# Forwarding, flush and set default policy of deny. Actually
# is irrelevant because there is a catch all rule with deny and
ipchains -F forward
ipchains -P forward DENY
# Masquerade from local net on local interface to anywhere.
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
# catch all rule, all other forwarding is denied and logged.
pity there is no
# log option on the policy but this does the job instead.
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
#End of file.
With IPCHAINS, you can block traffic to a particular site using
"output", and "forward" rules. Remember that
the set of rules are scanned t op
to bottom and "-A" means "append" to the
existing set of rules. So with this
in mind, any specific restrictions need to come bef ore global
Using "input" rules: Probably the fastest but it
only stops the local
machines, the firewall itself can still access the "forbidden"
site. Of course
you might want to allow that combination.
In the /etc/rc.d/rc.firewall ruleset:
... start of "input" rules ...
# reject and log local interface, local machines going to
/sbin/ipfwadm -I -a reject -V 192.168.0.1 -S 192.168.0.0/24 -D
# local interface, local machines, going anywhere is valid
/sbin/ipfwadm -I -a accept -V 192.168.0.1 -S 192.168.0.0/24 -D
... end of "input" rules ...
Using "output" rules. Slowest because the packets
go through masquerading
first but this rule even stops the firewall accessing the forbidden
... start of "output" rules ...
# reject and log outgoing to 188.8.131.52
/sbin/ipfwadm -O -a reject -V $ppp_ip -S $ppp_ip/32 -D 184.108.40.206/32
# anything else outgoing on remote interface is valid
/sbin/ipfwadm -O -a accept -V $ppp_ip -S $ppp_ip/32 -D 0.0.0.0/0
... end of "output" rules ...
Using "forward" rules. Probably slower than "input"
and this still only stops
masqueraded machines (i.e. internal), firewall can still get
... start of "forward" rules ...
# Reject and log from local net on PPP interface to 220.127.116.11.
/sbin/ipfwadm -F -a reject -W ppp0 -S 192.168.0.0/24 -D 18.104.22.168/32
# Masquerade from local net on local interface to anywhere.
/sbin/ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0
... end of "forward" rules ...
No need for a special rule to allow 192.168.0.0/24 to go to 22.214.171.124,
covered by the global rules.
Unlike IPFWADM, there is only one way of coding the interfaces
in the above
rules. IPCHAINS uses the "-i eth0" option. The "-V"
IPFWADM method was phased
out with the imgration to IPCHAINS but for IPFWADM users, its
and documentation more than anything.
- Dial-on-Demand Connections
If you would like to setup your network to automatically dial
up the Internet,
either the Diald demand dial-up or new versions of the PPPd packages
of great utility. Diald is the recommended solution due to its
Once Diald and IP Masq have been setup properly, any MASQed
that initiate a web, telnet or ftp session will make the Linux
bring up its Internet link.
There is a timeout that will occur with the first connection.
inevitable if you are using analog modems. The time taken to
modem link and the PPP connections may cause your client program
etc.). This isn't common though. If this does happen, just retry
traffic request (say a WWW page) again and it should come up
fine. You can
also try setting echo "1" > /proc/sys/net/ipv4/ip_dynaddr
kernel option to
help with this initial setup.
- ICQ on IP masq
You can use ICQ by using a new ICQ Masq modile or use IPPORTFW.
With the first
option you'll be able to set up multiple ICQ users behind a masq
you won't need to make any special changes to the ICQ client.
now support real-time chat and file transfer. You'll find that
this is the
better choice to get ICQ working behind a masq server.
With the second option, IPPORTFW, you'll have to make some changes
linux and ICQ, but it will work just fine. Do as follows:
You need to have your linux kernel runing with IPPORTFW enabled.
Next, add, tou your /etc/rc.d/rc.firewall file, this: (10.1.2.3
external IP adress) and internal will be 192.168.0.10:
Example #1 -- /usr/local/sbin/ipportfw -A -t10.1.2.3/2000
/usr/local/sbin/ipportfw -A -t10.1.2.3/2001 -R 192.168.0.10/2001
/usr/local/sbin/ipportfw -A -t10.1.2.3/2002 -R 192.168.0.10/2002
/usr/local/sbin/ipportfw -A -t10.1.2.3/2003 -R 192.168.0.10/2003
/usr/local/sbin/ipportfw -A -t10.1.2.3/2004 -R 192.168.0.10/2004
/usr/local/sbin/ipportfw -A -t10.1.2.3/2005 -R 192.168.0.10/2005
/usr/local/sbin/ipportfw -A -t10.1.2.3/2006 -R 192.168.0.10/2006
/usr/local/sbin/ipportfw -A -t10.1.2.3/2007 -R 192.168.0.10/2007
/usr/local/sbin/ipportfw -A -t10.1.2.3/2008 -R 192.168.0.10/2008
/usr/local/sbin/ipportfw -A -t10.1.2.3/2009 -R 192.168.0.10/2009
/usr/local/sbin/ipportfw -A -t10.1.2.3/2010 -R 192.168.0.10/2010
/usr/local/sbin/ipportfw -A -t10.1.2.3/2011 -R 192.168.0.10/2011
/usr/local/sbin/ipportfw -A -t10.1.2.3/2012 -R 192.168.0.10/2012
/usr/local/sbin/ipportfw -A -t10.1.2.3/2013 -R 192.168.0.10/2013
/usr/local/sbin/ipportfw -A -t10.1.2.3/2014 -R 192.168.0.10/2014
/usr/local/sbin/ipportfw -A -t10.1.2.3/2015 -R 192.168.0.10/2015
/usr/local/sbin/ipportfw -A -t10.1.2.3/2016 -R 192.168.0.10/2016
/usr/local/sbin/ipportfw -A -t10.1.2.3/2017 -R 192.168.0.10/2017
/usr/local/sbin/ipportfw -A -t10.1.2.3/2018 -R 192.168.0.10/2018
/usr/local/sbin/ipportfw -A -t10.1.2.3/2019 -R 192.168.0.10/2019
/usr/local/sbin/ipportfw -A -t10.1.2.3/2020 -R 192.168.0.10/2020
while [ $port -le 2020 ]
/usr/local/sbin/ipportfw -A t10.1.2.3/$port -R 192.168.0.10/$port
That was for a 2.0.x kernel, the next is for 2.2.x with IPCHAINS
Example #1 --
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2000 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2001 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2002 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2003 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2004 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2005 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2006 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2007 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2008 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2009 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2010 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2011 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2012 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2013 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2014 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2015 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2016 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2017 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2018 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2019 -R
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2020 -R
while [ $port -le 2020 ]
/usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 $port
Once your new rc.firewall is ready, reload the ruleset to
make sure things are
ok by simple typing in "/etc/rc.d/rc.firewall". If
you get any errors, you
either don't have IPPORTFW support in the kernel or you made
a typo in the
Now, in ICQ's Preferences-->Connection, configure it to
be "Behind a LAN" and
"Behind a firewall or Proxy". Now, click on "Firewall
Settings" and configure
it to be "I don't use a SOCK5 proxy". Also note that
it was repviously
recommended to change ICQ's "Firewall session timeouts"
to "30" seconds BUT
many users have found that ICQ becomes unreliable. It has been
found that ICQ
is more reliable with its stock timeout setting (don't enable
that ICQ option)
and simply change MASQ's timeout to 160 seconds. You can see
how to change
this timeout in the rc.firewall-2.0.x and rc.firewall-2.2.x rulesets.
click on Next and configure ICQ to "Use the following TCP
listen ports.." from
"2000" to "2020". Now click done.
Now ICQ will tell you that you have to restart ICQ for the changes
effect. To be honest, I had to REBOOT the Windows9x machine to
get things to
work right but other people say otherwise. So.. try it both ways.
It should also be noted that one user told me that simply
4000 to his ICQ machine worked best. He reported that everything
(chat, file transfers, etc) WITHOUT re-configuring ICQ from its
settings. Your mileage might vary on this topic but I though
you might like to
hear about this alternative configuration.
[Editor: I've spoken with the author of micq (Matt somebody,
I can't recall
his late name right now). He said that ICQ messages use port
His program works with just the one port. To do chat and file
reportedly you need the 2000's open. According to microsoft,
ICS, you need to open 2000-4000, but this sounds to me to be
Does IP Masquerade work with dynamically assigned IP addresses?
Yes, it works with either dynamic IP addressed assigned by your
ISP via either
PPP or a DHCP/BOOTp server. As long as you have an valid Internet
it should work. Of course, static IP works too. Yet, if you plan
implementing a strong IPFWADM/IPCHAINS ruleset and/or plan on
using a Port
forwarder, your ruleset will have to be re-executed everytime
your IP address
Can I use a cable modem (both bi-directional and with modem
satellite link, etc. to connect to the Internet and use IP Masquerade?
Yes, as long as Linux supports that network interface, it should
Can I use Diald or the Dial-on-Demand feature of PPPd with
Definitely! IP Masquerading is totally transparent to Diald or
PPP. The only
thing that might become an issue is if you use STRONG firewall
dynamic IP addresses
How can I get IP Masquerade running on Redhat, Debian, Slackware,
No matter what Linux distribution you have, the procedures for
setting up IP
Masquerade mentioned in this HOWTO should apply. Some distributions
GUI or special configuration files that make the setup easier.
MASQed FTP clients don't work.
Check to see that the "ip_masq_ftp" module is loaded.
To do this, log into the
MASQ server and run the command "/sbin/lsmod". If you
don't see the
"ip_masq_ftp" module loaded, make sure that you followed
/etc/rc.d/rc.firewall recommendations found in firewall-examples
you are implimenting your own ruleset, make sure you at include
most of the
examples from the HOWTO or you will have lots of continuing problems.
I'm getting "kernel: ip_masq_new(proto=UDP): no free
ports." in my SYSLOG
files. Whats up?
One of your internal MASQed machine is creating an abnormally
high number of
packets destined for the Internet. As the IP Masq server builds
the MASQ table
and forwards these packets out over the Internet, the table is
filling. Once the table is full, it will give you this error.
The only application that I known that temporarily creates this
situation is a
gaming program called "GameSpy". Why? Gamespy builds
a server list and then
pings all of the servers in the list (1000s of game servers).
By creating all
these pings, it creates 10,000s of quick connections in a VERY
Until these sessions timeout via the IP MASQ timeouts, the MASQ
So what can you do about it? Realistically, don't use programs
that do things
like this. If you do get this error in your logs, find it and
stop using it.
If you really like GameSpy, just don't do a lot of server refreshes.
Regardless, once you stop running this MASQ'ed program, this
MASQ error will
go away as these connections timeout in the MASQ tables.
Enogh... ok, I think I coverd most IP MASQ topics... any comments,
questions, or whatever, please ask me. Though I don't have a
lot of free time
I'll try to answer the questions. OK, feedback to firstname.lastname@example.org.
This is a list devoted to *legal* hacking! If anyone plans
to use any
information in this Digest or at our Web site to commit crime,
away! We like to put computer criminals behind bars where they