2.6. Requirements for IP Masquerade on Linux 2.4.x

** Please refer to IP Masquerade Resource for the latest information. **

The newest 2.4.x kernels are now using both a completely new TCP/IP network
stack as well as a new NAT sub-system called NetFilter. Within this NetFilter
suite of tools, we now have a tool called IPTABLES for the 2.4.x kernels, much
like there was IPCHAINS for the 2.2.x kernels and IPFWADM for the 2.0.x kernels.
The new IPTABLES system is far more powerful (it combines several functions into
one place, like true NAT functionality), offers better security (stateful
inspection), and better performance with the new 2.4.x TCP/IP stack. But this
new suite of tools can be a bit complicated in comparison to older generation
kernels. Hopefully, if you follow along with this HOWTO carefully, setting up
IPMASQ won't be too bad. If you find anything unclear, downright wrong, etc.,
please email David about it.

Unlike the migration to IPCHAINS from IPFWADM, the new NetFilter tool has kernel
modules that can actually support older IPCHAINS and IPFWADM rulesets with
minimal changes. So re-writing your old MASQ or firewall ruleset scripts is no
longer required. BUT.. with the 2.4.x kernels, you cannot use the old 2.2.x MASQ
modules like ip_masq_ftp, ip_masq_irc, etc. AND IPCHAINS is incompatible with
the new IPTABLES modules like ip_conntrack_ftp, etc. So, what does this mean?
It basically means that if you want to use IPMASQ or PORTFW functionality under
a 2.4.x kernel, you shouldn't use IPCHAINS rules but IPTABLES ones instead.
Please also keep in mind that there might be several benefits in performing a
full ruleset re-write to take advantage of the newer IPTABLES features like
stateful tracking, etc., but that is dependent upon how much time you have to
migrate your old rulesets. Please see Section 7.40 for additional details.
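What such a re-write looks like in practice, as an added example that is not from the HOWTO: a small IPTABLES script doing the old IPCHAINS MASQ job with stateful rules, the ip_conntrack_ftp helper and a DNAT-based PORTFW. The interface names (ppp0, eth0), the 192.168.0.0/24 subnet and the run/APPLY print-or-execute wrapper are constructed placeholders, not taken from the HOWTO.

```sh
#!/bin/sh
# Added example (not from the HOWTO): a minimal IPTABLES ruleset that does
# what a 2.2.x IPCHAINS MASQ script did, rewritten to use 2.4.x stateful
# tracking, the ip_conntrack_ftp helper, and built-in PORTFW via DNAT.
# Interface names and the LAN subnet are constructed placeholders.
# By default the commands are only printed; run as root with APPLY=1 to load them.
EXTIF=${EXTIF:-ppp0}               # external (Internet) interface
INTIF=${INTIF:-eth0}               # internal LAN interface
INTNET=${INTNET:-192.168.0.0/24}   # internal LAN subnet (constructed)
APPLY=${APPLY:-0}
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

masq_rules() {
    # Stateful helpers replace the old ip_masq_ftp / ip_masq_irc modules.
    run modprobe ip_conntrack_ftp
    run modprobe ip_conntrack_irc
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F
    run iptables -t nat -F
    run iptables -P FORWARD DROP
    # Only the LAN may open new connections outbound; replies and RELATED
    # traffic (e.g. FTP data channels found by the conntrack helper) may return.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "MASQ-DROP: "
    # The MASQ itself: one rule in the nat table instead of ipchains -j MASQ.
    run iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# PORTFW replacement for "ipmasqadm portfw": $1 = external TCP port,
# $2 = internal host:port. DNAT rewrites the destination; the FORWARD
# rule admits the new connection the DNAT created.
portfw_rule() {
    run iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2"
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp \
        -d "${2%:*}" --dport "${2#*:}" -m state --state NEW -j ACCEPT
}

masq_rules
portfw_rule 80 192.168.0.10:8080
```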
Some new 2.4.x functionalities include the following:

PROs:

- Lots of new protocol modules like: amanda, eggdrop, ipsec, ipv6, portscan,
  pptp, quota, rsh, talk, and tftp
- TRUE 1:1 NAT functionality for those who have TCP/IP addresses and subnets
  to use (no more iproute2 commands)
- Stateful application level (FTP, IRC, etc.) and stateful protocol level
  (TCP/UDP/ICMP) network traffic inspection
- Built-in PORT Forwarding (no more ipmasqadm or ipportfw commands). The
  built-in PORTFW'ing support works for both external and internal traffic.
  This means that users that have PORTFW for external traffic and REDIR for
  internal port redirection do not need to use two tools any more!
- PORT Forwarding of FTP traffic to internal hosts is now completely supported
  and is handled in the ip_conntrack_ftp module
- Full Policy-Based routing features (source-based TCP/IP address routing)
- Compatibility with Linux's FastRoute feature for significantly faster packet
  forwarding (a.k.a. Linux network switching). Note that this feature is still
  not compatible with packet filtering for strong firewall rulesets.
- Fully supports TCP/IP v4, v6, and even DECnet (ack!)
- Supports wildcard interface names like "ppp*" for serial interfaces like
  ppp0, ppp1, etc.
- Supports filtering on both input and output INTERFACES (not just IP addresses)
- Source Ethernet MAC filtering
- Denial of Service (DoS) packet rate limiting
- Packet REJECTs now have user-selectable return ICMP messages
- Variable levels of logging (different packets can go to different SYSLOG
  levels)
- Other features like traffic mirroring, securing traffic per login, etc.
CONs:

- Netfilter is an entirely new architecture, thus most of the older 2.2.x MASQ
  kernel modules written to make non-NAT friendly network applications work
  through IPMASQ need to be re-written for the 2.4.x kernels. Because of this,
  if you specifically need functionality from some of these modules (see
  below), you should stay with a 2.2.x kernel until these modules have been
  either ported or the application has been updated to use NAT-friendly
  protocols. If you are curious about the porting status of a given module,
  please email the author of the module and NOT David or Ambrose. We don't
  code.. we just document. :-)

Here is the status of the known IP Masq kernel modules or patches as found on
the IPMASQ WWW site's Application Support Matrix. In addition, you should also
check out the Netfilter Patch-o-Matic URL as well. If you have the time and
knowledge to help in the porting of code, your efforts would be highly
appreciated:

  Status      Module name   Description and notes
  ---------   -----------   ----------------------------------
  Ported      CuSeeme       Used for Video conferencing
  NotPorted   DirectPlay    Used for online Microsoft-based games
  Ported      FTP           Used for file transfers
                            - NOTEs: Built into the kernel and
                              fully supports PORTFWed FTP
  ReWritten   H.323         Used for Video conferencing
  NotPorted   ICQ           Used for Instant messaging
                            * No longer required for modern ICQ clients
  Ported      Irc           Used for Online chat rooms
  Ported      Quake         Used for online Quake games
  Ported      PPTP          Allow for multiple clients to the same server
  NotPorted   Real Audio    Used for Streaming video / audio
                            * No longer required for modern RealVideo clients
  NotPorted   VDO Live      Used for Streaming audio?
Documentation on how to perform MASQ module porting is available at
http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html. If
you have the time and knowledge, your talent would be highly appreciated in
porting these modules.
If you'd like to read up more on NetFilter and IPTables, please see:
http://www.netfilter.org/documentation/index.html#HOWTO
and more specifically http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html

Linux 2.4.x IP Masquerade requirements include:

- Any decent computer hardware. See Section 7.2 for more details.

- The 2.4.x kernel source, available from http://www.kernel.org/.

  NOTE: Most modern Linux distributions (Section 7.1) that natively come with
  2.4.x kernels are typically modular kernels and have all the IP Masquerade
  functionality already included. In such cases, there is no need to compile a
  new Linux kernel. If you are UPGRADING your kernel, you should be aware of
  other programs that might be required and/or need to be upgraded as well
  (mentioned later in this HOWTO).

- The program "iptables" version 1.2.4 or newer (1.2.7a or newer is highly
  recommended), archive available from http://www.netfilter.org/

  NOTE #1: All versions of IPTABLES less than 1.2.3 have an FTP module issue
  that can bypass any existing firewall rulesets. ALL IPTABLES users are
  highly recommended to upgrade to the newest version. The URL is above.

  NOTE #2: All versions of IPTABLES less than 1.2.2 have an FTP "port" security
  vulnerability in the ip_conntrack_ftp module. All IPTABLES users are highly
  recommended to upgrade to the newest version. The URL is above.

  This tool, much like the older IPCHAINS and IPFWADM tools, enables the
  various Masquerading code, more advanced forms of NAT, packet filtering, etc.
  It also makes use of additional MASQ modules like the FTP and IRC modules.
  Additional information on version requirements for the newest IPTABLES
  HOWTO, etc. is located at the Unreliable IPTABLES HOWTOs page.

- Loadable kernel modules, preferably 2.1.121 or higher, available from
  http://home.pi.se/blox/modutils/index.html or
  ftp://ftp.kernel.org/pub/linux/utils/kernel/modutils

- A properly configured and running TCP/IP network on the Linux machine, as
  covered in the Linux NET HOWTO and the Network Administrator's Guide. Also
  check out the TrinityOS document, which is also authored by David Ranch.
  TrinityOS is a very comprehensive guide for Linux networking. Some topics
  include IP MASQ, security, DNS, DHCP, Sendmail, PPP, Diald, NFS, IPSEC-based
  VPNs, and performance sections, to name a few. There are over Fifty sections
  in all!

- Connectivity to the Internet for your Linux host, as covered in the Linux ISP
  Hookup HOWTO, Linux PPP HOWTO, and TrinityOS. Other helpful HOWTOs could
  include: Linux DHCP mini-HOWTO, Linux Cable Modem mini-HOWTO and
  http://www.tldp.org/HOWTO/DSL-HOWTO/index.html

- Know how to configure, compile, and install a new Linux kernel as described
  in the Linux Kernel HOWTO. This HOWTO does cover kernel compiling but only
  for IP Masquerade related options.