Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Linux Software

Ask Slashdot: IP Masquerading Drawbacks? 212

Posted by Cliff from the getting-it-working dept.
A Nameless Slashdotter submitted this question: "IP Masquerading (NAT under FreeBSD) is straight from the Gods. Yet it has a few very large drawbacks, such as inability to do DCC or ICQ file transfers, or play games over the internet on one of the Masq'ed machines, even with the "irc" and "quake" masquerading modules loaded. Someone give me options to solve this problem, be it another operating system, a firewall setting, a program or setup!"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: IP Masquerading Drawbacks? More

Ask Slashdot: IP Masquerading Drawbacks?

Comments Filter:

  • Socks5 Proxy Server (Score:1)

    by Anonymous Coward
    IP Masquerading works for most stuff, however I find for things such as ICQ a socks5 proxy server is your best bet. You can find a socks5 server at http://www.socks.nec.com as well as a program called SocksCap, which lets programs not written to use socks proxy servers connect using them.

  • IPMasq HOWTO (Score:1)

    by Anonymous Coward
    Here [home.net]

  • Re:Use Win98 Second Edition (j/k) (Score:1)

    by Anonymous Coward
    I recently started using Win98 SE for IP masquerading on my home network, and it works absolutely perfectly. I don't have a single application that can't easily connect to the internet. Every game I've tried connects to the Internet with no trouble. I use CuteFTP under windows, and I haven't even specified that it should use passive mode, and it still works. It is _much_ faster than crappy old WinGate, but I haven't had a chance to compare it to nat32 (http://www.nat32.com/) which claims that it is faster still...

    -Sol

  • How I did it (Score:1)

    by Anonymous Coward
    Having just installed a cable modem I ran into all sorts of problems getting IPMASQ working. I ended up having to install RH6 several times because of all the problems and my own monkeying around.

    Assuming that you have the basic machine working and it works as a gateway for WWW based applications, the next thing is getting the IP MASQ modules loaded.

    All the how-tos and do it yourself pages have not seemed to keep up with the various versions of software as well as the move to IPChains, which is a real pain in the a**.

    With RH6 I could not get it to work until I did the following (note: no kernel recompilation):

    in /etc/rc.d/rc.local I added (note: eth0 is my local net, eth1 is connected to my cable modem):


    echo 1 > /proc/sys/net/ipv4/ip_forward
    ipchains -P forward DENY
    ipchains -A forward -i eth1 -j MASQ

    insmod ip_masq_ftp
    insmod ip_masq_raudio
    insmod ip_masq_irc
    insmod ip_masq_icq
    insmod ip_masq_quake



    This took care of all the general use items. I have not had a single problem with FTP, IRC or ICQ yet).

    The ip_masq_icq module is not in the standard distribution of RH6, so you need to grab it from the following page:

    ip_masq_icq http://members.tripod.com/~djsf/masq-icq/ [tripod.com]


    For games, there are going to be major problems trying to run more than a single client from behind the gateway machine. To get around this I simply signed up 2 accounts with Kali and grabbed the Linux version of their proxy (binary only) from here:

    kProxy http://www.kali.net/js/software/kproxy. html [kali.net]

    As a side benefit, it is a Socks5 proxy, so anything that supports it can be run through kproxy.

    Do *not* try to autostart the kproxy from you module scripts. I created a user just to run kproxy and login and start the proxy manually.

    This may or may not work for you system, but it took me a whole weekend to get it running so if it works, maybe you'll have saved a little time.

    --

    P.S. If anyone can tell me how I could autostart kproxy in another terminal automatically, let me know. My gateway machine does not even have X installed, so no KDE,Gnome solutions please.


  • NAT/masquerading, from a technical perspective, is extremely evil. It changes some very important assumptions that are made in the Internet protocol suite, and this is why it breaks lots of applications. In the general case, it is impossible for a NAT/masquerade box to not break applications. Of course, NAT/masquerade boxen can be taught about specific applications/protocols and, by supporting all the special cases that will actually be seen in your environment, things work and users are happy... at least as long as they don't do anything new.

    Though some people will strongly disagree, I've always preferred firewall-traversal approaches such as SOCKS. Under Linux -- and possibly *BSD -- there are shared library tricks you can pull that will automagically add SOCKS support to most applications. Under Windows, some Winsock DLLs (the Trumpet one, I think) have SOCKS proxy support. What SOCKS does is effectively an RPC to the firewall, so that the application knows what addressing information is being used and can generate the right application-layer communications to talk with the other side without things breaking.

  • Re:Nothing wrong with it. (Score:2)

    by Anonymous Coward
    The problem with IPMasquerading is that it's a hack. It's a damn good hack, but none the less, it's still a hack. Many of the things which it doesn't do can be implemented, with more hacks, but what you get in the end is a mess.

    As with all hacks, you eventually have to figure out what makes it so good, figure out what it needs, and then rewrite it into a clean piece of code.

    What makes IPMasquing good is that it effectively sends and retrieves from the internet at the users request. It does it at a very low level, and in the kernel, so it is very fast.

    What IPMasquing needs is the ability to allow users to connect to sockets on computers behind the firewall. This can be done, as you said, by having applications tell the masquing box that they need information forwarded. However when you do this, what you effectively have is a SOCKS server.

    So maybe the answer lies in implementing socks-like functionality in the Linux kernel. There are probably reasons why this isn't a good idea, but I think you'll agree that the current technique (writing kernel modules for _EVERY_ program which needs bidirectional firewall traversal) needs to be replaced.

  • This is it -- the perfect example... (Score:2)

    by Anonymous Coward
    ... of why so many people continue to have negative feelings about linux and the linux community. The guy who's asking the question obviously isn't completely ignorant of the topic at hand, otherwise he wouldn't have brought up NAT or LKM's. Even if he were, this is a moderated "ask-the-question" forum that exists for the explicit purpose of people who don't know something to be able to, well, ask the question.

    Yet you insult the poster for no decernable purpose, and add nothing to the discussion. It's the damn elietism that turns people off. People arn't going to embrace linux if you're being a dick about it. You don't have to help them, but there's no reason to harass them (and many a reason not to).

    Ugh.
  • I've played a fair bit of games from my Win98 box behind the IP Masq, and for many newer games they work just fine (playing, not hosting).

    Those that don't need to get their act together. :) This [caltech.edu] has some explanations of a method to use UDP packets and work beautifully with different NAT systems.

    Things that I have played just fine recently (read, I at least see their CDs lieing around my desk, more work but I can't think of em all right now): Half-Life, Quake 3, Myth 1 and 2, Tribes, F22 Lightnine 3 Demo, even 2am.com's group of free games. I did pop in my old SWAT 2 and that one didn't work. Some game companies at least have a tech support FAQ that may tell what ports to redirect or anything to help. I say we start petitioning companies that refuse to make Linux ports to at least make compatible multiplayer gaming...
  • So he manually types up converted packets as they go out, are you saying that's impossible??
  • There is a project going on over here where videostreams are delivered to the desktop using the Xing XDMA protocol. However, I've not been able to get it to work through a masquerading firewall: it displays the first 15 seconds or something of the stream and it then just stops. W/o the masquerading firwall everything works fine.

    Maybe anyone has an idea how to get this to work properly?

  • This was on freshmeat a week or two ago, Its supposed to handle icq. Haven't tried it yet so no idea how well it works.

    [tripod.com]
    http://members.tripod.com/~djsf/masq-icq/

    IF someone has tried it, can you send me a message with how well it works and any advice. Remove the nospam from my e-mail and you've got it.

    LBS
  • Windows 98 SE does indeed have IP masquerading built in. I'm not sure if it's the NAT1000 stuff, but I'd assume it is, since it would be fairly pointless for them to write their own parallel version.
  • Under Windows, you can use the WinGate IP masquerading/SOCKS software. I assume there is similar stuff for Linux and FreeBSD. Once you have that set up, any decently written IRC client will be able to use DCC transfers (for example, mIRC on Windows works flawlessly).
  • Well, I use Windows 95 myself, so I can't give you any specifics, sorry. I know a few people that have used it though, and they say that you set it up through one of those "wizards" windows is so fond of.
  • No problems for me either, Linux 2.0.36 on the firewall. Normal "active mode" FTP even works, don't have to do passive mode, as long as ip_masq_ftp.o proxy is modprobe'ed into the kernel.

    -E

  • I bet you use Red Hat 6.0 (Score:4)

    by Eric Green ( 627 ) on Sunday July 25, 1999 @05:22PM (#1785039) Homepage
    The reason I say that is because Red Hat 6.0 has a bit of Evilness(tm) in the way it handles modules. Even if you manually 'modprobe' all of your ip_masq*.o proxy modules, Red Hat 6.0 will 'rmmod' them five minutes later (unless they happen to be in use at the time).
    Solution: Create /etc/rc.d/rc.modules and manually insmod your ip_masq* proxy modules there (don't forget to set the #!/bin/sh comment as the first line and do a chmod a+x on it!), and then in your /etc/crontab find where that @#$%!@ rmmod is taking place and zap it.
    Distributions which manually specify modules to be loaded, like Debian or (maybe) Caldera, don't have this problem. It's just distributions which try to get fancy by using the kernel-level module auto-loader that have this problem (and only under the 2.2 kernel, which removed the 2.0 kernel's timeout functionality for the auto-loader).
    With the proxy modules loaded, I've never had any problems with reverse connections on FTP, Quake, etc. That's why I'm suspecting either a) you don't have them loaded, or b) Red Hat 6.0 (or Mandrake 6.0) is helpfully unloading them for you!

    -E

  • ident? (Score:1)

    by chap ( 676 )
    This may be a simple question, but I haven't seen it addressed in any of the documentation I've read: What about IRC servers that require a valid ident response to connect? Everything works fine on my client machine except this (and incoming ICQ transfers, but I can live w/o that). Does anyone have any tips or pointers to documentation that covers this?

    Thanks.
  • yup yup yup... I've managed somehow to shove a linuxrouter distro on one floppy that does masquerading+caching DNS for the internal network... on a 486 with 8Mb of RAM (512K for the DNS cache)

    It does work... more or less... most of the outside world 0DNS queries time-out because of the lag.. oh well, works better with the internal DN queries so I'm not to bothered :)

    ---

  • Unless you want a really spiffy brand new kernel on your router (doesn't bother me) the Linux Router Project [linuxrouter.org] disk is a damn fine way to go.

    I have mine set up on an old 486 in a pizzabox case and it works beautifully. All I did was tweak a few IP numbers, tell it to do transparent proxying and I haven't noticed any difference from being dialled up directly, apart from my flatmates sucking all the bandwidth that is :).

    That said, I am currently in the process of designing a disk specifically for doing dialup router/firewall duties that will be somewhat more current and easier to configure than the LRP disk. mail me [mailto] if you are interested.

  • Comment removed based on user account deletion
  • I am using a NAT program called SYGATE on my NT Server box (hey, ot works!) that connects my LAN to the Internet.

    I have played Quake, Quake2, Quake3A Test (1.05 - 1.07) and a whole host of other games on the Internet.

    The only problem I have ever had is with FTP clients. I got one that supported pasive mode and everything worked fine.
  • I've gotten a few emails asking about ICQ and FTP from behind a Sygate server.

    For FTP I have used plain old Windows FTP and the GNU version of FTP that comes with BeOS. Both work fine. I used to use WSFTP back when I used WinGate, and it also seems to work with Sygate.

    While I do not use ICQ I did see some items about using multiple ICQ clients behind the Sygate server on their FAQs page on their web page:
    http://www.sygate.com

    As for multiple people playing Quake, have never tried it. I'm the only person in my house that plays Quake(1,2,3A) and I have never seen the need to play it on two computers at the same time (nor would I have the skill, as anyone who has kicked my ass in Quake can tell you).
  • I'm no expert, but I am running Starcraft under NT4 in VMware, Linux 2.2.10. Once masquerading was up, it all seemed to work well with no extra setup.
  • I have problems using ftp over masquerading. Even with passive mode on, reverse DNS lookups not required, matched C libraries, certain ftp clients still don't work with certain ftp servers. It's a matter of trying every ftp client on your system until one works, then remembering which ftp client works with which server and which client is faster for the job. Right now ftp, ncftp, Wxftp, sftp, Igloo, and netscape are on the system.
  • DEC Multias also make great little firewalls. There are usually a few for sale at any give time on ebay [ebay.com].
  • got a linux ip_masq box running great on cable, and my machine inside of it (among other boxes). I have an irc bot runnin on the ip_masq box, so other people can access it - DCC works just fine for everyone, except me! I think the bot (eggdrop) sees a DCC chat req comming from the 'external' ip #, and tries to essentially connect to itself. now I can get into the bot via telnet, so I'm not completely stranded, but it'd be nice to use DCC chat instead. Am I stuck with telnetting, or does anyone know how to fix this?

    -----
    If Bill Gates had a nickel for every time Windows crashed...
  • NAT is the virtualization of network addresses. Weve had the same development with memory addresses long ago, and similar issues (i.e. programs using physical (memory) addresses directly). Today we have almost the same development weve seen inside a computer in a larger environment, the network. The time where an address specified an exact physical entity will be over some day, and is already today in many cases - ever heard of virtual servers? Load balancing?

    The network is still at an very early stage in development compared to the inside of any modern computer. Youll see even more virtualization. That doesnt mean todays NAT solutions are the future, theyre just the beginning and at an early, sometimes very experimental, stage, just like virtual memory wasnt developed overnight. Besides, the virtual network is a lot harder to do than virtual memory: the latter takes place inside one small box, while the virtualization of network resources has consequences for millions of computers simultaenously.

    general NAT info:
    http://www.csn.tu-chemnitz. de/~mha/linux-ip-nat/diplom/" [tu-chemnitz.de]
    --
    Michael Hasenstein
    http://www.csn.tu-chemnitz.de/~mha/ [tu-chemnitz.de]

  • The only thing that doesnt work inder IP-masq is
    *incoming* connections. That is because the
    remote system connects to say, port 1234 on the
    server that sends the original packet. As this
    is apparently the masquerading host, the masq host
    does not know where to send the packet on to,
    there is no way to connect an arbitrary portnumber
    without configuring that portnumber to ALWAYS be accociated with a unique app.

    Your only solution is to have your ISP give you a
    group of IPs, and assign one for each box

  • ipmasqadm portfw -a -P tcp -L 25 -R 25

    There, I've just forwarded in my mail server. It works with udp as well. You can also add multiple machines and round-robin between them. Do port translation to get around firewalls. Forward out different services to different machines and confuse the hell out of skript kiddies.

    Protocols which break behind NAT boxes are doing nasty stuff like including IP and port numbers inside the _data_ layer of the packet, which is arguably a stupid thing to do.

  • lag on doing anything, even more than the noticable lag when using a 486.

    naw. I use a 386DX33 with 8 megs and a 120 meg HDD doing voicemail, X10 and internet dialling. no worries there. I mean I"m only connected at 56k so the processor is mostly sitting around. I just gotta get a UPS on the beast so I can get some uptime on it :-)
  • IPMasq might be technologically evil, but we still live in an IPv4 universe, and IP addresses are expensive. Until that changes, I think masqing is a fact of life, and something that designers of new protocols really should consider.

    -Mars
  • No one seems to have mentioned something I consider pretty important: X Windows. I don't think that X will EVER run across NAT... I mean, what would you set your DISPLAY variable to?

  • I have seen a few comments about how evil NAT is. I wholelly agree. But it has it's benefits.

    Being able to have any number of IP's that are needed to complete one's network without having to go through the hassle of paying for an IP space is the one at the top of my list for one... Though:

    For ease of use I would recommend FreeBSD, it has a better suite for NAT (no flames yet plaese... read the rest.) And my statistics for the box actually say that FreeBSD is faster for doing the networking. (non professional... just watching the D/L rates.)

    For functionality I would highly recommend Linux, as it has a much better plug in system for the Masq modules.

    I have used both. And had much success with both. But the one thing I will HIGHLY recommend for both operating system platforms is socks5. Most applications are somewhat aware of it, and those that are not can be made aware with some library tricks. I use ICQ and AIM on a windows box behind my firewall with little to no problems at all. The only problem that I see is that sometimes incoming messages are a little slow (have yet to figure that one out, but I'm sure it's a configuration error).

    The only other thing that may cause problems is if you are using dynamic dialup. Secure web sites sometimes complain about an invalid reverse name lookup.

    I have been happily using a NAT based firewall for about 2 years now both Linux and FreeBSD. I prefer FreeBSD for the networking speed, but that is wholelly my personal opinion.

  • Quick comment: I'm using a Red Hat 6.0-based Internet gateway to connect my network to my ISP's dial-up link. ICQ & Quake3Arena work flawlessly without any special setup besides the regular firewall settings. I didn't have to bother with modprobe/insmod of any filters, it worked straight out of the box, so I don't think it's a problem of Red Hat Linux.
  • ACtually, Vicom internet gateway reinvents the wheel. OpenTransport has the ability to do the equivilent of IPMasq (as far as I remember) and you can use a tool called IPNetRouter to do so. Plus, it's probably cheaper. (not open-source though)
  • The URL for IPNetRouter is http://www.sustworks.com/products/ip nr/ppd1.html [sustworks.com]
  • Comment removed based on user account deletion
  • Hi all,

    Various other people pointed to broken protocols, and protocols which need special help. In general, any protocol which does not restrict itself to a single connection (ie. src ip/port dst ip/port quad) will require special assistance. This includes FTP (both passive and active) in the general case, although for simple masquerading passive ftp does not need help.

    For static NAT, where an IP address is always mapped the same way (n:n NAT, eg. 192.168.1.* is mapped straight into 1.2.3.*), only protocols which actually include IP addresses within their data stream will be impaired. Unfortunately, FTP is one of these.

    A special note on games: Dan Kegel (of Activision) produced a fairly well-thought-out proposal for UDP gaming through NAT. IP masquerading in Linux 2.2 meets this standard.
    Here is the draft [caltech.edu]


    Rusty.

  • With all the appropriate configurations done on the server and the client workstations (ie, port ranges for ICQ) I have had few, if any problems.

    I can send and receive files from ICQ, chat with people, even chat with people on my own lan. There is no loss of functionality for me with IP Masq. Some applications require special modules or commands, but once done, it's never an issue.

    I'm running Slackware 3(?), with kernel 2.0.36. The machine is so solid that it doesn't have a monitor or keyboard attached to it, and it's only a 486.

    I have not tried to do any online gaming with IP Masq.

    I can't get full voice with MS netmeeting to work, though I haven't tried too hard. The whiteboard and everything else works fine though.

    I do get strange intermittant problems, issues such as people being invited into a four-way-chat only getting a three way chat... when everyone else sees the four. People dissapear who should be visible, lots of peculiar behavior, but nothing show-stopping. I think it is a combination of ICQ running out of incomming TCP connections and a problem with the ICQ servers failing to correctly or timely interpret the status of people with the same IP address or something... most status issues are resolved by changing status back and forth.

    I would love to hear people's suggestions about how to fine tune various applications.

  • You can get full ICQ functionality by running a socks5 proxy. If you're running an icq clone, your mileage will obviously vary, but the mirabilis releases do just fine.


    Commercial sites will run into licensing issues, too.


    http://www.socks.nec.com [nec.com]


    FreeBSD users see /usr/ports/net/socks5/

  • I haven't played with battle.net, but I just got my friend's machine (behind my masq box) to work with the MSN gaming zone.

    Doing so involved the use of yet another experimental kernel networking feature: fwmark forwarding (look for it in the network options in the kernel).

    The first thing to do is to find out the port ranges that the gaming system (battle.net, the zone, whatever) need to access.

    second thing to do is to (other than being familiar with the firewall & masq tools) is to do a 'man ipmasqadm' and look for the section called mfw.

    That should be about it. You might even be able to get multiple boxen to work with at the same time (mfw allows redirection of ports to multiple simultaneous internal machines, if i read the docs correctly).

    the third thing, of course, it to get all the command line parameters correct for ipchains and for ipmasqadm :)

    anyway, i hope this helps someone, if you have more questions, email me, but this is most of what i know (it only took me ~30 mins to set it all up -- ms acutally had good docs for what port ranges were required)
  • Actually, slight correction. NAT (network address translation) is the common term for this functionality. I dont know why the linux community still refers to it at IPMasq...

    But anyhoo, IPNat under OpenBSD lets me run anything behind it. I can DCC, AIM, ICQ, etc. with no problems.

    NAT however is an unfortunate (although extremely cool) side effect of what happens when you begin to run out of IP addresses with IPv4.

    -Dave

    --
    Dave Brooks (db@amorphous.org)
    http://www.amorphous.org
  • I've been using a masq'd box as a firewall/gateway for my home LAN for the past six months or so. It does everything perfectly, and I don't load up any modules. I just use ipchains, and everything on the other boxen looks like it were directly connected to the internet; it works perfectly. Every application from ICQ to AIM to telnet to Quake II to email to whatever you want will run like this.
  • That's because the DCC module doesn't take into account the non-standard extensions that mIRC uses to do DCC resume. The problem is mIRC's implementation of the protocol (ie, ircII hacked to support DCC resume has the same problem). It breaks one of the 'rules' in rfc1459 (clients should never send an automatic response to a NOTICE) and is much more difficult to support than the original DCC. I tried once, using the spec on mIRC's homepage, but eventually gave up and went back to using ftp to share files.

  • That's how I do it.. IPChains and Socks5..
    ICQ messages, chat and transfers work through socks with no problems.

    However, I have yet to find a windows IRC client with complete SOCKS5 support.. I can get everything BUT outgoing DCC to work with just IPChains.

    Frequently, the problem with IRC clients and NAT isn't the NAT itself, but the way the client figures out the local IP. If it uses the IP of the local machine, any direct connections are toast... Most clients (like mIRC) let you either manually specify an IP (a pain under DHCP) or can get it back from the IRC server after you connect.

    Quake 2, Ultima Online and any other game I've tried have worked fine with just IPChains, but SOCKSCap is always an option for really wierd things.


  • Masquerade resources (Score:5)

    by httptech ( 5553 ) on Sunday July 25, 1999 @04:47PM (#1785069) Homepage
    Try this page: http://www.tsmservices.com/masq/ [tsmservices.com]

    You can find information there on getting just about any application working with masquerading.



  • Better yet, use tcp_redir. It's simpler, and its docs are in english (a big bonus for me anyway...)

  • Re:You need a specialised setup for each app (Score:4)

    by garcia ( 6573 ) on Sunday July 25, 1999 @05:06PM (#1785071)
    Not true...

    Check out my "howto" on portfw'ing:

    http://www.gargoyle.dyndns.org/linux/portfw-tuto rial.html

    anyway, the webserver itself is behind the IPmasq :) It is really easy to do, all the links are there (or used to be hehe).
  • If you use your FTP client in passive mode, you don't need the ip_masq_ftp module.

    eg:

    ftp site.com
    ftp> passive
    Passive Mode On
    ftp> get blah.tar.gz, etc

    the ip_masq_ftp module just allows the active FTP
    transfers to work. I don't use ip_masq_ftp
    and am able to ftp up/down from the net w/out problems. I just need to use passive mode. This is what your browser will use as default when it is downloading via FTP.
  • From an administration standpoint, wouldn't you agree that socks is harder to maintain since it requires client config per computer. Somewhat like using static IPs instead of Dynamic IPs. You can imagine the hassle with laptops that are used at both a corporate HQ and a client site.

    Here's where NAT/masq applications shine. They don't require any changes on the client side. I've been at a firm that used socks, and it is somewhat more difficult because if your application doesn't use the TCP/IP stack like the socks is expecting it, such as with Oracle apps, you're screwed.. With NAT, you're not :).. There are basically pros/cons, but I'm a pro NAT individual.
  • Learn to read it people. There is a reason someone spends time writing down that boring crap into awful as formats like nroff.

    Almost everything questioned by the original poster is covered in the FreeBSD natd man page. How do I know this? I learned to read. You should try it.

    ---
    Openstep/NeXTSTEP/Solaris/FreeBSD/Linux/ultrix/OSF /...
  • It made ICQ DCC chat work for one of my clients

    You still can't DCC _IN_ directly to a masq'ed client, unless you do a trick: allocate a port for each user and forward the data from that specific port to the assigned user. I haven't tried this under 2.0.x but did get it working once on 2.2.x: the caller aims their DCC to the appropriate port on the masq server instead of trying to hit the masq'ed user directly.
  • This worked great for me, except that I never *could* get ICQ working with the Socks5 from nec.com. I *thought* I'd read somewhere on their site that the free version didn't support UDP forwarding or something. But you're saying that you got ICQ to work? Do anything special? Or just an out-of-the-tarball compile and install?
  • Actually, there is a way to do this, sort of. It's an experimental feature called IP Port Forwarding. The idea is that you can designate certain ports which can be forwarded to certain machines inside your network, so you can have a web server on your masq'd network and have it transparently proxied by forwarding port 80, or do other similar tricks. Of course, this has it's drawbacks, along with being experimental but it does work... in fact, this technique has been used to allow SMB mounting of filesystems on a masq'd box, among other neat things...
  • But, you cannot compile the Masquerading modules into the kernel. They're always built as modules, just like the PPP compressors.

    BTW - Anyone know why the ip_masq_icq module hasn't become a regular part of the kernel? And when are we going to get some of the neat Masq'ing features that the 2.0.37ac?? patches have?

  • You need to use the RTSP/RTP proxy (run it on the same box as you're masking from). Works perfectly for me. Builds on a few different platforms.

    http://www.apple.com/quicktime/ developers/rtspproxy.html [apple.com]

    Dox & source included. Enjoy,
    W
    -------------------
  • Yeah, that page is a positive goldmine if you're attempting something with a 1.3.x kernel

    Otherwise, it's hogwash.

    It's been in dire need of an update since about 2.0.17

  • It does work, but it doesn't understand ICQ's newer protocols.

    Thus, it won't work for icq98 or icq99, but it will work with older versions of icq.

    The problem is I'm not about to tell my users they should retrograde their icq. So i installed Socks instead.

  • Ummm... (Score:1)

    by sp- ( 11321 )
    this advice is assuming the person has everything you talk about loaded as a module and not compiled into the kernel...

    in response to the question at hand...
    solution: use ipfwadm or ipchains

    set up correctly with a newer kernel, this will work for everything.
    ------------------------------------- -----
    Reveal your Source, Unleash the Power. (tm)

  • Well that would explain my experiences.. I installed SOCKS5 and ICQ worked worse than without it. I did find a kernel module ip_masq_icq (just search on alta-vista theres only a couple of hits) but I managed to trash my router by recompiling the kernel (I needed to upgrade it to 2.0.36) and putting it after cylinder 1024 on the disk *embarressed smile* so I had to restore it. I'll have another go doing this when I have time *S* or swap in a motherboard that will boot it...
  • I don't see anything evil about it: IP masquerading does what it does and it's useful at that. It is halfway between having separate machines and having a true cluster of computers.

    SOCKS works in user mode; I don't see any advantage to that. If you want bidirectional firewall traversal, you could implement similar functionality in the kernel. You need to either notify the firewall machine that a socket on the client is accepting connections and that needs to be forwarded to the firewall machine, or when there is a request coming in, the firewall machine has to try until it finds a machine willing to service it.

    Most people don't need, and in fact, don't want that functionality. But people who do already get it: it's part of clustering.

  • ipfwadm has been abandoned for ipchains in the 2.2.x/2.3.x kernel revisions. If you're thinking of using ipfwadm, you should seriously think about compiling a new kernel.

    (It's a point of information, not my attempt to make anyone look or feel bad.)

  • Missed a /B in there. I suck.

    Let that be a lesson to you. Always preview before you submit.

  • I've recently set up IPMasquerade on my home box (kernel 2.2.10, i486) DCC, FTP and the like all work fine, once you get the appropriate modules loaded and functioning.

    One thing to be careful of is to make sure you load the modules to keep an eye on the proper ports. I had everything but DCC running, and was scratching my head for a while, until I realized that the ip_masq_irc module which deals with such things was looking at the default (6666?) port, and not any of the others (6667, 7000) that are frequently used.

    Seriously. If you need help with IP Masquerading, check out http://ipmasq.cjb.net [cjb.net] ... the IP Masquerade Resources Page. Complete with mini-HOWTOs and links to useful documents like TrinityOS for ensuring your system is remotely secure.

    Good luck. It's a little bit of work, but once you wrap your mind around it, it's a piece of cake.

  • I wrote this in one thread, but I'm guessing it'll be too buried for a lot of people to get to (or it'll get moderated down, blah blah blah).

    http://ipmasq.cjb.net [cjb.net] is the URL for the Linux IP Masquerade Resource page. Once there, consult the IP Masquerade mini-HOWTO (v1.76-Jul18.99), patches for older kernels, the mailing list, the IP masquerade application collection (if you want to configure that one pesky piece of Internet software just right.), the TrinityOS step-by-step documentation for IPMASQ and network security, and even goodies for people on dynamic (gasp!) IP connections.

    It's an excellent site, which was truly an invaluable resource when I was trying to put the jumper cables to my own IP MASQ'ing gateway box. Even my Amiga has no problem getting through to the outside world via. the Linux box.

    Good luck. It can be a little tricky in spots, but the end result is worth it.

  • I rather think that the original question was regarding IP Masquerading via Linux, and possibly *BSD. It may well be possible via Win98. I won't dispute that, as I don't know. But let's try to stay on topic here.

    My question is: why must FTP be in passive mode when it is run from a host on a masqueraded net (the gateway itself excepted, of course)?
  • I used NAT and the only problem I had was that if a user was telnetted to a site outside the firewall and left it inactive for awhile, it the firewall would think that the connection was dead and close the tunnel. I tried playing with the timeouts, but it seems to work on a global level and it just bogged down the poor machine.

    Is there away to make NAT not drop just telnet tunnels or something? Email me if you like, I'd like to know.
  • why bother w/ a 486? I used to have a 386 sx16 or something slow like that w/8megs of ram and a 100meg hdd doing the job. Greatest part, I didn't pay for any of it. I had the nic lying around and I got the 386 from a friend who bought a new computer.
  • FYI, 6667 is the default irc port, other commonly used ports are 6660-9 and 7000.
  • simple, use the X forwarding in ssh.
  • How do you get Windows98 SE to perform NAT functionality? That would be very useful for me since I'm the firewall machine, but I dual-boot into Windows98 sometimes to play games, and when I do, my brother gets mad. :)

    Thanks.
  • I am the TIS firewall ftp-gw module for people on my internal network as well as the NEC Socks5 firewal

    Doesn't that hurt? }:-O


  • What good is a gateway machine that you have to reboot every six hours, eh?

    I know of commercial solutions for Solaris (FW1E for example) that are EXCELLENT.

    Novell has one too that allows quake and stuff too. I haven't played with that one much.
  • RSP and RTSP or Real Time Streaming Protocol requires special support from the proxy server and fails under most NAT implementations.

    RealAudio/Video uses HTTP which is widely supported but far less efficient. Funny thing is that I am using NAT on my Cisco router and RTSP fails, even though Cisco supports RTSP for CiscoTV. So much for Cisco supporting standards.

    I'm about to spark up my Novell Border Manager to see if it supports RTSP and if Novell's NAT works.
  • Socks5 is available for many flavors of unix (some versions are even free) from NEC.
    The only drawback to socks5 proxies that I can find is that it doesn't do ICMP packets (ie PING)
    You can get a free socks5 client for win95 that basically replaces winsock so you don't have to configure all your software for proxy. I don't think there is such a client product for Linux but I could be wrong. (that just means you have to set proxy settings in netscape, ICQ etc.
  • OK, I fully agree with the fact that masq'n at an ISP is just evil. Some of you might be suprised to learn that ISPs using NAT goes beyond goes beyond three-man operations.

    I've got DSL and Internet through USWest (which is huge, and getting even huger merging with Qwest), who used to op for a straight bridging scheme through a Cisco 675 "DSL Modem." No problem. I set it up with a Linux box that I masq'd and put lots of Microsoft boxen behind. Just a couple days ago, though, USWest decides to get freaky and set it up so the Cisco gets a dynamic IP, and then itself acts as a DHCP server for any machines behind it (non-routable private use IPs, 10.0.0.0) and it uses NAT! SUCK! So now, I've got packets traversing two layers of NAT/masq grimore. Almost nothing works.

    The moral of the story is, even if you're only going to connect one computer (by the way, USWest does NOT support Unix at all) don't sign up with USWest as an ISP. No lovin' at all. [Well, I guess the actual DSL service is pretty good. Only one outage in over 8 months.]

    OK, I be shut up.


    / c l o c k w o r k /
  • IPNetRouter 1.4 for the Mac also works very well. 1.3.3 wasn't able to handle the RTP/RTSP protocol required for quicktime streaming (had to map out the port manually) but they fixed that one right away. ICQ, Real, etc all work great. Wow, I can't believe I almost bought a hardware router for my office. Instead we just took one of our old Macs out of mothballs.

    Just out of curiosity, has anyone tried out WinGate 3.0 for windows?
  • all i can say is- "read it." irc has always worked using the irc module, not to mention quake, etc. just about any game company under the sun will tell you the tcp/udp port settings if you ask... and icq... well, icq is hell-sent anyways... use ftp, http, nfs, ssh or *anything* else for file transfers....

  • can you provide us with links to information on the libraries that do things automagically? thanks!
  • Welp, I hate to say it but the only solution I know of is on Win9x. I'm sure there are others and i can't wait to hear about them. As for the Win9x solution: Nevod Inc used to make a product called Nat1000 which was amazing! You could do everything from the client machines -- run quake servers, dcc serve, run hotline clients -- everything. Unfortunately, these guys were bought out by those folks from Redmond, and supposedly their tech was to be incorporated into Win98 SE. I've long since lost the original need for ipMasq/NAT but would be interested nonotheless in knowing whether it *works* in Win98 SE or how to get it up and running on FreeBSD/Linux.
  • I'm not familiar with ICQ, so I can't help with that. But for DCC over IRC, to load the kernel module, instead of doing:

    /sbin/modprobe ip_masq_irc

    do:

    /sbin/modprobe ip_masq_irc ports=6667,7000

    and add whatever ports you use for IRC in the ports. I had this same problem about a week ago and a friend was kind enough to let me in on the secret. :) Look for some sort of ip_masq_icq, which would probably let you do the ICQ thing too.
  • Damn Enter key anyways!

    I have no problems with any icq function, you just have to make sure that you tell it you are behind a firewall, and that you dont use a socks 4/5 server...as for quake, it works just fine, make sure the quake module is loaded on your linux box...

    masq servers cant accept incoming connections to you, so you'll have to initiate them if you want to do something...

    El Guapo
  • The draft for this is located at:
    http://www. ietf.org/internet-drafts/draft-ietf-nat-rsip-proto col-01.txt [ietf.org]. Pretty interesting read as it looks like it has loads of potential. I can't wait to try out an implementation of this!

    Bryan R.
  • I'm surprised this hasn't been mentioned already, but David Ranch's IP-masq'ing mini-HOWTO really helped me...I play StarCraft, Quake2, Quake 3 Arena, use AOL IM, ICQ (file transfers can be made to work), and more. Probably the main thing that will help you is IP portforwarding... In any case, check out the HOWTO... IP masq mini-HOWTO [csuchico.edu]
  • My understanding was that Microsoft was going to incorporate NAT1000 into Windows 2000, not Win98 SE. I've never used the software, but I've heard great things about it, and a large majority of NAT1000 users were pissed when they discovered MS bought Nevod out and they lost support.
  • I have three masqing machines, two at work and one on cable at home ;). Yes you don't have a valid Internet IP on the internal network, but this is a GOOD thing - I would rather be secure than have the ability to run a web server on my box, that is what a SERVER is for.
    Most of your faults can be worked around, such as ICQ file transfers, e.g. port forwarding. Games work fine, I play Quake 2 and 3 all the time through my firewall ;) The point is you have to KNOW what you are doing read absolutely everything you can find and then read it again. IP masq is very kewl. You just have to know how it works, and how to configure it properly.

    -ShieldWolf
  • blow away the vdolive module, which uses port 7000, and use:

    modprobe ip_masq_irc ports=6666,6667,6668,6669,7000

    Works fine for me on Linux 2.2.5 and 2.2.10. Not sure about BSD though.
  • I've had masking set up on more networks than I can count, and I've never had a problem with any ICQ options (after updating the module), games (Quake2, Quake3, Tribes, Civilization: Call To Power), or most other things. Even passive mode ftp can work well with a little setup time.
  • I have an old Mac running Vicom (www.vicomtech.com, I think) Internet gateway. It is way easier to setup than masq and give new life to that old 7200 you have lying around ;)
  • Well I've found winroute lite (www.tinysoftware.com) to be an awesome program for running multiple ip's over one connection. Never had a problem with any games or DCC, would suggest to anyone who needs and easy to configure Masquearder for win95/98.
  • I've been using masquerading on a linux machine (And a short time with fbsd, but it has some odd quirks I don't like) and had just resigned myself to not using dcc send beause it never worked using epic. Until a friend pointed out that chat worked both ways so why shouldn't file transfers. So, working with another friend, we tracked down why. Appearantly, if you include extra stuff at the end of the dcc send request, the module ignores it. To fix, we simply commented a few lines in /usr/src/linux/net/ipv4/ip_masq_irc.c. This is all based on Linux 2.0.36.

    Line 172, comment out:

    if (xtra_args != 0) continue;

    Lines 178-182, comment out:


    if (data[0] != 0x01)
    continue;
    if (data[1]!='\r' && data[1]!='\n')
    continue;


    Then make clean;make modules;make modules_install, quit irc, wait 60 seconds for the connections to timeout, rmmod ip_masq_irc;modprobe ip_masq_irc and you're set. This is a kludge, but it works.
  • Simple. Make the game writers follow, or create, a standard. They keep creating proprietary data formats which only their software understands. Then customers find that firewalls and competitors (ie, the current AOL and MS squabble) are not compatible.

  • How (Score:2)

    by SEWilco ( 27983 )
    How, indeed. We can't make other programmers do anything.

    As programmers we can improve competitors' products who are following standards. As customers we can avoid proprietary products, just as we did with MicroChannel. As reviewers we can mention if products use proprietary methods or standards.

    The AOL and MS messaging customers and tech support are getting lessons in that right now.

  • Hmm, I'm running a RH 5.2 install on a 486 that I use for a masq firewall. I've had pretty good success with only two real exceptions:

    ICQ file transfers.
    FTP with some *cough* windows clients.

    I am able to play any net multiplayer game I want, I run a Q3Test server from behind the 486 using port-forwarding. Works great. Only issue I had was registering my game server with the id master.

    Masquerading gets the registration packets, and masqs them out, except it changes the source port. This fouls up the works since game ports are expected to be 27960 and I show up with 62345 or some other randome port number generated by masquerading. To get around this, I use a helper that runs on the firewall that sniffs for the registration packets then writes out a copy from the correct port.

    When I got the program, it was set up for half-life. I made a couple quick changes to get it to work for Q3Test, but it probably could be easilty converted for any game server that sends out similar registration packets (Quake2, Sin, Blood, Shogo, etc.)

  • Hmmm, what's the minimum hardware setup for running a W98 SE box to do NAT? P133 w/ 32 meg - I would probably guess. Nice thing about doing this with Linux is that you can dust off that 486 and put it to use.

    My masq/portfw/gateway/firewall is a 486/100 with 16m running a 2.0.36 kernel on a 202 Mb hard drive. I laid hands on a couple SMC ISA NICs and an ATI mach 8 at a swap-meet and I was in business for about $30. Before I set this up, I was using a PPro 200 with 64mb to run Win98 and Sygate. This did actually work ok, except for having to reboot it when it froze every couple days. (now the ppro is running Debian doing Q2 server duty). Its a real shame you have to run an OS with an integrated GUI and web browser just to do a simple chore like NAT.

    And the only real shortcoming I have with my setup is ICQ file transfers, but what I do anyway is set up FTP access for friends that need to send files. Granted, I don't do this very often and it wouldn't be practical for someone trading pr0n with strangers they meet on ICQ. ;-)



  • Maybe on a 386, but on my 486 its fine. I'm connected to a cable modem and the 10BT NIC's run at full speed, the cpu barely ever breaks over 10%, even when holding up a quake3 game with 8 players (no the game doesn't run on the 486, I'm just talking about the network traffic).

  • just installed this over the weekend, and it does seem to work like a charm.

    One gotcha, though, the Win98SE machine has to be "logged in" for it to work, it seems.

  • How I Do It on Linux (Score:5)

    by DrKirwin ( 38614 ) on Sunday July 25, 1999 @04:47PM (#1785139) Homepage
    Had the same prob using my masq't machines to ftp to and from the net. So, I telnet to my linux machine, and:

    /sbin/modprobe --list | grep ftp

    which returns:

    /lib/modules/2.2.5-15/ipv4/ip_masq_ftp.o

    Then I (as root):

    /sbin/modprobe ip_masq_ftp.o

    This adds the ability to do ftp from a masq't machine, or does for me. There are other protocols, such as for RealAudio. Grepping on "masq" will find 'em.

    Ie:

    /sbin/modprobe -l | grep masq

    I'm not sure that the loaded module persists if it isn't called for a while. There are parameters governing this sort of thing. You can also add the line to your /etc/rc.local (or whatever).

    Looking forward to seeing other solutions! (Far as I can tell, I'm first post.)

    Anyway, gives you a place to manpage if nothing else....

    -K
  • yeah win98 se's nat stuff seems to work for everything i've tried (admittedly just telneting and ftping, but hey) the only thing is the default network and netmask are nasty, 192.168.0.0 and 255.255.255.0, and as far as i can tell theres no nice pretty redmond approved way of changing that, but looking through the registry for ICS(internet connection sharing) finds the stuff you need to change, and it seemed pretty intuitive for me......
  • it is also possible to forward port 6001 from the firewall box to the port 6000 on a box behind the firewall... that way you can set your DISPLAY variable to myfirewallbox:1 which will be vome screen 0 on the machine running the X server.

    i've never actually tried this myself, but know some people who have...

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close