ipmasqadm
IPMASQADM(M)                                         IPMASQADM(M)



NAME
       ipmasqadm - IP Masquerading additional modules administration

SYNOPSIS
       ipmasqadm <module> [module-specific-options]
       ipmasqadm <module> -h

       ipmasqadm autofw options
       ipmasqadm portfw options
       ipmasqadm mfw options

DESCRIPTION
       Ipmasqadm is used to configure extra masquerading  function-
       ality, usually provided by additional kernel modules.

       All in-firewall forwarding  takes  place  by  reverse-masque-
       rading,  so  you  must  create  firewall  rules  that  match
       the desired forwarding as if the  connection  had  been  out-
       going (instead of incoming).

       Kernel must have been compiled with
       CONFIG_EXPERIMENTAL=y
       CONFIG_IP_MASQUERADE=y
       CONFIG_IP_MASQUERADE_MOD=y
       and
       CONFIG_IP_MASQUERADE_IPAUTOFW=y/m
       CONFIG_IP_MASQUERADE_IPPORTFW=y/m
       CONFIG_IP_MASQUERADE_MFW=y/m
       for respective modules.

       If  you  need  to  forward one (or more) ports to internal
       hosts, consider using mfw module.

       In short:

       Short    ipmasqadm   kernel              kernel
       descr.   module      module              option
       Auto     autofw.so   ip_masq_autofw.o    CONFIG_IP_MASQUERADE_IPAUTOFW
       Port     portfw.so   ip_masq_portfw.o    CONFIG_IP_MASQUERADE_IPPORTFW
       Fwmark   mfw.so      ip_masq_mfw.o       CONFIG_IP_MASQUERADE_MFW



MODULE autofw - Auto-forwarding
       This module is, under some circumstances, capable  of  han-
       dling  application  protocols  that  don't  have support as
       specific masq modules.  Kernel  must  have  been  compiled
       with


   autofw -h
       Command help. For now, please refer to it.

       For a lot of useful info about using  autofw  please  visit
       http://ipmasq.home.ml.org


MODULE portfw - Port-forwarding
       This module is able  to  forward  to-firewall  packets  to
       internal hosts, based on address and port specification.


   portfw -h
       Command help. For now, please refer to it.


MODULE mfw - fwmark-forwarding
       This  module  allows  forwarding  to-firewall  packets  to
       internal hosts, based on fwmark matching.  See ipchains(8)
       for setting up firewall rules with fwmarking.  Also please
       note that because this module acts only on the first packet
       of a connection, it makes sense to add the  -y  (SYN-only)
       ipchains switch to TCP fwmark rules.



   COMMANDS
       mfw -A -m fwmark -r address [port] [-p pref]
              Append one rule to the end of the fwmark  list  of
              forwarding hosts.
              Fwmarked packets will create a masq-tunnel that re-
              directs the rest of the connection's traffic to ad-
              dress port.  An entry is used for at most pref  new
              connections before the next entry with  the  same
              fwmark value is scheduled.
              If no port is specified, redirection  will  use  the
              original packet destination port.


       mfw -I -m fwmark -r address [port] [-p pref]
              Same as -A option, except that the rule is inserted
              at the head.


       mfw -D -m fwmark [-r address [port] ]
              Delete the specified rule(s).


       mfw -E -m fwmark [-r address [port] ] -p pref
              Edit the specified rule(s); currently only  the  -p
              value can be changed.


       mfw -S -m fwmark
              Force scheduling in fwmark redirect entries.


       mfw -F
              Flush all rules.


       mfw -L [-n]
              List  rules,  optionally showing only addresses (no
              names).


   EXAMPLES
       Redirect all web traffic to  internal  hosts  hostA  and
       hostB,  where  hostB  will serve twice as many connections
       as hostA. Forward rules that  masquerade  internal  hosts
       to the outside are assumed to exist already (typical).

              ipchains -I input -p tcp -y -d yours.com/32 80 -m 1
              ipmasqadm mfw -I -m 1 -r hostA 80 -p 10
              ipmasqadm mfw -I -m 1 -r hostB 80 -p 20

       Redirect  ssh  traffic  from  external clientA to internal
       hostB; the forward masq rule is also shown, so that  only
       hostB's replies to clientA's ssh connections are allowed.

              ipchains -I forward -p tcp -d clientA/32 -s hostB/32 22
              ipchains -I input -p tcp -y -s clientA/32 -d 0/0 22 -m 2
              ipmasqadm mfw -I -m 2 -r hostB 22


       Redirect  all  traffic  from  external clientA to internal
       hostB; the forward masq rule allowing this for hostB  only
       is also shown (clean, simple ... just *grin*)

              ipchains -I forward -d clientA/32 -s hostB/32
              ipchains -I input -s clientA/32 -m 3
              ipmasqadm mfw -I -m 3 -r hostB
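       The web example above relies on the -p pref semantics of  the
       mfw  module:  an  entry  redirects  at most pref new connec-
       tions before the next entry with the same fwmark  is  sched-
       uled.  The following is an added Python model of that docu-
       mented behaviour (it is not ipmasqadm's or the kernel's code;
       it assumes entries are visited in list order and cycle round-
       robin, and uses -A ordering) that lets you check  how  a  set
       of  entries  with  given pref values distributes connections
       before you load them on a firewall.

```python
"""Model of ipmasqadm mfw per-fwmark scheduling (added example, not ipmasqadm code).

Assumption: entries are tried in list order, an entry serves at most `pref`
new connections, then the next entry is scheduled, wrapping round-robin.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MfwEntry:
    address: str
    port: Optional[int]   # None: redirect to the packet's original destination port
    pref: int             # new connections served before the next entry is scheduled


@dataclass
class MfwTable:
    """Entries registered for one fwmark value (one 'mfw -m N' list)."""
    fwmark: int
    entries: list = field(default_factory=list)
    current: int = 0      # index of the entry currently being scheduled
    served: int = 0       # connections handed to entries[current] so far

    def append(self, address: str, port: Optional[int] = None, pref: int = 1):
        """Model of 'ipmasqadm mfw -A -m fwmark -r address [port] [-p pref]'."""
        self.entries.append(MfwEntry(address, port, pref))

    def schedule(self):
        """Model of 'ipmasqadm mfw -S -m fwmark': move on to the next entry."""
        if self.entries:
            self.current = (self.current + 1) % len(self.entries)
        self.served = 0

    def redirect(self, orig_port: int):
        """First packet of a fwmarked connection: choose the target (address, port)."""
        if not self.entries:
            raise LookupError(f"no mfw entries for fwmark {self.fwmark}")
        if self.served >= self.entries[self.current].pref:
            self.schedule()          # this entry has used up its pref quota
        entry = self.entries[self.current]
        self.served += 1
        return entry.address, (entry.port if entry.port is not None else orig_port)


def distribution(table: MfwTable, connections: int, orig_port: int = 80) -> Counter:
    """Count how many of `connections` new connections each internal host gets."""
    return Counter(table.redirect(orig_port)[0] for _ in range(connections))


if __name__ == "__main__":
    # Constructed sample mirroring the man page's web example: hostB serves twice hostA.
    web = MfwTable(fwmark=1)
    web.append("hostA", 80, pref=10)
    web.append("hostB", 80, pref=20)
    print(distribution(web, 60))   # Counter({'hostB': 40, 'hostA': 20})
```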




FILES
       /usr/lib/ipmasqadm/*.so
                           Modules   used  for  ipmasqadm  kernel
                           interfacing.

       /proc/net/ipmasq/*  Masquerading  modules  internal  state
                           files.


BUGS
       As of 2.2, there is no way to share port numbers with  nor-
       mal  sockets.  Currently  masq  modules take precedence over
       sockets.

       Also, because redirections are actually masq  tunnels,  they
       have the same properties: idle  timeouts,  max.  number  of
       entries, etc.

       Kernel   module  autoloading  will  work  for  -A  and  -I
       switches, and not for -L, so you will see  warnings  about
       missing  /proc/net/ip_masq/...   if  you list entries when
       the module is not (auto)loaded.  This will change in future
       releases.


CAVEATS
       Protocols that use control and data connections are always
       a headache when crossing firewalls. Examples of these  are
       ftp, irc, real audio, etc.  Because we are reverse-masquer-
       ading, the forwarding problems get reversed; for  example:
       ftp from outside to an internal forwarded server will  not
       work in PASV mode because the server will send its internal
       address to the outside client; in contrast, traditional non-
       passive connections will succeed (think about this a little,
       please).  Support for bidirectional helper  modules  is  in
       the works.



NOTES
       This is my first man page, just in case you didn't  notice
       ... ;)

       Consider it pre-alpha quality.


SEE ALSO
       ipchains(8)


AUTHOR
       Juan Jose Ciarlante <jjciarla@raiz.uncu.edu.ar>



                          December 1998              IPMASQADM(M)