IP Protocol and related Components from the 'Add
     Software' menu if you don't have TCP/IP service installed already.


  4. Under 'Network Software and Adapter Cards' section, highlight the
     'TCP/IP Protocol' in the 'Installed Network Software' selection
     box.


  5. In 'TCP/IP Configuration', select the appropriate adapter, e.g.
     [1]Novell NE2000 Adapter.  Then set the IP Address to 192.168.0.x
     (1 < x < 255), then set Subnet Mask to 255.255.255.0 and Default
     Gateway to 192.168.0.1


  6. Do not enable 'Automatic DHCP Configuration', put anything in the
     'WINS Server' input areas, or enable 'IP Forwarding' unless you're
     in a Windows NT domain and you know EXACTLY what you're doing.


  7. Click 'DNS', fill in the appropriate information that your Linux
     host uses (usually found in /etc/resolv.conf) and then click 'OK'
     when you're done.


  8. Click 'Advanced', be sure to DISABLE 'DNS for Windows Name
     Resolution' and 'Enable LMHOSTS lookup' unless you know what these
     options do.  If you want to use a LMHOSTS file, it is stored in
     C:\winnt\system32\drivers\etc.


  9. Click 'OK' on all dialog boxes and restart system.


  10. Ping the linux box to test the network connection: 'File/Run',
      type: ping 192.168.0.1
      (This is only an INTERNAL LAN connection test, you can't ping the
      outside world yet.) If you don't see "replies" to your PINGs,
      please verify your network configuration.


  4.3.  Configuring Windows for Workgroup 3.11


  1. If you haven't installed your network card and adapter driver, do
     so now.  Description of this is beyond the scope of this document.

  2. Install the TCP/IP 32b package if you don't have it already.


  3. In 'Main'/'Windows Setup'/'Network Setup', click on 'Drivers'.


  4. Highlight 'Microsoft TCP/IP-32 3.11b' in the 'Network Drivers'
     section, click 'Setup'.


  5. Set the IP Address to 192.168.0.x (1 < x < 255), then set the
     Subnet Mask to 255.255.255.0 and Default Gateway to 192.168.0.1


  6. Do not enable 'Automatic DHCP Configuration' or put anything in
     those 'WINS Server' input areas unless you're in a Windows NT
     domain and you know what you're doing.


  7. Click 'DNS', fill in the appropriate information your Linux host
     uses (usually found in /etc/resolv.conf).  Then click 'OK' when
     you're done with it.


  8. Click 'Advanced', check 'Enable DNS for Windows Name Resolution'
     and 'Enable LMHOSTS lookup' found in c:\windows.


  9. Click 'OK' on all dialog boxes and restart system.


  10. Ping the linux box to test the network connection: 'File/Run',
      type: ping 192.168.0.1


  4.4.  Configuring UNIX Based Systems


  1. If you haven't installed your network card and recompiled your
     kernel with the appropriate adapter driver, do so now.  Description
     of this is beyond the scope of this document.

  2. Install TCP/IP networking, such as the net-tools package, if you
     don't have it already.


  3. Set IPADDR to 192.168.0.x (1 < x < 255), then set NETMASK to
     255.255.255.0, GATEWAY to 192.168.0.1, and BROADCAST to
     192.168.0.255

     For example with Redhat Linux systems, you can edit the
     /etc/sysconfig/network-scripts/ifcfg-eth0 file, or simply do it
     through the Control Panel.  These changes are different for other
     UNIXes (such as SunOS, BSDi, Slackware Linux, Solaris, SuSe, Debian,
     etc.).  Please refer to your UNIX documentation for more
     information.


  4. Add your domain name service (DNS) and domain search suffix in
     /etc/resolv.conf and for the appropriate UNIX versions, edit the
     /etc/nsswitch.conf file to enable DNS services.


  5. You may want to update your /etc/networks file depending on your
     settings.


  6. Restart the appropriate services, or simply restart your system.


  7. Issue a ping command: ping 192.168.0.1  to test the connection to
     your gateway machine.
     (This is only an INTERNAL LAN connection test, you can't ping the
     outside world yet.)  If you don't see "replies" to your PINGs,
     please verify your network configuration.


  4.5.  Configuring DOS using NCSA Telnet package


  1. If you haven't installed your network card, do so now.  Description
     of this is beyond the scope of this document.


  2. Load the appropriate packet driver. For example: using a NE2000
     Ethernet card set for I/O port 300 and IRQ 10, issue nwpd 0x60 10
     0x300


  3. Make a new directory, and then unpack the NCSA Telnet package:
     pkunzip tel2308b.zip


  4. Use a text editor to open the config.tel file


  5. Set myip=192.168.0.x (1 < x < 255), and netmask=255.255.255.0


  6. In this example, you should set hardware=packet, interrupt=10,
     ioaddr=60


  7. You should have at least one individual machine specification set
     as the gateway, i.e. the Linux host:



       name=default
       host=yourlinuxhostname
       hostip=192.168.0.1
       gateway=1





  8. Have another specification for a domain name service:



       name=dns.domain.com ; hostip=123.123.123.123; nameserver=1




  Note: substitute the appropriate information about the DNS that your
  Linux host uses.


  9. Save your config.tel file


  10. Telnet to the linux box to test the network connection: telnet
      192.168.0.1  If you don't receive a LOGIN prompt, please verify
      your network configuration.


  4.6.  Configuring MacOS Based System Running MacTCP


  1. If you haven't installed the appropriate driver software for your
     Ethernet adapter, do so now.  Description of this is beyond the
     scope of this document.


  2. Open the MacTCP control panel.  Select the appropriate network
     driver (Ethernet, NOT EtherTalk) and click on the 'More...' button.


  3. Under 'Obtain Address:', click 'Manually'.


  4. Under 'IP Address:', select class C from the popup menu. Ignore the
     rest of this section of the dialog box.


  5. Fill in the appropriate information under 'Domain Name Server
     Information:'.


  6. Under 'Gateway Address:', enter 192.168.0.1


  7. Click 'OK' to save the settings.  In the main window of the MacTCP
     control panel, enter the IP address of your Mac (192.168.0.x, 1 < x
     < 255) in the 'IP Address:' box.


  8. Close the MacTCP control panel.  If a dialog box pops up notifying
     you to do so, restart the system.


  9. You may optionally ping the Linux box to test the network
     connection.  If you have the freeware program MacTCP Watcher, click
     on the 'Ping' button, and enter the address of your Linux box
     (192.168.0.1) in the dialog box that pops up.  (This is only an
     INTERNAL LAN connection test, you can't ping the outside world
     yet.)  If you don't see "replies" to your PINGs, please verify your
     network configuration.


  10. You can optionally create a Hosts file in your System Folder so
      that you can use the hostnames of the machines on your LAN.  The
      file should already exist in your System Folder, and should
      contain some (commented-out) sample entries which you can modify
      according to your needs.



  4.7.  Configuring MacOS Based System Running Open Transport


  1. If you haven't installed the appropriate driver software for your
     Ethernet adapter, do so now.  Description of this is beyond the
     scope of this document.

  2. Open the TCP/IP Control Panel and choose 'User Mode ...' from the
     Edit menu. Make sure the user mode is set to at least 'Advanced'
     and click the 'OK' button.


  3. Choose 'Configurations...' from the File menu.  Select your
     'Default' configuration and click the 'Duplicate...' button.  Enter
     'IP Masq' (or something to let you know that this is a special
     configuration) in the 'Duplicate Configuration' dialog; it will
     probably say something like 'Default copy'.  Then click the 'OK'
     button, and the 'Make Active' button.


  4. Select 'Ethernet' from the 'Connect via:' pop-up.


  5. Select the appropriate item from the 'Configure:' pop-up.  If you
     don't know which option to choose, you probably should re-select
     your 'Default' configuration and quit.  I use 'Manually'.


  6. Enter the IP address of your Mac (192.168.0.x, 1 < x < 255) in the
     'IP Address:' box.


  7. Enter 255.255.255.0 in the 'Subnet mask:' box.


  8. Enter 192.168.0.1 in the 'Router address:' box.


  9. Enter the IP addresses of your domain name servers in the 'Name
     server addr.:' box.


  10. Enter the name of your Internet domain (e.g. 'microsoft.com') in
      the 'Starting domain name' box under 'Implicit Search Path:'.


  11. The following procedures are optional.  Incorrect values may cause
      erratic behavior.  If you're not sure, it's probably better to
      leave them blank, unchecked and/or un-selected.  Remove any
      information from those fields, if necessary.  As far as I know
      there is no way through the TCP/IP dialogs to tell the system not
      to use a previously selected alternate "Hosts" file.  If you know,
      I would be interested.

      Check '802.3' if your network requires 802.3 frame types.


  12. Click the 'Options...' button to make sure that TCP/IP is active.
      I use the 'Load only when needed' option.  If you run and quit
      TCP/IP applications many times without rebooting your machine,
      you may find that unchecking the 'Load only when needed' option
      will prevent/reduce the effects on your machine's memory
      management.  With the item unchecked, the TCP/IP protocol stacks
      are always loaded and available for use.  If checked, the TCP/IP
      stacks are automatically loaded when needed and un-loaded when
      not.  It's the loading and unloading process that can cause your
      machine's memory to become fragmented.



  13. You may ping the Linux box to test the network connection.  If you
      have the freeware program MacTCP Watcher, click on the 'Ping'
      button, and enter the address of your Linux box (192.168.0.1) in
      the dialog box that pops up.  (This is only an INTERNAL LAN
      connection test, you can't ping the outside world yet.)  If you
      don't see "replies" to your PINGs, please verify your network
      configuration.


  14. You can optionally create a Hosts file in your System Folder so
      that you can use the hostnames of the machines on your LAN.  The
      file may or may not already exist in your System Folder.  If so,
      it should contain some (commented-out) sample entries which you
      can modify according to your needs.  If not, you can get a copy
      of the file from a system running MacTCP, or just create your own
      (it follows a subset of the Unix /etc/hosts file format, described
      in RFC952).  Once you've created the file, open the TCP/IP control
      panel, click on the 'Select Hosts File...' button, and open the
      Hosts file.


  15. Click the close box or choose 'Close' or 'Quit' from the File
      menu, and then click the 'Save' button to save the changes you
      have made.


  16. The changes take effect immediately, but rebooting the system
      won't hurt.


  4.8.  Configuring Novell network using DNS


  1. If you haven't installed the appropriate driver software for your
     Ethernet adapter, do so now.  Description of this is beyond the
     scope of this document.


  2. Download tcpip16.exe from The Novell LanWorkPlace page
     <ftp.novell.com/pub/updates/unixconn/lwp5>


  3. Edit c:\nwclient\startnet.bat:



     SET NWLANGUAGE=ENGLISH
     LH LSL.COM
     LH KTC2000.COM
     LH IPXODI.COM
     LH tcpip
     LH VLM.EXE
     F:




  4. Edit c:\nwclient\net.cfg:



     Link Driver KTC2000
             Protocol IPX 0 ETHERNET_802.3
             Frame ETHERNET_802.3
             Frame Ethernet_II
             FRAME Ethernet_802.2

     NetWare DOS Requester
                FIRST NETWORK DRIVE = F
                USE DEFAULTS = OFF
                VLM = CONN.VLM
                VLM = IPXNCP.VLM
                VLM = TRAN.VLM
                VLM = SECURITY.VLM
                VLM = NDS.VLM
                VLM = BIND.VLM
                VLM = NWP.VLM
                VLM = FIO.VLM
                VLM = GENERAL.VLM
                VLM = REDIR.VLM
                VLM = PRINT.VLM
                VLM = NETX.VLM

     Link Support
             Buffers 8 1500
             MemPool 4096

     Protocol TCPIP
             PATH SCRIPT     C:\NET\SCRIPT
             PATH PROFILE    C:\NET\PROFILE
             PATH LWP_CFG    C:\NET\HSTACC
             PATH TCP_CFG    C:\NET\TCP
             ip_address      192.168.0.xxx
             ip_router       192.168.0.1




  Change the IP address in the above "ip_address" field (192.168.0.x,
  1 < x < 255) and finally create c:\bin\resolv.cfg:

  SEARCH DNS HOSTS SEQUENTIAL
  NAMESERVER xxx.xxx.xxx.xxx
  NAMESERVER yyy.yyy.yyy.yyy



  5. Now edit the above "NAMESERVER" entries and replace them with the
     correct IP addresses for your local DNS server.


  6. Issue a ping command: ping 192.168.0.1  to test the connection to
     your gateway machine.
     (This is only an INTERNAL LAN connection test, you can't ping the
     outside world yet.)  If you don't see "replies" to your PINGs,
     please verify your network configuration.



  4.9.  Configuring OS/2 Warp


  1. If you haven't installed the appropriate driver software for your
     Ethernet adapter, do so now.  Description of this is beyond the
     scope of this document.


  2. Install the TCP/IP protocol if you don't have it already.


  3. Go to Programs/TCP/IP (LAN) / TCP/IP Settings


  4. In 'Network' add your TCP/IP Address (192.168.0.x) and set your
     netmask (255.255.255.0)


  5. Under 'Routing' press 'Add'. Set the Type to 'default' and type the
     IP Address of your Linux Box in the Field 'Router Address'.
     (192.168.0.1).


  6. Set the same DNS (Nameserver) Address that your Linux host uses in
     'Hosts'.


  7. Close the TCP/IP control panel. Say yes to the following
     question(s).



  8. Reboot your system


  9. You may ping the Linux box to test the network configuration. Type
     'ping 192.168.0.1' in an 'OS/2 Command prompt Window'.  When ping
     replies are received, all is ok.


  4.10.  Configuring Other Systems

  The same logic should apply to setting up other platforms.  Consult
  the sections above.  If you're interested in writing about any
  systems that have not been covered yet, please send detailed setup
  instructions to ambrose@writeme.com and dranch@trinnet.net.


  5.  Testing IP Masquerade



  Finally, it's time to give IP Masquerading an official try after all
  this hard work.  If you haven't already rebooted your Linux box, do so
  to make sure the machine boots ok, executes the /etc/rc.d/rc.firewall
  ruleset, etc.  Next, make sure that both the internal LAN connection
  and the connection of your Linux host to the Internet are okay.

  Now do the following:


  o  One:  From an internal MASQed computer, try pinging your local IP
     address (i.e. ping 192.168.0.10 ).  This will verify that TCP/IP is
     correctly working on the local machine.  If this doesn't work, make
     sure that TCP/IP is correctly configured on the MASQed PC as
     described earlier in this HOWTO.


  o  Two:  On the MASQ server itself, ping the internal IP address of
     the MASQ network (i.e. ping 192.168.0.1).  Then ping the external
     IP address connected to the Internet.  This address might be your
     PPP, Ethernet, etc. address connected to your ISP.  If you don't
     know what this IP address is, run the Linux command
     "/sbin/ifconfig" on the MASQ server to get the Internet address.
     This will confirm that the MASQ server has full network
     connectivity.


  o  Three:  Back on an internal MASQed computer, try pinging the IP
     address of the Masquerading Linux box's internal Ethernet card
     (i.e. ping 192.168.0.1).  This will prove that your internal
     network and routing are ok.  If this fails, make sure the Ethernet
     cards of the MASQ server and the MASQed computer have "link".  This
     is usually an LED on the back of each Ethernet card and also on
     the Ethernet hub/switch (if you are using one).


  o  Four:  From an internal MASQed computer, ping the IP address of the
     MASQ server's external TCP/IP address obtained in item TWO above.
     This address might be your PPP, Ethernet, etc. address connected to
     your ISP.  This ping test will prove that masquerading is working
     (ICMP Masquerading specifically).  If it doesn't work, make sure
     that you enabled "ICMP Masquerading" in the kernel and "IP
     Forwarding" in your /etc/rc.d/rc.firewall script.  Also make sure
     that the /etc/rc.d/rc.firewall ruleset loaded ok.  Try running the
     /etc/rc.d/rc.firewall script manually for now to see if it runs ok.

  If you still can't get things to work, take a look at the output from

  o  "ifconfig" : Make sure your Internet connection is UP and you have
     the correct IP address for the Internet connection


  o  "netstat -rn" : Make sure your default gateway (the line whose
     Destination is 0.0.0.0 and whose Gateway column holds an IP
     address) is set


  o  "cat /proc/sys/net/ipv4/ip_forward" : Make sure it says "1" so that
     Linux forwarding is enabled


  o  "/sbin/ipfwadm -F -l" for 2.0.x or "/sbin/ipchains -F -L" for 2.2.x
     users : Make sure you have MASQ enabled


  o  Five:  From an internal MASQed computer, now ping a static TCP/IP
     address out on the Internet (i.e. ping 152.19.254.81, which is
     http://www.metalab.unc.edu, home of the LDP).  If this works, that
     means that ICMP Masquerading is working over the Internet.  If it
     didn't work, again check your Internet connection.  If this still
     doesn't work, make sure you are using the simple rc.firewall
     ruleset and that you have ICMP Masquerading compiled into the Linux
     kernel.


  o  Six:  Now try TELNETing to a remote IP address (i.e. telnet
     152.2.254.81, which is www.metalab.unc.edu; note that this might
     take a while to get a login prompt since this is a VERY busy
     server).  Did you get a login prompt after a while?  If that
     worked, that means that TCP Masquerading is running ok.  If not,
     try TELNETing to some other hosts you think will support TELNET
     like 198.182.196.55 (www.linux.org).  If this still doesn't work,
     make sure you are using the simple rc.firewall ruleset for now.


  o  Seven:  Now try TELNETing to a remote HOSTNAME (i.e. "telnet
     www.metalab.unc.edu", which is 152.2.254.81).  If this works, this
     means that DNS is working fine as well.  If this didn't work but
     step FOUR did work, make sure that you have valid DNS servers
     configured on your MASQed computer.


  o  Eight:  As a last test, try browsing some 'INTERNET' WWW sites on
     one of your MASQed machines, and see if you can reach them.  For
     example, access the Linux Documentation Project site.  If this
     works, you can be fairly certain that everything is working FINE!

  If you see The Linux Documentation Project homepage, then
  CONGRATULATIONS! It's working!  If that WWW site comes up correctly,
  then all other standard network tools such as PING, TELNET, SSH, and,
  with their related IP MASQ modules loaded, FTP, Real Audio, IRC DCCs,
  Quake I/II, CuSeeme, VDOLive, etc. should work fine!  If FTP, IRC,
  RealAudio, Quake I/II, etc. aren't working or are performing poorly,
  make sure their associated Masquerading modules are loaded by running
  "lsmod" and also be sure you are loading the module with any non-
  default server ports.  If you don't see your needed module, make sure
  your /etc/rc.d/rc.firewall script is loading them (i.e. remove the #
  character for a given IP MASQ module).
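  The four "take a look at the output from" checks above, as an added
  example script that is not part of this HOWTO: each check is a shell
  function that takes the command output as text, so it can be exercised
  here against constructed sample listings; on a live MASQ server you
  would feed it the real output, e.g. forwarding_enabled "$(cat
  /proc/sys/net/ipv4/ip_forward)".  The sample listings are written in
  the format I recall ipfwadm -F -l (type column "acc/m" for a
  masquerade rule) and ipchains -L forward -n (target "MASQ") printing;
  they are not captured from a real host.

```shell
#!/bin/sh
# Added example, not the HOWTO's own code: the Section 5 diagnostics as
# functions over command output.  All sample outputs below are constructed.

# 1. /proc/sys/net/ipv4/ip_forward must read exactly "1".
forwarding_enabled() {
    [ "$1" = "1" ]
}

# 2. "netstat -rn": print the gateway of the default route and fail if
#    there is none (no default route means no way out to the ISP).
default_gateway() {
    gw=$(printf '%s\n' "$1" |
         awk '$1 == "0.0.0.0" || $1 == "default" { print $2; exit }')
    [ -n "$gw" ] || return 1
    printf '%s\n' "$gw"
}

# 3. "ifconfig": is interface $1 flagged UP in the output passed as $2?
interface_up() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == ifc                       { inblock = 1; next }
        /^[^ ]/                         { inblock = 0 }
        inblock && /(^|[ ])UP([ ]|$)/   { found = 1 }
        END                             { exit found ? 0 : 1 }'
}

# 4. "ipfwadm -F -l" (2.0.x) or "ipchains -L forward -n" (2.2.x): is there
#    a masquerade rule for network $1?  ipfwadm marks one with type "acc/m",
#    ipchains with the target "MASQ" (formats as I recall them).
masq_rule_present() {
    printf '%s\n' "$2" | awk -v net="$1" '
        ($1 == "acc/m" || $1 == "MASQ") && index($0, net) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run all four checks; report each failure and return how many failed.
masq_checks() {
    fails=0
    forwarding_enabled "$1" ||
        { echo "ip_forward is not 1: Linux will not route for the LAN"; fails=$((fails + 1)); }
    default_gateway "$2" >/dev/null ||
        { echo "no default gateway in netstat -rn"; fails=$((fails + 1)); }
    interface_up ppp0 "$3" ||
        { echo "ppp0 is not UP"; fails=$((fails + 1)); }
    masq_rule_present 192.168.0.0/24 "$4" ||
        { echo "no masquerade rule for 192.168.0.0/24"; fails=$((fails + 1)); }
    return $fails
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_IP_FORWARD=1

SAMPLE_NETSTAT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U      1500 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U      3584 0          0 lo
0.0.0.0         10.0.0.1        0.0.0.0         UG     1500 0          0 ppp0'

SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.2  P-t-P:10.0.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

SAMPLE_IPFWADM='IP firewall forward rules, default policy: deny
type  prot source               destination          ports
acc/m all  192.168.0.0/24       anywhere             n/a
rej   all  anywhere             anywhere             n/a'

SAMPLE_IPCHAINS='Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24        anywhere              n/a'

if masq_checks "$SAMPLE_IP_FORWARD" "$SAMPLE_NETSTAT" "$SAMPLE_IFCONFIG" "$SAMPLE_IPFWADM"; then
    echo "all four Section 5 checks pass on the sample output"
fi
```

  The functions deliberately take text rather than running the commands
  themselves, so the same checks can be run over output pasted from a
  machine that has no shell access to the Internet yet.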



  6.  Other IP Masquerade Issues and Software Support



  6.1.  Problems with IP Masquerade

  Some TCP/IP application protocols will not currently work with Linux
  IP Masquerading because they either assume things about port numbers
  or encode TCP/IP addresses and/or port numbers in their data stream.
  These latter protocols need specific proxies or IP MASQ modules built
  into the masquerading code to make them work.



  6.2.  Incoming services

  By default, Linux IP Masquerading cannot handle incoming services at
  all but there are a few ways of allowing them.

  If you do not require high levels of security then you can simply
  forward or redirect IP ports.  There are various ways of doing this
  though the most stable method is to use IPPORTFW.  For more
  information, please see the ``'' section.

  If you wish to have some level of authorization on incoming
  connections then you will need to either configure TCP-wrappers or
  Xinetd to then allow only specific IP addresses through.  The TIS
  Firewall Toolkit is a good place to look for tools and information.

  More details on incoming security can be found in the TrinityOS
  <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri> document
  and at IP Masquerade Resource <http://ipmasq.cjb.net>.





  6.3.  Supported Client Software and Other Setup Note




  The Linux Masquerade Application list
  <http://dijon.nais.com/~nevo/masq/> has a lot of good information
  regarding applications that work through Linux IP masquerading.
  Unfortunately, this service hasn't been well maintained, but if you
  are interested in taking over this site, please email either
  ambrose@writeme.com and/or dranch@trinnet.net.


  Generally, any application that uses standard TCP and UDP should work.
  If you have any suggestions, hints, etc., please see the IP Masquerade
  Resource <http://ipmasq.cjb.net/> for more details.


  6.3.1.  Network Clients that -Work- with IP Masquerade

  General Clients:


     Archie
        all supported platforms, file searching client (not all archie
        clients are supported)


     FTP
        all supported platforms, with the ip_masq_ftp.o kernel module
        for active FTP connections.


     Gopher client
        all supported platforms


     HTTP
        all supported platforms, WWW surfing


     IRC
        all IRC clients on various supported platforms, DCC is supported
        via the ip_masq_irc.o module


     NNTP (USENET)
        all supported platforms, USENET news client


     PING
        all platforms, with ICMP Masquerading kernel option


     POP3
        all supported platforms, email clients


     SSH
        all supported platforms, Secure TELNET/FTP clients


     SMTP
        all supported platforms, email servers like Sendmail, Qmail,
        PostFix, etc.


     TELNET
        all supported platforms, remote session


     TRACEROUTE
        UNIX and Windows based platforms, some variations may not work


     VRML
        Windows(possibly all supported platforms), virtual reality
        surfing


     WAIS client
        all supported platforms


  Multimedia and Communication Clients:


     Alpha Worlds
        Windows, Client-Server 3D chat program


     CU-SeeMe
        all supported platforms, with the ip_masq_cuseeme module loaded,
        please see the ``'' section for more details.


     ICQ
        all supported clients.  Requires the Linux kernel to be compiled
        with IPPORTFW support and ICQ to be configured to be behind a
        NON-SOCKS proxy.  A full description of this configuration is in
        the ``'' section.


     Internet Phone 3.2
        Windows, Peer-to-peer audio communications, people can reach you
        only if you initiate the call, but people cannot call you
        without a specific port forwarding setup.  See the ``'' section
        for more details.


     Internet Wave Player
        Windows, network streaming audio


     Powwow
        Windows, Peer-to-peer Text audio whiteboard communications,
        people can reach you only if you initiate the call, but people
        cannot call you without a specific port forwarding setup.  See
        the ``'' section for more details.


     Real Audio Player
        Windows, network streaming audio, higher quality available with
        the ip_masq_raudio UDP module


     True Speech Player 1.1b
        Windows, network streaming audio


     VDOLive
        Windows, with the ip_masq_vdolive patch


     Worlds Chat 0.9a
        Windows, Client-Server 3D chat program



  Games - See the ``'' section for more details on the LooseUDP patch

     Battle.net
        Works but requires TCP ports 116 and 118 and UDP port 6112
        IPPORTFWed to the game machine.  See the ``'' section for more
        details.  Please note that FSGS and Bnetd servers still require
        IPPORTFW since they haven't been re-written to be NAT-friendly.


     BattleZone 1.4
        Works with LooseUDP patch and new NAT-friendly .DLLs from
        Activision


     Dark Reign 1.4
        Works with LooseUDP patch or requires TCP ports 116 and 118 and
        UDP port 6112 IPPORTFWed to the game machine.  See the ``''
        section for more details.


     Diablo
        Works with LooseUDP patch or requires TCP ports 116 and 118 and
        UDP port 6112 IPPORTFWed to the game machine.  See the ``''
        section for more details.


     Heavy Gear 2
        Works with LooseUDP patch or requires TCP ports 116 and 118 and
        UDP port 6112 IPPORTFWed to the game machine.  See the ``''
        section for more details.


     Quake I or II
        Works right out of the box but requires the ip_masq_quake module
        if there are more than one Quake I/II player behind a MASQ box.
        Also, this module only supports Quake I and QuakeWorld by
        default.  If you need to support Quake II or non-default server
        ports, please see the module install section of the ``'' and
        ``'' rulesets.


     StarCraft
        Works with the LooseUDP patch and IPPORTFWing TCP and UDP ports
        6112 to the internal MASQed game machine.  See the ``'' section
        for more details.


     WorldCraft
        Works with LooseUDP patch


  Other Clients:


     Linux net-acct package
        Linux, network administration-account package


     NCSA Telnet 2.3.08
        DOS, a suite containing telnet, ftp, ping, etc.


     PC-anywhere for Windows
        MS-Windows, remotely controls a PC over TCP/IP; only works as a
        client, not as a host, without a specific port forwarding
        setup.  See the ``'' section for more details.


     Socket Watch
        uses NTP - network time protocol


  6.3.2.  Clients that do not Work:



     All H.323 programs
        - MS Netmeeting, Intel Internet Phone Beta 2 - Connects but
        voice travels one way (out).  Check out Equivalence's PhonePatch
        <http://www.equival.com.au/phonepatch/index.html> H.323 gateway
        for one possible solution.


     Intel Streaming Media Viewer Beta 1
        Cannot connect to server


     Netscape CoolTalk
        Cannot connect to opposite side


     WebPhone
        Cannot work at present (it makes invalid assumptions about
        addresses).




  6.4.  Stronger IP Firewall (IPFWADM) Rulesets



  This section provides a more in-depth guide on using the 2.0.x
  firewall tool, IPFWADM.

  This example is for a firewall/masquerade system behind a PPP link
  with a static PPP address (dynamic PPP instructions are included but
  disabled).  The trusted interface is 192.168.0.1 and the PPP interface
  IP address has been changed to protect the guilty :).  I have listed
  each incoming and outgoing interface individually to catch IP spoofing
  as well as stuffed routing and/or masquerading. Anything not
  explicitly allowed is FORBIDDEN (well.. rejected actually).  If your
  IP MASQ box breaks after implementing this rc.firewall script, be sure
  that you edited it for your configuration and check your
  /var/log/messages or /var/adm/messages SYSLOG file for any firewall
  errors.

  For more comprehensive examples of strong IP Masqueraded IPFWADM
  rulesets for PPP, Cablemodem users, etc., please see TrinityOS -
  Section 10 <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri>
  and GreatCircle's Firewall WWW page.

  NOTE: If you get a dynamically assigned TCP/IP address from your ISP
  (PPP, ADSL, Cablemodems, etc.), you CANNOT load this strong ruleset
  upon boot.  You will either need to reload this firewall ruleset EVERY
  TIME you get a new IP address or make your /etc/rc.d/rc.firewall
  ruleset more intelligent.  To do this for PPP users, carefully read
  the "Dynamic PPP IP fetch" section below and un-comment the proper
  lines.  You can also find more details on strong rulesets and dynamic
  IP addresses in the TrinityOS - Section 10
  <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri> doc.

  Please also be aware that there are several GUI Firewall creation
  tools available as well.  Please see the ``'' section for full
  details.

  Lastly, if you are using a STATIC PPP IP address, change the line that
  sets the PPP address variable to "your.static.PPP.address" so that it
  reflects your address.

  ----------------------------------------------------------------

  #!/bin/sh
  #
  # /etc/rc.d/rc.firewall: An example STRONG IPFWADM firewall ruleset
  #

  PATH=/sbin:/bin:/usr/sbin:/usr/bin

  # Testing: wait a bit, then clear all firewall rules.
  # Uncomment the following lines if you want the firewall to automatically
  # disable itself after 10 minutes.
  # (sleep 600; \
  # ipfwadm -I -f; \
  # ipfwadm -I -p accept; \
  # ipfwadm -O -f; \
  # ipfwadm -O -p accept; \
  # ipfwadm -F -f; \
  # ipfwadm -F -p accept; \
  # ) &

  # Load all required IP MASQ modules
  #
  #   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
  #          are shown below but are commented out from loading.

  # Needed to initially load modules
  #
  /sbin/depmod -a

  # Supports the proper masquerading of FTP file transfers using the PORT method
  #
  /sbin/modprobe ip_masq_ftp

  # Supports the masquerading of RealAudio over UDP.  Without this module,
  #       RealAudio WILL function but in TCP mode.  This can cause a reduction
  #       in sound quality
  #
  #/sbin/modprobe ip_masq_raudio

  # Supports the masquerading of IRC DCC file transfers
  #
  #/sbin/modprobe ip_masq_irc

  # Supports the masquerading of Quake and QuakeWorld by default.  This module is
  #   for multiple users behind the Linux MASQ server.  If you are going to play
  #   Quake II and/or Quake I/II on other server ports, use the second example.
  #
  #Quake I / QuakeWorld (ports 26000 and 27000)
  #/sbin/modprobe ip_masq_quake
  #
  #Quake I / QuakeWorld / and Quake II (ports 26000, 27000, 27910)
  #/sbin/modprobe ip_masq_quake ports=26000,27000,27910

  # Supports the masquerading of the CuSeeme video conferencing software
  #
  #/sbin/modprobe ip_masq_cuseeme

  #Supports the masquerading of the VDO-live video conferencing software
  #
  #/sbin/modprobe ip_masq_vdolive


  #CRITICAL:  Enable IP forwarding, since it is disabled by default.
  #
  #           Redhat Users:  you may try changing the options in /etc/sysconfig/network from:
  #
  #                       FORWARD_IPV4=false
  #                             to
  #                       FORWARD_IPV4=true
  #
  echo "1" > /proc/sys/net/ipv4/ip_forward


  # Specify your Static IP address here.
  #   (A shell variable name cannot contain "-", and there must be no spaces
  #    around the "=", or the rules below will see an empty address.)
  #
  ppp_ip="your.static.PPP.address"


  # Dynamic IP users:
  #
  #   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
  #       option.  This enables dynamic-ip address hacking in IP MASQ, making the life
  #       with Diald and similar programs much easier.
  #
  #echo "1" > /proc/sys/net/ipv4/ip_dynaddr

  # Dynamic PPP IP fetch:  If you have a DYNAMIC IP address, you need to make this
  #   ruleset understand your IP address every time you get a new IP.  To do this,
  #   enable the following one-line script.  (Please note that the different single
  #   and double quote characters MATTER).  Now, run the command:
  #
  #       ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
  #
  #   The /etc/ppp/ip-up script is always run when a PPP connection comes up.  Because of
  #     this, we can make the ruleset go and get the new PPP IP address and update the
  #     strong firewall ruleset.
  #
  #ppp_ip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"


  # MASQ timeouts
  #
  #   2 hrs timeout for TCP session timeouts
  #  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
  #  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
  #
  /sbin/ipfwadm -M -s 7200 10 60


  #############################################################################
  # Incoming, flush and set default policy of reject. Actually the default policy
  # is irrelevant because there is a catch all rule with deny and log.
  #
  ipfwadm -I -f
  ipfwadm -I -p reject

  # local interface, local machines, going anywhere is valid
  #
  ipfwadm -I -a accept -V 192.168.0.1 -S 192.168.0.0/24 -D 0.0.0.0/0

  # remote interface, claiming to be local machines, IP spoofing, get lost
  #
  ipfwadm -I -a reject -V $ppp_ip -S 192.168.0.0/24 -D 0.0.0.0/0 -o

  # remote interface, any source, going to permanent PPP address is valid
  #
  ipfwadm -I -a accept -V $ppp_ip -S 0.0.0.0/0 -D $ppp_ip/32

  # loopback interface is valid.
  #
  ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0

  # catch all rule, all other incoming is denied and logged. pity there is no
  # log option on the policy but this does the job instead.
  #
  ipfwadm -I -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o


  #############################################################################
  # Outgoing, flush and set default policy of reject. Actually the default policy
  # is irrelevant because there is a catch all rule with deny and log.
  #
  ipfwadm -O -f
  ipfwadm -O -p reject

  # local interface, any source going to local net is valid
  #
  ipfwadm -O -a accept -V 192.168.0.1 -S 0.0.0.0/0 -D 192.168.0.0/24

  # outgoing to local net on remote interface, stuffed routing, deny
  #
  ipfwadm -O -a reject -V $ppp_ip -S 0.0.0.0/0 -D 192.168.0.0/24 -o

  # outgoing from local net on remote interface, stuffed masquerading, deny
  #
  ipfwadm -O -a reject -V $ppp_ip -S 192.168.0.0/24 -D 0.0.0.0/0 -o

  # anything else outgoing on remote interface is valid
  #
  ipfwadm -O -a accept -V $ppp_ip -S $ppp_ip/32 -D 0.0.0.0/0

  # loopback interface is valid.
  #
  ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0

  # catch all rule, all other outgoing is denied and logged. pity there is no
  # log option on the policy but this does the job instead.
  #
  ipfwadm -O -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o


  #############################################################################
  # Forwarding, flush and set default policy of deny. Actually the default policy
  # is irrelevant because there is a catch all rule with deny and log.
  #
  ipfwadm -F -f
  ipfwadm -F -p deny

  # Masquerade from local net, out the PPP interface, to anywhere.
  #
  ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0
  #
  # catch all rule, all other forwarding is denied and logged. pity there is no
  # log option on the policy but this does the job instead.
  #
  ipfwadm -F -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o
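  The "Dynamic PPP IP fetch" one-liner above has a failure mode worth
  guarding against: if ppp0 is down, or has no address yet, the pipeline
  yields an empty string, and every rule built from it (the anti-spoofing
  reject in particular) is then loaded with a missing address and either
  fails to load or never matches.  As an added example that is not part
  of this HOWTO, the script below fetches the address the same way but
  validates it before emitting the five address-dependent rules, and
  aborts otherwise.  The ifconfig output is constructed in the 2.0/2.2-era
  format, not captured from a real host; on a live box you would call
  ppp_rules "$(/sbin/ifconfig ppp0)" from /etc/ppp/ip-up and pipe the
  result to sh.

```shell
#!/bin/sh
# Added example, not the HOWTO's code: fetch the PPP address as the
# "Dynamic PPP IP fetch" comment in rc.firewall does, but refuse to build
# rules from an empty or malformed value.  Sample outputs are constructed.

# Accept only a dotted quad with four numeric octets in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# The "inet addr:" value from the ifconfig output given as $1; fails when
# the interface has no address (PPP link down) or the value is malformed.
ppp_address() {
    addr=$(printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$addr" ] || return 1
    valid_ipv4 "$addr" || return 1
    printf '%s\n' "$addr"
}

# Emit the five rules of the strong ruleset that depend on the PPP address.
# With an empty address those rules would fail to load or never match,
# leaving the anti-spoofing checks absent, so abort instead.
ppp_rules() {
    ip=$(ppp_address "$1") ||
        { echo "ppp0 has no usable address; not loading PPP rules" >&2; return 1; }
    printf 'ipfwadm -I -a reject -V %s -S 192.168.0.0/24 -D 0.0.0.0/0 -o\n' "$ip"
    printf 'ipfwadm -I -a accept -V %s -S 0.0.0.0/0 -D %s/32\n' "$ip" "$ip"
    printf 'ipfwadm -O -a reject -V %s -S 0.0.0.0/0 -D 192.168.0.0/24 -o\n' "$ip"
    printf 'ipfwadm -O -a reject -V %s -S 192.168.0.0/24 -D 0.0.0.0/0 -o\n' "$ip"
    printf 'ipfwadm -O -a accept -V %s -S %s/32 -D 0.0.0.0/0\n' "$ip" "$ip"
}

# Constructed ifconfig output for a PPP link that is up, and one that has
# not yet been assigned an address.
PPP_UP='ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.2  P-t-P:10.0.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

PPP_DOWN='ppp0      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1'

ppp_rules "$PPP_UP"            # prints the five rules for 10.0.0.2
ppp_rules "$PPP_DOWN" || true  # prints only the error, loads nothing
```

  Keeping the validation in a separate function means the same check can
  guard any other place the ruleset interpolates an address it did not
  hard-code.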





  With IPFWADM, you can block traffic to a particular site using the -I,
  -O or -F rules.  Remember that the set of rules is scanned top to
  bottom and "-a" means "append" to the existing set of rules.  So with
  this in mind, any specific restrictions need to come before global
  rules. For example:

  Using -I rules. Probably the fastest but it only stops the local
  machines, the firewall itself can still access the "forbidden" site.
  Of course you might want to allow that combination.


  In the /etc/rc.d/rc.firewall ruleset:

  ... start of -I rules ...

  # reject and log local interface, local machines going to 204.50.10.13
  #
  ipfwadm -I -a reject -V 192.168.0.1 -S 192.168.0.0/24 -D 204.50.10.13/32 -o

  # local interface, local machines, going anywhere is valid
  #
  ipfwadm -I -a accept -V 192.168.0.1 -S 192.168.0.0/24 -D 0.0.0.0/0

  ... end of -I rules ...




  Using -O rules. Slowest because the packets go through masquerading
  first but this rule even stops the firewall accessing the forbidden
  site.


  ... start of -O rules ...

  # reject and log outgoing to 204.50.10.13
  #
  ipfwadm -O -a reject -V $ppp_ip -S $ppp_ip/32 -D 204.50.10.13/32 -o

  # anything else outgoing on remote interface is valid
  #
  ipfwadm -O -a accept -V $ppp_ip -S $ppp_ip/32 -D 0.0.0.0/0

  ... end of -O rules ...



  Using -F rules. Probably slower than -I and this still only stops
  masqueraded machines (i.e. internal), firewall can still get to
  forbidden site.


  ... start of -F rules ...

  # Reject and log from local net on PPP interface to 204.50.10.13.
  #
  ipfwadm -F -a reject -W ppp0 -S 192.168.0.0/24 -D 204.50.10.13/32 -o

  # Masquerade from local net on local interface to anywhere.
  #
  ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0

  ... end of -F rules ...



  No need for a special rule to allow 192.168.0.0/24 to go to
  204.50.11.0, it is covered by the global rules.


  There is more than one way of coding the interfaces in the above
  rules.  For example instead of -V 192.168.255.1 you can code -W eth0,
  instead of -V $ppp-ip , you can use -W ppp0. Personal choice and
  documentation more than anything.
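  To make the ordering rule concrete, here is an added example (not from
  the HOWTO) that models ipfwadm's top-to-bottom, first-match scan in
  Python: it renders rules in the command syntax used above, evaluates
  sample packets against the -F, -I and -O variants, and flags a
  restriction that was appended after the global rule and so can never
  fire.  It assumes -V <address> is equivalent to -W <interface> as noted
  above, and 192.168.0.5, 204.50.11.7 and 10.1.2.3 (standing in for
  $ppp-ip) are constructed sample addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    """One ipfwadm rule as appended with -a (added model, not ipfwadm itself)."""
    chain: str                    # "I" (input), "O" (output) or "F" (forwarding)
    policy: str                   # accept, deny, reject or masquerade
    src: str = "0.0.0.0/0"        # -S
    dst: str = "0.0.0.0/0"        # -D
    iface: Optional[str] = None   # -W name; a -V address is modelled the same way
    log: bool = False             # -o

    def matches(self, chain: str, iface: str, src: str, dst: str) -> bool:
        return (self.chain == chain
                and (self.iface is None or self.iface == iface)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

    def covers(self, other: "Rule") -> bool:
        """True when every packet 'other' could match is matched by this rule too."""
        return (self.chain == other.chain
                and (self.iface is None or self.iface == other.iface)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst)))

    def to_ipfwadm(self) -> str:
        """Render the rule in the command syntax used in the HOWTO."""
        parts = ["ipfwadm", "-" + self.chain, "-a", self.policy]
        if self.iface:
            parts += ["-W", self.iface]
        parts += ["-S", self.src, "-D", self.dst]
        if self.log:
            parts.append("-o")
        return " ".join(parts)


def first_match(rules: List[Rule], chain: str, iface: str,
                src: str, dst: str, default: str = "deny") -> str:
    """Scan top to bottom; the first matching rule decides, else the chain default."""
    for rule in rules:
        if rule.matches(chain, iface, src, dst):
            return rule.policy
    return default


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


PPP_IP = "10.1.2.3"   # constructed stand-in for $ppp-ip

# -F variant: the specific reject is appended BEFORE the global masquerade rule
FORWARD_RULES = [
    Rule("F", "reject", "192.168.0.0/24", "204.50.10.13/32", "ppp0", log=True),
    Rule("F", "masquerade", "192.168.0.0/24", "0.0.0.0/0", "ppp0"),
]
# The same two rules appended in the wrong order
FORWARD_MISORDERED = [FORWARD_RULES[1], FORWARD_RULES[0]]

# -I variant: matches on the receiving interface (-V 192.168.0.1 == -W eth0)
INPUT_RULES = [
    Rule("I", "reject", "192.168.0.0/24", "204.50.10.13/32", "eth0", log=True),
    Rule("I", "accept", "192.168.0.0/24", "0.0.0.0/0", "eth0"),
]

# -O variant: by the time a packet reaches -O it has been masqueraded, so its
# source is $ppp-ip, exactly like traffic originated by the firewall itself
OUTPUT_RULES = [
    Rule("O", "reject", PPP_IP + "/32", "204.50.10.13/32", "ppp0", log=True),
    Rule("O", "accept", PPP_IP + "/32", "0.0.0.0/0", "ppp0"),
]


def demo() -> dict:
    """Evaluate the sample packets; returns the decision for each case."""
    lan_host, forbidden, other = "192.168.0.5", "204.50.10.13", "204.50.11.7"
    return {
        "F_forbidden": first_match(FORWARD_RULES, "F", "ppp0", lan_host, forbidden),
        "F_other": first_match(FORWARD_RULES, "F", "ppp0", lan_host, other),
        "F_misordered": first_match(FORWARD_MISORDERED, "F", "ppp0", lan_host, forbidden),
        "F_shadowed": shadowed(FORWARD_MISORDERED),
        "I_forbidden": first_match(INPUT_RULES, "I", "eth0", lan_host, forbidden),
        # masqueraded LAN traffic and the firewall's own traffic look identical here
        "O_forbidden": first_match(OUTPUT_RULES, "O", "ppp0", PPP_IP, forbidden),
    }


if __name__ == "__main__":
    for rule in FORWARD_RULES:
        print(rule.to_ipfwadm())
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

  Running shadowed() over a ruleset before loading it catches the
  "restriction after the global rule" mistake that otherwise fails
  silently, since the packets are simply masqueraded.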



  6.5.  IP Firewalling Chains (ipchains)

  This is the firewall ruleset manipulation tool primarily intended for
  2.2.x kernels though there is a patch for this to work on 2.0.x
  kernels.

  We will update this section to give several examples on ipchains usage
  soon.

  Until then, please see the Linux IP Firewalling Chains page
  <http://www.rustcorp.com/linux/ipchains/> and TrinityOS
  <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri> and
  GreatCircle's Firewall WWW page doc for more details.

  NOTE: If you get a dynamically assigned TCP/IP address from your ISP
  (PPP, ADSL, Cablemodems, etc.), you CANNOT load a strong ruleset upon
  boot.  You will need to reload the firewall ruleset EVERY TIME you get
  a new IP address and make your /etc/rc.d/rc.firewall ruleset more
  intelligent.  To do this, please see TrinityOS - Section 10
  <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri> for more
  details on Strong rulesets and Dynamic IP addresses. I'll give you a
  hint though:  /etc/ppp/ip-up for PPP users.


  6.6.  IP Masquerading multiple internal networks

  Masquerading more than one internal network is fairly simple.  You
  need to first make sure that all of your networks are running
  correctly (both internal and external).  You then need to enable
  traffic to pass to both the other internal interfaces and to be MASQed
  to the Internet.

  Next, you need to enable Masquerading on the INTERNAL interfaces.  In
  this example, two internal interfaces, eth1 (192.168.0.1) and eth2
  (192.168.1.1), will be MASQed out of interface eth0.  In your
  rc.firewall ruleset next to the existing MASQ enable line, add the
  following:


    #Enable internal interfaces to communicate with each other
    ipfwadm -F -a accept -V 192.168.0.1 -D 192.168.1.0/24
    ipfwadm -F -a accept -V 192.168.1.1 -D 192.168.0.0/24

    #Enable internal interfaces to MASQ out to the Internet
    ipfwadm -F -a masq -W eth0 -S 192.168.0.0/24 -D 0.0.0.0/0
    ipfwadm -F -a masq -W eth0 -S 192.168.1.0/24 -D 0.0.0.0/0


  6.7.  IP Masquerade and Dial-on-Demand Connections



  1. If you would like to set up your network to automatically dial up
     the Internet, either the Diald demand dial-up or new versions of the
     PPPd packages will be of great utility.  Diald is the recommended
     solution due to its more granular configuration.
  2. To setup Diald, please check out the Setting Up Diald for Linux
     Page <http://home.pacific.net.sg/~harish/diald.config.html> or
     TrinityOS - Section 23
     <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri>


  3. Once Diald and IP Masq have been setup properly, any MASQed client
     machines that initiate a web, telnet or ftp session will make the
     Linux box dynamically bring up its Internet link.


  4. There is a timeout that will occur with the first connection.  This
     is inevitable if you are using analog modems.  The time taken to
     establish the modem link and the PPP connection may cause your
     client program (WWW browser, etc.) to time out.  This isn't common
     though.  If this does happen, just retry that Internet traffic
     request (say a WWW page) again and it should come up fine.  You can
     also try enabling the ip_dynaddr kernel option with
     echo "1" > /proc/sys/net/ipv4/ip_dynaddr to help with this initial
     setup.




  6.8.  IPPORTFW, IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other Port
  Forwarding tools


  IPPORTFW, IPAUTOFW, REDIR, UDPRED, and other programs are generic TCP
  and/or UDP port forwarding tools for Linux IP Masquerade.  These tools
  are typically used with or as a replacement for specific IP MASQ
  modules like the current ones for FTP, Quake, etc. With port
  forwarders, you can now re-direct data connections from the Internet
  to an internal, privately addressed machine behind your IP MASQ
  server.  This forwarding ability includes network protocols such as
  TELNET, WWW, SMTP, FTP (with a special patch - see below), ICQ, and
  many others.

  NOTE:  If you are just looking to do port forwarding without IP
  Masquerading, you will STILL NEED to enable IP Masquerading in both
  the kernel AND in either your IPFWADM or IPCHAINS ruleset to then be
  able to use Linux's port forwarding tools.

  So why all the different choices?  IPAUTOFW, REDIR, and UDPRED (all
  URLs are in the ``'' section) were the first tools available to IP
  MASQ users to allow this functionality.  Later, as Linux IP Masquerade
  matured, these tools were eventually replaced by IPPORTFW which is a
  more intelligent solution.  Because of the availability of the newer
  tools, it is *HIGHLY DISCOURAGED* to use the old tools such as
  IPAUTOFW and REDIR because they don't properly notify the Linux kernel
  of their presence and can ultimately CRASH your Linux server with
  extreme use.

  Before jumping right into installing either the 2.0.x IPPORTFW or the
  2.2.x version of IPMASQADM with IPPORTFW support, be aware that network
  security can be an issue with any port forwarder.  The reason for this
  is that these tools basically create a hole in the packet firewall for
  the forwarded TCP/UDP ports.  Though this doesn't pose any threat to
  your Linux machine, it might be an issue for the internal machine that
  this traffic is being forwarded to.  No worries though, this is what
  Steven Clarke (the author of IPPORTFW) had to say about that:


          "Port Forwarding is only called within masquerading functions so it
          fits inside the same IPFWADM/IPCHAINS rules. Masquerading is an extension to
          IP forwarding. Therefore, ipportfw only sees a packet if it fits
          both the input and masquerading ipfwadm rule sets."




  With this said, it's important to have a strong firewall ruleset.
  Please see the ``'' section for more details on strong rulesets.


  So, to install IPPORTFW forwarding support for either a 2.0.x or 2.2.x
  kernel, you need to re-compile the Linux kernel to support IPPORTFW.

  o  2.0.x users will need to apply a simple kernel option patch (see
     below)

  o  2.2.x kernel users will already have the IPPORTFW kernel option
     available via IPMASQADM



  6.8.1.  IPPORTFW on 2.0.x kernels


  First, make sure you have the newest 2.0.x kernel uncompressed into
  /usr/src/linux.  If you haven't already done this, please see the ``''
  section for full details.  Next, download the "ipportfw.c" program and
  the "subs-patch-x.gz" kernel patch from the ``'' section into the
  /usr/src/ directory.

  NOTE:  Please replace the "x" in the "subs-patch-x.gz" file name with
  the most current version available on the site.


  Now, copy the IPPORTFW patch (subs-patch-x.gz) into the Linux
  directory:


               cp /usr/src/subs-patch-1.37.gz /usr/src/linux




  Next, apply the kernel patch to create the IPPORTFW kernel option:


               cd /usr/src/linux
               zcat subs-patch-1.3x.gz | patch -p1


  Next, if you plan on port forwarding FTP traffic to an internal
  server, you will have to apply a NEW IP_MASQ_FTP module patch found in
  the ``'' section.  More details regarding this are later in this
  section.


  Ok, time to compile the kernel as shown in the ``'' section.  Be sure
  to say YES to the IPPORTFW option now available when you configure the
  kernel.  Once the compile is complete and you have rebooted, return to
  this section.

  Now, with a newly compiled kernel, compile and install the actual
  "IPPORTFW" program:


               cd /usr/src
               gcc ipportfw.c -o ipportfw
               mv ipportfw /usr/local/sbin



  Now, for this example, we are going to allow ALL WWW Internet traffic
  (port 80) hitting your Internet TCP/IP address to then be forwarded to
  the internal Masqueraded machine at IP address 192.168.0.10.

  NOTE:  Once you enable a port forwarder on port 80, that port can no
  longer be used by the Linux IP Masquerade server.  To be more
  specific, if you have a WWW server already running on the MASQ server
  and then you port forward port 80 to an internal MASQed computer, ALL
  Internet users will see the WWW pages from the -INTERNAL- WWW server
  and not the pages on your IP MASQ server.  The only work around for
  this is to port forward some other port, say 8080, to your internal
  MASQ machine.  Though this will work, all Internet users will have to
  append :8080 to the URL to then contact the internal MASQed WWW
  server.

  Anyway, to enable port forwarding, edit the /etc/rc.d/rc.firewall
  ruleset.  Add the following lines but be sure to replace the word
  "$extip" with your Internet IP address.

  NOTE:  If you get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL,
  Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall
  ruleset more intelligent.  To do this, please see TrinityOS - Section
  10 <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri> for more
  details on strong rulesets and Dynamic IP addresses.



               /etc/rc.d/rc.firewall
               --

               #echo "Enabling IPPORTFW Redirection on the external LAN.."
               #
               /usr/local/sbin/ipportfw -C
               /usr/local/sbin/ipportfw -A -t$extip/80 -R 192.168.0.10/80

               --




  That's it!  Just re-run your /etc/rc.d/rc.firewall ruleset and test it
  out!


  Port Forwarding FTP servers:


  If you plan on port forwarding FTP to an internal machine, things get
  more complicated.  The reason for this is that the standard
  IP_MASQ_FTP kernel module wasn't written for this.  Fortunately, Fred
  Viles wrote a modified IP_MASQ_FTP module to make things work.  If you
  are curious about EXACTLY what the issues are, download the following
  archive; Fred documents it quite well.  Also understand that this
  patch is somewhat experimental and should be treated as such.

  So, to get it working, you need to:



  o  Apply the IPPORTFW kernel patch as shown earlier in this section
     FIRST.


  o  Download the "msqsrv-patch-36" from Fred Viles's FTP server in the
     ``'' section and put it into /usr/src/linux.


  o  Patch the kernel with this new code by running "cat msqsrv-patch-36
     | patch -p1"


  o  Next, replace the original "ip_masq_ftp.c" kernel module with the
     new one:

        mv /usr/src/linux/net/ipv4/ip_masq_ftp.c \
           /usr/src/linux/net/ipv4/ip_masq_ftp.c.orig
        mv /usr/src/linux/ip_masq_ftp.c \
           /usr/src/linux/net/ipv4/ip_masq_ftp.c


  o  Lastly build and install the kernel with this new code in place.

  Once this is complete, edit the /etc/rc.d/rc.firewall ruleset and add
  the following lines but be sure to replace the word "$extip" with your
  Internet IP address.

  NOTE:  If you get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL,
  Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall
  ruleset more intelligent.  To do this, please see TrinityOS - Section
  10 <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri> for more
  details on strong rulesets and Dynamic IP addresses.

  This example, like above, will allow ALL FTP Internet traffic (port
  21) hitting your Internet TCP/IP address to then be forwarded to the
  internal Masqueraded machine at IP address 192.168.0.10.

  NOTE:  Once you enable a port forwarder on port 21, that port can no
  longer be used by the Linux IP Masquerade server.  To be more
  specific, if you have a FTP server already running on the MASQ server,
  a port forward will now give all Internet users the FTP files from the
  -INTERNAL- FTP server and not the files on your IP MASQ server.



               /etc/rc.d/rc.firewall
               --

               #echo "Enabling IPPORTFW Redirection on the external LAN.."
               #
               /usr/local/sbin/ipportfw -C
               /usr/local/sbin/ipportfw -A -t$extip/21 -R 192.168.0.10/21

               --


  6.8.2.  IPMASQADM with IPPORTFW support on 2.2.x kernels


  First, make sure you have the newest 2.2.x kernel uncompressed into
  /usr/src/linux.  If you haven't already done this, please see the ``''
  section for full details.  Next, download the "ipmasqadm.c" program
  from the ``'' section into the /usr/src/ directory.

  Next, you'll need to compile the 2.2.x kernel as shown in the ``''
  section.   Be sure to say YES to the IPPORTFW option when you
  configure the kernel.  Once the kernel compile is complete and you
  have rebooted, return to this section.

  Now, compile and install the IPMASQADM tool:



               cd /usr/src
               tar xzvf ipmasqadm-x.tgz
               cd ipmasqadm-x
               make
               make install


  Now, for this example, we are going to allow ALL WWW Internet traffic
  (port 80) hitting your Internet TCP/IP address to then be forwarded to
  the internal Masqueraded machine at IP address 192.168.0.10.

  NOTE:  At this time, it is believed that this modified IP_MASQ_FTP
  module for port forwarded FTP connections will NOT work for the 2.2.x
  kernels.  If you feel experimental, please try porting it to the 2.2.x
  kernels and email Ambrose and David your results.

  NOTE: Once you enable a port forwarder on port 80, that port can no
  longer be used by the Linux IP Masquerade server.  To be more
  specific, if you have a WWW server already running on the MASQ server,
  a port forward will now give all Internet users the WWW pages from the
  -INTERNAL- WWW server and not the pages on your IP MASQ server.

  Anyway, to enable port forwarding, edit the /etc/rc.d/rc.firewall
  ruleset.  Add the following lines but be sure to replace the word
  "$extip" with your Internet IP address.

  NOTE:  If you get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL,
  Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall
  ruleset more intelligent.  To do this, please see TrinityOS - Section
  10 <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri> for more
  details on strong rulesets and Dynamic IP addresses.  I'll give you a
  hint though:  /etc/ppp/ip-up for PPP users.



          /etc/rc.d/rc.firewall
          --

          #echo "Enabling IPPORTFW Redirection on the external LAN.."
          #
          /usr/sbin/ipmasqadm ipportfw -C
          /usr/sbin/ipmasqadm ipportfw -A -t$extip/80 -R 192.168.0.10/80

          --




  That's it!  Just re-run your /etc/rc.d/rc.firewall ruleset and test it
  out!



  6.9.  CU-SeeMe and Linux IP-Masquerade


  Linux IP Masquerade supports CuSeeme via the "ip_masq_cuseeme" kernel
  module.  This kernel module should be loaded in the
  /etc/rc.d/rc.firewall script.  Once the "ip_masq_cuseeme" module is
  installed, you should be able to both initiate and receive CuSeeme
  connections to remote reflectors and/or users.

  NOTE:  It is recommended to use the IPPORTFW tool instead of the old
  IPAUTOFW tool for running CuSeeme.

  If you need more explicit information on configuring CuSeeme, see
  Michael Owings's CuSeeMe page <http://www.swampgas.com/vc/ipmcus.htm>
  for a Mini-HOWTO or The IP Masquerade Resources for a mirror of the
  Mini-HOWTO.



  6.10.  Mirabilis ICQ

  With the following configuration, ICQ messaging, URLs, chat, file
  transfer, etc. will ALL work fine!


  o  First, you need to be running a Linux kernel with IPPORTFW
     enabled.  Please see the ``'' section for more details.


  o  Next, you need to add the following lines to your
     /etc/rc.d/rc.firewall file.  This example assumes that 10.1.2.3 is
     your external Internet IP address and your internal MASQed ICQ
     machine is 192.168.0.10:

     The following example is for a 2.0.x kernel:


       /usr/local/sbin/ipportfw -A -t10.1.2.3/2000 -R 192.168.0.10/2000
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2001 -R 192.168.0.10/2001
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2002 -R 192.168.0.10/2002
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2003 -R 192.168.0.10/2003
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2004 -R 192.168.0.10/2004
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2005 -R 192.168.0.10/2005
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2006 -R 192.168.0.10/2006
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2007 -R 192.168.0.10/2007
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2008 -R 192.168.0.10/2008
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2009 -R 192.168.0.10/2009
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2010 -R 192.168.0.10/2010
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2011 -R 192.168.0.10/2011
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2012 -R 192.168.0.10/2012
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2013 -R 192.168.0.10/2013
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2014 -R 192.168.0.10/2014
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2015 -R 192.168.0.10/2015
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2016 -R 192.168.0.10/2016
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2017 -R 192.168.0.10/2017
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2018 -R 192.168.0.10/2018
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2019 -R 192.168.0.10/2019
       /usr/local/sbin/ipportfw -A -t10.1.2.3/2020 -R 192.168.0.10/2020





  o  Once your new rc.firewall is ready, reload the ruleset to make sure
     things are ok by simply typing in "/etc/rc.d/rc.firewall".  If you
     get any errors, you either don't have IPPORTFW support in the
     kernel or you made a typo in the rc.firewall file.


  o  Now, in ICQ's Preferences-->Connection, configure it to be "Behind
     a LAN" and "Behind a firewall or Proxy".  Now, click on "Firewall
     Settings" and configure it to be "I don't use a SOCK5 proxy",
     enable "Firewall session timeouts" and set it for "30" seconds.
     Finally, click on Next and configure ICQ to "Use the following TCP
     listen ports.." from "2000" to "2020".  Now click done.

     Now ICQ will tell you that you have to restart ICQ for the changes
     to take effect.  To be honest, I had to REBOOT the Windows9x
     machine to get things to work right but other people say otherwise.
     So.. try it both ways.




  6.11.  Gamers:  The LooseUDP patch


  The LooseUDP patch allows NAT-friendly games that usually use UDP
  connections to both WORK and perform quite well behind a Linux IP
  Masquerade server.  Currently, LooseUDP is available as a patch for
  2.0.36+ kernels and it is already built into 2.2.3+ kernels.  To get
  this running, only a few things are required:


  o  Have the newest 2.0.x or 2.2.x kernel sources uncompressed in the
     /usr/src/linux directory


  o  ABSOLUTELY REQUIRED for v2.0.x:  Download and install the IPPORTFW
     patch from the ``'' section and as described in the ``'' Section of
     the HOWTO.


  o  Download the LooseUDP patch from the ``'' section

  Now, put the LooseUDP patch in the /usr/src/linux directory.   Once
  this is done, type in:


       zcat loose-udp-2.0.36.patch.gz | patch -p1


  Now, depending on your version of "patch", you will then see the
  following text:



       patching file `CREDITS'
       patching file `Documentation/Configure.help'
       patching file `include/net/ip_masq.h'
       patching file `net/ipv4/Config.in'
       patching file `net/ipv4/ip_masq.c'




  If you see the text "Hunk FAILED" only ONCE and ONLY ONCE at the very
  beginning of the patching, don't be alarmed.  You probably have an old
  patch file (this has been fixed) but it still works.  If it fails
  completely, make sure you have applied the IPPORTFW kernel patch
  FIRST.

  Once the patch is installed, re-configure the kernel as shown in the
  ``'' section and be sure to say "Y" to the "IP: loose UDP port
  managing (EXPERIMENTAL) (CONFIG_IP_MASQ_LOOSE_UDP) [Y/n/?]" option.

  Once you are running the new LooseUDP enabled kernel, you should be
  good to go for most NAT-friendly games.  Some URLs have been given for
  patches to make games like BattleZone and others NAT friendly.  Please
  see the ``'' section for more details.



  7.  Frequently Asked Questions



  If you can think of any useful FAQ suggestions, please send them to
  ambrose@writeme.com and dranch@trinnet.net.  Please clearly state the
  question and an appropriate answer (if you have it).  Thank you!




  7.1.  What Linux Distributions support IP Masquerading out of the box?

  If your Linux distribution doesn't support IP MASQ out of the box,
  don't worry.  All you have to do is re-compile a kernel as shown above
  in this HOWTO.

  NOTE:  If you can help us fill out this table, please email
  ambrose@writeme.com or dranch@trinnet.net.


  o  Caldera       < v1.2 : NO

  o  Caldera         v1.3+: YES


  o  Debian          v?   :  ?

  o  DLX Linux       v?   :  ?

  o  DOS Linux       v?   :  ?

  o  Hal91 Linux     v?   :  ?

  o  Linux Mandrake  v5.3 : YES

  o  Linux PPC       vR4  :  NO

  o  Linux Pro       v?   :  ?

  o  LinuxWare       v?   :  ?

  o  MkLinux         v?   :  ?

  o  MuLinux         v3rl : YES

  o  Redhat          v4.x : NO

  o  Redhat          v5.0 : YES

  o  Redhat          v5.1 : YES

  o  Redhat          v5.2 : YES

  o  Slackware       v3.0 :  ?

  o  Slackware       v3.1 :  ?

  o  Slackware       v3.2 :  ?

  o  Slackware       v3.3 :  ?

  o  Slackware       v3.4 :  ?

  o  Slackware       v3.5 :  ?

  o  Slackware       v3.6 :  ?

  o  Stampede Linux  v?   :  ?

  o  SuSE            v5.3 :  ?

  o  SuSE            v6.0 :  ?

  o  Tomsrbt Linux   v?   :  ?

  o  TriLinux        v?   :  ?

  o  TurboLinux      v?   :  ?

  o  Yggdrasil Linux v?   :  ?



  7.2.  What are the minimum hardware requirements and any limitations
  for IP Masquerade?  How well does it perform?


  A 486/66 box with 16MB of RAM was more than sufficient to fill a
  1.54Mb/s T1 100%!  MASQ has also been known to run quite well on
  386SX-16s with 8MB of RAM.  Yet, it should be noted that Linux IP
  Masquerade starts thrashing with more than 500 MASQ entries.

  The only application that I know of that can temporarily break Linux
  IP Masquerade is GameSpy.  Why?  When it refreshes its lists, it
  creates 10,000s of quick connections in a VERY short time.  Until
  these sessions time out, the MASQ tables become "FULL".

  While we are at it:

  There is a hard limit of 4096 concurrent connections each for TCP &
  UDP.  This limit can be changed by fiddling the values in
  /usr/src/linux/net/ipv4/ip_masq.h - an upper limit of 32000 should be
  OK.  If you want to change the limit, you need to change the
  PORT_MASQ_BEGIN & PORT_MASQ_END values to get an appropriately sized
  range above 32K and below 64K.



  7.3.  I've checked all my configurations, I still can't get IP
  Masquerade to work.  What should I do?


  o  Stay calm.  Get yourself a cup of tea, coffee, soda, etc., and have
     a rest.  Once your mind is clear, try the suggestions mentioned
     below.  Setting up Linux IP Masquerading is NOT hard but there are
     several concepts that will be new to you.


  o  Again, go through all the steps in the ``'' section.  99% of all
     first-time Masquerade users who have problems haven't looked here.


  o  Check the IP Masquerade Mailing List Archives
     <http://home.indyramp.com/lists/masq/>, most likely your question
     or problem is a common one and can be found in a simple Archive
     search.


  o  Check out the TrinityOS
     <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri>
     document.  It covers IP Masquerading for both the 2.0.x and 2.2.x
     kernels and MANY other topics including PPPd, DialD, DHCP, DNS,
     Sendmail, etc.


  o  Make sure that you aren't running ROUTED or GATED.  To verify, run
     "ps aux | grep -e routed -e gated"


  o  Post your question to the IP Masquerade Mailing List (see the next
     FAQ section for details).  Please only use this if you cannot find
     the answer in the IP Masquerading Archive.  Be sure to include
     all the information requested in the ``'' section in your email!!


  o  Post your question to a related Linux NNTP newsgroup.


  o  Send email to ambrose@writeme.com and dranch@trinnet.net.   You
     have a better chance of getting a reply from the IP Masquerading
     Email list than either of us.


  o  Check your configurations again :-)




  7.4.  How do I join the IP Masquerade Mailing List?

  Join the Linux IP Masquerading mailing list by sending an email to
  masq-subscribe@tiffany.indyramp.com.


  o  The subject and body of the message are IGNORED. Once subscribed,
     this list will give you every message on the list as it comes out.
     There is also a DIGEST version of the list that sends a
     conglomeration of the weekly emails on the list in one BIG email.
     The digest also puts less of a load on the list server. Note that
     you can only post to the MASQ list from an account/address you
     originally subscribed from.

  For more commands, email masq-help@tiffany.indyramp.com.


  7.5.  How does IP Masquerade differ from Proxy or NAT services?


  Proxy:  Proxy servers are available for: Win95, NT, Linux, Solaris, etc.

                  Pro:    + (1) IP address ; cheap
                          + Optional caching for better performance (WWW, etc.)

                  Con:    - All applications behind the proxy server must both SUPPORT
                            proxy services (SOCKS) and be CONFIGURED to use the Proxy
                            server
                          - Screws up WWW counters and WWW statistics

           A proxy server uses only (1) public IP address, like IP MASQ, and acts
           as a translator to clients on the private LAN (WWW browser, etc.).
           This proxy server receives requests like TELNET, FTP, WWW,
           etc. from the private network on one interface.  It would then in turn,
           initiate these requests as if someone on the local box was making the
           requests.   Once the remote Internet server sends back the requested
           information, it would re-translate the TCP/IP addresses back to the
           internal MASQ client and send traffic to the internal requesting host.
           This is why it is called a PROXY server.

                  Note:  ANY applications that you might want to use on the
                          internal machines *MUST* have proxy server support
                          like Netscape and some of the better TELNET and FTP
                          clients.  Any clients that don't support proxy servers
                          won't work.

           Another nice thing about proxy servers is that some of them
           can also do caching (Squid for WWW).  So, imagine that you have 50
           proxied hosts all loading Netscape at once.  If they were installed
           with the default homepage URL, you would have 50 copies of the same
           Netscape WWW page coming over the WAN link for each respective computer.
           With a caching proxy server, only one copy would be downloaded by the proxy
           server and then the proxied machines would get the WWW page from the
           cache.  Not only does this save bandwidth on the Internet connection,
           it will be MUCH MUCH faster for the internal proxied machines.



  MASQ:    IP Masq is available on Linux and a few ISDN routers such
   or      as the Zytel Prestige128, Cisco 770, NetGear ISDN routers, etc.
  1:Many
   NAT
                  Pro:    + Only (1) IP address needed (cheap)
                          + Doesn't require special application support
                          + Uses firewall software so your network can become
                            more secure

                  Con:    - Requires a Linux box or special ISDN router
                            (though other products might have this..  )
                          - Incoming traffic cannot access your internal LAN
                            unless the internal LAN initiates the traffic or
                            specific port forwarding software is installed.
                            Many NAT servers CANNOT provide this functionality.
                          - Special protocols need to be uniquely handled by
                            firewall redirectors, etc.  Linux has full support
                            for this (FTP, IRC, etc.) capability but many routers
                            do NOT (NetGear DOES).

           Masq or 1:Many NAT is similar to a proxy server in the sense that the
           server will do IP address translating and fake out the remote server
           (WWW for example) as if the MASQ server made the request instead of an
           internal machine.

           The major difference between a MASQ and PROXY server is that MASQ servers
           don't need any configuration changes to all the client machines.  Just
           configure them to use the linux box as their default gateway and everything
           will work fine.  You WILL need to install special Linux modules for things
           like RealAudio, FTP, etc. to work!

           Also, many people use IP MASQ for TELNET, FTP, etc. *AND* also setup a caching
           proxy on the same Linux box for WWW traffic for the additional performance.


  NAT:     NAT servers are available on Windows 95/NT, Linux, Solaris, and some of the
           better ISDN routers (not Ascend)

                  Pro:    + Very configurable
                          + No special application software needed

                  Con:    - Requires a subnet from your ISP (expensive)

           Network Address Translation is a name for a box that has a pool of
           valid Internet IP addresses available on its Internet interface.  When a
           host on the internal network wants to go to the Internet, the box
           associates an available VALID IP address from the Internet interface with
           the original requesting PRIVATE IP address.  After that, all traffic is
           re-written between the NAT public IP address and the NAT private address.
           Once the associated PUBLIC NAT address has been idle for some
           pre-determined amount of time, the PUBLIC IP address is returned to the
           public NAT pool.

           The major problem with NAT is, once all of the free public IP addresses are
           used, any additional private users requesting Internet service are out of
           luck until a public NAT address becomes free.





  7.6.  Are there any GUI firewall creation/management tools?


  Yes!  They vary in user interface, complexity, etc. but they are quite
  good though most are only for the IPFWADM tool so far.  Here is a
  short list of available tools in alphabetical order.  If you know of
  any others or have any thoughts on which ones are good/bad/ugly,
  please email Ambrose or David.


  o  John Hardin's IPFWADM Dot file generator - an IPCHAINS version is in
     the works


  o  Sonny Parlin's FWCONFIG
     <http://www.mindstorm.com/~sparlin/fwconfig.shtml> for IPFWADM


  o  William Stearns's Mason <http://www.pobox.com/~wstearns/mason/> - A
     Build-a-ruleset on-the-fly type system



  7.7.  Does IP Masquerade work with dynamically assigned IP addresses?

  Yes, it works with dynamic IP addresses assigned by your ISP via
  either PPP or a DHCP/BOOTp server.  As long as you have a valid
  Internet IP address, it should work.  Of course, static IP works too.
  Yet, if you plan on implementing a strong IPFWADM/IPCHAINS ruleset
  and/or plan on using a Port forwarder, your ruleset will have to be
  re-executed every time your IP address changes.  Please see the top of
  TrinityOS - Section 10
  <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri> for
  additional help with strong firewall rulesets and Dynamic IP
  addresses.


  7.8.  Can I use a cable modem (both bi-directional and with modem
  returns), DSL, satellite link, etc. to connect to the Internet and use
  IP Masquerade?


  Yes, as long as Linux supports that network interface, it should work.
  If you receive a dynamic IP address, please see the URL under the
  "Does IP Masquerade work with dynamically assigned IP" FAQ item above.


  7.9.  Can I use Diald or the Dial-on-Demand feature of PPPd with IP
  MASQ?


  Definitely!  IP Masquerading is totally transparent to Diald or PPP.
  The only thing that might become an issue is if you use STRONG
  firewall rulesets with dynamic IP addresses.  See the FAQ item, "Does
  IP Masquerade work with dynamically assigned IP addresses?" above for
  more details.


  7.10.  What applications are supported with IP Masquerade?

  It is very difficult to keep track of a list of "working
  applications".  However, most of the normal Internet applications are
  supported, such as WWW browsing (Netscape, MSIE, etc.), FTP (such as
  WS_FTP), TELNET, SSH, RealAudio, POP3 (incoming email - Pine, Eudora,
  Outlook), SMTP (outgoing email), etc.  A somewhat more complete list
  of MASQ-compatible clients can be found in the ``'' section of this
  HOWTO.

  Applications involving more complicated protocols or special
  connection methods such as video conferencing software need special
  helper tools.

  For more detail, please see this page about applications that work
  through Linux IP masquerading <http://dijon.nais.com/~nevo/masq/> by
  Lee Nevo.


  7.11.  How can I get IP Masquerade running on Redhat, Debian,
  Slackware, etc.?

  No matter what Linux distribution you have, the procedures for setting
  up IP Masquerade mentioned in this HOWTO should apply.  Some
  distributions may have GUI or special configuration files that make
  the setup easier.  We try our best to write the HOWTO as generally as
  possible.



  7.12.  TELNET connections seem to break if I don't use them often.
  Why is that?

  IP Masq, by default, sets its timers for TCP sessions, TCP FIN, and UDP
  traffic to 15 minutes.  The following settings (as already shown in
  this HOWTO's /etc/rc.d/rc.firewall ruleset) are recommended for most
  users:

  Linux 2.0.x with IPFWADM:



  # MASQ timeouts
  #
  #   2 hrs timeout for TCP session timeouts
  #  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
  #  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
  #
  /sbin/ipfwadm -M -s 7200 10 60




  Linux 2.2.x with IPCHAINS:


  # MASQ timeouts
  #
  #   2 hrs timeout for TCP session timeouts
  #  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
  #  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
  #
  /sbin/ipchains -M -S 7200 10 60





  7.13.  When my Internet connection first comes up, nothing works.  If
  I try again, everything then works fine.  Why is this?

  The reason is that you have a dynamic IP address, and when your
  Internet connection first comes up, IP Masquerade doesn't yet know its
  IP address.  There is a solution to this.  In your /etc/rc.d/rc.firewall
  ruleset, add the following:


  # Dynamic IP users:
  #
  #   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the following
  #       option.  This enables dynamic-ip address hacking in IP MASQ, making life
  #       with Diald and similar programs much easier.
  #
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr




  7.14.  IP MASQ seems to be working fine but some sites don't work.
  This usually happens with WWW surfing.

  There are two possible reasons for this.  The first one is VERY common
  and the second is very UNCOMMON.


  o  As of the 2.0.36 and 2.2.2 Linux kernels, there is an elusive BUG
     in the Masquerade code that has problems with packets that have the
     DF or "Don't Fragment" bit set.  Basically, when a MASQ box connects
     to the Internet with an MTU of anything less than 1500, some
     packets will have the DF field set.  Though changing the MTU to 1500
     on the Linux box will seemingly fix the problem, the bug is still
     there.  What is believed to be happening is that the MASQ code is
     not properly re-writing the returning ICMP packets with the ICMP 3
     sub 4 code (type 3, code 4: "fragmentation needed") back to the
     originating MASQed computer.  Because of this, the packets get
     dropped.  If you are a network programmer and you think you can fix
     this.. PLEASE TRY!

     No worries though.  A perfectly good workaround is to change your
     Internet link's MTU to 1500.  Now some users will balk at this
     because it can hurt some latency-sensitive programs like TELNET and
     games, but the impact is only slight.  On the flip side, most HTTP
     and FTP traffic will SPEED UP!

     To fix this, first see what the MTU of your Internet link is now.
     To do this, run "/bin/ifconfig".  Now look at the lines that
     correspond to your Internet connection and look for the MTU.  This
     NEEDS to be set to 1500.  Usually, Ethernet links will default to
     this but PPP will default to 576.


  o  To fix the MTU issue on your PPP link, edit your /etc/ppp/options
     file and, towards the top, add the lines "mtu 1500" and "mru 1500".
     Save your changes and then restart PPP.  As above, verify with
     ifconfig that your PPP link now has the correct MTU and MRU.


  o  To fix the MTU issue on your Ethernet link to your ADSL,
     Cablemodem, etc, you need to edit your network startup scripts.
     Please see the TrinityOS - Section 16
     <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri> document
     for network optimizations.


  o  Lastly, though this isn't a common problem, some people have found
     this is their solution.  With PPP users, what port is your PPPd
     code connecting to?  A /dev/cua* port or a /dev/ttyS* port?  It
     NEEDS to be a /dev/ttyS* port.  The cua style is OLD and it breaks
     some things in very odd ways.
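  The MTU check described above, as an added example that is not part of
  this HOWTO: a small parser for the classic "/bin/ifconfig" output that
  reports every non-loopback interface whose MTU is below 1500.  The
  ifconfig output embedded in it is constructed (with documentation-range
  addresses) to show the three common cases: loopback, an Ethernet link at
  1500, and a PPP link still at the 576 default.  Function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the classic net-tools ifconfig layout (not captured
# from a real machine).  On a real box, feed this function the actual output
# of /bin/ifconfig instead.
SAMPLE_IFCONFIG = """\
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING  MTU:576  Metric:1
"""

# An interface block starts with its name in column 0 followed by "Link encap:".
IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
# The MTU sits on the flags line of the block as "MTU:<n>".
MTU_RE = re.compile(r"\bMTU:(\d+)")


def interface_mtus(ifconfig_text: str) -> Dict[str, int]:
    """Return {interface name: MTU} parsed from ifconfig-style output.

    Blocks are separated by a blank line; a block without a recognisable
    name or MTU line is skipped rather than guessed at.
    """
    mtus: Dict[str, int] = {}
    for block in ifconfig_text.strip().split("\n\n"):
        name_m = IFACE_RE.search(block)
        mtu_m = MTU_RE.search(block)
        if name_m and mtu_m:
            mtus[name_m.group(1)] = int(mtu_m.group(1))
    return mtus


def undersized_links(ifconfig_text: str, wanted: int = 1500) -> List[str]:
    """Interfaces whose MTU is below `wanted`, ignoring loopback.

    These are the links on which the DF problem described above can bite;
    for PPP the fix is "mtu 1500" / "mru 1500" in /etc/ppp/options.
    """
    return [name for name, mtu in interface_mtus(ifconfig_text).items()
            if name != "lo" and mtu < wanted]


if __name__ == "__main__":
    for name, mtu in interface_mtus(SAMPLE_IFCONFIG).items():
        print(f"{name}: MTU {mtu}")
    print("needs attention:", undersized_links(SAMPLE_IFCONFIG))
```

  Run against real output, only the interfaces it lists need the MTU change
  from the bullets above; an empty list means the workaround is already in
  place on every link.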


  7.15.  IP Masquerading seems slow

  There might be a few reasons for this:

  o  Make sure you don't have both your INTERNAL and EXTERNAL networks
     running on the same network card with the IP Alias feature.  If you
     ARE doing this, it is highly recommended to get another network
     card so that the internal and external networks have their own
     interface.


  o  If you have an external modem, make sure you have a good serial
     cable.  Also, many PCs have cheesy ribbon cables connecting the
     serial port from the motherboard or I/O card to the serial port
     connection.  If you have one of these, make sure it is in good
     condition.  Personally, I have ferrite coils (those grey-black
     metal like rings) around ALL of my ribbon cables.


  o  Make sure your MTU is set to 1500 as described in the FAQ section
     of this HOWTO above


  o  Make sure that your serial port is a 16550A or better UART.  Run
     "dmesg | more" to verify.


  o  Make sure that your serial port for your PPP connection is running
     at 115200 (or faster if both your modem and serial port can handle
     it.. a.k.a  ISDN terminal adapters)


  o  2.0.x kernels:  The 2.0.x kernels are kind of an odd ball because
     you can't directly tell the kernel to clock the serial ports at
     115200.  So, in one of your startup scripts like the
     /etc/rc.d/rc.local or /etc/rc.d/rc.serial file, execute the
     following command for a modem on COM2:


        setserial /dev/ttyS1 spd_vhi


     Then, in your PPPd script, edit the actual pppd execution line to
     include the speed "38400" per the pppd man page.


  o  2.2.x kernels:  Unlike the 2.0.x kernels, the 2.1.x and 2.2.x
     kernels don't have this "spd_vhi" issue.  So, in your PPPd script,
     edit the actual pppd execution line to include the speed "115200"
     per the pppd man page.


  o  Set the TCP sliding window to at least 8192.  Though this is
     COMPLETELY out of the scope of this document, it helps QUITE A BIT
     on ANY network link you have, be it an internal or external PPP,
     Ethernet, TokenRing, etc. link.  For full details, check out the
     Network Optimization section of TrinityOS - Section 16.


  o  Set up IRQ-Tune for your serial ports.  On most PC hardware, the
     use of Craig Estey's IRQTUNE <http://www.best.com/~cae/irqtune/>
     tool can significantly increase serial port performance, including
     SLIP and PPP connections.


  7.16.  Now that I have IP Masquerading up, I'm getting all sorts of
  weird notices and errors in the SYSLOG log files.  How do I read the
  IPFWADM/IPCHAINS firewall errors?

  There are two common things that you are probably going to see:

  o  MASQ: Failed TCP Checksum error:  You will see this error when a
     packet coming from the Internet arrives with a corrupt data section
     but the rest of it "seems" OK.  When the Linux box receives this
     packet, it recomputes the TCP checksum and determines that the
     packet is corrupt.  Most machines running OSes like Microsoft
     Windows just silently drop such packets, but Linux IP MASQ reports
     them.  If you get a LOT of them over your PPP link, first follow
     the FAQ entry above for "IP Masquerading seems slow".  If none of
     those tips help, try adding the line "-vj" to your
     /etc/ppp/options file and restart PPPd.


  o  Firewall hits:  Being on the Internet with a decent firewall, you
     are going to be surprised how many people are going to try to get
     into your Linux box!  So what do all these firewall logs mean?

     From the TrinityOS - Section 10
     <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri> doc:



             In the below rulesets, any lines that either DENY or REJECT any
             traffic also have a "-o" to LOG this firewall hit to the SYSLOG
             messages file found either in:

                     Redhat:         /var/log
                     Slackware:      /var/adm

             If you look at one of these firewall logs, you would see something like:

             ---------------------------------------------------------------------
             IPFWADM:
             Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633
                100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254

             IPCHAINS:
             Packet log: input DENY eth0 PROTO=17 12.75.147.174:1633 100.200.0.212:23
               L=44 S=0x00 I=54054 F=0x0040 T=254
             ---------------------------------------------------------------------

       There is a LOT of information in just this one line.  Let's break out this example,
       so refer back to the original firewall hit as you read this.  Please note that this
       example is for IPFWADM though it is DIRECTLY readable for IPCHAINS users.

             --------------

             - This firewall "hit" occurred on "Feb 23 07:37:01"

             - This hit was on the "RoadRunner" computer.

             - This hit occurred on the "IP" or TCP/IP protocol

             - This hit came IN to ("fw-in") the firewall
                     * Other logs can say "fw-out" for OUT or "fw-fwd" for FORWARD

             - This hit was then "rej"ected.
                     * Other logs can say "deny" or "accept"

             - This firewall hit was on the "eth0" interface (Internet link)

             - This hit was a "TCP" packet

             - This hit came from IP address "12.75.147.174" on return port "1633".

             - This hit was addressed to "100.200.0.212" on port "23" or TELNET.
                     * If you don't know that port 23 is for TELNET, look at your
                              /etc/services file to see what other ports are used for.

             - This packet was "44" bytes long

             - This packet did NOT have any "Type of Service" (TOS) set
                     --Don't worry if you don't understand this.. not required to know
                     * divide this by 4 to get the Type of Service for ipchains users

             - This packet had the "IP ID" number of "18"
                     --Don't worry if you don't understand this.. not required to know

             - This packet had a 16bit fragment offset including any TCP/IP packet
               flags of "0x0000"
                     --Don't worry if you don't understand this.. not required to know
                     * A value that starts with "0x2..." or "0x3..." means the "More
                       Fragments" bit was set, so more fragments will be coming in
                       to complete this one BIG packet.
                     * A value that starts with "0x4..." or "0x5..." means that the
                       "Don't Fragment" bit is set.
                     * Any other value is the fragment offset (divided by 8) to be later
                       used to recombine into the original LARGE packet.
             - This packet had a TimeToLive (TTL) of 20.
                     * Every hop over the Internet subtracts (1) from this number.  Usually,
                       packets start with a value of (255), and if that number ever reaches
                       (0), it means the packet was realistically lost and it will be dropped.








  7.17.  Can I configure IP MASQ to allow Internet users to directly
  contact internal MASQed servers?

  Yes!  With IPPORTFW, you can allow ALL or only a select few Internet
  hosts to contact ANY of your internal MASQed computers.  This topic is
  completely covered in the ``'' section of this HOWTO.


  7.18.  IRC won't work properly for MASQed IRC users.  Why?

  The most likely reason is that the IDENT or "Identity" servers shipped
  with most common Linux distributions can't deal with IP Masqueraded
  links.  No worries though, there are IDENTs out there that will work.

  Installing this software is beyond the scope of this HOWTO but each
  tool has its own documentation.  Here are some of the URLs:

  o  Mident <ftp://ftp.code.org/pub/linux/midentd/> is heavily used by
     most IRC users out there.


  o  Sident <http://insecurity.net/sidentd.gz>


  o  Other Idents including Oidentd
     <ftp://sunsite.unc.edu/pub/Linux/system/network/daemons/>

  Please note that some Internet IRC servers still won't allow multiple
  connections from the same host even if they get Ident info and the
  users are different.  Complain to the remote sys admin.  :)


  7.19.  mIRC doesn't work with DCC Sends

  This is a configuration problem on your copy of mIRC.  To fix this,
  first disconnect mIRC from the IRC server.  Now in mIRC, go to File
  --> Setup and click on the "IRC servers" tab.  Make sure that it is
  set to port 6667.  If you require other ports, see below.  Next, go to
  File --> Setup --> Local Info and clear the fields for Local Host and
  IP Address.  Now select the checkboxes for "LOCAL HOST" and "IP
  address" (IP address may be checked but disabled).  Next, under "Lookup
  Method", configure it for "normal".  It will NOT work if "server" is
  selected.  That's it.  Try connecting to the IRC server again.

  If you require IRC server ports other than 6667, (for example, 6969)
  you need to edit the /etc/rc.d/rc.firewall startup file where you load
  the IRC MASQ modules.  Edit this file and the line for "modprobe
  ip_masq_irc" and add to this line "ports=6667,6969".  You can add
  additional ports as long as they are separated with commas.

  Finally, close down any IRC clients on any MASQed machines and re-load
  the IRC MASQ module:


  /sbin/rmmod ip_masq_irc
  /etc/rc.d/rc.firewall


  7.20.  Can IP Masquerade work with only ONE Ethernet network card?

  Yes, with the "IP Alias" kernel compile-time feature, but it IS NOT
  recommended.  Providing a secure firewall becomes very difficult with
  a single NIC card.  In addition to this, you will experience an
  abnormal amount of errors on this link since incoming packets will
  almost simultaneously be sent back out on the same interface.  Because
  of this, and since NIC cards now cost less than $10, I highly recommend
  just getting a NIC card for each MASQed network segment.

  If you are still interested in doing this, you need to enable the "IP
  Alias" feature in the kernel, re-compile, and reboot.   Now running
  the new kernel, you need to configure Linux to use the new interface
  (i.e. /dev/eth0:1, etc.).  After that, you can treat it as a normal
  Ethernet interface.



  7.21.  I'm trying to use the NETSTAT command to show my Masqueraded
  connections but its not working

  There is a problem with the "netstat" program.  After a Linux reboot,
  running "netstat -M" works fine but after a MASQed computer runs some
  successful ICMP traffic like ping, traceroute, etc., you might see
  something like:


  masq_info.c: Internal Error `ip_masquerade unknown type'.



  The workaround for this is to use the "/sbin/ipfwadm -M -l" command.
  You will also notice that once the listed ICMP masquerade entries
  time out, "netstat" works again.



  7.22.  I would like to get Microsoft PPTP (GRE tunnels) and/or IPSEC
  (Linux SWAN) tunnels running through IP MASQ

  This IS possible.  Though it is somewhat out of the scope of this
  document, check out John Hardin's PPTP Masq page for all the details.


  7.23.  I want to get the XYZ network game to work through IP MASQ but
  it won't work.  Help!

  First, check Lee Nevo's MASQ Applications page
  <http://dijon.nais.com/~nevo/masq/>.  If your solution isn't listed
  there, try patching your Linux kernel with Glenn Lamb's LooseUDP
  <ftp://ftp.netcom.com/pub/mu/mumford/loose-udp-2.0.36.patch.gz> patch
  which is covered in the ``'' section above.  Also check out Dan
  Kegel's NAT Page <http://www.alumni.caltech.edu/~dank/peer-nat.html>
  for more information.

  If you are technically inclined, use the program "tcpdump" and sniff
  your network.  Try to find out what protocols and port numbers your
  XYZ game is using.  With this information in hand, subscribe to the IP
  Masq email list and email your results for help.




  7.24.  IP MASQ works fine for a while but then it stops working.  A
  reboot seems to fix this for a while.  Why?

  I bet you are using IPAUTOFW and/or you have it compiled into the
  kernel, huh??  This is a known problem with IPAUTOFW.  It is recommended
  NOT to even install IPAUTOFW into the Linux kernel and to use IPPORTFW
  instead.  This is covered in more detail in the ``'' section.


  7.25.  Internal MASQed computers cannot send SMTP mail!


  Though this isn't a Masquerading issue per se, many people run into it.
  The issue is that you are probably using your Linux box as an SMTP
  relay server and get the following error:


       "error from mail server: we do not relay"


  Newer versions of Sendmail and other Mail Transfer Agents (MTAs)
  disable relaying by default (this is a good thing).  So do the
  following to fix this:


  o  Sendmail:  Enable specific relaying for your internal MASQed
     machines by editing the /etc/sendmail.cw file and add the hostname
     and domain name of your internal MASQed machine.  You should also
     check to see that the /etc/hosts file has the IP address and Fully
     Qualified Domain Name (FQDN) configured in it.  Once this is done,
     you need to restart Sendmail for it to re-read its configuration
     files.  This is covered in TrinityOS - Section 25
     <http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri>


  7.26.  Why do the new 2.1.x and 2.2.x kernels use IPCHAINS instead of
  IPFWADM?

  IPCHAINS supports the following features that IPFWADM doesn't:


  o  "Quality of Service" (QoS  support)


  o  A TREE style chains system vs. a LINEAR system like IPFWADM (e.g.
     this allows something like "if it is ppp0, jump to this chain
     (which contains its own different set of rules)").


  o  IPCHAINS also has the "replace" command (in addition to "insert"
     and "add").


  7.27.  I've just upgraded to the 2.2.x kernels, why isn't IP
  Masquerade working?

  There are several things you should check, assuming your Linux IP Masq
  box already has a proper connection to the Internet and your LAN:


  o  Make sure the necessary features and modules are compiled and
     loaded.  See earlier sections for detail.


  o  Check /usr/src/linux/Documentation/Changes and make sure you have
     the minimal requirement for the network tools installed.


  o  Make sure you followed all the tests in the ``'' section of the
     HOWTO.


  o  You should use ipchains <http://www.rustcorp.com/linux/ipchains/>
     to manipulate IP Masq and firewalling rules.


  o  The standard IPAUTOFW and IPPORTFW port forwarders have been
     replaced by IPMASQADM <http://juanjox.linuxhq.com/>.  You'll need
     to apply these patches to the kernel, re-compile the kernel,
     compile the new IPMASQADM tool and then convert your old
     IPAUTOFW/IPPORTFW firewall rulesets to the new syntax.  This is
     completely covered in the ``'' section.


  o  Go through all setup and configuration again!  A lot of time it's
     just a typo or a simple mistake you are overlooking.


  7.28.  I've just upgraded to a 2.0.36+ kernel, why isn't IP
  Masquerade working?

  There are several things you should check, assuming your Linux IP Masq
  box already has a proper connection to the Internet and your LAN:


  o  Make sure the necessary features and modules are compiled and
     loaded.  See earlier sections for detail.


  o  Check /usr/src/linux/Documentation/Changes and make sure you have
     the minimal requirement for the network tools installed.


  o  Make sure you followed all the tests in the ``'' section of the
     HOWTO.


  o  You should use ipfwadm <http://www.xos.nl/> to manipulate IP Masq
     and firewalling rules.  If you want to use IPCHAINS, you'll need to
     apply a patch to the 2.0.x kernels.


  o  Go through all setup and configuration again!  A lot of time it's
     just a typo or a simple mistake you overlooked.


  7.29.  I need help with EQL connections and IP Masq

  EQL has nothing to do with IP Masq though they are commonly teamed up
  on Linux boxes.  Because of this, I recommend to check out the NEW
  version of Robert Novak's EQL HOWTO for all your EQL needs.


  7.30.  I can't get IP Masquerade to work!  What options do I have for
  Windows Platforms?

  Give up a free, reliable, high performance solution that works on
  minimal hardware and pay a fortune for something that needs more
  hardware, performs worse and is less reliable?  (IMHO.  And yes, I
  have real life experience with these ;-)

  Okay, it's your call.  Do a web search on "MS Proxy Server",
  "Wingate", "WinProxy", or goto www.winfiles.com
  <http://www.winfiles.com>.  And definitely DON'T tell anyone I sent
  you.


  7.31.  I want to help on IP Masquerade development.  What can I do?

  Join the Linux IP Masquerading DEVELOPERS list and ask the great
  developers there, by sending an email to masq-dev-
  subscribe@tiffany.indyramp.com (or for a digest format, use masq-dev-
  digest-subscribe@tiffany.indyramp.com).

  DON'T ask NON-IP-Masquerade development related questions there!!!!


  7.32.  Where can I find more information on IP Masquerade?

  You can find more information on IP Masquerade at the Linux IP
  Masquerade Resource <http://ipmasq.cjb.net/> that both David Ranch and
  Ambrose Au maintain.

  You can also find more information at Dranch's Linux page
  <http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html> where
  the TrinityOS and other Linux documents are kept.

  You may also find more information at The Semi-Original Linux IP
  Masquerading Web Site <http://www.indyramp.com/masq/> maintained by
  Indyramp Consulting, who also provides the IP Masq mailing lists.


  7.33.  I want to translate this HOWTO to another language, what should
  I do?

  Make sure the language you want to translate to is not already covered
  by someone else.  But, most of the translated HOWTOs are now OLD and
  need to be updated.  A list of available HOWTO translations is
  available at the Linux IP Masquerade Resource
  <http://ipmasq.cjb.net/>.

  If a copy of a current IP MASQ HOWTO isn't in your proposed language,
  please download the newest copy of the IP-MASQ HOWTO SGML code from
  the Linux IP Masquerade Resource <http://ipmasq.cjb.net/>.  From
  there, begin your work while maintaining good SGML coding.  For more
  help on SGML, check out www.sgmltools.org <http://www.sgmltools.org>.


  7.34.  This HOWTO seems out of date, are you still maintaining it?
  Can you include more information on ...?  Are there any plans for
  making this better?

  Yes, this HOWTO is still being maintained.  In the past, we've been
  guilty of being too busy working two jobs and not having much time to
  work on this; our apologies.  As of v1.50, David Ranch has begun to
  revamp the document and get it current again.

  If you think of a topic that could be included in the HOWTO, please
  send email to ambrose@writeme.com and dranch@trinnet.net.  It will be
  even better if you can provide that information.  We will then include
  the information into the HOWTO once it is both found appropriate and
  tested.  Many thanks for your contributions!

  We have a lot of new ideas and plans for improving the HOWTO, such as
  case studies that will cover different network setups involving IP
  Masquerade, more on security via strong IPFWADM/IPCHAINS firewall
  rulesets, IPCHAINS usage, more FAQ entries, etc.  If you think you can
  help, please do!  Thanks.


  7.35.  I got IP Masquerade working, it's great!  I want to thank you
  guys, what can I do?


  o  Can you translate the newer version of the HOWTO to another
     language?

  o  Thank the developers and appreciate the time and effort they spent
     on this.

  o  Join the IP Masquerade email list and support new MASQ users

  o  Send an email to us and let us know how happy you are

  o  Introduce other people to Linux and help them when they have
     problems.


  8.  Miscellaneous



  8.1.  Useful Resources


  o  IP Masquerade Resource page <http://ipmasq.cjb.net/> should have
     enough information for setting up IP Masquerade


  o  IP masquerade mailing list archive
     <http://www.indyramp.com/masq/list/> contains some of the recent
     messages sent to the mailing list.


  o  David Ranch's Linux page including the TrinityOS Linux document
     <http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html>.
     Topics such as IP MASQ, strong IPFWADM/IPCHAINS rulesets, PPP,
     Diald, Cablemodems, DNS, Sendmail, Samba, NFS, Security, etc. are
     covered.


  o  The IP Masquerading Applications page
     <http://dijon.nais.com/~nevo/masq/>: A comprehensive list of
     applications that work or can be tuned to work through a Linux IP
     masquerading server.


  o  This Linux IP Masquerade mini HOWTO <http://ipmasq.cjb.net/ipmasq-
     HOWTO.html> for kernel 2.2.x and 2.0.x


  o  IP Masquerade HOWTO for kernel 1.2.x <http://ipmasq.cjb.net/ipmasq-
     HOWTO-1.2.x.txt> if you're using an older kernel


  o  IP masquerade FAQ <http://www.indyramp.com/masq/ip_masquerade.txt>
     has some general information


  o  Paul Russell's IPCHAINS doc <http://www.rustcorp.com/linux/ipchains/>
     and its possibly older backup at Linux IPCHAINS HOWTO.  This HOWTO
     has lots of information on IPCHAINS usage, as well as source and
     binaries for the ipchains tool.



  o  X/OS Ipfwadm page <http://www.xos.nl/linux/ipfwadm/> contains
     sources, binaries, documentation, and other information about the
     ipfwadm package


  o  Check out the GreatCircle's Firewall mailing list for a great
     resource for strong firewall rulesets.


  o  The LDP Network Administrator's Guide
     <http://metalab.unc.edu/mdw/LDP/nag/nag.html> is a MUST for the
     beginner Linux administrator trying to set up a network.


  o  The Linux NET-3 HOWTO
     <http://metalab.unc.edu/mdw/HOWTO/NET-3-HOWTO.html> is also another
     comprehensive document on how to setup and configure Linux
     networking.


  o  Linux ISP Hookup HOWTO <http://metalab.unc.edu/mdw/HOWTO/ISP-
     Hookup-HOWTO.html> and Linux PPP HOWTO
     <http://metalab.unc.edu/mdw/HOWTO/PPP-HOWTO.html> give you
     information on how to connect your Linux host to the Internet


  o  Linux Ethernet-Howto <http://metalab.unc.edu/mdw/HOWTO/Ethernet-
     HOWTO.html> is a good source of information about setting up a LAN
     running over Ethernet.


  o  You may also be interested in Linux Firewalling and Proxy Server
     HOWTO <http://metalab.unc.edu/mdw/HOWTO/Firewall-HOWTO.html>


  o  Linux Kernel HOWTO <http://metalab.unc.edu/mdw/HOWTO/Kernel-
     HOWTO.html> will guide you through the kernel compilation process


  o  Other Linux HOWTOs <http://metalab.unc.edu/mdw/HOWTO/HOWTO-
     INDEX-3.html> such as Kernel HOWTO


  o  Posting to the USENET newsgroup: comp.os.linux.networking



  8.2.  Linux IP Masquerade Resource


  The Linux IP Masquerade Resource  <http://ipmasq.cjb.net/> is a
  website dedicated to Linux IP Masquerade information also maintained
  by David Ranch and Ambrose Au.  It has the latest information related
  to IP Masquerade and may have information that is not being included
  in the HOWTO.

  You may find the Linux IP Masquerade Resource at the following
  locations:

  o  http://ipmasq.cjb.net/, Primary Site, redirected to
     http://ipmasq.cjb.net/


  o  http://ipmasq2.cjb.net/, Secondary Site, redirected to
     http://www.geocities.com/SiliconValley/Heights/2288/

  8.3.  Thanks to the following people..


  In Alphabetical order:

  o  Gabriel Beitler, gabrielb@voicenet.com
     on providing section 3.3.8 (setting up Novell)


  o  Juan Jose Ciarlante, irriga@impsat1.com.ar
     on contributing his work on his IPMASQADM port forward tool, his
     work on the 2.1.x and 2.2.x kernel code, the original LooseUDP
     tool, etc.


  o  Steven Clarke, steven@monmouth.demon.co.uk
     on contributing his IPPORTFW IP port forwarder tool


  o  Ed Doolittle, dolittle@math.toronto.edu
     on suggestion to -V option in ipfwadm command for improved security


  o  Matthew Driver, mdriver@cfmeu.asn.au
     on helping extensively on this HOWTO, and providing section 3.3.1
     (setting up Windows 95)


  o  Ken Eves, ken@eves.com
     on the FAQ that provides invaluable information for this HOWTO


  o  John Hardin, jhardin@wolfenet.com
     for his PPTP and IPSEC forwarding tools


  o  Ed. Lott, edlott@neosoft.com
     for a long list of tested system and software


  o  Nigel Metheringham, Nigel.Metheringham@theplanet.net
     on contributing his version of the IP Packet Filtering and IP
     Masquerading HOWTO, which makes this HOWTO a better and more
     technically in-depth document (sections 4.1, 4.2, and others)


  o  Keith Owens, kaos@ocs.com.au
     on providing an excellent guide on ipfwadm (section 4.2), on the
     correction to the ipfwadm -deny option which avoids a security hole,
     and on clarifying the status of ping over IP Masquerade


  o  Michael Owings, mikey@swampgas.com
     on providing section for CU-SeeMe and Linux IP-Masquerade Teeny
     How-To


  o  Rob Pelkey, rpelkey@abacus.bates.edu
     on providing section 3.3.6 and 3.3.7 (setting up MacTCP and Open
     Transport)


  o  Harish Pillay, h.pillay@ieee.org
     on providing section 4.5 (dial-on-demand using Diald)

  o  Mark Purcell, purcell@rmcs.cranfield.ac.uk
     on providing section 4.6 (IPautofw)


  o  David Ranch, dranch@trinnet.net
     for help updating and maintaining this HOWTO and the Linux IP
     Masquerade Resource Page, the TrinityOS document, ..., too many to
     list here :-)


  o  Paul Russell, rusty@rustcorp.com.au
     for all his work on IP CHAINS and IP Masquerade in general


  o  Ueli Rutishauser, rutish@ibm.net
     on providing section 3.3.9 (setting up OS/2 Warp)


  o  Fred Viles, fv@episupport.com


  o  John B. (Brent) Williams, forerunner@mercury.net
     on providing section 3.3.7 (setting up Open Transport)


  o  Enrique Pessoa Xavier, enrique@labma.ufrj.br
     on the BOOTp setup suggestion


  o  All the people on the IP-MASQ email list, masq@tiffany.indyramp.com
     for their help and support for all the new Linux MASQ users.


  o  Other code and documentation developers of IP Masquerade for this
     great feature



       o  Delian Delchev, delian@wfpa.acad.bg

       o  David DeSimone (FuzzyFox), fox@dallas.net

       o  Jeanette Pauline Middelink, middelin@polyware.iaf.nl

       o  Miquel van Smoorenburg, miquels@q.cistron.nl

       o  Jos Vos, jos@xos.nl

       o  And more who I may have failed to mention here (please
          let me know)



  o  All users sending feedback and suggestions to the mailing list,
     especially the ones who reported errors in the document and the
     clients that are supported and not supported


  o  We apologize if we have omitted any important names, have not yet
     included information that some fellow users have sent us, etc.
     There are many suggestions and ideas sent, but there isn't enough
     time to verify and integrate these changes.  Both Ambrose Au and
     David Ranch are trying their best to incorporate all the
     information sent to me into the HOWTO.  I thank you for the effort,
     and I hope you understand our situation.

  8.4.  References


  o  Original IP masquerade FAQ by Ken Eves

  o  IP masquerade mailing list archive by Indyramp Consulting

  o  IP Masquerade WWW site by Ambrose Au

  o  Ipfwadm page by X/OS

  o  Various networking related Linux HOWTOs

  o  Some topics covered in TrinityOS by David Ranch


  8.5.  Changes


  o  1.65 - 3/29/99 - Dranch: Typo fixes, clarifications of required
     2.2.x kernel options, added dynamic PPP IP address support to the
     strong firewall section, additional Quake II module ports, noted
     that the LooseUDP patch is built into later 2.2.x kernels and it's
     from Glenn Lamb and not Dan Kegel, added more game info in the
     compatibility section.


  o  1.62 - Dranch:  Made the final first-draft changes to the doc and
     announced it to the MASQ email list.


  o  1.61 - Dranch:  Made editorial changes, cleaned things up and fixed
     some errors in the Windows95 and NT setups.


  o  1.58 - Dranch:  Addition of the port forwarding sections; LooseUDP
     setup; Ident servers for IRC users, how to read firewall logs,
     deleted the CuSeeme Mini-HOWTO since it is rarely used.


  o  1.55 - Dranch: Complete overhaul, feature and FAQ addition, and
     editing sweep of the v1.50 HOWTO.  Completed the 2.2.x kernel and
     IPCHAINS configurations.  Did a conversion from IPAUTOFW to
     IPPORTFW for the examples that applied.  Added many URLs to various
     other documentation and utility sites.  There are so many changes..
     I hope everyone likes it.  Final publishing of this new rev of the
     HOWTO to the LDP project won't happen until the doc is looked over
     and approved by the IP MASQ email list (then v2.00).


  o  1.50 - Ambrose: A serious update to the HOWTO and the initial
     addition of the 2.2.0 and IPCHAINS configurations.


  o  1.20 - Ambrose: One of the more recent HOWTO versions that solely
     dealt with < 2.0.x kernels and IPFWADM.
