the first without peering inside the protocols themselves. The helper modules do just that; they actually look inside the datagrams and allow masquerading to work for supported protocols that otherwise would be impossible to masquerade. The supported protocols are:
| Module | Protocol |
|---|---|
| ip_masq_ftp | FTP |
| ip_masq_irc | IRC |
| ip_masq_raudio | RealAudio |
| ip_masq_cuseeme | CU-See-Me |
| ip_masq_vdolive | For VDO Live |
| ip_masq_quake | IdSoftware's Quake |
You must load these modules manually using the insmod command to implement them. Note that these modules cannot be loaded using the kerneld daemon. Each of the modules takes an argument specifying what ports it will listen on. For the RealAudio(TM) module you might use:[66]
# insmod ip_masq_raudio.o ports=7070,7071,7072
The ports you need to specify depend on the protocol. An IP masquerade mini-HOWTO written by Ambrose Au explains more about the IP masquerade modules and how to configure them. [67]
The
Configuring IP Masquerade
If you've already read the firewall and accounting chapters, it probably comes as no surprise that the ipfwadm, ipchains, and iptables commands are used to configure the IP masquerade rules as well.
Masquerade rules are a special class of filtering rule. You can masquerade only datagrams that are received on one interface that will be routed to another interface. To configure a masquerade rule you construct a rule very similar to a firewall forwarding rule, but with special options that tell the kernel to masquerade the datagram. The ipfwadm command uses the
Let's look at an example. A computing science student at Groucho Marx University has a number of computers at home internetworked onto a small Ethernet-based local area network. She has chosen to use one of the reserved private Internet network addresses for her network. She shares her accomodation with other students, all of whom have an interest in using the Internet. Because student living conditions are very frugal, they cannot afford to use a permanent Internet connection, so instead they use a simple dial-up PPP Internet connection. They would all like to be able to share the connection to chat on IRC, surf the Web, and retrieve files by FTP directly to each of their computers - IP masquerade is the answer.
The student first configures a Linux machine to support the dial-up link and to act as a router for the LAN. The IP address she is assigned when she dials up isn't important. She configures the Linux router with IP masquerade and uses one of the private network addresses for her LAN: 192.168.1.0. She ensures that each of the hosts on the LAN has a default route pointing at the Linux router.
The following ipfwadm commands are all that are required to make masquerading work in her configuration:
# ipfwadm -F -p deny
# ipfwadm -F -a accept -m -S 192.168.1.0/24 -D 0/0
or with ipchains:
# ipchains -P forward -j deny
# ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ
or with iptables:
# iptables -t nat -P POSTROUTING DROP
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Now whenever any of the LAN hosts try to connect to a service on a remote host, their datagrams will be automatically masqueraded by the Linux masquerade router. The first rule in each example prevents the Linux machine from routing any other datagrams and also adds some security.
To list the masquerade rules you have created, use the -l argument to the ipfwadm command, as we described in earlier while discussing firewalls.
To list the rule we created earlier we use:
# ipfwadm -F -l -e
which should display something like:
# ipfwadm -F -l -e
IP firewall forward rules, default policy: accept
pkts bytes type prot opt tosa tosx ifname ifaddress…
0 0 acc/m all -- 0xFF 0x00 any any…
The ' /m ' in the output indicates this is a masquerade rule.
To list the masquerade rules with the ipchains command, use the -L argument. If we list the rule we created earlier with ipchains, the output will look like:
# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
target prot opt source destination ports
