" ** Please refer to IP Masquerade Resource for the latest information. ** "
The newest 2.4.x kernels are now using both a completely new TCP/IP network stack as well as a new NAT sub-system called NetFilter. Within this NetFilter suite of tools, we now have a tool called IPTABLES for the 2.4.x kernels much like there was IPCHAINS for the 2.2.x kernels and IPFWADM for the 2.0.x kernels. The new IPTABLES system is far more powerful (combines several functions into one place like true NAT functionality), offers better security (stateful inspection), and better performance with the new 2.4.x TCP/IP stack. But this new suite of tools can be a bit complicated in comparison to older generation kernels. Hopefully, if you follow along with this HOWTO carefully, setting up IPMASQ won't be too bad. If you find anything unclear, downright wrong, etc. please email David about it.
Unlike the migration to IPCHAINS from IPFWADM, the new NetFilter tool has kernel modules that can actually support older IPCHAINS and IPFWADM rulesets with minimal changes. So re-writing your old MASQ or firewall ruleset scripts is not longer required. BUT.. with the 2.4.x kernels, you cannot use the old 2.2.x MASQ modules like ip_masq_ftp, ip_masq_irc, etc. AND IPCHAINS is incompatible with the new IPTABLES modules like ip_conntrack_ftp, etc. So, what does this mean? It basically means that if you want to use IPMASQ or PORTFW functionality under a 2.4.x kernel, you shouldn't use IPCHAINS rules but IPTABLES ones instead. Please also keep in mind that there might be several benefits in performing a full ruleset re-write to take advantage of the newer IPTABLES features like stateful tracking, etc. but that is dependant upon how much time you have to migrate your old rulesets. Please see Section 7.38 for addutional details.
Some new 2.4.x functionalities include the following:
PROs:
Lots of new protocols modules like: amanda, eggdrop, ipsec, ipv6, portscan, pptp, quota, rsh, talk, and tftp
TRUE 1:1 NAT functionality for those who have TCP/IP addresses and subnets to use (no more iproute2 commands)
TRUE 1:1 NAT functionality for those who have TCP/IP addresses and subnets to use (no more iproute2 commands)
Built-in PORT Forwarding (no more ipmasqadm or ipportfw commands)
The built-in PORTFW'ing support works for both external and internal traffic. This means that users that have PORTFW for external traffic and REDIR for internal port redirection do not need to use two tools any more!
PORT Forwarding of FTP traffic to internal hosts is now completely supported and is handled in the conn_trak_ftp module
Full Policy-Based routing features (source-based TCP/IP address routing)
Compatibility with Linux's FastRoute feature for significantly faster packet forwarding (a.k.a Linux network switching).
Note that this feature is still not compatible with packet filtering for strong firewall rulesets.
Fully supports TCP/IP v4, v6, and even DECnet (ack!)
Supports wildcard interface names like "ppp*" for serial interfaces like ppp0, ppp1, etc
Supports filtering on both input and output INTERFACES (not just IP addresses)
Source Ethernet MAC filtering
Denial of Service (DoS) packet rate limiting
Stateful TCP/UDP/ICMP network traffic inspection
Packet REJECTs now have user-selectable return ICMP messages
Variable levels of logging (different packets can go to different SYSLOG levels)
Other features like traffic mirroring, securing traffic per login, etc.
CONs:
Netfilter is an entirely new architechure thus most of the older 2.2.x MASQ kernel modules written to make non-NAT friendly network applications work through IPMASQ need to be re-written for the 2.4.x kernels. Because of this, if you specifically need functionality from some of these modules (see below), you should stay with a 2.2.x kernel until these modules have been ported. If you are curious on the porting status of a given module, please email the author of the module and NOT David or Ambrose. We don't code.. we just document. :-)
Here is the status of the known IP Masq kernel modules or patches as found on the IPMASQ WWW site's Application Support Matrix. If you have the time and knowledge to help in the porting of code, your efforts would be highly appreciated:
Status = Module name = Description and notes --------- ----------- ---------------------------------- NotPorted CuSeeme Used for Video conferencing NotPorted DirectPlay Used for online Microsoft-based games Ported FTP Used for file transfers - NOTEs: Built into the kernel and fully supports PORTFWed FTP ReWritten H.323 Used for Video conferencing NotPorted ICQ Used for Instant messaging - No longer needed for modern ICQ clients Ported Irc Used for Online chat rooms Ported Quake Used for online Quake games Ported PPTP Allow for multiple clients to the same server NotPorted Real Audio Used for Streaming video / audio NotPorted VDO Live Used for Streaming audio? |
Documentation on how to perform MASQ module porting is available at http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html (mirror at Samba.org), If you have the time and knowledge, your talent would highly be appreciated in porting these modules.
If you'd like to read up more on NetFilter and IPTables, please see: http://www.netfilter.org/documentation/index.html#HOWTO (mirror at Samba.org), and more specifically http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html
Linux 2.4.x IP Masquerade requirements include:
Any decent computer hardware. See Section 7.2 for more details.
The 2.4.x kernel source is available from http://www.kernel.org/.
NOTE: Most modern Linux Section 7.1 that natively come with 2.4.x kernels are typically modular kernels and have all the IP Masquerade functionality already included. In such cases, there is no need to compile a new Linux kernel. If you are UPGRADING your kernel, you should be aware of other programs that might be required and/or need to be upgraded as well (mentioned later in this HOWTO).
The program "iptables" version 1.2.4 or newer ( 1.2.7a is recommended ) archive available from http://www.netfilter.org/ (mirror at Samba.org),.
NOTE #1: All versions of IPTABLES less than 1.2.3 have a FTP module issue that can bypass any existing firewall rulesets. ALL IPTABLES users are highly recommended to upgrade to the newest version. The URL is above.
NOTE #2: All versions of IPTABLES less than 1.2.2 have a FTP "port" security vulnerability in the ip_conntrack_ftp module. All IPTABLES users are highly recommended to upgrade to the newest version. The URL is above.
This tool, much like the older IPCHAINS and IPFWADM tools enables the various Masquerding code, more advanced forms of NAT, packet filtering, etc. It also makes use of additional MASQ modules like the FTP and IRC modules. Additional information on version requirements for the newest IPTABLES howto, etc. is located at the Unreliable IPTABLES HOWTOs page (mirror at Samba.org).
Loadable kernel modules, preferably 2.1.121 or higher, are available from http://www.pi.se/blox/modutils/index.html or ftp://ftp.kernel.org/pub/linux/utils/kernel/modutils
A properly configured and running TCP/IP network running on the Linux machine as covered in Linux NET-3-4 HOWTO and the Network Administrator's Guide . Also check out the TrinityOS document which is also authored by David Ranch. TrinityOS is a very comprehensive guide for Linux networking. Some topics include IP MASQ, security, DNS, DHCP, Sendmail, PPP, Diald, NFS, IPSEC-based VPNs, and performance sections, to name a few. There are over Fifty sections in all!
Connectivity to the Internet for your Linux host covered in Linux ISP Hookup HOWTO, Linux PPP HOWTO, and TrinityOS. Other helpful HOWTOs could include: Linux DHCP mini-HOWTO, Linux Cable Modem mini-HOWTO and http://www.linuxdoc.org/HOWTO/DSL-HOWTO/index.html
Know how to configure, compile, and install a new Linux kernel as described in the Linux Kernel HOWTO. This HOWTO does cover kernel compiling but only for IP Masquerade related options.
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |