Ask Slashdot: IP Masquerading Drawbacks?
A Nameless Slashdotter submitted this question:
"IP Masquerading (NAT under FreeBSD) is straight from the Gods. Yet it has a few very large drawbacks, such as inability to do DCC or ICQ file transfers, or play games over the internet on one of the Masq'ed machines, even with the "irc" and "quake" masquerading modules loaded. Someone give me options to solve this problem, be it another operating system, a firewall setting, a program or setup!"
I have a masq box running kernel 2.2.10, and I can play Quake, do IRC, DCC, ICQ, etc. without any problems.
The only thing that doesn't seem to work is ICQ chat mode.
Big loss. AIM works fine.
--chaos
The only real problem I've faced with my IP masq setup is the inability to run the Tcl/Tk AOL Instant Messenger client. An easy solution is to run the client program on my router box (before masquerading kicks in) and export the display back to my main machine. Works great for just about any X app you want to use. Security concerns? Probably, but at least it works.
Quite often when NAT becomes the subject of debate, the question of standards arises. What standards define that TCP/IP-based applications cannot allocate dynamic ports? I'm asking because I don't know... Is there an RFC which defines this? I know for one FTP is a very NAT-unfriendly application (without PASV mode), yet most people aren't aware of it.... Just some food for thought.
I use Vicomsoft Internet Gateway 6.0.1 for the MacOS, and it works perfectly. I can play networked games with multiple machines on my network versus machines on the net simultaneously. ICQ works fine, as does every other program I've ever tried. I have yet to encounter a drawback to this program.
Weird. I have been using masq for 2 years now, using the masq_ftp module + active ftp or passive mode, and never had any problems with it. If you are having masq connections time out, you can increase the tcp connected timeout period, or connect to a server that isn't bogged down so badly.
There is a nice proxy-ish program called PhonePatch (get it here) which acts like a proxy for MS NetMeeting and other H.323 apps. They have Win32, Linux, FreeBSD, and Solaris versions. The NetMeeting support is transparent when using an ILS server but other H.323 applications may need to use the "switchboard".. I haven't tried it that much but it seems to work.
for f in /lib/modules/`uname -r`/ipv4/ip_masq_*; do
    echo "loading $f"
    modprobe "$f"
done
Are there any equivalent functionalities of ipautofw (in linux) in *BSD's NAT?
I've got IPNetRouter running on my Mac and I don't have any problems with anything. Of course, it's not free. But at $90 it wouldn't seem like it would be that big of a deal for a decent size network. Of course, it also requires a Mac :-)
Most *BSD guys will not be able to help you, since they don't know what ipautofw is.
From the name it sounds like a script that sets up basic firewalling. If this is true "mkfilters" will do the same; NetBSD stores this script in /usr/share/examples/ipf, there are a lot of other useful examples as well.
Read the man page and look at use_sockets and same_ports.
I hate to say 'works for me', but it does.
There's a NAT replacement called RSIP that's being talked up. Anybody know anything about it? It is supposed to avoid all of the app-specific problems with NAT.
I work for a non-profit ISP (volunteer really) that provides cheap dial service to our community in addition to corporate services for government and commercial institutions. We have a government charter that mandates us to provide this service.
This ISP is huge by "freenet" standards, but most of it is run by four people -- myself, the boss, a techie, and a clerical worker.
Long ago we made an architectural mistake that makes maintenance very labour-intensive. (Lots of console sitting. Guess which OS is present.) We are short on time and resources. We would like to do other things.
I recently did an experiment where I surreptitiously inserted a MASQing Linux box into our existing authentication framework. Everybody was pleased with the results. (Well, all three of us.) Many real IP addresses can be recovered for other things.
(Introducing Linux is part of my evil plan to turn the whole ISP into a lights-out one-guy-at-home-in-underwear operation.)
I indicated that changing everybody to MASQed addresses might break many user applications.
The Linux demo was downright spanky though -- perhaps too much for its own good. The boss said he would be willing to switch most of our critical facilities over to Linux computers and tell those (hopefully few) inconvenienced users to bugger off.
If too many users must bugger off, then this is a bad thing. Anybody tried to pull something like this before? What quantity of users would be inconvenienced? (How many would understand what has changed?)
Also, for Linux evangelism, it is best to just go ahead and use the Linux system. Smart people clue in quickly when it appears.
Couldn't you/we/I write a daemon to forward connections from the masq server to other machines on the local net based upon the name used to connect to the masq server?
straylight@softhome.net for any personal replies, suggestions, or offers of help if someone hasn't already done this.
Ok, you can all yell at me now, but here is what I have to say on the subject. When I built my Linux box I was also handed the requirement that we wanted to be able to access the internet from our Win95 machine and my Linux box. I found a wonderful product that has a network hub and network router built in. I bought the WebRamp 710i. It's got two built-in 56K modems, with COLT support and all that jazz, but I haven't had ANY problems doing DCCs, playing Quake Team Fortress, Quake II, StarCraft, or any of these other things. No special configurations, nothing. Just plug it in, configure the 'net and you're done. It even has a nice DHCP server built in. If you're looking for something that will give you access like this, go look at what WebRamp has to offer; it's kinda pricey but it works sweet.
"What does the red button do?" - Last 10 seconds of life
From the question and most replies it's not clear to me if we are talking here about a 1:1 NAT, that is, "exporting" most ports from the firewall to one machine inside the net, or n:m (n>m), i.e. dozens of hosts share a few external IP#.
The first is quite simple to realise; the latter has the drawback that only connections coming from the inside work flawlessly, since the address translator can build up a table this way. For connections coming from the outside you can only set up static redirection rules (to your mail/webserver e.g.)
I think that's the reason some functions of ICQ and DCC don't work (those where somebody is trying to connect to the NATed host directly.)
The only solution for ICQ/IRC is (IMHO) SOCKS, a general IP proxy, see http://www.socks.nec.com/
AFAIK ICQ supports socks and since most IRC clients are open source it should be no big pain even for the inexperienced coder to SOCKSify the source. (A HowTo comes with SOCKS.)
http://neurosis.hungry.com/~ben/software/home-network.html
The "name" (if there is one) is going to be at the protocol level rather than at the IP level. Some things like FTP don't even pass the name of the desired target over the connection. Virtual FTP always needs a separate IP for each host. HTTP has only recently officially supported non-IP based hosting by sending the "Host: " header to the server. With Apache and the ProxyPass directive, it would be possible to redirect incoming connections to an internal http server depending on what hostname was requested. There is a program called PhonePatch (see my previous post) which does the same thing but with MS NetMeeting. I'm sure there are others which work for various applications.
> I don't know what version of IP Masquerading you are using, but I have been able to do all of
> these things which you mentioned. I both send and receive DCCs quite often and I have yet to find a feature of ICQ that I have not been able to use.
You must have basically a one-to-one NAT setup; this (receiving DCC) just can't work if you are doing NAT for a whole subnet. There are mathematical reasons for it: A DCC request can come from an IP number the translating router has never seen before in his life (i.e. since boot) so he can't make a decision as to which internal host he has to forward this packet. You can make an "else send to my workstation" rule, but this is not possible (or fair) if you share this subnet with other users.
Bullshit. DEC Multias are worthless. They are about the most poorly engineered workstation I have seen. Avoid them like the plague unless you just want the RAM or that laptop sized SCSI out of them. The rest of the unit is pretty much junk. They overheat and there is a defect in the case. The tab on the bottom of the case breaks off a chip capacitor which is a bear to replace because it usually takes the solderpad with it. Oh yes, not to mention the lame M$ ARC garbage firmware. As much as I like(d) Digital (I hate Compaq) stuff those multias are as worthless as tits on a boar hog. Go with an old SPARCstation IPC or IPX running OpenBSD or NetBSD but do heed my advice about the Multias.
I've never had a problem with DCC, Quake, etc. The ONLY grudge i have with IP Masq is that some ftp connections require passive mode when connecting from a masq'd machine. But this is minor :)
TR
tim@theshiz.net
I have NO problems playing EverQuest Online.....
I have no problems playing Quake I, II or III test.
I have no problems DCCing, send or receive.
I have NO problems playing CivCTP either.
Under Linux 2.2.10+, Debian, with masquerading, even when the server box was a FreeBSD STABLE 3.2 box with NAT or IPFilter.
Dunno what yer problem is, maybe you don't have it all set up right; read the docs, load all the MASQ modules, and set your ipchains rules correctly.
But I think when ip_masq_irc.o is loaded, it looks at the packet going out, and it rewrites the packet to come from its address and an open port. When the DCC comes in, it redirects it to the masqued machine. At least that's how I think it works... I've never used IRC before.
ipautofw is a Linux kernel option that deals with applications such as ICQ, RealAudio, etc.
These programs have a common characteristic: they send out packets on one control port but expect to receive packets on a different port (or a range of ports).
For example, ICQ uses UDP port 4000 as its control port, but expects to receive packets on at least 11 different ports. RealPlayer uses port 7070 as its control port, but expects to receive packets on port range 6970-7170.
Besides regular NAT (or IP masquerading in Linux), ipautofw tells the kernel, for example, that if a client sends out packets on, say, 7070, he is expecting packets on port range 6970-7170, and if you receive packets on those ports, forward them to that client.
It is a really useful functionality to make various programs work with NAT. I was just wondering if *BSD's NAT has similar functionality.
I have used IPMasq on 2.0 and 2.2 kernels and haven't had any problems with the proper modules loaded. The only blip on the radar was when my wife needed streaming QT4 to work for her box. If you know that you only need that particular service to go to 1 machine, and you know the TCP/UDP ports it needs, you can just patch ipportfw into the 2.0 kernels or use port forwarding naturally with the 2.2 kernels.
Very straightforward stuff... I love it.
They are not meant to be workstations. They are supposed to be for low power clients, like an X terminal or just something to run Netscape on at a library.
Problems with FTP can easily be remedied with the convenient ip_masq_ftp.o module. With a basic install, it'll push any connections to port 21 through, though with a command-line parameter you can specify ftp connections to any remote port (list whichever ports you need):
    /sbin/insmod ip_masq_ftp.o ports=21,101,145
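What the ip_masq_ftp and ip_masq_irc modules mentioned in this thread do, as an added Python example that is not from any post here and not the kernel code: an application-layer gateway that spots the private address and port a LAN host embeds in an FTP PORT command or an IRC DCC SEND/CHAT request, substitutes the gateway's public address and a freshly reserved gateway port, and records which LAN host that gateway port belongs to so the later inbound connection can be handed to the right machine. The gateway address, LAN address, port numbers and the Expectations class are constructed for the example; the check that the embedded address is the LAN host's own is my design choice (it stops a LAN client from using the gateway's rewriting to open a hole to some other host), not a description of the kernel module.

```python
"""Added example: rewriting addresses embedded in FTP PORT and IRC DCC
commands, the job ip_masq_ftp and ip_masq_irc do for masqueraded hosts.
Addresses, ports and the Expectations table are constructed."""
import re

GATEWAY = "203.0.113.1"   # public address of the masq box (constructed)


def ip_to_int(ip):
    """Dotted quad -> 32-bit integer, the form DCC uses on the wire."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


class Expectations:
    """Minimal stand-in for the masq table: gateway port -> (lan_ip, lan_port)
    for inbound connections the gateway has been told to expect."""

    def __init__(self, first_port=61000):
        self.next_port = first_port
        self.expect = {}

    def reserve(self, lan_ip, lan_port):
        port, self.next_port = self.next_port, self.next_port + 1
        self.expect[port] = (lan_ip, lan_port)
        return port


# "PORT h1,h2,h3,h4,p1,p2" on the FTP control channel
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
# CTCP "DCC SEND name addr port [size]" / "DCC CHAT chat addr port"
DCC_RE = re.compile(rb"\x01DCC (SEND|CHAT) (\S+) (\d+) (\d+)(?: (\d+))?\x01")


def rewrite_ftp_port(line, lan_ip, table):
    """Active-mode FTP: the client announces where the server should
    connect back. Replace the private address with the gateway's."""
    m = PORT_RE.match(line)
    if not m:
        return line
    announced = ".".join(m.group(i).decode() for i in range(1, 5))
    if announced != lan_ip:        # only rewrite what this host says about itself
        return line
    lan_port = int(m.group(5)) * 256 + int(m.group(6))
    gw_port = table.reserve(lan_ip, lan_port)
    return b"PORT %s,%d,%d\r\n" % (
        GATEWAY.replace(".", ",").encode(), gw_port >> 8, gw_port & 0xFF)


def rewrite_irc_dcc(msg, lan_ip, table):
    """DCC SEND/CHAT carries the sender's address as a decimal 32-bit
    integer plus a port; substitute the gateway's and reserve the port."""
    def repl(m):
        kind, name, addr, port, size = m.groups()
        if int(addr) != ip_to_int(lan_ip):
            return m.group(0)
        gw_port = table.reserve(lan_ip, int(port))
        out = b"\x01DCC %s %s %d %d" % (kind, name, ip_to_int(GATEWAY), gw_port)
        if size is not None:
            out += b" " + size
        return out + b"\x01"
    return DCC_RE.sub(repl, msg)
```

Each rewrite leaves an entry in the table that a real gateway would turn into a temporary inbound mapping for the data connection; the masq modules are keyed on the control port they watch (21 or 6667 by default), which is why a server on an unusual port needs the ports= parameter before any of this happens.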
But WHICH "masqued" machine? That's the whole point the poster was trying to make. If you have multiple machines on a network, routing through a single masquerading host, and the router receives a DCC packet, where does it send it? You simply can't run a server on a machine that's accessing the net by masquerading. Receiving files by DCC requires that your system act as a server.
IP masquerading works only when sessions are initiated by the client on the network. When you send out a packet through your router, it will associate one of its unused ports with that session and the client. It knows that all packets that come in on that port are to be forwarded to the client. When a session is initiated remotely though, it can't know where to send the packet on the local network.
The only possible solution is to configure the router so that when it doesn't know where to send, say, an incoming DCC request, it will automatically forward it to the local host x. If you just have a small home network and you know x will be the only host wanting to receive files by DCC, then this can work. But otherwise it won't.
In this day and age, you should never be setting your DISPLAY variable or using -display options except in very unusual circumstances. For day-to-day use, ssh is perfect with X: automatic, transparent, secure session forwarding with no need to set DISPLAY, run xhost, copy magic cookies around, or any of that stuff.
If you always use ssh to secure your X sessions, you will be a happy (and safe) X11 user.
Get it from ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.27.tar.gz. You'll be glad you did.
Actually, I'm aware of a complete answer that is from the lord himself. There is this program called IPNetRouter that you can download on www.download.com for the Macintosh. It allows you to run a server on a masqued box, use any program you want and everything else. Despite the name, it uses IP Masquing. Read up...
All it takes is a trivial proxy to run X across NAT.
http://neurosis.hungry.com/~ben/software/home-network.html has a link to one such proxy. There are many others.
Well, I have just no problem with ip_masq... DCC, ICQ, etc. work just fine (with the ip_masq special modules)... of course game servers or ftp servers on the localnet cannot be accessed, but there is a way to solve it using a simple datapipe program; it allows you to bind a local port on your gateway to a remote port on any machine on your private net... but erm! he cannot pass through the gateway:
-> for those who don't know
e.g.: Jack wants to telnet 192.168.1.66 on my localnet
    ./datapipe 999 23 192.168.1.66
Jack will access the localnet computer by telnetting to the gateway at port 999.
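The datapipe idea above and the name-based forwarding daemon asked about earlier in the thread, as one added Python example (not datapipe's code and not any poster's): a user-space forwarder that listens on one gateway port, peeks at the first bytes of each connection, and picks the internal host from the HTTP Host: header, falling back to a default host when there is none, which is what a plain datapipe does for every connection. The demo runs entirely on loopback; the backend servers, host names and ports are constructed for it.

```python
"""Added example: a user-space TCP forwarder in the spirit of datapipe,
running on the gateway and choosing the LAN machine for each connection
by the HTTP Host: header. Everything below runs on 127.0.0.1."""
import socket
import threading

BUF = 4096


def host_from_request(head):
    """Lowercased Host: value (without :port) from an HTTP request head,
    or None when the bytes carry no such header (non-HTTP traffic)."""
    for line in head.split(b"\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii", "replace").lower()
    return None


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(BUF)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Relay:
    """Listen on one gateway port; routes maps Host: names to (ip, port)."""

    def __init__(self, routes, default):
        self.routes, self.default = routes, default
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(8)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        client.settimeout(5)
        try:
            head = client.recv(BUF, socket.MSG_PEEK)   # peek: backend still gets the bytes
        except OSError:
            client.close()
            return
        target = self.routes.get(host_from_request(head), self.default)
        try:
            backend = socket.create_connection(target, timeout=5)
        except OSError:
            client.close()
            return
        back = threading.Thread(target=pump, args=(backend, client), daemon=True)
        back.start()
        pump(client, backend)
        back.join()
        backend.close()
        client.close()

    def close(self):
        self.listener.close()


def start_backend(tag):
    """Constructed stand-in for an internal web server naming itself."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            c.recv(BUF)
            c.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n" + tag)
            c.close()

    threading.Thread(target=serve, daemon=True).start()
    return ("127.0.0.1", srv.getsockname()[1])


def fetch(port, host):
    """One request through the relay; returns the whole response."""
    s = socket.create_connection(("127.0.0.1", port), timeout=5)
    s.sendall(b"GET / HTTP/1.0\r\nHost: " + host + b"\r\n\r\n")
    s.shutdown(socket.SHUT_WR)
    chunks = []
    while True:
        d = s.recv(BUF)
        if not d:
            break
        chunks.append(d)
    s.close()
    return b"".join(chunks)


def demo():
    www = start_backend(b"backend-www")
    mail = start_backend(b"backend-mail")
    relay = Relay({"www.example.test": www, "mail.example.test": mail}, default=www)
    try:
        return {
            "www": fetch(relay.port, b"www.example.test"),
            "mail": fetch(relay.port, b"mail.example.test"),
            "unknown": fetch(relay.port, b"other.example.test"),
        }
    finally:
        relay.close()
```

Because the relay terminates the TCP connection on the gateway and opens a second one inward, the backend sees the gateway's address as the client, and every byte crosses user space twice; that is the "slow and sluggish user-space style forwarding" a later reply contrasts with in-kernel ipautofw, and it is also why only protocols that name their target early in the stream (HTTP's Host: header here) can be dispatched this way.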
"Masquerading (NAT under FreeBSD) is straight from the Gods. Yet it has a few very large drawbacks, such as inability to do DCC or ICQ file transfers, or play games over the internet"... "Someone give me options to solve this problem, be it another operating system, a firewall setting, a program or setup!"
;)
Actually, why are you using NAT? If you are afraid of being attacked, why not just shut down all your unused services and patch your FreeBSD kernel and used services to the safest and most stable level?
When you put in a firewall or NAT, restricted access is usually an intentional result. In most firewall environments I've seen, the "inability" to do ICQ, Quake, games over the internet is a desirable feature.
In certain cases where custom services are required you can often get away with using a static address translation and adjusting the filters accordingly. However, this means you need more than one visible external IP address.
If you only have a single visible IP address, you're often out of luck because many "proprietary 3D interactive multimedia internet applications"[1] can only deal with a single user per IP; most of those proprietary network protocols can't deal with multiple users per IP.
So even if NAT/the firewall has custom modules, only a single host behind it can access that app at a time.
Cheerio,
Link.
[1] netgames
Yup, IPNetRouter (sustworks.com) is indeed much better than VIG... I've had it running for 2 months now on a 2nd-gen PowerMac (7500/120) and it's rock solid and the performance is great. Since OpenTransport uses Mentat STREAMS it can be configured dynamically (on-the-fly filter table updates, etc.) and allows apps like IPNetRouter to provide an easier interface to the underlying capabilities that aren't advertised enough (who knew Macs had multihoming built in?).
:)
Anyways, great product, proud to say I paid for it with a big smile on my face... and if you're a version junkie, Peter puts out regular betas, sometimes weekly, with new features all the time.
There is an excellent software package called IPRouter at http://ww.mischler.com/iproute that works on 286s and up machines. It requires a minimum of one 5 1/4" drive (1.2 MB), 640k RAM and two network interfaces (2 NICs or a NIC and a modem). It comes with very good documentation on firewalls and NAT. It costs only $50.
I've been using it for the past 3 years on an old 386SX 16 MHz machine (1 MB ram, 5 1/4" floppy, monochrome monitor, no hard-drive) with two NICs with NAT and firewall filtering without any problems. I have about 40 PCs hidden behind it and there has never been any complaints about the throughput.
One big advantage is that you cannot telnet into it or crash it - pretty well hacker proof.
Maybe worth looking at for those of you who have some old PCs kicking around.
Use that if you don't mind a slow and sluggish user-space style forwarding. I much rather let the kernel do it with ipautofw.
:) )
My two cents about the whole masq thing:
I've been using IP masquerading for over 3 years now. There's nothing I can't do behind it, including quake/starcraft/irc+dcc/ftp.
Certain things require a little coaxing to run, like StarCraft. For other apps, people have to realize how masquerade modules work. The ftp masq module will only 'listen in and correct' connections to port 21, unless you load the module with another port.
What I do is load a new ftp module per port, so you can easily kill it, even if another ftp is using a different port:
    insmod ip_masq_ftp ports=7721 -o ip_masq_ftp_7721
Same for irc. You load ip_masq_irc, and irc to port 6669 or any other non-6667 port, and it won't do anything. You have to specify the extra port. (In irc's case, I have no idea. I use telnet and irc in Linux.)
I also think ip_masq_quake is for Quake 1 only, isn't it? Quake 2/3 work great without any extra setup.
Battle.net (starcraft/broodwar) was a big pain. At least for 2.0 kernels, haven't tried it in 2.2 yet. If anyone who is working on the masquerade kernel code is reading this, can someone fix it:
Here's the problem with battle.net. When a SC client contacts bnet, it needs to recv a packet, UDP style on 6112, and then reply to it. This tells bnet you're talking fine, and lets bnet set that idiotic chat lag meter thing. That's no big deal, one ipautofw allows ONE masq client to play. Problem 2: The masq client tries to join a game. It sends a UDP hello over to the host of the game.
From my_ip:6112 to host_ip:host_port. Linux translates that "coming from port 6112" to a new port, let's say 50001. That's listed in the masq table, "any data coming from mr.host:port TO 50001 should go to masq client". Game host then tells the other players: We have a new player at your_ip:50001 .. other players try to contact you on 50001, linux gets data coming from a strange ip for 50001, and says WTF, this doesn't match my masq rule, and drops the packet. So the masq client never sees any data coming from OTHER players, only the host, which has its original communication setup. This causes SC to relay data via the host, which is slow as hell. Chat packets are only direct ip->ip for anti-snooping concerns, so chat is impossible.
My solution around this: I hacked up a masq module to change the "source port" to 6112 always. (I did it in a very ugly way, so never released it.) This allows the ipautofw to take the 6112 all the time, so no communication breakdowns.
The only other solution for battle.net is the masq client creates the game. That way all other game clients are contacting you (on your forwarded 6112), and you never run into the problem. (This whole thing only applies to battle.net, no other games.)
ack, why did I write this much. oh well.
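A toy model, added here and not part of any post, of why the cases discussed in this thread fail (a DCC arriving for a LAN behind one address, the third StarCraft player's packets) and what ipportfw, ipautofw and "keep the source port" each change. Outbound packets allocate an entry in a masquerade table keyed on the gateway port; an inbound packet is delivered only when it matches the remote address and port recorded in that entry (the address-dependent matching the 2.2 masquerade code used, which is what drops the third player's packets), when a static forward (ipportfw style) names a LAN host, or when an ipautofw style trigger has been armed by a LAN host sending from a control port. All addresses, ports and class names are constructed for the demo; same_ports is modelled on the natd option of that name and on the poster's hacked module.

```python
"""Toy masquerade table (added example; constructed addresses and ports)."""
from dataclasses import dataclass, field

GATEWAY = "203.0.113.1"   # the gateway's single public address (constructed)


@dataclass
class Masq:
    # keep a LAN host's source port on the outside when it is free (the
    # natd -same_ports idea, and what the hacked module above forced)
    same_ports: bool = False
    # ipautofw style triggers: (control_port, (lo, hi)); a LAN host that
    # sends from control_port claims inbound gateway ports lo..hi
    triggers: list = field(default_factory=list)
    next_port: int = 61000
    # gateway_port -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    # ipportfw style static rules: gateway_port -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)
    # armed triggers: (lo, hi) -> lan_ip
    owners: dict = field(default_factory=dict)

    def _alloc(self, wanted):
        if self.same_ports and wanted not in self.table:
            return wanted
        while self.next_port in self.table:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt):
        """LAN -> Internet. Returns the packet as seen on the outside."""
        src_ip, src_port, dst_ip, dst_port = pkt
        for gw_port, entry in self.table.items():
            if entry == pkt:                      # existing session
                return (GATEWAY, gw_port, dst_ip, dst_port)
        gw_port = self._alloc(src_port)
        self.table[gw_port] = pkt
        for ctl_port, rng in self.triggers:
            if src_port == ctl_port:              # arm (or take over) the trigger
                self.owners[rng] = src_ip
        return (GATEWAY, gw_port, dst_ip, dst_port)

    def inbound(self, pkt):
        """Internet -> gateway. Returns the packet as delivered on the LAN,
        or None when the gateway has no idea which LAN host wants it."""
        src_ip, src_port, _gw, gw_port = pkt
        entry = self.table.get(gw_port)
        if entry and (src_ip, src_port) == (entry[2], entry[3]):
            return (src_ip, src_port, entry[0], entry[1])   # reply to a session
        if gw_port in self.forwards:
            lan_ip, lan_port = self.forwards[gw_port]
            return (src_ip, src_port, lan_ip, lan_port)
        for (lo, hi), lan_ip in self.owners.items():
            if lo <= gw_port <= hi:
                return (src_ip, src_port, lan_ip, gw_port)
        return None


def demo():
    results = {}
    nat = Masq()
    # 1. ordinary client session: the reply matches, an unsolicited DCC does not
    nat.outbound(("192.168.1.10", 1025, "198.51.100.5", 80))
    results["reply"] = nat.inbound(("198.51.100.5", 80, GATEWAY, 61000))
    results["dcc_unsolicited"] = nat.inbound(("198.51.100.7", 4000, GATEWAY, 59000))
    # 2. an ipportfw rule rescues DCC, but only for the one host it names
    nat.forwards[59000] = ("192.168.1.10", 59000)
    results["dcc_forwarded"] = nat.inbound(("198.51.100.7", 4000, GATEWAY, 59000))
    # 3. battle.net: source port 6112 is rewritten to 61001; a third player
    #    who learnt "your_ip:61001" from the game host is dropped
    results["bnet_outside"] = nat.outbound(("192.168.1.11", 6112, "198.51.100.9", 6112))
    results["bnet_third_player"] = nat.inbound(("198.51.100.12", 6112, GATEWAY, 61001))
    # 4. keep the source port and arm an autofw trigger on 6112: now it works
    fixed = Masq(same_ports=True, triggers=[(6112, (6112, 6112))])
    fixed.outbound(("192.168.1.11", 6112, "198.51.100.9", 6112))
    results["bnet_fixed"] = fixed.inbound(("198.51.100.12", 6112, GATEWAY, 6112))
    # 5. a second LAN host starting the same game takes the trigger over,
    #    so only one player at a time, as the posts say
    results["second_host_outside"] = fixed.outbound(("192.168.1.12", 6112, "198.51.100.9", 6112))
    results["after_second_host"] = fixed.inbound(("198.51.100.13", 6112, GATEWAY, 6112))
    return results
```

Step 5 is the part worth noticing: the fix that makes one player work (a fixed port on the outside plus a trigger) is exactly what stops a second player on the same LAN, because a single public address has only one port 6112 to hand out.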
Control Panel ---> Add/Remove Programs ---> Windows Setup ---> Internet Tools ---> Internet Connection Sharing
I use Ballantain, a Linux-On-a-Floppy distro. The website is "www.linuxsupportline.com/~router". I run this baby on an old 486DX4/100, with 8 MB of RAM, a Network card and a 56K modem, no hard drive, no monitor, keyboard or mouse. It serves up internet connections to 3 other machines, and it works like a champ. I have not found anything it will not do, ICQ, AIM, Netmeeting, Quake, FTP, telnet, RealAudio. Took me all of 5 minutes to set it up and it hasn't been rebooted since. The guy who put this together is working on a new version which should work with cable modems as well.
Please note that Masquerading is only a subset of NAT. Masquerading as it is, is for outgoing connections only; NAT can do much more.
God help him if someone runs a remote root exploit against the Win98 box! Wait a minute.. there aren't any! Same thing as Linux with all the services disabled.
This is ENTIRELY the problem with NcFTP (2.4.x). It does something very weird with passive mode that a large number of the servers out there do not like, but the plain-jane ftp client will still do passive mode properly.
I am actually somewhat surprised that no one has mentioned simply setting up a host of stateful proxy applications for outgoing as well as incoming connections. TIS's Internet Firewall Toolkit (FWTK) provides an excellent toolset for connecting pipes every which way in a network. The RealAudio people make a program for it that proxies realaudio streams, which covers the bases for just about everything, since the newer players can be told about the proxy, but will only use it if the masquerading fails for some reason.
Apache itself can proxy for users internally and cache in a primitive fashion, and proxies FTP as well as HTTP. ICQ users should demand something more secure, rather than the slapped-together clustercode their protocol now uses. They should also consider using a SOCKS proxy and using the in-kernel firewalling (ipfwadm or ipchains) to block access to it from the outside in case of misconfiguration. For that matter, everything from 0 to 1024 should be blocked on general principle, and holes made for access from the outside to things which should be accessible from the outside. To this end, it's good that in pretty much every case the FWTK proxies as well as Apache make their outgoing connections on non-root ports, which simplifies firewalling dramatically. Hmm... I think I'm rambling a bit now.
Anyway, MOST of the tools I mentioned above will also LOG activity from inside the network, which is something a lot of people seem to ignore in their security policy. A company using masquerading can not use it, and use the Apache proxying module or FWTK to log accesses, to be reviewed by a script on a regular basis to ensure compliance with the company use policy. (I know this sounds Orwellian but it's not.) Of course, the sane way to handle it is to simply inform everyone about the policy politely, and only worry about extreme infractions that will trigger regexp searches done on the logs automatically. The logs do NOT need to be reviewed by an actual person on a regular basis, but only when the predefined trigger conditions (keywords like 'porn', 'teen', 'warez' showing up repeatedly in URLs) occur at a predetermined level to satisfy legal liabilities, without having to actually watch over them like a ghoul. Other events may occur which may require troubleshooting to be traced back to the network inside by an authorized system administrator, where serious liability may otherwise fall on the company.
I guess I'm partly arguing for more people to use stateful firewall proxies, because they can be made more secure (in particular, partially thwarting would be BO2K raiders) than masquerading machines. I'm not knocking BO2K either, because I'm basically itching for the linux clients to be using it on the few windows machines I do have to deal with, and I think it's great, but there will be lamers trying to use it blindly in email attachment bombs and whatnot soon enough.
To address one of the original topic points, the newer NcFTP 3.x doesn't have quite the same interface, but it's a hell of a lot easier to use when there's a firewall around, and its passive mode works fine on everything I've seen.
It's not the fault of Red Hat 6.0 it's a "feature" of the 2.2.10 kernel (so every distribution will have it, from that kernel version upwards, unless they change the default way of loading/unloading modules).
Also, Quake3 works because it's coded properly. A couple of hundred other games (Aliens vs. Predator, to name a single example) do NOT work, unless you build them a solution on a case-by-case basis.
So, for net gamers (playing something other than just Quake-engine derivatives) masquerading definitely is NOT an easy solution.
Or if you say it is, prove me wrong by pointing to a web page that gives configuration files for a Linux setup that does working masquerading for several masked IP boxes that all play the same badly coded net game on the same port.
Rgds,
Anon bstrd
The only way all this stuff will be finally solved is if IPv6 gets mass implemented. ISPs will probably try to keep a lid on the flood of newly available address spaces to keep people from asking for subnets of dozens of IPs for their home, but how will they be able to justify NOT giving them out? There will be enough IP's for EVERYONE on the planet to have a bunch. I'm sure ISPs will stick with dynamically assigned IP addresses well into 2020 though. ;-) Only way around it is to pay a lot of money or make friends with a netadmin at an ISP.
Just wondering. I'm having a Linux router/masq box to the internet, and suppose I want to play an IPX game like Bomberman or so with another party with about the same setup as me. How would I do that? I tried several things, including IPX over IP, but no success yet..
Well, I'm using X-Win to connect to my university regularly.
When I tried using X-Win 32 from my masq box it didn't work either.
Tried to forward port 6000 UDP and TCP. It worked partly, I got the login screen (with a direct query to the server), but after I logged in nothing.
Anybody got this working?
I just saw a Tutorial on this in webmonkey.
IP Masq
It's convenient in that it lays out everything for you.
I think it is a bit in error about the RH 5.2 tho; if I remember correctly ipchains doesn't work on anything less than the 2.2 kernel without patches.
I've been using ip masq for about 2 weeks now and haven't had a single problem except for like the first day and that's just cuz I hadn't loaded the modules for irc and ftp.
Well, I've had one other problem and that's sending files over IRC. I've noticed if a friend of mine tries to resume a file I am sending them, mIRC spits out a message in the status that is something like [blah RESUME rejected]: invalid parameters.
Was wondering if anyone else has encountered this and if they know how to fix it?
The people using Win98 SE who need masquerading are users with a small home LAN and a dynamic IP. These people are already using Win 9X on their machine with the internet connection. The fact that it is now a firewall/router doesn't make them any more vulnerable than they were before. Besides, when was the last time you heard of somebody's home machine with a dynamic IP getting cracked?
I wish I could say this has been my experience; however on my network (with 3 computers behind the masquing box all wanting to use the same programs) certain things just wouldn't work. AIM, telnet, Quake, and email/web all work great, and I still use ipmasquing for them. However for things such as ICQ chat or file sending, it just wouldn't work for me. I could go the port forwarding route, but that would only work for one of the three computers. The same is true for games which aren't quake. They require that I forward certain ports to the box which I'm playing them on, however there are three boxes which all want to play them.
Also, I wouldn't be surprised if the ip masquing modules are getting loaded automatically somewhere on your computer. You would be noticing some serious problems with ftp (only works in passive mode) and irc (no dcc) if they weren't there.
No, I'm afraid you haven't been keeping up with current events, pal. ALL versions of Windows are vulnerable to DoS attacks. Even Win2k can be taken down with kod.c and some of the other recent DoS attacks. As far as being easy to hack, you are only partly right about the lack of services on Windows boxen. First off, many people have static IPs (many cable modem and xDSL users) and they also want to use NAT. These folks often want to set up web, DNS, mail, and other services on their gateway machine since it's got the visible IP. If you don't think that Windows is the most vulnerable OS (_WITH SERVICES_, anything else is a moot point anyway) then you need to catch up on your advisories for about the last 5 years. Also, there are tons of documented cases where ISPs have been the victims of hacks and DoS attacks that affect the users. When WinNuke came out people were just strobing the entire Internet with OOB packets. So dynamic IPs got hit just as hard as static IPs did. If you ran an Internet-visible firewall and checked your logs, you'd know that people are also randomly scanning for vulnerabilities on the net. So it really doesn't matter if you are using a dynamic IP or not. When you connect to the Internet you are at risk. If you are running a M$ OS then you are even more at risk, and if you make as many stupid assumptions as you just did, you deserve to be hacked and/or DoS'd.
Because FTP in "regular" [active] mode actually opens a connection from the remote machine to port 20 on the local machine. People using NAT/ip masquerading don't have global ips, so the remote system can't contact the local machine to set up the connection. Unless of course you have the NAT/masq box forward all packets for port 20 to your box, which might work if you only have one machine you want to do this for.
IP Masquerading works for most stuff, however I find for things such as ICQ a socks5 proxy server is your best bet. You can find a socks5 server at http://www.socks.nec.com as well as a program called SocksCap, which lets programs not written to use socks proxy servers connect using them.
Here
I recently started using Win98 SE for IP masquerading on my home network, and it works absolutely perfectly. I don't have a single application that can't easily connect to the internet. Every game I've tried connects to the Internet with no trouble. I use CuteFTP under windows, and I haven't even specified that it should use passive mode, and it still works. It is _much_ faster than crappy old WinGate, but I haven't had a chance to compare it to nat32 (http://www.nat32.com/) which claims that it is faster still...
-Sol
Having just installed a cable modem I ran into all sorts of problems getting IPMASQ working. I ended up having to install RH6 several times because of all the problems and my own monkeying around.
Assuming that you have the basic machine working and it works as a gateway for WWW based applications, the next thing is getting the IP MASQ modules loaded.
All the how-tos and do it yourself pages have not seemed to keep up with the various versions of software as well as the move to IPChains, which is a real pain in the a**.
With RH6 I could not get it to work until I did the following (note: no kernel recompilation):
in /etc/rc.d/rc.local I added (note: eth0 is my local net, eth1 is connected to my cable modem):
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY
ipchains -A forward -i eth1 -j MASQ
insmod ip_masq_ftp
insmod ip_masq_raudio
insmod ip_masq_irc
insmod ip_masq_icq
insmod ip_masq_quake
This took care of all the general use items. I have not had a single problem with FTP, IRC or ICQ yet.
The ip_masq_icq module is not in the standard distribution of RH6, so you need to grab it from the following page:
ip_masq_icq http://members.tripod.com/~djsf/masq-icq/
For games, there are going to be major problems trying to run more than a single client from behind the gateway machine. To get around this I simply signed up 2 accounts with Kali and grabbed the Linux version of their proxy (binary only) from here:
kProxy http://www.kali.net/js/software/kproxy.html
As a side benefit, it is a Socks5 proxy, so anything that supports it can be run through kproxy.
Do *not* try to autostart the kproxy from your module scripts. I created a user just to run kproxy and log in and start the proxy manually.
This may or may not work for you system, but it took me a whole weekend to get it running so if it works, maybe you'll have saved a little time.
--
P.S. If anyone can tell me how I could autostart kproxy in another terminal automatically, let me know. My gateway machine does not even have X installed, so no KDE,Gnome solutions please.
NAT/masquerading, from a technical perspective, is extremely evil. It changes some very important assumptions that are made in the Internet protocol suite, and this is why it breaks lots of applications. In the general case, it is impossible for a NAT/masquerade box to not break applications. Of course, NAT/masquerade boxen can be taught about specific applications/protocols and, by supporting all the special cases that will actually be seen in your environment, things work and users are happy... at least as long as they don't do anything new.
Though some people will strongly disagree, I've always preferred firewall-traversal approaches such as SOCKS. Under Linux -- and possibly *BSD -- there are shared library tricks you can pull that will automagically add SOCKS support to most applications. Under Windows, some Winsock DLLs (the Trumpet one, I think) have SOCKS proxy support. What SOCKS does is effectively an RPC to the firewall, so that the application knows what addressing information is being used and can generate the right application-layer communications to talk with the other side without things breaking.
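The "RPC to the firewall" the post above describes is the SOCKS5 BIND command (RFC 1928): the client asks the firewall for a listening socket, and the reply tells it the public address and port that the firewall is actually using, so the application can write those (instead of its private address) into its own protocol. The following is an added example and is not code from this thread or from any SOCKS implementation; it models both sides of the BIND exchange in RFC 1928 wire format without real sockets, then uses the reply to build an FTP PORT command. The addresses (gateway 203.0.113.1, FTP server 198.51.100.5) and the port the gateway hands out are assumptions.

```python
# Added example: a SOCKS5 BIND exchange (RFC 1928 sections 4-6), both sides'
# messages, and the FTP PORT command a client builds from the BIND reply.
# Addresses and port numbers below are constructed for the example.
import struct
from typing import Tuple

SOCKS_VER = 5
CMD_CONNECT, CMD_BIND = 1, 2
ATYP_IPV4, ATYP_DOMAIN = 1, 3
REP_SUCCEEDED, REP_CMD_NOT_SUPPORTED = 0, 7


def _pack_addr(host: str, port: int) -> bytes:
    """ATYP + address + 2-byte big-endian port (RFC 1928 request/reply layout)."""
    octets = host.split(".")
    if len(octets) == 4 and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return bytes([ATYP_IPV4]) + bytes(int(o) for o in octets) + struct.pack("!H", port)
    name = host.encode("idna")
    return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def _unpack_addr(buf: bytes, off: int) -> Tuple[str, int, int]:
    atyp = buf[off]
    off += 1
    if atyp == ATYP_IPV4:
        host = ".".join(str(b) for b in buf[off:off + 4])
        off += 4
    elif atyp == ATYP_DOMAIN:
        n = buf[off]
        host = buf[off + 1:off + 1 + n].decode("idna")
        off += 1 + n
    else:
        raise ValueError("unsupported ATYP %d" % atyp)
    (port,) = struct.unpack("!H", buf[off:off + 2])
    return host, port, off + 2


def encode_request(cmd: int, host: str, port: int) -> bytes:
    return bytes([SOCKS_VER, cmd, 0]) + _pack_addr(host, port)


def decode_request(buf: bytes) -> Tuple[int, str, int]:
    if len(buf) < 4 or buf[0] != SOCKS_VER or buf[2] != 0:
        raise ValueError("not a SOCKS5 request")
    host, port, end = _unpack_addr(buf, 3)
    if end != len(buf):
        raise ValueError("trailing bytes after request")
    return buf[1], host, port


def encode_reply(rep: int, host: str, port: int) -> bytes:
    return bytes([SOCKS_VER, rep, 0]) + _pack_addr(host, port)


def decode_reply(buf: bytes) -> Tuple[int, str, int]:
    if len(buf) < 4 or buf[0] != SOCKS_VER or buf[2] != 0:
        raise ValueError("not a SOCKS5 reply")
    host, port, _ = _unpack_addr(buf, 3)
    return buf[1], host, port


class SocksGateway:
    """Firewall side. Answers BIND with the public address/port it now listens
    on; DST.ADDR/DST.PORT of the request name the only peer allowed to connect."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port            # assumed allocation policy
        self.listeners = {}                    # public port -> expected peer

    def handle(self, request: bytes) -> bytes:
        cmd, host, port = decode_request(request)
        if cmd != CMD_BIND:
            return encode_reply(REP_CMD_NOT_SUPPORTED, "0.0.0.0", 0)
        bound = self.next_port
        self.next_port += 1
        self.listeners[bound] = (host, port)
        # First BIND reply: BND.ADDR/BND.PORT the remote peer must connect to.
        return encode_reply(REP_SUCCEEDED, self.public_ip, bound)


def ftp_port_command_via_socks(gateway: SocksGateway, server_ip: str) -> str:
    """Client side: obtain a listener from the firewall and put the firewall's
    public address, not the private one, into the FTP PORT command."""
    reply = gateway.handle(encode_request(CMD_BIND, server_ip, 20))
    rep, bnd_addr, bnd_port = decode_reply(reply)
    if rep != REP_SUCCEEDED:
        raise RuntimeError("BIND refused, reply code %d" % rep)
    return "PORT %s,%d,%d" % (bnd_addr.replace(".", ","), bnd_port // 256, bnd_port % 256)


if __name__ == "__main__":
    gw = SocksGateway("203.0.113.1")
    print(ftp_port_command_via_socks(gw, "198.51.100.5"))
```

The point to notice is that nothing in the FTP data stream has to be rewritten by the gateway: the client already knows the public address because it asked for it, which is the contrast with the per-protocol masq modules the rest of the thread is about.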
The problem with IPMasquerading is that it's a hack. It's a damn good hack, but nonetheless, it's still a hack. Many of the things which it doesn't do can be implemented, with more hacks, but what you get in the end is a mess.
As with all hacks, you eventually have to figure out what makes it so good, figure out what it needs, and then rewrite it into a clean piece of code.
What makes IPMasquing good is that it effectively sends and retrieves from the internet at the users request. It does it at a very low level, and in the kernel, so it is very fast.
What IPMasquing needs is the ability to allow users to connect to sockets on computers behind the firewall. This can be done, as you said, by having applications tell the masquing box that they need information forwarded. However when you do this, what you effectively have is a SOCKS server.
So maybe the answer lies in implementing socks-like functionality in the Linux kernel. There are probably reasons why this isn't a good idea, but I think you'll agree that the current technique (writing kernel modules for _EVERY_ program which needs bidirectional firewall traversal) needs to be replaced.
... of why so many people continue to have negative feelings about linux and the linux community. The guy who's asking the question obviously isn't completely ignorant of the topic at hand, otherwise he wouldn't have brought up NAT or LKM's. Even if he were, this is a moderated "ask-the-question" forum that exists for the explicit purpose of people who don't know something to be able to, well, ask the question.
Yet you insult the poster for no discernible purpose, and add nothing to the discussion. It's the damn elitism that turns people off. People aren't going to embrace linux if you're being a dick about it. You don't have to help them, but there's no reason to harass them (and many a reason not to).
Ugh.
I've played a fair bit of games from my Win98 box behind the IP Masq, and for many newer games they work just fine (playing, not hosting).
:) This has some explanations of a method to use UDP packets and work beautifully with different NAT systems.
Those that don't need to get their act together.
Things that I have played just fine recently (read, I at least see their CDs lying around my desk, more work but I can't think of em all right now): Half-Life, Quake 3, Myth 1 and 2, Tribes, F22 Lightning 3 Demo, even 2am.com's group of free games. I did pop in my old SWAT 2 and that one didn't work. Some game companies at least have a tech support FAQ that may tell what ports to redirect or anything to help. I say we start petitioning companies that refuse to make Linux ports to at least make compatible multiplayer gaming...
So he manually types up converted packets as they go out, are you saying that's impossible??
Maybe anyone has an idea how to get this to work properly?
This was on freshmeat a week or two ago. It's supposed to handle ICQ. Haven't tried it yet so no idea how well it works.
http://members.tripod.com/~djsf/masq-icq/
IF someone has tried it, can you send me a message with how well it works and any advice. Remove the nospam from my e-mail and you've got it.
LBS
Why is it that it's easier to write a huge comment here, but I still can't write the first paragraph of that english st
Windows 98 SE does indeed have IP masquerading built in. I'm not sure if it's the NAT1000 stuff, but I'd assume it is, since it would be fairly pointless for them to write their own parallel version.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Under Windows, you can use the WinGate IP masquerading/SOCKS software. I assume there is similar stuff for Linux and FreeBSD. Once you have that set up, any decently written IRC client will be able to use DCC transfers (for example, mIRC on Windows works flawlessly).
Well, I use Windows 95 myself, so I can't give you any specifics, sorry. I know a few people that have used it though, and they say that you set it up through one of those "wizards" windows is so fond of.
No problems for me either, Linux 2.0.36 on the firewall. Normal "active mode" FTP even works, don't have to do passive mode, as long as ip_masq_ftp.o proxy is modprobe'ed into the kernel.
-E
Send mail here if you want to reach me.
The reason I say that is because Red Hat 6.0 has a bit of Evilness(tm) in the way it handles modules. Even if you manually 'modprobe' all of your ip_masq*.o proxy modules, Red Hat 6.0 will 'rmmod' them five minutes later (unless they happen to be in use at the time).
Solution: Create /etc/rc.d/rc.modules and manually insmod your ip_masq* proxy modules there (don't forget to set the #!/bin/sh comment as the first line and do a chmod a+x on it!), and then in your /etc/crontab find where that @#$%!@ rmmod is taking place and zap it.
Distributions which manually specify modules to be loaded, like Debian or (maybe) Caldera, don't have this problem. It's just distributions which try to get fancy by using the kernel-level module auto-loader that have this problem (and only under the 2.2 kernel, which removed the 2.0 kernel's timeout functionality for the auto-loader).
With the proxy modules loaded, I've never had any problems with reverse connections on FTP, Quake, etc. That's why I'm suspecting either a) you don't have them loaded, or b) Red Hat 6.0 (or Mandrake 6.0) is helpfully unloading them for you!
This may be a simple question, but I haven't seen it addressed in any of the documentation I've read: What about IRC servers that require a valid ident response to connect? Everything works fine on my client machine except this (and incoming ICQ transfers, but I can live w/o that). Does anyone have any tips or pointers to documentation that covers this?
Thanks.
It does work... more or less... most of the outside world DNS queries time out because of the lag.. oh well, works better with the internal DNS queries so I'm not too bothered :)
---
"Hasta la victoria siempre!" El Comandante
Unless you want a really spiffy brand new kernel on your router (doesn't bother me) the Linux Router Project disk is a damn fine way to go.
I have mine set up on an old 486 in a pizzabox case and it works beautifully. All I did was tweak a few IP numbers, tell it to do transparent proxying and I haven't noticed any difference from being dialled up directly, apart from my flatmates sucking all the bandwidth that is :).
That said, I am currently in the process of designing a disk specifically for doing dialup router/firewall duties that will be somewhat more current and easier to configure than the LRP disk. mail me if you are interested.
Silver
I am using a NAT program called SYGATE on my NT Server box (hey, it works!) that connects my LAN to the Internet.
I have played Quake, Quake2, Quake3A Test (1.05 - 1.07) and a whole host of other games on the Internet.
The only problem I have ever had is with FTP clients. I got one that supported passive mode and everything worked fine.
Boobies never hurt anyone. - Sherry Glaser.
I'm no expert, but I am running Starcraft under NT4 in VMware, Linux 2.2.10. Once masquerading was up, it all seemed to work well with no extra setup.
Have you read my journal today?
I have problems using ftp over masquerading. Even with passive mode on, reverse DNS lookups not required, matched C libraries, certain ftp clients still don't work with certain ftp servers. It's a matter of trying every ftp client on your system until one works, then remembering which ftp client works with which server and which client is faster for the job. Right now ftp, ncftp, Wxftp, sftp, Igloo, and netscape are on the system.
DEC Multias also make great little firewalls. There are usually a few for sale at any given time on ebay.
got a linux ip_masq box running great on cable, and my machine inside of it (among other boxes). I have an irc bot running on the ip_masq box, so other people can access it - DCC works just fine for everyone, except me! I think the bot (eggdrop) sees a DCC chat req coming from the 'external' ip #, and tries to essentially connect to itself. now I can get into the bot via telnet, so I'm not completely stranded, but it'd be nice to use DCC chat instead. Am I stuck with telnetting, or does anyone know how to fix this?
-----
If Bill Gates had a nickel for every time Windows crashed...
The network is still at a very early stage in development compared to the inside of any modern computer. You'll see even more virtualization. That doesn't mean today's NAT solutions are the future, they're just the beginning and at an early, sometimes very experimental, stage, just like virtual memory wasn't developed overnight. Besides, the virtual network is a lot harder to do than virtual memory: the latter takes place inside one small box, while the virtualization of network resources has consequences for millions of computers simultaneously.
general NAT info:
http://www.csn.tu-chemnitz.de/~mha/linux-ip-nat/diplom/
--
Michael Hasenstein
http://www.csn.tu-chemnitz.de/~mha/
The only thing that doesn't work under IP-masq is *incoming* connections. That is because the remote system connects to, say, port 1234 on the server that sends the original packet. As this is apparently the masquerading host, the masq host does not know where to send the packet on to; there is no way to connect an arbitrary port number without configuring that port number to ALWAYS be associated with a unique app.
Your only solution is to have your ISP give you a group of IPs, and assign one for each box
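The behaviour the post above describes (replies get back in, unsolicited connections have nowhere to go, and a port has to be pinned to one inside host to make them work) comes from the masquerading table. The following is an added example, not code from this thread or from the Linux kernel: a toy model of that table, covering the outbound mapping, the reverse lookup for replies, the drop of unsolicited inbound packets, static forwards for a single port and for a whole range (the kind of thing the games and ICQ posts in this thread resort to), and idle expiry (the "tunnel closes" complaint elsewhere in the thread). Assumptions: public address 203.0.113.1, masq port pool 61000-65095 (the range the 2.0/2.2 Linux code used) and a 15-minute idle timeout (the 2.x default for established TCP); every address and time below is constructed.

```python
# Added example: a toy IP-masquerading table. Not the kernel's code; the port
# range, timeout and addresses are assumptions stated in the lead-in.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]                        # (ip, port)
MASQ_PORT_BEGIN, MASQ_PORT_END = 61000, 65096     # half-open pool, 4096 ports


@dataclass
class MasqEntry:
    inside: Endpoint     # private host that opened the connection
    outside: Endpoint    # remote peer it is talking to
    last_seen: float     # seconds; refreshed by traffic in either direction


class Masquerader:
    def __init__(self, public_ip: str = "203.0.113.1", idle_timeout: float = 15 * 60):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.table: Dict[int, MasqEntry] = {}      # masq port -> entry
        self.forwards: Dict[int, Endpoint] = {}    # public port -> inside endpoint

    # --- static configuration: pin a public port to one inside host
    def add_forward(self, public_port: int, inside_ip: str, inside_port: Optional[int] = None) -> None:
        self.forwards[public_port] = (inside_ip, inside_port or public_port)

    def add_forward_range(self, lo: int, hi: int, inside_ip: str) -> None:
        """A block of ports, e.g. a game that picks a random port in a range."""
        for p in range(lo, hi + 1):
            self.add_forward(p, inside_ip)

    # --- dynamic state
    def expire(self, now: float) -> int:
        """Drop entries idle for longer than the timeout; return how many."""
        dead = [p for p, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for p in dead:
            del self.table[p]
        return len(dead)

    def _alloc_port(self) -> int:
        for p in range(MASQ_PORT_BEGIN, MASQ_PORT_END):
            if p not in self.table:
                return p
        raise RuntimeError("masq port pool exhausted")

    def outbound(self, src: Endpoint, dst: Endpoint, now: float) -> Tuple[Endpoint, Endpoint]:
        """Packet from the LAN. Returns the (src, dst) it leaves the gateway with."""
        self.expire(now)
        for port, e in self.table.items():
            if e.inside == src and e.outside == dst:      # existing flow
                e.last_seen = now
                return (self.public_ip, port), dst
        port = self._alloc_port()
        self.table[port] = MasqEntry(src, dst, now)
        return (self.public_ip, port), dst

    def inbound(self, src: Endpoint, dst: Endpoint, now: float) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Packet arriving on the public side. Returns the rewritten (src, dst),
        or None when the gateway has no inside host to hand it to."""
        if dst[0] != self.public_ip:
            return None
        self.expire(now)
        e = self.table.get(dst[1])
        if e is not None and e.outside == src:            # reply to our own flow
            e.last_seen = now
            return src, e.inside
        fwd = self.forwards.get(dst[1])                    # statically forwarded
        if fwd is not None:
            return src, fwd
        return None                                        # unsolicited: dropped
```

Note the check that the reply comes from the peer recorded in the entry: a packet from some other host aimed at a live masq port is dropped too, which is why the thread's "just forward the port" advice only helps for ports you have pinned explicitly.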
lag on doing anything, even more than the noticeable lag when using a 486.
:-)
naw. I use a 386DX33 with 8 megs and a 120 meg HDD doing voicemail, X10 and internet dialling. no worries there. I mean I'm only connected at 56k so the processor is mostly sitting around. I just gotta get a UPS on the beast so I can get some uptime on it
No one seems to have mentioned something I consider pretty important: X Windows. I don't think that X will EVER run across NAT... I mean, what would you set your DISPLAY variable to?
I have seen a few comments about how evil NAT is. I wholly agree. But it has its benefits.
Being able to have any number of IPs that are needed to complete one's network without having to go through the hassle of paying for an IP space is the one at the top of my list for one... Though:
For ease of use I would recommend FreeBSD, it has a better suite for NAT (no flames yet please... read the rest.) And my statistics for the box actually say that FreeBSD is faster for doing the networking. (non professional... just watching the D/L rates.)
For functionality I would highly recommend Linux, as it has a much better plug in system for the Masq modules.
I have used both. And had much success with both. But the one thing I will HIGHLY recommend for both operating system platforms is socks5. Most applications are somewhat aware of it, and those that are not can be made aware with some library tricks. I use ICQ and AIM on a windows box behind my firewall with little to no problems at all. The only problem that I see is that sometimes incoming messages are a little slow (have yet to figure that one out, but I'm sure it's a configuration error).
The only other thing that may cause problems is if you are using dynamic dialup. Secure web sites sometimes complain about an invalid reverse name lookup.
I have been happily using a NAT based firewall for about 2 years now, both Linux and FreeBSD. I prefer FreeBSD for the networking speed, but that is wholly my personal opinion.
Actually, Vicom internet gateway reinvents the wheel. OpenTransport has the ability to do the equivalent of IPMasq (as far as I remember) and you can use a tool called IPNetRouter to do so. Plus, it's probably cheaper. (not open-source though)
--mere mortal--
my IPmasq/fw for my home lan is an old 386DX25 with 16Megs of ram and an 80Meg HD. It runs a home brew distro of linux and goes months on end without a reboot. It is also headless.
I have to return some videotapes...
Various other people pointed to broken protocols, and protocols which need special help. In general, any protocol which does not restrict itself to a single connection (ie. src ip/port dst ip/port quad) will require special assistance. This includes FTP (both passive and active) in the general case, although for simple masquerading passive ftp does not need help.
For static NAT, where an IP address is always mapped the same way (n:n NAT, eg. 192.168.1.* is mapped straight into 1.2.3.*), only protocols which actually include IP addresses within their data stream will be impaired. Unfortunately, FTP is one of these.
A special note on games: Dan Kegel (of Activision) produced a fairly well-thought-out proposal for UDP gaming through NAT. IP masquerading in Linux 2.2 meets this standard.
Here is the draft
Rusty.
With all the appropriate configurations done on the server and the client workstations (ie, port ranges for ICQ) I have had few, if any problems.
I can send and receive files from ICQ, chat with people, even chat with people on my own lan. There is no loss of functionality for me with IP Masq. Some applications require special modules or commands, but once done, it's never an issue.
I'm running Slackware 3(?), with kernel 2.0.36. The machine is so solid that it doesn't have a monitor or keyboard attached to it, and it's only a 486.
I have not tried to do any online gaming with IP Masq.
I can't get full voice with MS netmeeting to work, though I haven't tried too hard. The whiteboard and everything else works fine though.
I do get strange intermittent problems, issues such as people being invited into a four-way chat only getting a three-way chat... when everyone else sees the four. People disappear who should be visible, lots of peculiar behavior, but nothing show-stopping. I think it is a combination of ICQ running out of incoming TCP connections and a problem with the ICQ servers failing to correctly or timely interpret the status of people with the same IP address or something... most status issues are resolved by changing status back and forth.
I would love to hear people's suggestions about how to fine tune various applications.
Commercial sites will run into licensing issues, too.
http://www.socks.nec.com
FreeBSD users see
I haven't played with battle.net, but I just got my friend's machine (behind my masq box) to work with the MSN gaming zone.
:)
Doing so involved the use of yet another experimental kernel networking feature: fwmark forwarding (look for it in the network options in the kernel).
The first thing to do is to find out the port ranges that the gaming system (battle.net, the zone, whatever) need to access.
second thing to do (other than being familiar with the firewall & masq tools) is to do a 'man ipmasqadm' and look for the section called mfw.
the third thing, of course, is to get all the command line parameters correct for ipchains and for ipmasqadm
That should be about it. You might even be able to get multiple boxen to work with at the same time (mfw allows redirection of ports to multiple simultaneous internal machines, if i read the docs correctly).
anyway, i hope this helps someone, if you have more questions, email me, but this is most of what i know (it only took me ~30 mins to set it all up -- ms actually had good docs for what port ranges were required)
Actually, slight correction. NAT (network address translation) is the common term for this functionality. I don't know why the linux community still refers to it as IPMasq...
But anyhoo, IPNat under OpenBSD lets me run anything behind it. I can DCC, AIM, ICQ, etc. with no problems.
NAT however is an unfortunate (although extremely cool) side effect of what happens when you begin to run out of IP addresses with IPv4.
-Dave
--
Dave Brooks (db@amorphous.org)
http://www.amorphous.org
I've been using a masq'd box as a firewall/gateway for my home LAN for the past six months or so. It does everything perfectly, and I don't load up any modules. I just use ipchains, and everything on the other boxen looks like it were directly connected to the internet; it works perfectly. Every application from ICQ to AIM to telnet to Quake II to email to whatever you want will run like this.
-- K
You can find information there on getting just about any application working with masquerading.
If you use your FTP client in passive mode, you don't need the ip_masq_ftp module.
eg:
ftp site.com
ftp> passive
Passive Mode On
ftp> get blah.tar.gz, etc
the ip_masq_ftp module just allows the active FTP transfers to work. I don't use ip_masq_ftp and am able to ftp up/down from the net w/out problems. I just need to use passive mode. This is what your browser will use as default when it is downloading via FTP.
-Booya "No Try Not. Do or do not, there is no try." -Yoda
Learn to read it, people. There is a reason someone spends time writing down that boring crap into awful formats like nroff.
F /...
Almost everything questioned by the original poster is covered in the FreeBSD natd man page. How do I know this? I learned to read. You should try it.
---
Openstep/NeXTSTEP/Solaris/FreeBSD/Linux/ultrix/OS
--- I do not moderate.
It made ICQ DCC chat work for one of my clients
You still can't DCC _IN_ directly to a masq'ed client, unless you do a trick: allocate a port for each user and forward the data from that specific port to the assigned user. I haven't tried this under 2.0.x but did get it working once on 2.2.x: the caller aims their DCC to the appropriate port on the masq server instead of trying to hit the masq'ed user directly.
Got time? Spend some of it coding or testing
This worked great for me, except that I never *could* get ICQ working with the Socks5 from nec.com. I *thought* I'd read somewhere on their site that the free version didn't support UDP forwarding or something. But you're saying that you got ICQ to work? Do anything special? Or just an out-of-the-tarball compile and install?
But, you cannot compile the Masquerading modules into the kernel. They're always built as modules, just like the PPP compressors.
BTW - Anyone know why the ip_masq_icq module hasn't become a regular part of the kernel? And when are we going to get some of the neat Masq'ing features that the 2.0.37ac?? patches have?
You need to use the RTSP/RTP proxy (run it on the same box as you're masking from). Works perfectly for me. Builds on a few different platforms.
http://www.apple.com/quicktime/developers/rtspproxy.html
Dox & source included. Enjoy,
W
-------------------
This is my SIG. There are many like it, but this one is mine.
It does work, but it doesn't understand ICQ's newer protocols.
Thus, it won't work for icq98 or icq99, but it will work with older versions of icq.
The problem is I'm not about to tell my users they should retrograde their icq. So i installed Socks instead.
This is just like television, only you can see much further.
in response to the question at hand...
solution: use ipfwadm or ipchains
set up correctly with a newer kernel, this will work for everything.- -----
------------------------------------
Reveal your Source, Unleash the Power. (tm)
SOCKS works in user mode; I don't see any advantage to that. If you want bidirectional firewall traversal, you could implement similar functionality in the kernel. You need to either notify the firewall machine that a socket on the client is accepting connections and that needs to be forwarded to the firewall machine, or when there is a request coming in, the firewall machine has to try until it finds a machine willing to service it.
Most people don't need, and in fact, don't want that functionality. But people who do already get it: it's part of clustering.
Let that be a lesson to you. Always preview before you submit.
-DrPsycho - Coping with reality since 1975
http://ipmasq.cjb.net is the URL for the Linux IP Masquerade Resource page. Once there, consult the IP Masquerade mini-HOWTO (v1.76-Jul18.99), patches for older kernels, the mailing list, the IP masquerade application collection (if you want to configure that one pesky piece of Internet software just right.), the TrinityOS step-by-step documentation for IPMASQ and network security, and even goodies for people on dynamic (gasp!) IP connections.
It's an excellent site, which was truly an invaluable resource when I was trying to put the jumper cables to my own IP MASQ'ing gateway box. Even my Amiga has no problem getting through to the outside world via. the Linux box.
Good luck. It can be a little tricky in spots, but the end result is worth it.
I rather think that the original question was regarding IP Masquerading via Linux, and possibly *BSD. It may well be possible via Win98. I won't dispute that, as I don't know. But let's try to stay on topic here.
My question is: why must FTP be in passive mode when it is run from a host on a masqueraded net (the gateway itself excepted, of course)?
Pope Felix the Scurrilous.
Computer Geek by day, religious Icon by night.
I used NAT and the only problem I had was that if a user was telnetted to a site outside the firewall and left it inactive for awhile, the firewall would think that the connection was dead and close the tunnel. I tried playing with the timeouts, but it seems to work on a global level and it just bogged down the poor machine.
Is there a way to make NAT not drop just telnet tunnels or something? Email me if you like, I'd like to know.
why bother w/ a 486? I used to have a 386 sx16 or something slow like that w/8megs of ram and a 100meg hdd doing the job. Greatest part, I didn't pay for any of it. I had the nic lying around and I got the 386 from a friend who bought a new computer.
-matt
How do you get Windows98 SE to perform NAT functionality? That would be very useful for me since I'm the firewall machine, but I dual-boot into Windows98 sometimes to play games, and when I do, my brother gets mad. :)
Thanks.
What good is a gateway machine that you have to reboot every six hours, eh?
I know of commercial solutions for Solaris (FW1E for example) that are EXCELLENT.
Novell has one too that allows quake and stuff too. I haven't played with that one much.
- Hugh Buchanan
- Userfriendly.com
RSP and RTSP or Real Time Streaming Protocol requires special support from the proxy server and fails under most NAT implementations.
RealAudio/Video uses HTTP which is widely supported but far less efficient. Funny thing is that I am using NAT on my Cisco router and RTSP fails, even though Cisco supports RTSP for CiscoTV. So much for Cisco supporting standards.
I'm about to spark up my Novell Border Manager to see if it supports RTSP and if Novell's NAT works.
Thought for the day, don't you really dislike the space and bandwidth wasted by most signatures?
all i can say is- "read it." irc has always worked using the irc module, not to mention quake, etc. just about any game company under the sun will tell you the tcp/udp port settings if you ask... and icq... well, icq is hell-sent anyways... use ftp, http, nfs, ssh or *anything* else for file transfers....
Welp, I hate to say it but the only solution I know of is on Win9x. I'm sure there are others and I can't wait to hear about them. As for the Win9x solution: Nevod Inc used to make a product called Nat1000 which was amazing! You could do everything from the client machines -- run quake servers, dcc serve, run hotline clients -- everything. Unfortunately, these guys were bought out by those folks from Redmond, and supposedly their tech was to be incorporated into Win98 SE. I've long since lost the original need for ipMasq/NAT but would be interested nonetheless in knowing whether it *works* in Win98 SE or how to get it up and running on FreeBSD/Linux.
-- jar
I'm not familiar with ICQ, so I can't help with that. But for DCC over IRC, to load the kernel module, instead of doing:
/sbin/modprobe ip_masq_irc
do:
/sbin/modprobe ip_masq_irc ports=6667,7000
and add whatever ports you use for IRC in the ports. I had this same problem about a week ago and a friend was kind enough to let me in on the secret.
:) Look for some sort of ip_masq_icq, which would probably let you do the ICQ thing too.
Damn Enter key anyways!
I have no problems with any icq function, you just have to make sure that you tell it you are behind a firewall, and that you don't use a socks 4/5 server...as for quake, it works just fine, make sure the quake module is loaded on your linux box...
masq servers can't accept incoming connections to you, so you'll have to initiate them if you want to do something...
El Guapo
I'm surprised this hasn't been mentioned already, but David Ranch's IP-masq'ing mini-HOWTO really helped me...I play StarCraft, Quake2, Quake 3 Arena, use AOL IM, ICQ (file transfers can be made to work), and more. Probably the main thing that will help you is IP portforwarding... In any case, check out the HOWTO... IP masq mini-HOWTO
I have three masqing machines, two at work and one on cable at home ;). Yes you don't have a valid Internet IP on the internal network, but this is a GOOD thing - I would rather be secure than have the ability to run a web server on my box, that is what a SERVER is for. ;) The point is you have to KNOW what you are doing read absolutely everything you can find and then read it again. IP masq is very kewl. You just have to know how it works, and how to configure it properly.
Most of your faults can be worked around, such as ICQ file transfers, e.g. port forwarding. Games work fine, I play Quake 2 and 3 all the time through my firewall
-ShieldWolf
just = (My)Opinion.toCents();
blow away the vdolive module, which uses port 7000, and use:
modprobe ip_masq_irc ports=6666,6667,6668,6669,7000
Works fine for me on Linux 2.2.5 and 2.2.10. Not sure about BSD though.
"Unix is a proprietary operating system intended to compete against Microsoft Windows" --Patrick Reilly
I have an old Mac running Vicom (www.vicomtech.com, I think) Internet gateway. It is way easier to setup than masq and give new life to that old 7200 you have lying around ;)
Play Well
I've been using masquerading on a linux machine (And a short time with fbsd, but it has some odd quirks I don't like) and had just resigned myself to not using dcc send because it never worked using epic. Until a friend pointed out that chat worked both ways so why shouldn't file transfers. So, working with another friend, we tracked down why. Apparently, if you include extra stuff at the end of the dcc send request, the module ignores it. To fix, we simply commented a few lines in /usr/src/linux/net/ipv4/ip_masq_irc.c. This is all based on Linux 2.0.36.
Line 172, comment out:
if (xtra_args != 0) continue;
Lines 178-182, comment out:
if (data[0] != 0x01)
continue;
if (data[1]!='\r' && data[1]!='\n')
continue;
Then make clean;make modules;make modules_install, quit irc, wait 60 seconds for the connections to timeout, rmmod ip_masq_irc;modprobe ip_masq_irc and you're set. This is a kludge, but it works.
When I was able to do my own spam-armoring, you got a chance to email me. Now you can only hope I see your reply.
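What ip_masq_irc (patched above) and ip_masq_ftp (discussed in several posts) have in common is that the client writes its own, private, address into the data stream (a PORT command in active-mode FTP; a 32-bit decimal address in a DCC CTCP), and the gateway has to rewrite that to its public address plus a masq port and remember the mapping for the reverse connection. The following is an added example and is not the kernel modules' code, the patch above, or anything else from this thread: a minimal payload rewriter for both protocols, showing the same logic applied to a PORT line and to DCC SEND/CHAT, and deliberately keeping the trailing arguments (the file size) that the 2.0.36 module tripped over. The gateway address 203.0.113.1, the masq port numbers and the sample lines are constructed. Real helpers must also adjust TCP sequence numbers when the rewritten payload changes length; that is left out here.

```python
# Added example: application-layer rewriting of FTP PORT and IRC DCC payloads
# as a masq helper would do it. Not kernel code; addresses are constructed.
import re
import struct
from typing import Dict, List, Optional, Tuple

Mapping = Tuple[str, int, int]   # (inside_ip, inside_port, masq_port)


class MasqPortPool:
    """Hands out public ports and remembers which inside socket each one is for."""

    def __init__(self, first_port: int = 61000):        # assumed pool start
        self.next_port = first_port
        self.by_masq_port: Dict[int, Tuple[str, int]] = {}

    def allocate(self, inside_ip: str, inside_port: int) -> int:
        port = self.next_port
        self.next_port += 1
        self.by_masq_port[port] = (inside_ip, inside_port)
        return port


# --- FTP: "PORT h1,h2,h3,h4,p1,p2" (RFC 959); port = p1*256 + p2
FTP_PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def rewrite_ftp_port(line: bytes, gateway_ip: str, pool: MasqPortPool) -> Tuple[bytes, Optional[Mapping]]:
    m = FTP_PORT_RE.match(line)
    if m is None:
        return line, None                        # not a PORT command: pass through
    n = [int(x) for x in m.groups()]
    inside_ip = "%d.%d.%d.%d" % tuple(n[:4])
    inside_port = n[4] * 256 + n[5]
    masq_port = pool.allocate(inside_ip, inside_port)
    new = "PORT %s,%d,%d\r\n" % (gateway_ip.replace(".", ","), masq_port // 256, masq_port % 256)
    return new.encode("ascii"), (inside_ip, inside_port, masq_port)


# --- IRC DCC: "\x01DCC SEND <file> <ip-as-u32> <port> [<size>]\x01" in a PRIVMSG
def dcc_long_to_ip(n: int) -> str:
    return ".".join(str(b) for b in struct.pack("!I", n))


def ip_to_dcc_long(ip: str) -> int:
    return struct.unpack("!I", bytes(int(o) for o in ip.split(".")))[0]


DCC_RE = re.compile(rb"\x01DCC (SEND|CHAT) (\S+) (\d+) (\d+)([^\x01]*)\x01")


def rewrite_irc_dcc(line: bytes, gateway_ip: str, pool: MasqPortPool) -> Tuple[bytes, List[Mapping]]:
    mappings: List[Mapping] = []

    def repl(m) -> bytes:
        kind, arg, addr, port, extra = m.groups()
        inside_ip = dcc_long_to_ip(int(addr))
        inside_port = int(port)
        masq_port = pool.allocate(inside_ip, inside_port)
        mappings.append((inside_ip, inside_port, masq_port))
        # 'extra' carries any trailing arguments (the file size of a SEND)
        # through untouched instead of refusing to match on them.
        return b"\x01DCC %s %s %d %d%s\x01" % (
            kind, arg, ip_to_dcc_long(gateway_ip), masq_port, extra)

    return DCC_RE.sub(repl, line), mappings


if __name__ == "__main__":
    pool = MasqPortPool()
    print(rewrite_ftp_port(b"PORT 192,168,1,10,4,1\r\n", "203.0.113.1", pool))
    print(rewrite_irc_dcc(
        b"PRIVMSG bob :\x01DCC SEND notes.txt 3232235786 2048 51200\x01\r\n",
        "203.0.113.1", pool))
```

After the rewrite, the remote side connects to 203.0.113.1 on the allocated port, and the gateway uses pool.by_masq_port to hand that connection to the inside host and port the client originally advertised; that lookup is the part that plain masquerading (without the helper) has no way to do.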
I've been using ipchains for a month now, and I've been playing HalfLife, using ICQ, and just about anything you can think of with it ... yeah, mini-HOWTO is absolutely invaluable for doing it.
(Why? Well, no reason not to, another excuse to leave it running constantly, and best machine around to do it. (Have no running 4 or 386s, anyway.))
Heh, why not?
Moo.
Simple. Make the game writers follow, or create, a standard. They keep creating proprietary data formats which only their software understands. Then customers find that firewalls and competitors (ie, the current AOL and MS squabble) are not compatible.
As programmers we can improve competitors' products who are following standards. As customers we can avoid proprietary products, just as we did with MicroChannel. As reviewers we can mention if products use proprietary methods or standards.
The AOL and MS messaging customers and tech support are getting lessons in that right now.
Maybe on a 386, but on my 486 it's fine. I'm connected to a cable modem and the 10BT NICs run at full speed, the cpu barely ever breaks over 10%, even when holding up a quake3 game with 8 players (no the game doesn't run on the 486, I'm just talking about the network traffic).
I have an old FreeBSD box running 2.2.7 (haven't gotten around to upgrading to 3.2 yet) and have had only a few problems.
... it'd be insane if I didn't have it, since my cable provider charges $10 per extra IP.
Most of those, however, I was able to get around without too much difficulty, too.
1. Quake*.* - No problems here whatsoever, and have never needed to tweak any settings or configs to make it work. It just does. As for servers, Q3Test, and if I'm not mistaken, Quake2, will let you specify the port to use. All you do is use NAT's port forwarding ability to redirect all connections to a given port.
Certain games (namely Baldur's Gate) use DirectPlay, which can use an entire range of ports. BG used a random port between 2300 and 2399. So what did I do? Port forward 100 ports.
A minor inconvenience, but you should be able to figure out what ports need to be redirected without a lot of hassle.
2. It is not possible to make an FTP connection between an ipmasq'd/nat'd box when you yourself are nat'd/ipmasq'd. What I do in this situation is rely on a wonderful proggie called Sharity light (available in the FreeBSD ports collection ;P ;P). Just telnet to the box that's doing the nat'ing, and use sharity light to mount a shared directory on any machine on your network (including fat32 drives. woohoo!). Then just FTP to the site that has the files you require and watch as it automagically downloads to your hard drive. You could even turn on a screen session if you need to close the telnet proggie for whatever reason. Very convenient.
3. DCC's, etc. Occasionally I have DCC problems, but I think, again, this is only for 2 boxen that are both nat'd. If necessary, you could install an ftp daemon on the machine that is behind the net, and port forward a port (say 1234) to port 21 (or any port, if the daemon supports changing the port) on the box you need to send/receive files on.
Hope that helps =) I absolutely agree that NAT rocks a whole lot
Yeah but that also means no free mail service, ftp, your own DNS, etc. Which is lame...
Now, I know that this post might engender some "warm replies" about the touting of non-open source solutions but I am pragmatic about this. I prefer open source solutions but am not against a proprietary/commercial solution to get the job done. If it's a good product it's a good product.
--
If I actually could spell I'd have spelled it right in the first place.
Unfortunately, I've found that the best way of dealing with masquerading service problems is on a case by case basis. For example, QuickTime streaming doesn't work behind a masquerading firewall, so you install a proxy.
I'm not aware of any general solutions. But there might be a completely different technology that allows for the same connection-sharing features as ip_masq...
Apple has an RTSP proxy freely available at http://apple.com/quicktime/developers/rtspproxy.html.
There have been some comments about SOCKS being a better solution for ip masquerading. Could someone explain the benefits of SOCKS vs. the standard ip_masq modules for Linux?
Current NAT related drafts:
http://www.ietf.org/ids.by.wg/nat.html
I had a small network that was IP masqing, and we were putting it through its paces. It was really quite good. ICQ had a few problems, and a few games had some problems. Quake was our primary testing game. One client behind the ip-masq machine worked fine, a second tried to sign on, and the server would kick the first. In cases like this, it seems apparent that many applications assume only one copy can be run on a machine. We decided to switch to freeciv, which had no qualms about multiple clients on a single IP :) I think it would be nice if most applications/protocols that are designed take into account the possibility of IP-masquerading.. In most cases, avoiding a few simple assumptions and making sure to verify a client is truly offline before kicking it would help... In many protocols, I really don't understand the point in encoding things like source and destination IPs redundantly into certain packets.. If anything I said is way off base, you are welcome to correct me politely, just don't start flaming because I was an apparent idiot :)
XML is like violence. If it doesn't solve the problem, use more.
I started with a proxy and used it until my wife complained that she could not play certain internet games, and I could not figure out how to fix it (and really was annoyed at having to try). After that I tried a number of windows programs that do NAT and found a couple that worked well (WinRoute, SyGate). I heard somewhere (and it may be wrong) that NAT1000 was bought by M$.
As of now I use a little blue box from Hawking Technology that works well for me (it supports 2 modems, ISDN, or leased lines). When I can get cable or ADSL I will go back to a PC again. Anyways this box (IR8228 I think) has worked well, although it doesn't like to disconnect for inactivity and I don't mind that. My friend just got another model (IR560) and after flash upgrading the firmware it seems to be working fine (wouldn't work with the game Everquest before flashing). The only reason I mention these devices is that you can get them pretty cheap at ONSALE in the "at cost" section. A caution though, I have sent a couple of emails to their Tech Support, and have never gotten a reply (I was trying to figure out the disconnect issue).
In any case, hope this is at least interesting.
Later.
Had the same prob using my masq't machines to ftp to and from the net. So, I telnet to my linux machine, and:
/sbin/modprobe --list | grep ftp
which returns:
/lib/modules/2.2.5-15/ipv4/ip_masq_ftp.o
Then I (as root):
/sbin/modprobe ip_masq_ftp.o
This adds the ability to do ftp from a masq't machine, or does for me. There are other protocols, such as for RealAudio. Grepping on "masq" will find 'em.
Ie:
/sbin/modprobe -l | grep masq
I'm not sure that the loaded module persists if it isn't called for a while. There are parameters governing this sort of thing. You can also add the line to your
/etc/rc.local (or whatever).
Looking forward to seeing other solutions! (Far as I can tell, I'm first post.)
Anyway, gives you a place to manpage if nothing else....
-K
You can look at IPNetRouter (may be Mac only). It allows you to designate a machine that accepts incoming packets that it can't use NAT to route.
If is "spurting jiz" then is Male, yes?
"Her" refers to a Female, yes?
Male + Female != "faggot" | "queercakes", yes?
-- The act of censorship is always worse than whatever is being censored. Always.
How, exactly, do you intend to make the game writers do anything? That sounds right up there with "making" the game writers switch to GPLing all their games instead of MSLing as they do now.
-- The act of censorship is always worse than whatever is being censored. Always.
lag on doing anything, even more than the noticeable lag when using a 486.
"Just because you can, doesn't mean it's the best solution"
-- The act of censorship is always worse than whatever is being censored. Always.
I've had great luck with IP Masq so far, It seems that the only thing I can't get to work is UDP packets. Does anyone have this working? And if so how?
Thanks,
Brian
It's easy.. enable firewall support.. that's all..
:. Ultimate Control Dedicated/VM Servers
I would be seriously annoyed if you were my ISP and did this without telling me. I don't run publicly available services, but I do expect to be able to ssh or http my box from work.
You'd break that if you went to a masq'd service.
I guess it depends on how many sophisticated users you have. You could try scanning ftp, www, and telnet ports on your dialup lines for a few weeks to see what percentage of users might be inconvenienced by this particular issue.
You might be able to offer a slightly more expensive upgraded service to folks who need a real IP. Pitch it as a "server enabled" service. The clued will get it and either upgrade or jump ship... But at least you didn't just cut them off with no warning. The average users will just think it's a new service that they don't need.
Are you actually running out of IPs to dynamically assign?
I don't know anything about gaming so I can't comment on that.
Good Luck,
Loopy
I have no trouble at all with ICQ file transfers using a Linux IPCHAINS firewall and IPMASQADM. It is a bit of a pain in the ass if you have a lot of machines behind the firewall. For ICQ I simply forward all ports above 1500 to each machine that uses ICQ. If done right it should be little trouble; just make sure you put the machines in the order they are most used. As far as IRC goes I think proper tweaking with DCC options and IDENT settings on both the firewall and the IRCing machine might help, as I noticed when I was forwarding port 113 to my IRC machine I had fewer problems than when I don't. Please be careful though, port forwarding can get very tricky and very complex. I only wish someone would write a good HOWTO on it as all the current IPMASQ/IPCHAINS HOWTOs are severely lacking, and no I can't do it myself, or I wouldn't be asking for one. Basically what this says is that if it can't be done in Linux, it can't be done at ALL!
Power to the People, or are the People the Power?
It's a public service .. I imagine they have a very strict time limit, something like 15 or 20 hours a month .. If this were something the people paid for, or something that they could use 24 hours a day, then I'd agree .. But it's free, so you can't complain too much; if they don't like it they should go out and make their own free ISP, or *gasp* pay for internet access.
And if they really wanted to ssh to the box? First ssh to the masq box, then ssh to your machine, which I assume would get assigned an IP like 192.186.xx.xx, like on a regular VPN.
Ummm, receiving files by DCC requires that your system act as a client; when you send out a send request it includes your ip and port, which i would assume the ipmasq irc would alter if it's coming from inside.... and to know where to send the incoming connection from the receiver, i'm assuming from not actually having read the source to that module that it would take it from the source of the irc connection to the server.
If you're gonna tell people they're wrong, at least warn ppl that you might be, unless you're right.....
Need a Catering Connection
IPRoute from David Mischler, www.mischler.com works very well as a NAT router and firewall. Quake, ICQ, and DCC all work. PPTP and other tunneling and security stuff need certain ports to be opened and mapped to the private side of the network for them to work but I find it more secure than the Linux box we used to use. This could be because IPRoute closes all listening ports until you tell it to open them rather than linux (and Mac and NT) which has them all open until you close them. This is not making much sense but I forgot to sleep last night.
To Microsoft, I dare you:
I would like win 98 (or even NT with Proxy Server) to do this: run NAT (IP Masquerading) over a dynamic PPP link, route between two separate ethernet networks, run a WINS server on each network, and run a caching proxy server like squid, all on a 486 66MHz with 16 Megs of RAM, and add to this not ever having to re-boot the machine.
A simple trick (although I have no idea how secure it is) I've found to make DCCs work is to use a program such as redir (look on sunsite) to redirect ports on the linux machine to another IP address. Set aside a port (or block of ports) on each masqueraded machine that's unique to each machine (this is assuming you can do so on your IRC software; mIRC can), and run several copies of redir to redirect those ports to the desired machine. (Running it through inetd would probably be better; I haven't tried to do this yet)
Caveat emptor!
NAT helps if there isn't a "socksified" client or an existing proxy. Otherwise, you are saving yourself a lot of potential IP headache...
"IP Masquerading (NAT under FreeBSD) is straight from the Gods. Yet it has a few very large drawbacks, such as inability to do DCC or ICQ file transfers, or play games over the internet on one of the Masq'ed machines, even with the "irc" and "quake" masquerading modules loaded. Someone give me options to solve this problem, be it another operating system, a firewall setting, a program or setup!"
I only have a few comments to say about this. First of all...I don't know what version of IP Masquerading you are using, but I have been able to do all of these things which you mentioned. I both send and receive DCCs quite often and I have yet to find a feature of ICQ that I have not been able to use. As far as any other aspect of IRC or Quake, I have NEVER had any problems with either. I suggest you read some documentation on the topic before posting ignorant and uninformed comments about such wonderful inventions.
I've got REDHAT 6 with the 2.2.5-15 kernel. I have IP MASQ running on it and everything works fine. Quake 1,2,3 and ICQ all work fine. The problem i get is on the client machines running bulletproof ftp on win 98. The firewall setting for bulletproof is set to passive. I can connect no probs and download too, but as soon as i try to upload it's a no go. I get to about 12k on the file and it doesn't allow any more to be uploaded.
I tried the no firewall option but the same happens. But if i dial in with the client computer to my isp directly the upload works fine. Does anyone have an idea as to what the prob is?
Thanx
In his original question, he states he's using FreeBSD and NAT (the natd daemon). NAT on FreeBSD is similar in concept but not in usage to IP Masq on Linux.
While most answers here would be greatly helpful if he were running Linux or had an old Mac lying around, he may not.
We have clients using both FreeBSD and Linux, and here at my office we use FreeBSD 3.1-RELEASE for our NAT.
With NAT properly configured, ICQ, DCC, IRC, Half-Life TFC, Quake 3, anything else I can think of - all work without any problems.
If you're using 3.1-RELEASE or better, you're 90% of the way there.
Follow these steps (this is FreeBSD not Linux):
1. Set GATEWAY="YES", NATD="YES", FIREWALL="YES", FIREWALL_TYPE="open" in /etc/rc.conf
2. Rebuild the kernel to include IPFIREWALL and IPDIVERT.
Rebuild the kernel and you're all set. Reboot.
-Hivelord
The only prob i have is with FTPs on a diff port than 21. It sits at Listing /bin/ls or something..
They say to put it on pasv mode in the ftp client but cuteftp doesn't work right. Anyone know of a better ftp client that does work right and downloads multi files with pasv mode on?
Simple. You use SSH, which tunnels your X protocol back. No sweat, and it Just Works. If you're running on a Wintel machine, the clients out there (I use SecureCRT) work just fine too.