<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Linux IP Masquerade HOWTO</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="NEXT"
TITLE="Introduction"
HREF="ipmasq-intro1.0.html"></HEAD
><BODY
CLASS="BOOK"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="BOOK"
><A
NAME="IPMASQ-TOC"
></A
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN2"
></A
>Linux IP Masquerade HOWTO</H1
><H3
CLASS="AUTHOR"
><A
NAME="AEN4"
></A
>David A. Ranch</H3
><DIV
CLASS="AFFILIATION"
><DIV
CLASS="ADDRESS"
><P
CLASS="ADDRESS"
><TT
CLASS="EMAIL"
>&#60;<A
HREF="mailto:dranch@trinnet.net"
>dranch@trinnet.net</A
>&#62;</TT
></P
></DIV
></DIV
><P
CLASS="PUBDATE"
>November 13, 2005<BR></P
><DIV
><DIV
CLASS="ABSTRACT"
><A
NAME="AEN12"
></A
><P
></P
><P
>This document describes how to enable the Linux IP Masquerade feature on a
given Linux host. IP Masquerade is a form of Network Address Translation (NAT)
that allows internally connected computers that do not have one or more
registered Internet IP addresses to communicate with the Internet via the Linux
server's Internet IP address. </P
><P
></P
></DIV
></DIV
><HR></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="ipmasq-intro1.0.html"
>Introduction</A
></DT
><DD
><DL
><DT
>1.1. <A
HREF="ipmasq-intro1.1.html"
>Introduction to IP Masquerading or IP MASQ</A
></DT
><DT
>1.2. <A
HREF="ipmasq-intro1.2.html"
>Foreword, Feedback &#38; Credits</A
></DT
><DT
>1.3. <A
HREF="ipmasq-intro1.3.html"
>Copyright &#38; Disclaimer</A
></DT
></DL
></DD
><DT
>2. <A
HREF="ipmasq-background2.0.html"
>Background Knowledge</A
></DT
><DD
><DL
><DT
>2.1. <A
HREF="ipmasq-background2.1.html"
>What is IP Masquerade?</A
></DT
><DT
>2.2. <A
HREF="ipmasq-background2.2.html"
>Current Status</A
></DT
><DT
>2.3. <A
HREF="ipmasq-background2.3.html"
>Who Can Benefit From IP Masquerade?</A
></DT
><DT
>2.4. <A
HREF="ipmasq-background2.4.html"
>Who Doesn't Need IP Masquerade?</A
></DT
><DT
>2.5. <A
HREF="ipmasq-background2.5.html"
>How does IP Masquerade Work?</A
></DT
><DT
>2.6. <A
HREF="kernel-2.4.x-requirements.html"
>Requirements for IP Masquerade on Linux 2.4.x</A
></DT
><DT
>2.7. <A
HREF="kernel-2.2.x-requirements.html"
>Requirements for IP Masquerade on Linux 2.2.x</A
></DT
><DT
>2.8. <A
HREF="kernel-2.0.x-requirements.html"
>Requirements for IP Masquerade on Linux 2.0.x</A
></DT
></DL
></DD
><DT
>3. <A
HREF="c472.html"
>Setting Up IP Masquerade</A
></DT
><DD
><DL
><DT
>3.1. <A
HREF="ipmasq-compiling3.0.html"
>Compiling a new kernel if needed</A
></DT
><DT
>3.2. <A
HREF="ipmasq-compiling3.1.html"
>Checking your existing kernel for MASQ functionality</A
></DT
><DD
><DL
><DT
>3.2.1. <A
HREF="ipmasq-compiling3.1.html#IPMASQ-COMPILING3.1.1"
>Compiling Linux 2.4.x Kernels</A
></DT
><DT
>3.2.2. <A
HREF="ipmasq-compiling3.1.html#IPMASQ-COMPILING3.1.2"
>Compiling Linux 2.2.x Kernels</A
></DT
><DT
>3.2.3. <A
HREF="ipmasq-compiling3.1.html#IPMASQ-COMPILING3.1.3"
>Compiling Linux 2.0.x Kernels</A
></DT
></DL
></DD
><DT
>3.3. <A
HREF="addressing-the-lan.html"
>Assigning Private Network IP Addresses to the Internal LAN</A
></DT
><DT
>3.4. <A
HREF="firewall-examples.html"
>Configuring IP Forwarding Policies</A
></DT
><DD
><DL
><DT
>3.4.1. <A
HREF="firewall-examples.html#RC.FIREWALL-IPTABLES"
>Configuring IP Masquerade on Linux 2.6.x and 2.4.x Kernels</A
></DT
><DT
>3.4.2. <A
HREF="firewall-examples.html#RC.FIREWALL-IPCHAINS"
>Configuring IP Masquerade on Linux 2.2.x Kernels</A
></DT
><DT
>3.4.3. <A
HREF="firewall-examples.html#RC.FIREWALL-IPFWADM"
>Configuring IP Masquerade on Linux 2.0.x Kernels</A
></DT
></DL
></DD
></DL
></DD
><DT
>4. <A
HREF="configuring-clients.html"
>Configuring the other internal to-be MASQed machines</A
></DT
><DD
><DL
><DT
>4.1. <A
HREF="configuring-win9x.html"
>Configuring Microsoft Windows 95 and OSR2</A
></DT
><DT
>4.2. <A
HREF="configuring-winnt.html"
>Configuring Windows NT</A
></DT
><DT
>4.3. <A
HREF="configuring-wfwg.html"
>Configuring Windows for Workgroups 3.11</A
></DT
><DT
>4.4. <A
HREF="configuring-unix.html"
>Configuring UNIX Based Systems</A
></DT
><DT
>4.5. <A
HREF="configuring-dos.html"
>Configuring DOS using NCSA Telnet package</A
></DT
><DT
>4.6. <A
HREF="configuring-mactcp.html"
>Configuring MacOS Based System Running MacTCP</A
></DT
><DT
>4.7. <A
HREF="configuring-opentransport.html"
>Configuring MacOS Based System Running Open Transport</A
></DT
><DT
>4.8. <A
HREF="configuring-novell.html"
>Configuring Novell network using DNS</A
></DT
><DT
>4.9. <A
HREF="configuring-os2.html"
>Configuring OS/2 Warp</A
></DT
><DT
>4.10. <A
HREF="configuring-os400.html"
>Configuring OS/400 on an IBM AS/400</A
></DT
><DT
>4.11. <A
HREF="configuring-other.html"
>Configuring Other Systems</A
></DT
></DL
></DD
><DT
>5. <A
HREF="testing.html"
>Testing IP Masquerade</A
></DT
><DD
><DL
><DT
>5.1. <A
HREF="loading-rc.firewall.html"
>Loading up the rc.firewall ruleset</A
></DT
><DT
>5.2. <A
HREF="testing-the-masqed-pc.html"
>Testing internal MASQ client PC connectivity</A
></DT
><DT
>5.3. <A
HREF="testing-masqed-pc-to-masq-server.html"
>Testing internal MASQ client to MASQ server connectivity</A
></DT
><DT
>5.4. <A
HREF="testing-masq-server-internal.html"
>Testing internal MASQ server connectivity</A
></DT
><DT
>5.5. <A
HREF="testing-masq-server-to-masqed-pc.html"
>Testing internal MASQ server to MASQ client connectivity</A
></DT
><DT
>5.6. <A
HREF="testing-masq-server-external.html"
>Testing External MASQ server Internet connectivity</A
></DT
><DT
>5.7. <A
HREF="testing-masqed-pc-to-ext-masq-server.html"
>Testing internal MASQ client to external MASQ server connectivity</A
></DT
><DT
>5.8. <A
HREF="testing-masq-icmp.html"
>Testing external MASQ ICMP forwarding</A
></DT
><DT
>5.9. <A
HREF="testing-masq-wo-dns.html"
>Testing MASQ functionality without DNS</A
></DT
><DT
>5.10. <A
HREF="testing-masq-w-dns.html"
>Testing MASQ functionality with DNS resolution</A
></DT
><DT
>5.11. <A
HREF="testing-masq-w-dns-extended.html"
>Testing more MASQ functionality with DNS</A
></DT
><DT
>5.12. <A
HREF="testing-final-tests.html"
>Any remaining functional, performance, etc. issues...</A
></DT
></DL
></DD
><DT
>6. <A
HREF="ipmasq-support-portfw-and-stronger-rulesets.html"
>Other IP Masquerade Issues and Software Support</A
></DT
><DD
><DL
><DT
>6.1. <A
HREF="ipmasq-problems.html"
>Problems with IP Masquerade</A
></DT
><DT
>6.2. <A
HREF="incoming-services.html"
>Incoming services</A
></DT
><DT
>6.3. <A
HREF="supported-client-software.html"
>Supported Client Software and Other Setup Notes</A
></DT
><DD
><DL
><DT
>6.3.1. <A
HREF="supported-client-software.html#GAME-CLIENTS"
>Network Clients that -Work- with IP Masquerade</A
></DT
><DT
>6.3.2. <A
HREF="supported-client-software.html#AEN1897"
>Clients that do not have full support in IP MASQ:</A
></DT
></DL
></DD
><DT
>6.4. <A
HREF="stronger-firewall-examples.html"
>Stronger firewall rulesets to run after initial testing</A
></DT
><DD
><DL
><DT
>6.4.1. <A
HREF="stronger-firewall-examples.html#RC.FIREWALL-IPTABLES-STRONGER"
>Stronger IP Firewall (IPTABLES) rulesets</A
></DT
><DT
>6.4.2. <A
HREF="stronger-firewall-examples.html#RC.FIREWALL-IPCHAINS-STRONGER"
>Stronger IP Firewall (IPCHAINS) rulesets</A
></DT
><DT
>6.4.3. <A
HREF="stronger-firewall-examples.html#RC.FIREWALL-IPFWADM-STRONGER"
>Stronger IP Firewall (IPFWADM) Rulesets</A
></DT
></DL
></DD
><DT
>6.5. <A
HREF="multiple-masqed-lans.html"
>IP Masquerading multiple internal networks</A
></DT
><DD
><DL
><DT
>6.5.1. <A
HREF="multiple-masqed-lans.html#IPTABLES-MASQING-MULTIPLE-LANS"
>iptables support for multiple internal lans</A
></DT
><DT
>6.5.2. <A
HREF="multiple-masqed-lans.html#IPCHAINS-MASQING-MULTIPLE-LANS"
>ipchains support for multiple internal lans</A
></DT
><DT
>6.5.3. <A
HREF="multiple-masqed-lans.html#IPFWADM-MASQING-MULTIPLE-LANS"
>ipfwadm support for multiple internal lans</A
></DT
></DL
></DD
><DT
>6.6. <A
HREF="dial-on-demand.html"
>IP Masquerade and Dial-on-Demand Connections</A
></DT
><DT
>6.7. <A
HREF="forwarders.html"
>Port Forwarding with IPTABLES or external tools like IPPORTFW,
IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other Port Forwarding tools</A
></DT
><DD
><DL
><DT
>6.7.1. <A
HREF="forwarders.html#PORTFW-VIA-IPTABLES-PREROUTING"
>IPTABLES-based PORTFWD'ing: Using IPTABLES's PREROUTING option for 2.6.x
and 2.4.x kernels</A
></DT
><DT
>6.7.2. <A
HREF="forwarders.html#PORTFWDING-VIA-2.2.X-IPMASQADM"
>IPMASQADM-based PORTFWD'ing: Using IPMASQADM with 2.2.x kernels</A
></DT
><DT
>6.7.3. <A
HREF="forwarders.html#PORTFWDING-VIA-2.0.X-IPPORTFW"
>IPPORTFW-based PORTFWD'ing: Using IPPORTFW on 2.0.x kernels</A
></DT
></DL
></DD
><DT
>6.8. <A
HREF="cuseeme.html"
>CU-SeeMe and Linux IP-Masquerade</A
></DT
><DT
>6.9. <A
HREF="icq.html"
>Mirabilis ICQ</A
></DT
><DT
>6.10. <A
HREF="looseudp.html"
>Gamers: The LooseUDP patch</A
></DT
></DL
></DD
><DT
>7. <A
HREF="faq.html"
>Frequently Asked Questions</A
></DT
><DD
><DL
><DT
>7.1. <A
HREF="masq-supported-distributions.html"
>( Distro ) - What Linux Distributions support IP Masquerading?</A
></DT
><DT
>7.2. <A
HREF="faq-hardware.html"
>( Requirements ) - What are the minimum hardware requirements and any
limitations for IP Masquerade? How well does it perform?</A
></DT
><DT
>7.3. <A
HREF="faq-command-not-found.html"
>( Errors ) - When I run my specific rc.firewall-* ruleset, I get
"command not found" errors.
Why?</A
></DT
><DT
>7.4. <A
HREF="still-wont-work.html"
>( Still won't work ) - I've checked all my configurations, I still can't get IP Masquerade to
work. What should I do?</A
></DT
><DT
>7.5. <A
HREF="masq-list.html"
>( Email list ) - How do I join or view the IP Masquerade and/or IP Masquerade Developers
mailing lists and archives?</A
></DT
><DT
>7.6. <A
HREF="what-is-masq.html"
>( NAT vs. Proxy ) - How does IP Masquerade differ from Proxy or NAT services?</A
></DT
><DT
>7.7. <A
HREF="gui-tools.html"
>( GUI ) - Are there any GUI firewall creation/management tools?</A
></DT
><DT
>7.8. <A
HREF="masq-and-dyn-addr.html"
>( MASQ and Dynamic IPs ) - Does IP Masquerade work with dynamically
assigned IP addresses?</A
></DT
><DT
>7.9. <A
HREF="diff-network-support.html"
>( MASQ and various networks ) - Can I use a cable modem (both
bi-directional and with modem returns), DSL, satellite link, etc. to connect
to the Internet and use IP Masquerade?</A
></DT
><DT
>7.10. <A
HREF="masq-and-dod.html"
>( Dial on Demand ) - Can I use Diald or the Dial-on-Demand feature of
PPPd with IP MASQ?</A
></DT
><DT
>7.11. <A
HREF="masq-supported-apps.html"
>( Apps ) - What applications are supported with IP Masquerade?</A
></DT
><DT
>7.12. <A
HREF="distro-specific.html"
>( Distro Setup ) - How can I get IP Masquerade running on Redhat,
Debian, Slackware, etc.?</A
></DT
><DT
>7.13. <A
HREF="masq-timeouts.html"
>( Timeouts ) - Connections seem to break if I don't use them often.
Why is that?</A
></DT
><DT
>7.14. <A
HREF="masq-behavior.html"
>( Odd Behavior ) - When my Internet connection first comes up, nothing
works. If I try again, everything then works fine. Why is this?</A
></DT
><DT
>7.15. <A
HREF="mtu-issues.html"
>( MTU ) - IP MASQ seems to be working fine but some sites don't work.
This usually happens with WWW and some FTP sites.</A
></DT
><DD
><DL
><DT
>7.15.1. <A
HREF="mtu-issues.html#AEN2620"
>Enabling PMTU Clamping for PPPoE and some PPP Users:</A
></DT
><DT
>7.15.2. <A
HREF="mtu-issues.html#AEN2628"
>Clamping the MSS via IPTABLES:</A
></DT
><DT
>7.15.3. <A
HREF="mtu-issues.html#AEN2633"
>Changing the External MTU of the MASQ server:</A
></DT
><DT
>7.15.4. <A
HREF="mtu-issues.html#AEN2647"
>Changing the MTU of various operating systems:</A
></DT
></DL
></DD
><DT
>7.16. <A
HREF="masqed-ftp.html"
>( FTP ) - MASQed FTP clients don't work.</A
></DT
><DT
>7.17. <A
HREF="masq-performace.html"
>( Performance ) - IP Masquerading seems slow</A
></DT
><DT
>7.18. <A
HREF="portfw-issues.html"
>( PORTFW ) - IP Masquerading with PORTFWing seems to break when my line
is idle for long periods</A
></DT
><DT
>7.19. <A
HREF="portfw-local.html"
>( PORTFW - Locally ) - I can't reach my PORTFWed server from the INTERNAL lan</A
></DT
><DT
>7.20. <A
HREF="masq-logs.html"
>( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird
notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM
firewall errors?</A
></DT
><DT
>7.21. <A
HREF="reducing-masq-logs.html"
>( Log Reduction ) - My logs are filling up with packet hits due to the
new "stronger" rulesets. How can I fix this?</A
></DT
><DT
>7.22. <A
HREF="masq-host-security.html"
>( MASQ Security ) - Can I configure IP MASQ to allow Internet users to
directly contact internal MASQed servers?</A
></DT
><DT
>7.23. <A
HREF="no-free-ports.html"
>( Free Ports ) - I'm getting "kernel: ip_masq_new(proto=UDP): no free ports." in my
SYSLOG files. What's up?</A
></DT
><DT
>7.24. <A
HREF="setsockopt.html"
>( SETSOCKOPT ) - I'm getting "ipfwadm: setsockopt failed: Protocol not
available" when I try to use IPPORTFW!</A
></DT
><DT
>7.25. <A
HREF="samba.html"
>( SAMBA ) - Microsoft File and Print Sharing and Microsoft Domain clients
don't work through IP Masq!</A
></DT
><DT
>7.26. <A
HREF="ident.html"
>( IDENT ) - IRC won't work properly for MASQed IRC users. Why?</A
></DT
><DT
>7.27. <A
HREF="irc-dcc.html"
>( IRC DCC ) - mIRC doesn't work with DCC Sends</A
></DT
><DT
>7.28. <A
HREF="aliasing.html"
>( IP Aliasing ) - Can IP Masquerade work with only ONE Ethernet network card?</A
></DT
><DT
>7.29. <A
HREF="multiple-lans.html"
>( Multiple-LANs ) - I have two MASQed LANs but they cannot communicate with
each other!</A
></DT
><DT
>7.30. <A
HREF="shaping.html"
>( SHAPING ) - I want to be able to limit the speed of specific types of
traffic</A
></DT
><DT
>7.31. <A
HREF="accounting.html"
>( ACCOUNTING ) - I need to do accounting on who is using the network</A
></DT
><DT
>7.32. <A
HREF="multiple-ips.html"
>( MULTIPLE IPs - DMZ segments) - I have several EXTERNAL IP addresses that I want to
PORTFW to several internal machines. How do I do this?</A
></DT
><DT
>7.33. <A
HREF="one-to-one-nat.html"
>( 1:1 NAT ) - I'd like to do 1:1 NAT but I can't figure out how to do it</A
></DT
><DT
>7.34. <A
HREF="netstat.html"
>( Netstat ) - I'm trying to use the NETSTAT command to show my Masqueraded
connections but it's not working</A
></DT
><DT
>7.35. <A
HREF="vpns.html"
>( VPNs ) - I would like to get Microsoft PPTP (GRE tunnels) and/or
IPSEC (Linux SWAN) tunnels running through IP MASQ</A
></DT
><DT
>7.36. <A
HREF="games.html"
>( Games ) - I want to get the XYZ network game to work through IP MASQ but it won't
work. Help!</A
></DT
><DT
>7.37. <A
HREF="masq-stops-working.html"
>( Stops working ) - IP MASQ works fine for a while but then it stops working. A reboot
seems to fix this. Why?</A
></DT
><DT
>7.38. <A
HREF="smtp.html"
>( SMTP Relay ) - Internal MASQed computers cannot send SMTP or POP-3 mail!</A
></DT
><DT
>7.39. <A
HREF="iproute2.html"
>( Source Routing ) - I need different internal MASQed networks to exit
on different external IP addresses</A
></DT
><DT
>7.40. <A
HREF="ipchains-on-2.4.x.html"
>( IPCHAINS rulesets on 2.4.x kernels ) - What the ipchains.o module can
do on 2.4.x kernels</A
></DT
><DT
>7.41. <A
HREF="iptables-vs-ipchains-vs-ipfwadm.html"
>( IPTABLES vs. IPCHAINS vs. IPFWADM ) - Why do the 2.4.x, 2.2.x,
and 2.0.x kernels use different firewall systems?</A
></DT
><DT
>7.42. <A
HREF="upgrades.html"
>( Upgrades ) - I've just upgraded to the x.y.z kernel, why isn't IP
Masquerade working?</A
></DT
><DT
>7.43. <A
HREF="eql.html"
>( EQL ) - I need help with EQL connections and IP Masq</A
></DT
><DT
>7.44. <A
HREF="wussing-out.html"
>( Wussing out ) - I can't get IP Masquerade to work! What options do I
have for Windows Platforms?</A
></DT
><DT
>7.45. <A
HREF="developers.html"
>( Developers ) - I want to help with IP Masquerade development. What
can I do?</A
></DT
><DT
>7.46. <A
HREF="more-info.html"
>( More INFO ) - Where can I find more information on IP Masquerade?</A
></DT
><DT
>7.47. <A
HREF="translators.html"
>( Translators ) - I want to translate this HOWTO to another language,
what should I do?</A
></DT
><DT
>7.48. <A
HREF="updates.html"
>( Updates ) - This HOWTO seems out of date, are you still maintaining
it? Can you include more information on ...? Are there any plans for making
this better?</A
></DT
><DT
>7.49. <A
HREF="thanks.html"
>( Thanks ) - I got IP Masquerade working, it's great! I want to thank
you guys, what can I do?</A
></DT
></DL
></DD
><DT
>8. <A
HREF="c3199.html"
>Miscellaneous</A
></DT
><DD
><DL
><DT
>8.1. <A
HREF="donald-beckers-nic-drivers-and-utils-faq-hw.html"
>Useful Resources</A
></DT
><DT
>8.2. <A
HREF="resources.html"
>Linux IP Masquerade Resource</A
></DT
><DT
>8.3. <A
HREF="supporters.html"
>Thanks to the following supporters..</A
></DT
><DT
>8.4. <A
HREF="references.html"
>Reference</A
></DT
><DT
>8.5. <A
HREF="changelog.html"
>ChangeLOG</A
></DT
></DL
></DD
></DL
></DIV
></DIV
></BODY
></HTML
>