What's New!

Chat with

How to Defend
Your Computer 

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests (old stuff) 

Hacker Links 


Meet the 
Happy Hacksters 

Help for 



It Sucks 
to Be Me!

How to Commit
Computer Crime (not)! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

Google Groups
Subscribe to Happy Hacker
Visit this group

# Forwarding, flush and set default policy of deny. Actually the default
# is irrelevant because there is a catch all rule with deny and log.
ipchains -F forward
ipchains -P forward DENY

# Masquerade from local net on local interface to anywhere.
ipchains -A forward -i $extint -s $intnet -d -j MASQ
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
ipchains -A forward -s -d -l -j REJECT

#End of file.
With IPCHAINS, you can block traffic to a particular site using the "input",
"output", and "forward" rules. Remember that the set of rules are scanned t op
to bottom and "-A" means "append" to the existing set of rules. So with this
in mind, any specific restrictions need to come bef ore global rules. For

Using "input" rules: Probably the fastest but it only stops the local
machines, the firewall itself can still access the "forbidden" site. Of course
you might want to allow that combination.


In the /etc/rc.d/rc.firewall ruleset:

... start of "input" rules ...

# reject and log local interface, local machines going to
/sbin/ipfwadm -I -a reject -V -S -D -o

# local interface, local machines, going anywhere is valid
/sbin/ipfwadm -I -a accept -V -S -D

... end of "input" rules ...

Using "output" rules. Slowest because the packets go through masquerading
first but this rule even stops the firewall accessing the forbidden site.


... start of "output" rules ...

# reject and log outgoing to
/sbin/ipfwadm -O -a reject -V $ppp_ip -S $ppp_ip/32 -D -o

# anything else outgoing on remote interface is valid
/sbin/ipfwadm -O -a accept -V $ppp_ip -S $ppp_ip/32 -D

... end of "output" rules ...
Using "forward" rules. Probably slower than "input" and this still only stops
masqueraded machines (i.e. internal), firewall can still get to forbidden


... start of "forward" rules ...

# Reject and log from local net on PPP interface to
/sbin/ipfwadm -F -a reject -W ppp0 -S -D -o

# Masquerade from local net on local interface to anywhere.
/sbin/ipfwadm -F -a masquerade -W ppp0 -S -D

... end of "forward" rules ...
No need for a special rule to allow to go to, it is
covered by the global rules.

Unlike IPFWADM, there is only one way of coding the interfaces in the above
rules. IPCHAINS uses the "-i eth0" option. The "-V" IPFWADM method was phased
out with the imgration to IPCHAINS but for IPFWADM users, its personal choice
and documentation more than anything.


- Dial-on-Demand Connections


If you would like to setup your network to automatically dial up the Internet,
either the Diald demand dial-up or new versions of the PPPd packages will be
of great utility. Diald is the recommended solution due to its more granular

Once Diald and IP Masq have been setup properly, any MASQed client machines
that initiate a web, telnet or ftp session will make the Linux box dynamically
bring up its Internet link.

There is a timeout that will occur with the first connection. This is
inevitable if you are using analog modems. The time taken to establish the
modem link and the PPP connections may cause your client program (WWW browser,
etc.). This isn't common though. If this does happen, just retry that Internet
traffic request (say a WWW page) again and it should come up fine. You can
also try setting echo "1" > /proc/sys/net/ipv4/ip_dynaddr kernel option to
help with this initial setup.


- ICQ on IP masq

You can use ICQ by using a new ICQ Masq modile or use IPPORTFW. With the first
option you'll be able to set up multiple ICQ users behind a masq server, and
you won't need to make any special changes to the ICQ client. 2.2.x versions
now support real-time chat and file transfer. You'll find that this is the
better choice to get ICQ working behind a masq server.
With the second option, IPPORTFW, you'll have to make some changes to both
linux and ICQ, but it will work just fine. Do as follows:
You need to have your linux kernel runing with IPPORTFW enabled.
Next, add, tou your /etc/rc.d/rc.firewall file, this: ( asummed as
external IP adress) and internal will be

Example #1 -- /usr/local/sbin/ipportfw -A -t10.1.2.3/2000 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2001 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2002 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2003 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2004 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2005 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2006 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2007 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2008 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2009 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2010 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2011 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2012 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2013 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2014 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2015 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2016 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2017 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2018 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2019 -R
/usr/local/sbin/ipportfw -A -t10.1.2.3/2020 -R --
Example #2
while [ $port -le 2020 ]
/usr/local/sbin/ipportfw -A t10.1.2.3/$port -R$port

That was for a 2.0.x kernel, the next is for 2.2.x with IPCHAINS

Example #1 --
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2000 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2001 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2002 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2003 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2004 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2005 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2006 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2007 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2008 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2009 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2010 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2011 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2012 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2013 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2014 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2015 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2016 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2017 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2018 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2019 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 2020 -R
Example #2
while [ $port -le 2020 ]
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L $port -R $port

Once your new rc.firewall is ready, reload the ruleset to make sure things are
ok by simple typing in "/etc/rc.d/rc.firewall". If you get any errors, you
either don't have IPPORTFW support in the kernel or you made a typo in the
rc.firewall file.

Now, in ICQ's Preferences-->Connection, configure it to be "Behind a LAN" and
"Behind a firewall or Proxy". Now, click on "Firewall Settings" and configure
it to be "I don't use a SOCK5 proxy". Also note that it was repviously
recommended to change ICQ's "Firewall session timeouts" to "30" seconds BUT
many users have found that ICQ becomes unreliable. It has been found that ICQ
is more reliable with its stock timeout setting (don't enable that ICQ option)
and simply change MASQ's timeout to 160 seconds. You can see how to change
this timeout in the rc.firewall-2.0.x and rc.firewall-2.2.x rulesets. Finally,
click on Next and configure ICQ to "Use the following TCP listen ports.." from
"2000" to "2020". Now click done.
Now ICQ will tell you that you have to restart ICQ for the changes to take
effect. To be honest, I had to REBOOT the Windows9x machine to get things to
work right but other people say otherwise. So.. try it both ways.

It should also be noted that one user told me that simply portforwarding port
4000 to his ICQ machine worked best. He reported that everything worked fine
(chat, file transfers, etc) WITHOUT re-configuring ICQ from its default
settings. Your mileage might vary on this topic but I though you might like to
hear about this alternative configuration.

[Editor: I've spoken with the author of micq (Matt somebody, I can't recall
his late name right now). He said that ICQ messages use port 4000/UDP, only.
His program works with just the one port. To do chat and file xfers,
reportedly you need the 2000's open. According to microsoft, writing about
ICS, you need to open 2000-4000, but this sounds to me to be a little

- FAQ's

Does IP Masquerade work with dynamically assigned IP addresses?
Yes, it works with either dynamic IP addressed assigned by your ISP via either
PPP or a DHCP/BOOTp server. As long as you have an valid Internet IP address,
it should work. Of course, static IP works too. Yet, if you plan on
implementing a strong IPFWADM/IPCHAINS ruleset and/or plan on using a Port
forwarder, your ruleset will have to be re-executed everytime your IP address

Can I use a cable modem (both bi-directional and with modem returns), DSL,
satellite link, etc. to connect to the Internet and use IP Masquerade?
Yes, as long as Linux supports that network interface, it should work.

Can I use Diald or the Dial-on-Demand feature of PPPd with IP MASQ?
Definitely! IP Masquerading is totally transparent to Diald or PPP. The only
thing that might become an issue is if you use STRONG firewall rulesets with
dynamic IP addresses

How can I get IP Masquerade running on Redhat, Debian, Slackware, etc.?
No matter what Linux distribution you have, the procedures for setting up IP
Masquerade mentioned in this HOWTO should apply. Some distributions may have
GUI or special configuration files that make the setup easier.

MASQed FTP clients don't work.
Check to see that the "ip_masq_ftp" module is loaded. To do this, log into the
MASQ server and run the command "/sbin/lsmod". If you don't see the
"ip_masq_ftp" module loaded, make sure that you followed the BASIC
/etc/rc.d/rc.firewall recommendations found in firewall-examples section. If
you are implimenting your own ruleset, make sure you at include most of the
examples from the HOWTO or you will have lots of continuing problems.

I'm getting "kernel: ip_masq_new(proto=UDP): no free ports." in my SYSLOG
files. Whats up?
One of your internal MASQed machine is creating an abnormally high number of
packets destined for the Internet. As the IP Masq server builds the MASQ table
and forwards these packets out over the Internet, the table is quickly
filling. Once the table is full, it will give you this error.
The only application that I known that temporarily creates this situation is a
gaming program called "GameSpy". Why? Gamespy builds a server list and then
pings all of the servers in the list (1000s of game servers). By creating all
these pings, it creates 10,000s of quick connections in a VERY short time.
Until these sessions timeout via the IP MASQ timeouts, the MASQ tables become
So what can you do about it? Realistically, don't use programs that do things
like this. If you do get this error in your logs, find it and stop using it.
If you really like GameSpy, just don't do a lot of server refreshes.
Regardless, once you stop running this MASQ'ed program, this MASQ error will
go away as these connections timeout in the MASQ tables.

Enogh... ok, I think I coverd most IP MASQ topics... any comments, sugestions,
questions, or whatever, please ask me. Though I don't have a lot of free time
I'll try to answer the questions. OK, feedback to nicolasb@pinos.com.



This is a list devoted to *legal* hacking! If anyone plans to use any
information in this Digest or at our Web site to commit crime, go
away! We like to put computer criminals behind bars where they belong!


 © 2013 Happy Hacker All rights reserved.