IPMASQADM(8)
NAME
ipmasqadm - IP Masquerading additional modules administration
SYNOPSIS
ipmasqadm <module> [module-specific-options]
ipmasqadm <module> -h
ipmasqadm autofw options
ipmasqadm portfw options
ipmasqadm mfw options
DESCRIPTION
Ipmasqadm is used to configure extra masquerading functionality, usually
provided by additional kernel modules.
All in-firewall forwarding takes place by reverse-masquerading, so you
must create firewall rules that match the desired forwarding as if the
connection had been outgoing (instead of incoming).
Kernel must have been compiled with
CONFIG_EXPERIMENTAL=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_MOD=y
and
CONFIG_IP_MASQUERADE_IPAUTOFW=y/m
CONFIG_IP_MASQUERADE_IPPORTFW=y/m
CONFIG_IP_MASQUERADE_MFW=y/m
for respective modules.
If you need to forward one (or more) ports to internal hosts, consider
using the mfw module.
In short:
Short    ipmasqadm    kernel               kernel
descr.   module       module               option
─────────────────────────────────────────────────────────────────────────
Auto     autofw.so    ip_masq_autofw.o     CONFIG_IP_MASQUERADE_IPAUTOFW
Port     portfw.so    ip_masq_portfw.o     CONFIG_IP_MASQUERADE_IPPORTFW
Fwmark   mfw.so       ip_masq_mfw.o        CONFIG_IP_MASQUERADE_MFW
MODULE autofw - Auto-forwarding
This module is, under some circumstances, capable of handling application
protocols that don't have support as specific masq modules. The kernel
must have been compiled with CONFIG_IP_MASQUERADE_IPAUTOFW (see above).
autofw -h
Command help. For now, please refer to it.
For a lot of useful information about using autofw please visit
http://ipmasq.home.ml.org
MODULE portfw - Port-forwarding
This module is able to forward to-firewall packets to internal hosts,
based on address and port specification.
portfw -h
Command help. For now, please refer to it.
MODULE mfw - fwmark-forwarding
This module allows forwarding to-firewall packets to internal hosts,
based on fwmark matching. See ipchains(8) for setting up firewall
rules with fwmarking. Also please note that because this module acts
only on the first packet of a connection, it makes sense to add the -y
ipchains switch (match SYN packets only) to TCP fwmark rules.
COMMANDS
mfw -A -m fwmark -r address [port] [-p pref]
Append one rule to the end of the fwmark list of forwarding hosts.
Packets carrying this fwmark will create a masq-tunnel that redirects
further traffic of that connection to address port. This will happen
at most pref times before another entry with the same fwmark value is
scheduled.
If no port is specified, the redirection will use the original packet's
destination port.
mfw -I -m fwmark -r address [port] [-p pref]
Same as -A option, except that the rule is inserted at the head.
mfw -D -m fwmark [-r address [port] ]
Delete specified rule(s).
mfw -E -m fwmark [-r address [port] ] -p pref
Edit the specified rule(s); currently only the -p value can be changed.
mfw -S -m fwmark
Force scheduling in fwmark redirect entries.
mfw -F
Flush all rules.
mfw -L [-n]
List rules, optionally showing only addresses (no names).
EXAMPLES
Redirect all web traffic to the internal hosts hostA and hostB, where
hostB will serve 2 times the connections of hostA. It is assumed that
forward rules already masquerade the internal hosts to the outside
(the typical setup).
ipchains -I input -p tcp -y -d yours.com/32 80 -m 1
ipmasqadm mfw -I -m 1 -r hostA 80 -p 10
ipmasqadm mfw -I -m 1 -r hostB 80 -p 20
Redirect ssh traffic from the external clientA to the internal hostB,
also showing the forward masq rule that allows only hostB's incoming
connections on the ssh port.
ipchains -I forward -p tcp -d clientA/32 -s hostB/32 22 -j MASQ
ipchains -I input -p tcp -y -s clientA/32 -d 0/0 22 -m 2
ipmasqadm mfw -I -m 2 -r hostB 22
Redirect all traffic from the external clientA to the internal hostB,
also showing the forward masq rule that allows this for hostB only
(clean, simple ... just *grin*)
ipchains -I forward -d clientA/32 -s hostB/32 -j MASQ
ipchains -I input -s clientA/32 -m 3
ipmasqadm mfw -I -m 3 -r hostB
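The rule pairs above follow one pattern: an ipchains fwmark rule on the input chain (with -y for TCP, since mfw only sees the first packet), a forward MASQ rule restricted to the backend, and the ipmasqadm mfw rule itself. The helper below is an added example, not part of ipmasqadm; it prints that rule set for review instead of applying it, and leaves out the clientA source restriction shown in the ssh example.

```shell
#!/bin/sh
# Constructed helper, not part of ipmasqadm: print the paired ipchains + ipmasqadm
# rules for one fwmark redirection so they can be reviewed before being applied.
#   mfw_rules <fwmark> <tcp|udp|all> <ext-port|-> <host[:port[:pref]]>...
mfw_rules() {
    mark=$1
    proto=$2
    extport=$3
    shift 3
    case $mark in
        ''|*[!0-9]*) echo "fwmark must be numeric: '$mark'" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "at least one backend host is required" >&2; return 1; }
    pflag=
    if [ "$proto" != all ]; then pflag=" -p $proto"; fi
    syn=
    # mfw acts only on the first packet of a connection, so for TCP
    # mark SYN packets only (ipchains -y), as the man page recommends.
    if [ "$proto" = tcp ]; then syn=" -y"; fi
    if [ "$extport" = - ]; then extport=; fi
    printf 'ipchains -I input%s%s -d 0/0%s -m %s\n' \
        "$pflag" "$syn" "${extport:+ $extport}" "$mark"
    for spec; do
        # split host:port:pref with parameter expansion (POSIX sh, no external tools)
        host=${spec%%:*}
        rest=${spec#"$host"}; rest=${rest#:}
        port=${rest%%:*}
        pref=${rest#"$port"}; pref=${pref#:}
        [ -n "$host" ] || { echo "empty host in backend '$spec'" >&2; return 1; }
        # forward MASQ rule restricted to this backend only, as in the EXAMPLES section
        printf 'ipchains -I forward%s -s %s/32%s -j MASQ\n' \
            "$pflag" "$host" "${port:+ $port}"
        # -I inserts at the head; an omitted port falls back to the original
        # destination port, an omitted pref leaves the default weight
        printf 'ipmasqadm mfw -I -m %s -r %s%s%s\n' \
            "$mark" "$host" "${port:+ $port}" "${pref:+ -p $pref}"
    done
}
```

Pipe the output into sh once it has been checked, e.g. `mfw_rules 1 tcp 80 hostA:80:10 hostB:80:20 | sh`.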
FILES
/usr/lib/ipmasqadm/*.so
Modules used for ipmasqadm kernel interfacing.
/proc/net/ipmasq/*
Masquerading modules' internal state files.
BUGS
As of 2.2, there is no way to share port numbers with normal sockets.
Currently masq modules take precedence over sockets.
Also, because redirections are actually masq tunnels, they have the same
properties: idle timeouts, max. number of entries, etc.
Kernel module autoloading will work for the -A and -I switches, but not
for -L, so you will see warnings about missing /proc/net/ip_masq/... if
you list entries while the module is not (auto)loaded. This will change
in future releases.
CAVEATS
Protocols that use control and data connections are always a headache
when crossing firewalls. Examples of these are ftp, irc, real audio,
etc. Because we are reverse-masquerading, the forwarding problems get
reversed; for example: ftp from outside to an internal forwarded server
will not work in PASV mode because the server will send its internal
address to the outside client; in contrast, traditional non-passive
connections will succeed (think about this a little, please). Support
for bidirectional helper modules is in the works.
NOTES
This is my first man page, just in case you didn't notice ... ;)
Consider it pre-alpha quality.
SEE ALSO
ipchains(8)
AUTHOR
Juan Jose Ciarlante <jjciarla@raiz.uncu.edu.ar>
December 1998 IPMASQADM(8)