ipmasqadm (System administration) - IP Masquerading additional modules administration
NAME
ipmasqadm - IP Masquerading additional modules administration
SYNOPSIS
ipmasqadm <module> [module-specific-options]
ipmasqadm <module> -h
ipmasqadm autofw options
ipmasqadm portfw options
ipmasqadm mfw options
DESCRIPTION
Ipmasqadm is used to configure extra masquerading functionality, usually provided by additional kernel modules.
All in-firewall forwarding takes place by reverse-masquerading, so you must create firewall rules that match the desired forwarding as if the connection had been outgoing (instead of incoming).
Kernel must have been compiled with
CONFIG_EXPERIMENTAL=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_MOD=y
and
CONFIG_IP_MASQUERADE_IPAUTOFW=y/m
CONFIG_IP_MASQUERADE_IPPORTFW=y/m
CONFIG_IP_MASQUERADE_MFW=y/m
for respective modules.
If you need to forward one (or more) ports to internal hosts, consider using mfw module.
In short:

    Short    ipmasqadm module   kernel module       kernel option
    Auto     autofw.so          ip_masq_autofw.o    CONFIG_IP_MASQUERADE_IPAUTOFW
    Port     portfw.so          ip_masq_portfw.o    CONFIG_IP_MASQUERADE_IPPORTFW
    Fwmark   mfw.so             ip_masq_mfw.o       CONFIG_IP_MASQUERADE_MFW
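A quick way to verify the kernel requirements listed above before loading any module is to check the build's .config. The script below is an added example, not part of ipmasqadm or its man page: it reports every required option that is missing, treating the three core options as built-in only (=y) and the per-module options as built-in or modular (=y/m), exactly as the DESCRIPTION states. The sample .config it checks is constructed for illustration.

```shell
#!/bin/sh
# Added example (not ipmasqadm's own code): check a kernel .config for the
# options the DESCRIPTION section requires. Core options must be =y; the
# per-module options may be =y or =m.

# config_has FILE OPTION "v1 v2 ...": succeed if OPTION is set in FILE to one
# of the listed values (a "# OPTION is not set" line does not match).
config_has() {
    file=$1; opt=$2; allowed=$3
    for v in $allowed; do
        if grep -q "^${opt}=${v}\$" "$file"; then
            return 0
        fi
    done
    return 1
}

# ipmasq_missing_options FILE: print the names of required options that are
# missing or disabled in FILE, one per line; print nothing if all are present.
ipmasq_missing_options() {
    cfg=$1
    # core masquerading support must be compiled in
    for opt in CONFIG_EXPERIMENTAL CONFIG_IP_MASQUERADE CONFIG_IP_MASQUERADE_MOD; do
        config_has "$cfg" "$opt" "y" || echo "$opt"
    done
    # the forwarding modules may be built in or loaded as modules
    for opt in CONFIG_IP_MASQUERADE_IPAUTOFW CONFIG_IP_MASQUERADE_IPPORTFW CONFIG_IP_MASQUERADE_MFW; do
        config_has "$cfg" "$opt" "y m" || echo "$opt"
    done
}

# Constructed sample .config (not from a real kernel build): mfw built as a
# module, portfw explicitly disabled, autofw absent altogether.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_MOD=y
# CONFIG_IP_MASQUERADE_IPPORTFW is not set
CONFIG_IP_MASQUERADE_MFW=m
EOF

ipmasq_missing_options "$SAMPLE_CONFIG"
rm -f "$SAMPLE_CONFIG"
```

On a running system point the function at the kernel's saved configuration (for example /usr/src/linux/.config, or /proc/config.gz after decompressing it) and expect an empty result; any name it prints is a module ipmasqadm will fail to load.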
MODULE autofw - Auto-forwarding
This module is, under some circumstances, capable of handling application protocols that have no support as specific masq modules. Kernel must have been compiled with CONFIG_IP_MASQUERADE_IPAUTOFW (see DESCRIPTION).
autofw -h
- Command help. For now, please refer to it.
For lot of useful info about using autofw please visit http://ipmasq.home.ml.org
MODULE portfw - Port-forwarding
This module is able to forward to-firewall packets to internal hosts, based on address and port specification.
portfw -h
- Command help. For now, please refer to it.
MODULE mfw - fwmark-forwarding
This module allows forwarding to-firewall packets to internal hosts, based on fwmark matching. See ipchains(8) for setting up firewall rules with fwmarking. Also please note that because this module acts only on the first packet of a connection, it makes sense to add the -y (SYN only) ipchains switch to TCP fwmark rules.
COMMANDS
- mfw -A -m fwmark -r address [port] [-p pref]
- Append one rule to the end of the list of forwarding hosts for fwmark. A packet carrying fwmark creates a masq-tunnel that redirects the rest of that connection's traffic to address port. The same entry is used for at most pref new connections before another entry with the same fwmark value is scheduled. If no port is specified, the redirection keeps the original packet's destination port.
- mfw -I -m fwmark -r address [port] [-p pref]
- Same as -A option, except that the rule is inserted at the head.
- mfw -D -m fwmark [-r address [port] ]
- Delete specified rule(s).
- mfw -E -m fwmark [-r address [port] ] -p pref
- Edit specified rule(s), currently -p value can be changed.
- mfw -S -m fwmark
- Force scheduling among the redirect entries for fwmark (move on to the next entry now).
- mfw -F
- Flush all rules.
- mfw -L [-n]
- List rules; with -n, show numeric addresses instead of resolving names.
EXAMPLES
Redirect all web traffic to internal hosts hostA and hostB, where hostB serves twice as many connections as hostA. Forward rules that masquerade the internal hosts to the outside are assumed to exist already (typical).
ipchains -I input -p tcp -y -d yours.com/32 80 -m 1
ipmasqadm mfw -I -m 1 -r hostA 80 -p 10
ipmasqadm mfw -I -m 1 -r hostB 80 -p 20
Redirect ssh traffic from external clientA to internal hostB; the forward rule shown allows only hostB to receive the incoming connections to the ssh port.
ipchains -I forward -p tcp -d clientA/32 -s hostB/32 22
ipchains -I input -p tcp -y -s clientA/32 -d 0/0 22 -m 2
ipmasqadm mfw -I -m 2 -r hostB 22
Redirect all traffic from external clientA to internal hostB; the forward rule shown allows this for hostB only (clean, simple ... just *grin*).
ipchains -I forward -d clientA/32 -s hostB/32
ipchains -I input -s clientA/32 -m 3
ipmasqadm mfw -I -m 3 -r hostB
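The first example above pairs one ipchains fwmark rule with one ipmasqadm mfw entry per backend. The script below is an added example (not ipmasqadm's own code) that generates those pairs for any weighted list of backends; the names yours.com, hostA, hostB and the fwmark values are illustrative. By default it prints the commands (RUN=echo) so it can be reviewed before being run as root with RUN= on a 2.2 masquerading firewall.

```shell
#!/bin/sh
# Added example (not ipmasqadm's own code): emit the ipchains + ipmasqadm mfw
# rules for forwarding one external TCP port to a weighted set of backends.
# RUN=echo (default) prints the commands; RUN= runs them.

RUN=${RUN-echo}

# mfw_forward_port MARK EXTADDR PORT BACKEND[:PREF] [BACKEND[:PREF] ...]
# One ipchains input rule marks the SYN of each new connection to
# EXTADDR:PORT with MARK (-y, because mfw acts only on a connection's first
# packet), then one mfw entry is appended per backend. -A keeps the order
# given, so the first backend listed is the first one scheduled.
mfw_forward_port() {
    mark=$1; ext=$2; port=$3; shift 3
    [ $# -gt 0 ] || { echo "mfw_forward_port: no backends given" >&2; return 1; }
    $RUN ipchains -I input -p tcp -y -d "$ext/32" "$port" -m "$mark"
    for be in "$@"; do
        host=${be%%:*}
        pref=${be#*:}
        [ "$pref" != "$be" ] || pref=1   # no :PREF suffix -> weight 1
        $RUN ipmasqadm mfw -A -m "$mark" -r "$host" "$port" -p "$pref"
    done
}

# Same ratio as the man page's example: hostB gets twice hostA's share.
mfw_forward_port 1 yours.com 80 hostA:10 hostB:20
```

Each backend's share of new connections is its pref divided by the sum of all prefs for that fwmark, since the scheduler hands each entry pref connections in turn; reorder the backend arguments to change which one is scheduled first.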
FILES
- /usr/lib/ipmasqadm/*.so
- Modules used for ipmasqadm kernel interfacing.
- /proc/net/ip_masq/*
- Masquerading modules internal state files.
BUGS
As of 2.2, there is no way to share port numbers with normal sockets: masq modules currently take precedence over sockets, so a forwarded port is unreachable for any local service listening on it.
Also, because redirections are actually masq tunnels, they have the same properties: idle timeouts, maximum number of entries, etc.
Kernel module autoloading works for the -A and -I switches but not for -L, so you will see warnings about missing /proc/net/ip_masq/... if you list entries while the module is not (auto)loaded. This will change in future releases.
CAVEATS
Protocols that use separate control and data connections are always a headache when crossing firewalls; examples are ftp, irc, real audio, etc. Because we are reverse-masq forwarding, the usual problems get reversed: for example, ftp from outside to an internal forwarded server will not work in PASV mode, because the server sends its internal address to the outside client, whereas traditional non-passive connections will succeed (think about this a little, please). Support for bidirectional helper modules is in the works.
NOTES
This is my first man page, just in case you didn't notice ... ;)
Consider it pre-alpha quality.
SEE ALSO
ipchains(8)
AUTHOR
Juan Jose Ciarlante <jjciarla@raiz.uncu.edu.ar>