8. Miscellaneous

8.1 Useful Resources

• IP Masquerade Resource page Will have all the current information for setting up IP Masquerade on 2.0.x, 2.2.x, and even old 1.2 kernels!
  

• IP Masquerade mailing list Archives contains the recent messages sent to the mailing lists.

• David Ranch's Linux page including the TrinityOS Linux document and current versions of the IP-MASQ-HOWTO.. Topics such as IP MASQ, strong IPFWADM/IPCHAINS rulesets, PPP, Diald, Cablemodems, DNS, Sendmail, Samba, NFS, Security, etc. are covered.

• The IP Masquerading Applications page: A comprehensive list of applications that work or can be tuned to work through a Linux IP masquerading server.

• For people setting up IP Masq on MkLinux, email Taro Fukunaga at tarozax@earthlink.net for a copy of his short MkLinux version of this HOWTO.

• IP masquerade FAQ has some general information

• Paul Russel's http://www.rustcorp.com/linux/ipchains/ doc and its possibly older backup at Linux IPCHAINS HOWTO. This HOWTO has lots of information for IPCHAINS usage, as well as source and binaries for the ipchains tool.

• X/OS Ipfwadm page contains sources, binaries, documentation, and other information about the ipfwadm package

• Check out the GreatCircle's Firewall mailing list for a great resource for strong firewall rulesets.

• The LDP Network Administrator's Guide is a MUST for the beginner Linux administrator trying to set up a network.

• The Linux NET-3 HOWTO is also another comprehensive document on how to setup and configure Linux networking.

• Linux ISP Hookup HOWTO and Linux PPP HOWTO gives you information on how to connect your Linux host to the Internet

• Linux Ethernet-Howto is a good source of information about setting up a LAN running over Ethernet.

• You may also be interested in Linux Firewalling and Proxy Server HOWTO

• Linux Kernel HOWTO will guide you through the kernel compilation process

• Other Linux HOWTOs such as Kernel HOWTO

• Posting to the USENET newsgroup: comp.os.linux.networking

8.2 Linux IP Masquerade Resource

The Linux IP Masquerade Resource is a website dedicated to Linux IP Masquerade information also maintained by David Ranch and Ambrose Au. It has the latest information related to IP Masquerade and may have information that is not being included in the HOWTO.

You may find the Linux IP Masquerade Resource at the following locations:

• http://ipmasq.cjb.net/, Primary Site, redirected to http://ipmasq.cjb.net/

• http://ipmasq2.cjb.net/, Secondary Site, redirected to http://www.geocities.com/SiliconValley/Heights/2288/

8.3 Thanks to the following people..

In Alphabetical order:

• Gabriel Beitler, gabrielb@voicenet.com
  on providing section 3.3.8 (setting up Novell)

• Juan Jose Ciarlante, irriga@impsat1.com.ar
  on contributing his work on his IPMASQADM port forward tool, his work on the 2.1.x and 2.2.x kernel code, the original LooseUDP patch, etc.

• Steven Clarke, steven@monmouth.demon.co.uk
  on contributing his IPPORTFW IP port forwarder tool

• Andrew Deryabin, djsf@usa.net
  on contributing his ICQ MASQ module

• Ed Doolittle, dolittle@math.toronto.edu
  on suggestion to -V option in ipfwadm command for improved security

• Matthew Driver, mdriver@cfmeu.asn.au
  on helping extensively on this HOWTO, and providing section 3.3.1 (setting up Windows 95)

• Ken Eves, ken@eves.com
  on the FAQ that provides invaluable information for this HOWTO

• John Hardin, jhardin@wolfenet.com
  for his PPTP and IPSEC forwarding tools

• Glenn Lamb, mumford@netcom.com
  for the LooseUDP patch

• Ed. Lott, edlott@neosoft.com
  for a long list of tested system and software

• Nigel Metheringham, Nigel.Metheringham@theplanet.net
  on contributing his version of IP Packet Filtering and IP Masquerading HOWTO, which make this HOWTO a better and technical in-depth document
  section 4.1, 4.2, and others

• Keith Owens, kaos@ocs.com.au
  on providing an excellent guide on ipfwadm section 4.2
  on correction to ipfwadm -deny option which avoids a security hole, and clarified the status of ping over IP Masquerade

• Michael Owings, mikey@swampgas.com
  on providing section for CU-SeeMe and Linux IP-Masquerade Teeny How-To

• Rob Pelkey, rpelkey@abacus.bates.edu
  on providing section 3.3.6 and 3.3.7 (setting up MacTCP and Open Transport)

• Harish Pillay, h.pillay@ieee.org
  on providing section 4.5 (dial-on-demand using Diald)

• Mark Purcell, purcell@rmcs.cranfield.ac.uk
  on providing section 4.6 (IPautofw)

• David Ranch, dranch@trinnet.net
  help updating and maintaining this HOWTO and the Linux IP Masquerade Resource Page, the TrinityOS document , ..., too many to list here :-)

• Paul Russell, rusty@rustcorp.com.au
  for all his work on IP CHAINS, IP Masquerade kernel patches, etc

• Ueli Rutishauser, rutish@ibm.net
  on providing section 3.3.9 (setting up OS/2 Warp)

• Steve Grevemeyer, grevemes@tsmservices.com
  for taking over the IP Masq Applications page from Lee Nevo and updating it to a full DB backend.

• Fred Viles, fv@episupport.com
  for his patches for proper port forarding of FTP.

• John B. (Brent) Williams, forerunner@mercury.net
  on providing section 3.3.7 (setting up Open Transport)

• Enrique Pessoa Xavier, enrique@labma.ufrj.br
  on the BOOTp setup suggestion

• All the people on the IP-MASQ email list, masq@tiffany.indyramp.com
  for their help and support for all the new Linux MASQ users.

• Other code and documentation developers of IP Masquerade for this great feature

  • Delian Delchev, delian@wfpa.acad.bg
  • David DeSimone (FuzzyFox), fox@dallas.net
  • Jeanette Pauline Middelink, middelin@polyware.iaf.nl
  • Miquel van Smoorenburg, miquels@q.cistron.nl
  • Jos Vos, jos@xos.nl
  • And more who I may have failed to mention here (please let me know)

• All users sending feedback and suggestion to the mailing list, especially the ones who reported errors in the document and the clients that are supported and not supported

• We apologize if we have omitted any important names, not included information that some fellow users have sent us yet, etc. There are many suggestions and ideas sent but there isn't have enough time to verify and integrate these changes. Both Ambrose Au and David Ranch are trying their best to incorporate all the information sent to me into the HOWTO. I thank you for the effort, and I hope you understand our situation.

8.4 Reference

• Original IP masquerade FAQ by Ken Eves
• IP masquerade mailing list archive by Indyramp Consulting
• IP Masquerade WWW site by Ambrose Au
• Ipfwadm page by X/OS
• Various networking related Linux HOWTOs
• Some topics covered in TrinityOS by David Ranch

8.5 Changes

• TO do - HOWTO:
  • Add the scripted IPMASQADM example to the Forwarders section. Also confirm the syntax.
  • Add a little section on having multiple subnets behind a MASQ server
  • Confirm the IPCHAINS ruleset and make sure it is consistant with the IPFWADM ruleset

  TO DO - WWW page:

  • Update all PPTP urls from lowrent to ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
  • Update the PPTP patch on the masq site
  • Update the portfw FTP patch

  Changes from 1.80 to 1.81 - 01/09/00

  • Updated the ICQ section to reflect that the new ICQ Masq module supports file transfer and real-time chat. The 2.0.x module still has those limitations.
  • Updated Steven E. Grevemeyer's email address. He is the maintainer of the IP Masq Applications page.
  • Fixed a few lines that were missing the work AREN'T for the "setsockopt" errors.
  • Updated a error the strong IPCHAINS ruleset where it was using the variable name "ppp_ip" instead of "extip".
  • Fixed a "." vs a "?" typo in section 3.3.1 in the DHCP comment section.
  • Added a missing ")" to the ICQ portfw script and changed the evaluation from -lt to -le
  • Updated the Quake Module syntax to NOT use the "ports=" verbage

  Changes from 1.79 to 1.80 - 12/26/99

  • Fixed a space typo when setting the "ppp_ip" address.
  • Fixed a typo in the simple IPCHAINS ruleset. "deny" to "DENY"
  • Updated the URLs for Bjorn's "modutils" for Linux
  • Added verbage about NetFilter and IPTables and gave URLs until it is added to this HOWTO or a different HOWTO.
  • Updated the simple /etc/rc.d/rc.firewall examples to notify users about the old Quake module bug.
  • Updated the STRONG IPFWADM /etc/rc.d/rc.firewall to clarify users about dynamic IP addresses (PPP & DHCP), newer DHCPCD syntax, and the old Quake module bug.
  • Updated the STRONG IPCHAINS /etc/rc.d/rc.firewall to ADD a missing section on dynamic IP addresses (PPP & DHCP) and the old Quake module bug.
  • Added a note in the "Applications that DO NOT work" section that there IS a beta module for Microsoft NetMeeting (H.323 based) v2.x on 2.0.x kernels. There is NO versions available for Netmeeting 3.x and/or 2.2.x kernels as of yet.

  Changes from 1.78 to 1.79 - 10/21/99

  • Updated the HOWTO name to reflect that it isn't a MINI anymore!

  Changes from 1.77 to 1.78 - 8/24/99

  • Fixed a typeo in "Section 6.6 - Multiple Internal Networks" where the -a policy was ommited.
  • Deleted the 2.2.x kernel configure option "Drop source routed frames" since it is now enabled by default and the kernel compile option was removed.
  • Updated the 2.2.x and all other IPCHAINS sections to notify users of the IPCHAINS fragmentation bug.
  • Updated all the URLs point at Lee Nevo's old IP Masq Applications page to Seg's new page.

  Changes from 1.76 to 1.77 - 7/26/99

  • Fixed a typo in the Port fowarding section that used "ipmasqadm ipportfw -C" instead of "ipmasqadm portfw -f"

  Changes from 1.75 to 1.76 - 7/19/99

  • Updated the "ipfwadm: setsockopt failed: Protocol not available" message in the FAQ to be more clear instead of making the user hunt for the answer in the Forwarders section.
  • Fixed incorrect syntax in section 6.7 for IPMASQADM and "portfw"

  Changes from 1.72 to 1.75 - 6/19/99

  • Fixed the quake module port setup order for the weak IPFWADM & IPCHAINS ruleset and the strong IPFWADM ruleset as well.
  • Added a user report about port forwarding ICQ 4000 directly in and using ICQ's default settings WITHOUT enabling the "Non-Sock" proxy setup.
  • Updated the URLs for the IPMASQADM tool
  • Added references to Taro Fukunaga, tarozax@earthlink.net for his MkLinux port of the HOWTO
  • Updated the blurb about Sonny Parlin's FWCONFIG tool to note new IPCHAINS support
  • Noted that Fred Vile's patch for portfw'ed FTP access is ONLY available for the 2.0.x kernels
  • Updated the 2.2.x kernel step with a few clarifications on the Experiemental tag
  • Added Glen Lamb's name to the credits for the LooseUDP patch
  • Added a clarification on installing the LooseUDP patch that it should use "cat" for non-compressed patches.
  • Fixed a typo in the IPAUTO FAQ section
  • I had the DHCP client port numbers reversed for the IPFWADM and IPCHAINS rulesets. The order I had was if your Linux server was a DHCP SERVER.
  • Added explict /sbin path to all weak and strong ruleset examples.
  • Made some clarifications in the strong IPFWADM section regarding Dynamic IP addresses for PPP and DHCP users. I also noted that the strong rulesets should be re-run when PPP comes up or when a DHCP lease is renewed.
  • Added reference in the 2.2.x requirements, updated the ICQ FAQ section, and added Andrew Deryabin to credits section for his ICQ MASQ module.
  • Added some clarifcation in the FAQ section why the 2.1.x and 2.2.x kernels went to IPCHAINS.
  • Added a little FAQ section on Microsoft File/Print/Domain services (Samba) through a MASQ server. I also added a URL to a Microsoft Knowledge base document for more details.
  • Added clarification in the FAQ section that NO Debian distribution supports IP masq out of the box.
  • Updated the supported MASQ distributions in the FAQ section.
  • Added to the Aliased NIC section of the FAQ that you CANNOT masq out of an aliased interface.
  • Wow.. never caught this before but the "ppp-ip" variable in the strong ruleset section is an invalid variable name! It has been renamed to "ppp_ip"
  • In both the IPFWADM and IPCHAINS simple ruleset setup areas, I had a commented out section on enabling DHCP traffic. Problem is, it was below the final reject line! Doh! I moved both up a section.
  • In the simple IPCHAINS setup, the #ed out line for DHCP users, I was using the IPFWADM "-W" command instead of IPCHAINS's "-i" parameter.
  • Added a little blurb to the Forwarders section the resolution to the famous "ipfwadm: setsockopt failed: Protocol not available" error. This also includes a little /proc test to let people confirm if IPPORTFW is enabled in the kernel. I also added this error to a FAQ section for simple searching.
  • Added a Strong IPCHAINS ruleset to the HOWTO
  • Added a FAQ section explaining the "kernel: ip_masq_new(proto=UDP): no free ports." error.
  • Added an example of scripting IPMASQADM PORTFW rules
  • Updated a few of the Linux Documentation Project (LDP) URLs
  • Added Quake III support in the module loading sections of all the rc.firewall rulesets.
  • Fixed the IPMASQADM forwards for ICQ

• 1.72 - 4/14/99 - Dranch: Added a large list of Windows NAT/Proxy alternatives with rough pricing and URLs to the FAQ.

• 1.71 - 4/13/99 - Dranch: Added IPCHAINS setups for multiple internal MASQed networks. Changed the ICQ setup to use ICQ's default 60 second timeout and change IPFWADM/IPCHAINS timeout to 160 seconds. Updated the MASQ and MASQ-DEV email list and archive subscription instructions.

• 1.70 - 3/30/99 - Dranch: Added two new FAQ sections that cover SMTP/POP-3 timeout problems and how to masquerade multiple internal networks out different external IP addresses with IPROUTE2.

• 1.65 - 3/29/99 - Dranch: Typo fixes, clarifications of required 2.2.x kernel options, added dynamic PPP IP address support to the strong firewall section, additional quake II module ports, noted that the LooseUDP patch is built into later 2.2.x kernels and its from Glenn Lamb and not Dan Kegel, added more game info in the compatibility section.

• 1.62 - Dranch: Make the final first-draft changes to the doc and now announce it the the MASQ email list.

• 1.61 - Dranch: Make editorial changes, cleaned things up and fixed some errors in the Windows95 and NT setups.

• 1.58 - Dranch: Addition of the port forwarding sections; LooseUDP setup; Ident servers for IRC users, how to read firewall logs, deleted the CuSeeme Mini-HOWTO since it is rarely used.

• 1.55 - Dranch: Complete overhaul, feature and FAQ addition, and editing sweep of the v1.50 HOWTO. Completed the 2.2.x kernel and IPCHAINS configurations. Did a conversion from IPAUTOFW to IPPORTFW for the examples that applied. Added many URLs to various other documentation and utility sites. There are so many changes.. I hope everyone likes it. Final publishing of this new rev of the HOWTO to the LDP project won't happen until the doc is looked over and approved by the IP MASQ email list (then v2.00).

• 1.50 - Ambrose: A serious update to the HOWTO and the initial addition of the 2.2.0 and IPCHAINS configurations.

• 1.20 - Ambrose: One of the more recent HOWTO versions that solely dealt with < 2.0.x kernels and IPFWADM.