Linux IP Masquerade HOWTO
Prev
Chapter 2. Background Knowledge
Next
2.6. Requirements for IP Masquerade on Linux 2.4.x
" ** Please refer to IP Masquerade Resource for the latest information. ** "
The newest 2.4.x kernels are now using both a completely new TCP/IP network stack as well as a new NAT sub-system called NetFilter. Within this NetFilter suite of tools, we now have a tool called IPTABLES for the 2.4.x kernels much like there was IPCHAINS for the 2.2.x kernels and IPFWADM for the 2.0.x kernels. The new IPTABLES system is far more powerful (combines several functions into one place like true NAT functionality), offers better security (stateful inspection), and better performance with the new 2.4.x TCP/IP stack. But this new suite of tools can be a bit complicated in comparison to older generation kernels. Hopefully, if you follow along with this HOWTO carefully, setting up IPMASQ won't be too bad. If you find anything unclear, downright wrong, etc. please email David about it.
Unlike the migration to IPCHAINS from IPFWADM, the new NetFilter tool has kernel modules that can actually support older IPCHAINS and IPFWADM rulesets with minimal changes. So re-writing your old MASQ or firewall ruleset scripts is not longer required. BUT.. with the 2.4.x kernels, you cannot use the old 2.2.x MASQ modules like ip_masq_ftp, ip_masq_irc, etc. AND IPCHAINS is incompatible with the new IPTABLES modules like ip_conntrack_ftp, etc. So, what does this mean? It basically means that if you want to use IPMASQ or PORTFW functionality under a 2.4.x kernel, you shouldn't use IPCHAINS rules but IPTABLES ones instead. Please also keep in mind that there might be several benefits in performing a full ruleset re-write to take advantage of the newer IPTABLES features like stateful tracking, etc. but that is dependant upon how much time you have to migrate your old rulesets. Please see Section 7.40 for additional details.
Some new 2.4.x functionalities include the following:
PROs:
Lots of new protocols modules like: amanda, eggdrop, ipsec, ipv6, portscan, pptp, quota, rsh, talk, and tftp
TRUE 1:1 NAT functionality for those who have TCP/IP addresses and subnets to use (no more iproute2 commands)
Stateful application level (FTP, IRC, etc.) and stateful protocol level (TCP/UDP/ICMP) network traffic inspection
Built-in PORT Forwarding (no more ipmasqadm or ipportfw commands)
The built-in PORTFW'ing support works for both external and internal traffic. This means that users that have PORTFW for external traffic and REDIR for internal port redirection do not need to use two tools any more!
PORT Forwarding of FTP traffic to internal hosts is now completely supported and is handled in the conn_trak_ftp module
Full Policy-Based routing features (source-based TCP/IP address routing)
Compatibility with Linux's FastRoute feature for significantly faster packet forwarding (a.k.a Linux network switching).
Note that this feature is still not compatible with packet filtering for strong firewall rulesets.
Fully supports TCP/IP v4, v6, and even DECnet (ack!)
Supports wildcard interface names like "ppp*" for serial interfaces like ppp0, ppp1, etc
Supports filtering on both input and output INTERFACES (not just IP addresses)
Source Ethernet MAC filtering
Denial of Service (DoS) packet rate limiting
Packet REJECTs now have user-selectable return ICMP messages
Variable levels of logging (different packets can go to different SYSLOG levels)
Other features like traffic mirroring, securing traffic per login, etc.
CONs:
Netfilter is an entirely new architechure thus most
* License
