On Sat, Mar 25, 2000 at 03:02:52AM -0500, Jeff Gordon wrote
> Hi, John --
>
> > Um.. in spite of what Andrew said, they're not modules.
> > ipfwadm is an IP packet firewall/masquerading setup
> > utility that works with kernel 2.0.x; ipchains is similar,
> > but for kernel 2.2.x.
>
> (Okay.)
>
> > # ipchains -L input
> > for kernel 2.2.x.
> >
> > This should list the default policy and rules for accepting
> > incoming packets, if your kernel supports IP firewalling (which
> > is required for IP masquerading).
>
> Okay--the policy at present is one I set up awhile ago, basically
> allowing bidirectional forwarding on everything. :-) We realized that
> if we didn't do that, my brother's packets would never make it out the
> door -- but we're still left with problems of how to get responding
> packets back to his machine, which (as I understand it, anyway) is
> where the Masq bits come into play -- and the kernel is saying
> Masquerading is not enabled -- so are we back at Andrew's original
> statement, that I need to compile a kernel in which Masquerading -is-
> enabled as the next order of business...? (I hope so 'cause I'm
> downloading about 18 megs right now in order to do that. :-)
>
Are you using a "stock" Debian kernel, or one which you built yourself?
The stock kernels usually include masquerading support. If you're using
a "Stock" 2.2.x kernel you should see masquerading modules (ip_masq_*.o)
under /lib/modules/2.2.14/ipv4 (assuming kernel version 2.2.14); if you
do then your kernel already has masquerading support built in (if it
*is* a stock kernel then you should also have a file like
/boot/config-2.2.14 that shows you the kernel configuration used).

If you're compiling your own, you need to include support for (assuming
kernel 2.2.x) Network Firewalls, IP Firewalls and IP Masquerading. You
also need /proc filesystem support and sysctl support (under "General
Options").

If you are using a 2.2.x kernel, also bear in mind that IP forwarding
has to be enabled for IP masquerading to work; you can enable forwarding
with

    # echo "1" > /proc/sys/net/ipv4/ip_forward

and see if it is enabled with

    # cat /proc/sys/net/ipv4/ip_forward

This step is not relevant to 2.0.x kernels; if they have forwarding
enabled at compile time then it is enabled.

Finally, here are the ipchains rules that perform masquerading on my
machine, running kernel 2.2.14:

    # /sbin/ipchains -L -n
    Chain input (policy DENY):
    target     prot opt     source                destination           ports
    ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a
    ACCEPT     all  ------  192.168.1.0/24        0.0.0.0/0             n/a
    ACCEPT     all  ------  0.0.0.0/0             203.55.241.211        n/a
    DENY       all  ----l-  192.168.1.0/24        0.0.0.0/0             n/a
    Chain forward (policy DENY):
    target     prot opt     source                destination           ports
    MASQ       all  ------  192.168.1.0/24        0.0.0.0/0             n/a
    Chain output (policy DENY):
    target     prot opt     source                destination           ports
    ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a
    ACCEPT     all  ------  0.0.0.0/0             192.168.1.0/24        n/a
    ACCEPT     all  ------  203.55.241.211        0.0.0.0/0             n/a
    DENY       all  ----l-  0.0.0.0/0             192.168.1.0/24        n/a
    #

I use the ipmasq package to do this for me; I'm using version 3.2.5,
which seems to work here.
The only extra tweaking I've done (AFAICR) is to add the line

    modprobe ip_masq_ftp

to the end of /etc/ppp/ip-up.d/00ipmasq; you may want to load the
modules (if any) for the protocols you require there, also.

Good luck,

John P.
--
[EMAIL PROTECTED] [EMAIL PROTECTED]
"Oh - I - you know - my job is to fear everything." - Bill Gates in Denmark
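The checks described in the message above, collected into one shell function. This is an added example, not part of the original message or of the ipmasq package. It assumes the 2.2.x config symbols CONFIG_FIREWALL, CONFIG_IP_FIREWALL, CONFIG_IP_MASQUERADE, CONFIG_PROC_FS and CONFIG_SYSCTL for the options named in the message; the function names and the sample tree are constructed for illustration.

```shell
# Added example. make_sample_root builds a constructed directory tree that
# stands in for a stock 2.2.14 install with forwarding switched off.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/boot" "$r/lib/modules/2.2.14/ipv4" "$r/proc/sys/net/ipv4"
    printf '%s\n' CONFIG_FIREWALL=y CONFIG_IP_FIREWALL=y \
        CONFIG_IP_MASQUERADE=y CONFIG_PROC_FS=y CONFIG_SYSCTL=y \
        > "$r/boot/config-2.2.14"
    : > "$r/lib/modules/2.2.14/ipv4/ip_masq_ftp.o"
    echo 0 > "$r/proc/sys/net/ipv4/ip_forward"
    echo "$r"
}

# check_masq_prereqs ROOT KVER
#   ROOT  filesystem root to inspect ("/" for the running system)
#   KVER  kernel version, e.g. 2.2.14
# Prints one line per check and returns 0 only if nothing is missing.
check_masq_prereqs() {
    root=${1%/}; kver=$2; rc=0
    cfg="$root/boot/config-$kver"
    if [ -r "$cfg" ]; then
        # Options must be built in (=y) or modular (=m).
        for opt in CONFIG_FIREWALL CONFIG_IP_FIREWALL CONFIG_IP_MASQUERADE \
                   CONFIG_PROC_FS CONFIG_SYSCTL; do
            if grep -q "^$opt=[ym]\$" "$cfg"; then
                echo "ok       $opt"
            else
                echo "MISSING  $opt"; rc=1
            fi
        done
    else
        echo "note     $cfg not found; cannot check the kernel configuration"
    fi
    # Protocol helper modules such as ip_masq_ftp.o live here on 2.2.x.
    set -- "$root/lib/modules/$kver/ipv4"/ip_masq_*.o
    if [ -e "$1" ]; then
        echo "ok       $# ip_masq module(s) found"
    else
        echo "MISSING  ip_masq_*.o under $root/lib/modules/$kver/ipv4"; rc=1
    fi
    # Masquerading on 2.2.x does nothing until forwarding is switched on.
    if [ "$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null)" = 1 ]; then
        echo "ok       ip_forward is 1"
    else
        echo "OFF      ip_forward is not 1"; rc=1
    fi
    return $rc
}
```

On a live 2.2.x machine the call would be `check_masq_prereqs / 2.2.14`; the sample tree lets the function be tried without one.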

