Ask Slashdot: IP Masquerading Drawbacks?
A Nameless Slashdotter submitted this question:
"IP Masquerading (NAT under FreeBSD) is straight from the Gods. Yet it has a few very large drawbacks, such as inability to do DCC or ICQ file transfers, or play games over the internet on one of the Masq'ed machines, even with the "irc" and "quake" masquerading modules loaded. Someone give me options to solve this problem, be it another operating system, a firewall setting, a program or setup!"
IP Masquerading works for most stuff, however I find for things such as ICQ a socks5 proxy server is your best bet. You can find a socks5 server at http://www.socks.nec.com as well as a program called SocksCap, which lets programs not written to use socks proxy servers connect using them.
I recently started using Win98 SE for IP masquerading on my home network, and it works absolutely perfectly. I don't have a single application that can't easily connect to the internet. Every game I've tried connects to the Internet with no trouble. I use CuteFTP under windows, and I haven't even specified that it should use passive mode, and it still works. It is _much_ faster than crappy old WinGate, but I haven't had a chance to compare it to nat32 (http://www.nat32.com/) which claims that it is faster still...
-Sol
Having just installed a cable modem I ran into all sorts of problems getting IPMASQ working. I ended up having to install RH6 several times because of all the problems and my own monkeying around.
Assuming that you have the basic machine working and it works as a gateway for WWW based applications, the next thing is getting the IP MASQ modules loaded.
All the how-tos and do it yourself pages have not seemed to keep up with the various versions of software as well as the move to IPChains, which is a real pain in the a**.
With RH6 I could not get it to work until I did the following (note: no kernel recompilation):
In /etc/rc.d/rc.local I added (note: eth0 is my local net, eth1 is connected to my cable modem):
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY
ipchains -A forward -i eth1 -j MASQ
insmod ip_masq_ftp
insmod ip_masq_raudio
insmod ip_masq_irc
insmod ip_masq_icq
insmod ip_masq_quake
This took care of all the general use items. I have not had a single problem with FTP, IRC or ICQ yet.
The ip_masq_icq module is not in the standard distribution of RH6, so you need to grab it from the following page:
ip_masq_icq http://members.tripod.com/~djsf/masq-icq/
For games, there are going to be major problems trying to run more than a single client from behind the gateway machine. To get around this I simply signed up 2 accounts with Kali and grabbed the Linux version of their proxy (binary only) from here:
kProxy http://www.kali.net/js/software/kproxy.html
As a side benefit, it is a Socks5 proxy, so anything that supports it can be run through kproxy.
Do *not* try to autostart the kproxy from your module scripts. I created a user just to run kproxy and login and start the proxy manually.
This may or may not work for your system, but it took me a whole weekend to get it running so if it works, maybe you'll have saved a little time.
--
P.S. If anyone can tell me how I could autostart kproxy in another terminal automatically, let me know. My gateway machine does not even have X installed, so no KDE,Gnome solutions please.
NAT/masquerading, from a technical perspective, is extremely evil. It changes some very important assumptions that are made in the Internet protocol suite, and this is why it breaks lots of applications. In the general case, it is impossible for a NAT/masquerade box to not break applications. Of course, NAT/masquerade boxen can be taught about specific applications/protocols and, by supporting all the special cases that will actually be seen in your environment, things work and users are happy... at least as long as they don't do anything new.
Though some people will strongly disagree, I've always preferred firewall-traversal approaches such as SOCKS. Under Linux -- and possibly *BSD -- there are shared library tricks you can pull that will automagically add SOCKS support to most applications. Under Windows, some Winsock DLLs (the Trumpet one, I think) have SOCKS proxy support. What SOCKS does is effectively an RPC to the firewall, so that the application knows what addressing information is being used and can generate the right application-layer communications to talk with the other side without things breaking.
The problem with IPMasquerading is that it's a hack. It's a damn good hack, but none the less, it's still a hack. Many of the things which it doesn't do can be implemented, with more hacks, but what you get in the end is a mess.
As with all hacks, you eventually have to figure out what makes it so good, figure out what it needs, and then rewrite it into a clean piece of code.
What makes IPMasquing good is that it effectively sends and retrieves from the internet at the users request. It does it at a very low level, and in the kernel, so it is very fast.
What IPMasquing needs is the ability to allow users to connect to sockets on computers behind the firewall. This can be done, as you said, by having applications tell the masquing box that they need information forwarded. However when you do this, what you effectively have is a SOCKS server.
So maybe the answer lies in implementing socks-like functionality in the Linux kernel. There are probably reasons why this isn't a good idea, but I think you'll agree that the current technique (writing kernel modules for _EVERY_ program which needs bidirectional firewall traversal) needs to be replaced.
... of why so many people continue to have negative feelings about linux and the linux community. The guy who's asking the question obviously isn't completely ignorant of the topic at hand, otherwise he wouldn't have brought up NAT or LKM's. Even if he were, this is a moderated "ask-the-question" forum that exists for the explicit purpose of people who don't know something to be able to, well, ask the question.
Yet you insult the poster for no discernible purpose, and add nothing to the discussion. It's the damn elitism that turns people off. People aren't going to embrace linux if you're being a dick about it. You don't have to help them, but there's no reason to harass them (and many a reason not to).
Ugh.
I've played a fair bit of games from my Win98 box behind the IP Masq, and for many newer games they work just fine (playing, not hosting).
:) This has some explanations of a method to use UDP packets and work beautifully with different NAT systems.
Those that don't need to get their act together.
Things that I have played just fine recently (read, I at least see their CDs lying around my desk, more work but I can't think of em all right now): Half-Life, Quake 3, Myth 1 and 2, Tribes, F22 Lightning 3 Demo, even 2am.com's group of free games. I did pop in my old SWAT 2 and that one didn't work. Some game companies at least have a tech support FAQ that may tell what ports to redirect or anything to help. I say we start petitioning companies that refuse to make Linux ports to at least make compatible multiplayer gaming...
So he manually types up converted packets as they go out, are you saying that's impossible??
Maybe anyone has an idea how to get this to work properly?
This was on freshmeat a week or two ago. It's supposed to handle icq. Haven't tried it yet so no idea how well it works.
http://members.tripod.com/~djsf/masq-icq/
IF someone has tried it, can you send me a message with how well it works and any advice. Remove the nospam from my e-mail and you've got it.
LBS
Why is it that it's easier to write a huge comment here, but I still can't write the first paragraph of that english st
Windows 98 SE does indeed have IP masquerading built in. I'm not sure if it's the NAT1000 stuff, but I'd assume it is, since it would be fairly pointless for them to write their own parallel version.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Under Windows, you can use the WinGate IP masquerading/SOCKS software. I assume there is similar stuff for Linux and FreeBSD. Once you have that set up, any decently written IRC client will be able to use DCC transfers (for example, mIRC on Windows works flawlessly).
Well, I use Windows 95 myself, so I can't give you any specifics, sorry. I know a few people that have used it though, and they say that you set it up through one of those "wizards" windows is so fond of.
No problems for me either, Linux 2.0.36 on the firewall. Normal "active mode" FTP even works, don't have to do passive mode, as long as ip_masq_ftp.o proxy is modprobe'ed into the kernel.
-E
Send mail here if you want to reach me.
The reason I say that is because Red Hat 6.0 has a bit of Evilness(tm) in the way it handles modules. Even if you manually 'modprobe' all of your ip_masq*.o proxy modules, Red Hat 6.0 will 'rmmod' them five minutes later (unless they happen to be in use at the time).
Solution: Create /etc/rc.d/rc.modules and manually insmod your ip_masq* proxy modules there (don't forget to set the #!/bin/sh comment as the first line and do a chmod a+x on it!), and then in your /etc/crontab find where that @#$%!@ rmmod is taking place and zap it.
Distributions which manually specify modules to be loaded, like Debian or (maybe) Caldera, don't have this problem. It's just distributions which try to get fancy by using the kernel-level module auto-loader that have this problem (and only under the 2.2 kernel, which removed the 2.0 kernel's timeout functionality for the auto-loader).
With the proxy modules loaded, I've never had any problems with reverse connections on FTP, Quake, etc. That's why I'm suspecting either a) you don't have them loaded, or b) Red Hat 6.0 (or Mandrake 6.0) is helpfully unloading them for you!
This may be a simple question, but I haven't seen it addressed in any of the documentation I've read: What about IRC servers that require a valid ident response to connect? Everything works fine on my client machine except this (and incoming ICQ transfers, but I can live w/o that). Does anyone have any tips or pointers to documentation that covers this?
Thanks.
It does work... more or less... most of the outside world DNS queries time out because of the lag.. oh well, works better with the internal DNS queries so I'm not too bothered :)
---
"Hasta la victoria siempre!" El Comandante
Unless you want a really spiffy brand new kernel on your router (doesn't bother me) the Linux Router Project disk is a damn fine way to go.
I have mine set up on an old 486 in a pizzabox case and it works beautifully. All I did was tweak a few IP numbers, tell it to do transparent proxying and I haven't noticed any difference from being dialled up directly, apart from my flatmates sucking all the bandwidth that is :).
That said, I am currently in the process of designing a disk specifically for doing dialup router/firewall duties that will be somewhat more current and easier to configure than the LRP disk. mail me if you are interested.
Silver
I am using a NAT program called SYGATE on my NT Server box (hey, it works!) that connects my LAN to the Internet.
I have played Quake, Quake2, Quake3A Test (1.05 - 1.07) and a whole host of other games on the Internet.
The only problem I have ever had is with FTP clients. I got one that supported passive mode and everything worked fine.
Boobies never hurt anyone. - Sherry Glaser.
I'm no expert, but I am running Starcraft under NT4 in VMware, Linux 2.2.10. Once masquerading was up, it all seemed to work well with no extra setup.
Have you read my journal today?
I have problems using ftp over masquerading. Even with passive mode on, reverse DNS lookups not required, matched C libraries, certain ftp clients still don't work with certain ftp servers. It's a matter of trying every ftp client on your system until one works, then remembering which ftp client works with which server and which client is faster for the job. Right now ftp, ncftp, Wxftp, sftp, Igloo, and netscape are on the system.
DEC Multias also make great little firewalls. There are usually a few for sale at any given time on ebay.
Got a linux ip_masq box running great on cable, and my machine inside of it (among other boxes). I have an irc bot running on the ip_masq box, so other people can access it - DCC works just fine for everyone, except me! I think the bot (eggdrop) sees a DCC chat req coming from the 'external' ip #, and tries to essentially connect to itself. Now I can get into the bot via telnet, so I'm not completely stranded, but it'd be nice to use DCC chat instead. Am I stuck with telnetting, or does anyone know how to fix this?
-----
If Bill Gates had a nickel for every time Windows crashed...
The network is still at a very early stage in development compared to the inside of any modern computer. You'll see even more virtualization. That doesn't mean today's NAT solutions are the future, they're just the beginning and at an early, sometimes very experimental, stage, just like virtual memory wasn't developed overnight. Besides, the virtual network is a lot harder to do than virtual memory: the latter takes place inside one small box, while the virtualization of network resources has consequences for millions of computers simultaneously.
general NAT info:
http://www.csn.tu-chemnitz.de/~mha/linux-ip-nat/diplom/
--
Michael Hasenstein
http://www.csn.tu-chemnitz.de/~mha/
The only thing that doesn't work under IP-masq is *incoming* connections. That is because the remote system connects to, say, port 1234 on the server that sent the original packet. As this is apparently the masquerading host, the masq host does not know where to send the packet on to; there is no way to connect to an arbitrary port number without configuring that port number to ALWAYS be associated with a unique app.
Your only solution is to have your ISP give you a group of IPs, and assign one for each box.
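The post above describes the core of the problem: a masquerading host only knows where to deliver an inbound packet if it has already seen the matching outbound one, and the only way to reach an arbitrary inside port is a static mapping of a public port to one inside host. The following toy model, added here as an illustration (it is not code from the page, nor the Linux ip_masq implementation), shows both cases in a few dozen lines: an outbound connection gets a table entry and its reply is delivered, an unsolicited inbound connection is dropped for lack of an entry, and a static forward of the kind the thread calls "allocate a port for each user" makes that one port reachable. The addresses, port range and packets are constructed for the example.

```python
"""Toy many-to-one NAT (IP masquerading) table.

Added illustration, not code from the page or from the kernel.  Addresses,
ports and packets are constructed; the high port range is an assumption.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"   # constructed: the masq host's external address
FIRST_MASQ_PORT = 61000     # assumption: where the masq host starts allocating ports


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    def __init__(self):
        self._out = {}       # (private ip, private port) -> public port
        self._in = {}        # public port -> (private ip, private port)
        self._next_port = FIRST_MASQ_PORT
        self.forwards = {}   # static forwards: public port -> (private ip, private port)

    def add_forward(self, public_port, private_ip, private_port):
        """Pin a public port to one inside host (what the thread calls port forwarding)."""
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, pkt):
        """Rewrite the source of an inside->outside packet and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = key
        return Packet(PUBLIC_IP, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Map an outside->inside packet back; None means there is nowhere to send it."""
        target = self._in.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])


def demo():
    nat = Masquerader()
    # 1. An inside host opens a connection; the reply finds its table entry.
    out = nat.outbound(Packet("192.168.1.10", 1234, "198.51.100.5", 80))
    reply = nat.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, out.src_port))
    # 2. An unsolicited connection to some inside port has no entry and is dropped.
    unsolicited = nat.inbound(Packet("198.51.100.9", 4000, PUBLIC_IP, 1235))
    # 3. A static forward makes exactly that one port reachable.
    nat.add_forward(4000, "192.168.1.10", 4000)
    forwarded = nat.inbound(Packet("198.51.100.9", 4000, PUBLIC_IP, 4000))
    return out, reply, unsolicited, forwarded


if __name__ == "__main__":
    for label, pkt in zip(("out", "reply", "unsolicited", "forwarded"), demo()):
        print(label, pkt)
```

The third case is also why a static forward is a single-host answer: one public port can map to only one inside address, so two users behind the same masq host cannot both receive on the same port, which is the per-user port allocation the DCC discussion later in the thread describes.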
lag on doing anything, even more than the noticeable lag when using a 486.
:-)
Naw. I use a 386DX33 with 8 megs and a 120 meg HDD doing voicemail, X10 and internet dialling. No worries there. I mean I'm only connected at 56k so the processor is mostly sitting around. I just gotta get a UPS on the beast so I can get some uptime on it.
No one seems to have mentioned something I consider pretty important: X Windows. I don't think that X will EVER run across NAT... I mean, what would you set your DISPLAY variable to?
I have seen a few comments about how evil NAT is. I wholly agree. But it has its benefits.
Being able to have any number of IP's that are needed to complete one's network without having to go through the hassle of paying for an IP space is the one at the top of my list for one... Though:
For ease of use I would recommend FreeBSD, it has a better suite for NAT (no flames yet please... read the rest.) And my statistics for the box actually say that FreeBSD is faster for doing the networking. (non professional... just watching the D/L rates.)
For functionality I would highly recommend Linux, as it has a much better plug in system for the Masq modules.
I have used both. And had much success with both. But the one thing I will HIGHLY recommend for both operating system platforms is socks5. Most applications are somewhat aware of it, and those that are not can be made aware with some library tricks. I use ICQ and AIM on a windows box behind my firewall with little to no problems at all. The only problem that I see is that sometimes incoming messages are a little slow (have yet to figure that one out, but I'm sure it's a configuration error).
The only other thing that may cause problems is if you are using dynamic dialup. Secure web sites sometimes complain about an invalid reverse name lookup.
I have been happily using a NAT based firewall for about 2 years now on both Linux and FreeBSD. I prefer FreeBSD for the networking speed, but that is wholly my personal opinion.
Actually, Vicom internet gateway reinvents the wheel. OpenTransport has the ability to do the equivalent of IPMasq (as far as I remember) and you can use a tool called IPNetRouter to do so. Plus, it's probably cheaper. (not open-source though)
--mere mortal--
The URL for IPNetRouter is http://www.sustworks.com/products/ipnr/ppd1.html
--mere mortal--
My IPmasq/fw for my home lan is an old 386DX25 with 16Megs of ram and an 80Meg HD. It runs a home brew distro of linux and goes months on end without a reboot. It is also headless.
I have to return some videotapes...
Various other people pointed to broken protocols, and protocols which need special help. In general, any protocol which does not restrict itself to a single connection (ie. src ip/port dst ip/port quad) will require special assistance. This includes FTP (both passive and active) in the general case, although for simple masquerading passive ftp does not need help.
For static NAT, where an IP address is always mapped the same way (n:n NAT, eg. 192.168.1.* is mapped straight into 1.2.3.*), only protocols which actually include IP addresses within their data stream will be impaired. Unfortunately, FTP is one of these.
A special note on games: Dan Kegel (of Activision) produced a fairly well-thought-out proposal for UDP gaming through NAT. IP masquerading in Linux 2.2 meets this standard.
Here is the draft
Rusty.
With all the appropriate configurations done on the server and the client workstations (ie, port ranges for ICQ) I have had few, if any problems.
I can send and receive files from ICQ, chat with people, even chat with people on my own lan. There is no loss of functionality for me with IP Masq. Some applications require special modules or commands, but once done, it's never an issue.
I'm running Slackware 3(?), with kernel 2.0.36. The machine is so solid that it doesn't have a monitor or keyboard attached to it, and it's only a 486.
I have not tried to do any online gaming with IP Masq.
I can't get full voice with MS netmeeting to work, though I haven't tried too hard. The whiteboard and everything else works fine though.
I do get strange intermittent problems, issues such as people being invited into a four-way-chat only getting a three way chat... when everyone else sees the four. People disappear who should be visible, lots of peculiar behavior, but nothing show-stopping. I think it is a combination of ICQ running out of incoming TCP connections and a problem with the ICQ servers failing to correctly or timely interpret the status of people with the same IP address or something... most status issues are resolved by changing status back and forth.
I would love to hear people's suggestions about how to fine tune various applications.
Commercial sites will run into licensing issues, too.
http://www.socks.nec.com
FreeBSD users see
I haven't played with battle.net, but I just got my friend's machine (behind my masq box) to work with the MSN gaming zone.
:)
Doing so involved the use of yet another experimental kernel networking feature: fwmark forwarding (look for it in the network options in the kernel).
The first thing to do is to find out the port ranges that the gaming system (battle.net, the zone, whatever) need to access.
The second thing to do (other than being familiar with the firewall & masq tools) is to do a 'man ipmasqadm' and look for the section called mfw.
That should be about it. You might even be able to get multiple boxen to work with at the same time (mfw allows redirection of ports to multiple simultaneous internal machines, if i read the docs correctly).
The third thing, of course, is to get all the command line parameters correct for ipchains and for ipmasqadm.
Anyway, I hope this helps someone. If you have more questions, email me, but this is most of what I know (it only took me ~30 mins to set it all up -- MS actually had good docs for what port ranges were required).
Actually, slight correction. NAT (network address translation) is the common term for this functionality. I don't know why the linux community still refers to it as IPMasq...
But anyhoo, IPNat under OpenBSD lets me run anything behind it. I can DCC, AIM, ICQ, etc. with no problems.
NAT however is an unfortunate (although extremely cool) side effect of what happens when you begin to run out of IP addresses with IPv4.
-Dave
--
Dave Brooks (db@amorphous.org)
http://www.amorphous.org
I've been using a masq'd box as a firewall/gateway for my home LAN for the past six months or so. It does everything perfectly, and I don't load up any modules. I just use ipchains, and everything on the other boxen looks like it were directly connected to the internet; it works perfectly. Every application from ICQ to AIM to telnet to Quake II to email to whatever you want will run like this.
-- K
That's because the DCC module doesn't take into account the non-standard extensions that mIRC uses to do DCC resume. The problem is mIRC's implementation of the protocol (ie, ircII hacked to support DCC resume has the same problem). It breaks one of the 'rules' in rfc1459 (clients should never send an automatic response to a NOTICE) and is much more difficult to support than the original DCC. I tried once, using the spec on mIRC's homepage, but eventually gave up and went back to using ftp to share files.
--TZS. (OSOAL - The choice of a gnu generation)
You can find information there on getting just about any application working with masquerading.
If you use your FTP client in passive mode, you don't need the ip_masq_ftp module.
eg:
ftp site.com
ftp> passive
Passive Mode On
ftp> get blah.tar.gz, etc
The ip_masq_ftp module just allows the active FTP transfers to work. I don't use ip_masq_ftp and am able to ftp up/down from the net w/out problems. I just need to use passive mode. This is what your browser will use as default when it is downloading via FTP.
-Booya "No Try Not. Do or do not, there is no try." -Yoda
Learn to read it people. There is a reason someone spends time writing down that boring crap into awful as formats like nroff.
Almost everything questioned by the original poster is covered in the FreeBSD natd man page. How do I know this? I learned to read. You should try it.
---
Openstep/NeXTSTEP/Solaris/FreeBSD/Linux/ultrix/OS
--- I do not moderate.
It made ICQ DCC chat work for one of my clients
You still can't DCC _IN_ directly to a masq'ed client, unless you do a trick: allocate a port for each user and forward the data from that specific port to the assigned user. I haven't tried this under 2.0.x but did get it working once on 2.2.x: the caller aims their DCC to the appropriate port on the masq server instead of trying to hit the masq'ed user directly.
Got time? Spend some of it coding or testing
This worked great for me, except that I never *could* get ICQ working with the Socks5 from nec.com. I *thought* I'd read somewhere on their site that the free version didn't support UDP forwarding or something. But you're saying that you got ICQ to work? Do anything special? Or just an out-of-the-tarball compile and install?
But, you cannot compile the Masquerading modules into the kernel. They're always built as modules, just like the PPP compressors.
BTW - Anyone know why the ip_masq_icq module hasn't become a regular part of the kernel? And when are we going to get some of the neat Masq'ing features that the 2.0.37ac?? patches have?
You need to use the RTSP/RTP proxy (run it on the same box as you're masking from). Works perfectly for me. Builds on a few different platforms.
http://www.apple.com/quicktime/developers/rtspproxy.html
Dox & source included. Enjoy,
W
-------------------
This is my SIG. There are many like it, but this one is mine.
It does work, but it doesn't understand ICQ's newer protocols.
Thus, it won't work for icq98 or icq99, but it will work with older versions of icq.
The problem is I'm not about to tell my users they should retrograde their icq. So i installed Socks instead.
This is just like television, only you can see much further.
in response to the question at hand...
solution: use ipfwadm or ipchains
set up correctly with a newer kernel, this will work for everything.
------------------------------------
Reveal your Source, Unleash the Power. (tm)
SOCKS works in user mode; I don't see any advantage to that. If you want bidirectional firewall traversal, you could implement similar functionality in the kernel. You need to either notify the firewall machine that a socket on the client is accepting connections and that needs to be forwarded to the firewall machine, or when there is a request coming in, the firewall machine has to try until it finds a machine willing to service it.
Most people don't need, and in fact, don't want that functionality. But people who do already get it: it's part of clustering.
Let that be a lesson to you. Always preview before you submit.
-DrPsycho - Coping with reality since 1975
http://ipmasq.cjb.net is the URL for the Linux IP Masquerade Resource page. Once there, consult the IP Masquerade mini-HOWTO (v1.76-Jul18.99), patches for older kernels, the mailing list, the IP masquerade application collection (if you want to configure that one pesky piece of Internet software just right.), the TrinityOS step-by-step documentation for IPMASQ and network security, and even goodies for people on dynamic (gasp!) IP connections.
It's an excellent site, which was truly an invaluable resource when I was trying to put the jumper cables to my own IP MASQ'ing gateway box. Even my Amiga has no problem getting through to the outside world via. the Linux box.
Good luck. It can be a little tricky in spots, but the end result is worth it.
-DrPsycho - Coping with reality since 1975
I rather think that the original question was regarding IP Masquerading via Linux, and possibly *BSD. It may well be possible via Win98. I won't dispute that, as I don't know. But let's try to stay on topic here.
My question is: why must FTP be in passive mode when it is run from a host on a masqueraded net (the gateway itself excepted, of course)?
Pope Felix the Scurrilous.
Computer Geek by day, religious Icon by night.
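The two FTP posts above (the one showing that passive mode works without ip_masq_ftp, and the question of why FTP must be passive from behind a masq host) come down to one detail: in active mode the client sends its own IP address and listening port inside the control channel as a PORT command, and a masquerading host that only rewrites packet headers leaves that private address untouched, so the server tries to connect to an unreachable 192.168.x.x address. PASV carries no client address, which is why it needs no helper. The following added example, which is not code from the page or from the kernel's ip_masq_ftp module, shows what such a helper has to do: parse the PORT command, substitute the public address and a freshly allocated port, and record which inside host the resulting data connection belongs to. Addresses and the port range are constructed for the example.

```python
"""What an FTP masquerading helper must do for active mode.

Added illustration, not the page's or the kernel's code.  Addresses and the
allocated port range are constructed assumptions.
"""
import re

# PORT h1,h2,h3,h4,p1,p2  ->  client listens on h1.h2.h3.h4 : p1*256+p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port(cmd):
    """Decode a PORT command into (ip, port); None if it is not a well-formed PORT."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None
    return ".".join(str(x) for x in fields[:4]), fields[4] * 256 + fields[5]


def format_port(ip, port):
    """Encode (ip, port) back into the comma-separated PORT form with CRLF."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class FtpAlg:
    """Rewrites the private address in an outbound PORT command and records the
    data connection the masq host must map back to the inside client."""

    def __init__(self, public_ip, first_port=61100):   # constructed values
        self.public_ip = public_ip
        self.next_port = first_port
        self.expected = {}   # public port -> (private ip, private port)

    def rewrite(self, cmd):
        parsed = parse_port(cmd)
        if parsed is None:
            return cmd           # PASV, USER, garbage, ...: pass through unchanged
        private_ip, private_port = parsed
        public_port = self.next_port
        self.next_port += 1
        self.expected[public_port] = (private_ip, private_port)
        return format_port(self.public_ip, public_port)


def demo():
    alg = FtpAlg("203.0.113.7")
    cmd = "PORT 192,168,1,10,4,210\r\n"   # inside client listening on 192.168.1.10:1234
    # Without a helper the server would try to connect to this private address.
    raw_target = parse_port(cmd)
    rewritten = alg.rewrite(cmd)
    return raw_target, rewritten, alg.expected


if __name__ == "__main__":
    raw_target, rewritten, expected = demo()
    print("server would see without helper:", raw_target)
    print("rewritten command:", rewritten.strip())
    print("expected data connections:", expected)
```

The same pattern (find the address inside the payload, rewrite it, pre-register the expected inbound connection) is what the IRC, ICQ and Quake modules mentioned throughout the thread do for their own protocols, which is why each protocol that embeds addresses needs its own module.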
I used NAT and the only problem I had was that if a user was telnetted to a site outside the firewall and left it inactive for a while, the firewall would think that the connection was dead and close the tunnel. I tried playing with the timeouts, but it seems to work on a global level and it just bogged down the poor machine.
Is there a way to make NAT not drop just telnet tunnels or something? Email me if you like, I'd like to know.
why bother w/ a 486? I used to have a 386 sx16 or something slow like that w/8megs of ram and a 100meg hdd doing the job. Greatest part, I didn't pay for any of it. I had the nic lying around and I got the 386 from a friend who bought a new computer.
-matt
How do you get Windows98 SE to perform NAT functionality? That would be very useful for me since I'm the firewall machine, but I dual-boot into Windows98 sometimes to play games, and when I do, my brother gets mad. :)
Thanks.
What good is a gateway machine that you have to reboot every six hours, eh?
I know of commercial solutions for Solaris (FW1E for example) that are EXCELLENT.
Novell has one too that allows quake and stuff too. I haven't played with that one much.
- Hugh Buchanan
- Userfriendly.com
RSP and RTSP, or Real Time Streaming Protocol, require special support from the proxy server and fail under most NAT implementations.
RealAudio/Video uses HTTP which is widely supported but far less efficient. Funny thing is that I am using NAT on my Cisco router and RTSP fails, even though Cisco supports RTSP for CiscoTV. So much for Cisco supporting standards.
I'm about to spark up my Novell Border Manager to see if it supports RTSP and if Novell's NAT works.
Thought for the day, don't you really dislike the space and bandwidth wasted by most signatures?
OK, I fully agree with the fact that masq'n at an ISP is just evil. Some of you might be surprised to learn that ISPs using NAT goes beyond three-man operations.
I've got DSL and Internet through USWest (which is huge, and getting even huger merging with Qwest), who used to opt for a straight bridging scheme through a Cisco 675 "DSL Modem." No problem. I set it up with a Linux box that I masq'd and put lots of Microsoft boxen behind. Just a couple days ago, though, USWest decides to get freaky and set it up so the Cisco gets a dynamic IP, and then itself acts as a DHCP server for any machines behind it (non-routable private use IPs, 10.0.0.0) and it uses NAT! SUCK! So now, I've got packets traversing two layers of NAT/masq grimoire. Almost nothing works.
The moral of the story is, even if you're only going to connect one computer (by the way, USWest does NOT support Unix at all) don't sign up with USWest as an ISP. No lovin' at all. [Well, I guess the actual DSL service is pretty good. Only one outage in over 8 months.]
OK, I be shut up.
/ c l o c k w o r k /
IPNetRouter 1.4 for the Mac also works very well. 1.3.3 wasn't able to handle the RTP/RTSP protocol required for quicktime streaming (had to map out the port manually) but they fixed that one right away. ICQ, Real, etc all work great. Wow, I can't believe I almost bought a hardware router for my office. Instead we just took one of our old Macs out of mothballs.
Just out of curiosity, has anyone tried out WinGate 3.0 for windows?
all i can say is- "read it." irc has always worked using the irc module, not to mention quake, etc. just about any game company under the sun will tell you the tcp/udp port settings if you ask... and icq... well, icq is hell-sent anyways... use ftp, http, nfs, ssh or *anything* else for file transfers....
Welp, I hate to say it but the only solution I know of is on Win9x. I'm sure there are others and I can't wait to hear about them. As for the Win9x solution: Nevod Inc used to make a product called Nat1000 which was amazing! You could do everything from the client machines -- run quake servers, dcc serve, run hotline clients -- everything. Unfortunately, these guys were bought out by those folks from Redmond, and supposedly their tech was to be incorporated into Win98 SE. I've long since lost the original need for ipMasq/NAT but would be interested nonetheless in knowing whether it *works* in Win98 SE or how to get it up and running on FreeBSD/Linux.
-- jar
I'm not familiar with ICQ, so I can't help with that. But for DCC over IRC, to load the kernel module, instead of doing:
/sbin/modprobe ip_masq_irc
do:
/sbin/modprobe ip_masq_irc ports=6667,7000
and add whatever ports you use for IRC in the ports. I had this same problem about a week ago and a friend was kind enough to let me in on the secret. :) Look for some sort of ip_masq_icq, which would probably let you do the ICQ thing too.
Damn Enter key anyways!
I have no problems with any icq function, you just have to make sure that you tell it you are behind a firewall, and that you don't use a socks 4/5 server... as for quake, it works just fine, make sure the quake module is loaded on your linux box...
Masq servers can't accept incoming connections to you, so you'll have to initiate them if you want to do something...
El Guapo
The draft for this is located at: http://www.ietf.org/internet-drafts/draft-ietf-nat-rsip-protocol-01.txt. Pretty interesting read as it looks like it has loads of potential. I can't wait to try out an implementation of this!
Bryan R.
The price of freedom is eternal vigilance, or $12.50 as seen on eBay.....
I'm surprised this hasn't been mentioned already, but David Ranch's IP-masq'ing mini-HOWTO really helped me...I play StarCraft, Quake2, Quake 3 Arena, use AOL IM, ICQ (file transfers can be made to work), and more. Probably the main thing that will help you is IP portforwarding... In any case, check out the HOWTO... IP masq mini-HOWTO
I have three masqing machines, two at work and one on cable at home ;). Yes you don't have a valid Internet IP on the internal network, but this is a GOOD thing - I would rather be secure than have the ability to run a web server on my box, that is what a SERVER is for. ;) The point is you have to KNOW what you are doing read absolutely everything you can find and then read it again. IP masq is very kewl. You just have to know how it works, and how to configure it properly.
Most of your faults can be worked around, such as ICQ file transfers, e.g. port forwarding. Games work fine, I play Quake 2 and 3 all the time through my firewall
-ShieldWolf
just = (My)Opinion.toCents();
blow away the vdolive module, which uses port 7000, and use:
modprobe ip_masq_irc ports=6666,6667,6668,6669,7000
Works fine for me on Linux 2.2.5 and 2.2.10. Not sure about BSD though.
"Unix is a proprietary operating system intended to compete against Microsoft Windows" --Patrick Reilly
I've had masquerading set up on more networks than I can count, and I've never had a problem with any ICQ options (after updating the module), games (Quake2, Quake3, Tribes, Civilization: Call To Power), or most other things. Even passive mode FTP can work well with a little setup time.
I have an old Mac running Vicom (www.vicomtech.com, I think) Internet Gateway. It is way easier to set up than masq and gives new life to that old 7200 you have lying around ;)
Play Well
I've been using masquerading on a Linux machine (and a short time with FreeBSD, but it has some odd quirks I don't like) and had just resigned myself to not using DCC send because it never worked using epic. Until a friend pointed out that chat worked both ways, so why shouldn't file transfers. So, working with another friend, we tracked down why. Apparently, if you include extra stuff at the end of the DCC send request, the module ignores it. To fix, we simply commented a few lines in /usr/src/linux/net/ipv4/ip_masq_irc.c. This is all based on Linux 2.0.36.
Line 172, comment out:
if (xtra_args != 0) continue;
Lines 178-182, comment out:
if (data[0] != 0x01)
continue;
if (data[1]!='\r' && data[1]!='\n')
continue;
Then make clean;make modules;make modules_install, quit irc, wait 60 seconds for the connections to timeout, rmmod ip_masq_irc;modprobe ip_masq_irc and you're set. This is a kludge, but it works.
When I was able to do my own spam-armoring, you got a chance to email me. Now you can only hope I see your reply.
I've been using ipchains for a month now, and I've been playing HalfLife, using ICQ, and just about anything you can think of with it ... yeah, mini-HOWTO is absolutely invaluable for doing it.
(Why? Well, no reason not to, another excuse to leave it running constantly, and best machine around to do it. (Have no running 4 or 386s, anyway.))
Heh, why not?
Moo.
Simple. Make the game writers follow, or create, a standard. They keep creating proprietary data formats which only their software understands. Then customers find that firewalls and competitors (ie, the current AOL and MS squabble) are not compatible.
As programmers we can improve competitors' products who are following standards. As customers we can avoid proprietary products, just as we did with MicroChannel. As reviewers we can mention if products use proprietary methods or standards.
The AOL and MS messaging customers and tech support are getting lessons in that right now.
Maybe on a 386, but on my 486 it's fine. I'm connected to a cable modem and the 10BT NICs run at full speed, the CPU barely ever breaks over 10%, even when holding up a Quake3 game with 8 players (no, the game doesn't run on the 486, I'm just talking about the network traffic).
What about CU-SeeMe? We've had nothing but problems with this here.
If anyone has a good solution to how multiple users behind the Masq box can view separate feeds I'd appreciate it.
load "linux",8,1
I have an old FreeBSD box running 2.2.7 (haven't gotten around to upgrading to 3.2 yet) and have had only a few problems ;P ;P ... it'd be insane if I didn't have it, since my cable provider charges $10 per extra IP.
Most of those, however, I was able to get around without too much difficulty, too.
1. Quake*.* - No problems here whatsoever, and have never needed to tweak any settings or configs to make it work. It just does. As for servers, Q3Test, and if I'm not mistaken, Quake2, will let you specify the port to use. All you do is use NAT's port forwarding ability to redirect all connections to a given port.
Certain games (namely Baldur's Gate) use DirectPlay, which can use an entire range of ports. BG used a random port between 2300 and 2399. So what did I do? Port forward 100 ports.
A minor inconvenience, but you should be able to figure out what ports need to be redirected without a lot of hassle.
2. It is not possible to make an FTP connection between an ipmasq'd/nat'd box when you yourself are nat'd/ipmasq'd. What I do in this situation is rely on a wonderful proggie called Sharity Light (available in the FreeBSD ports collection). Just telnet to the box that's doing the NAT'ing, and use Sharity Light to mount a shared directory on any machine on your network (including FAT32 drives. woohoo!). Then just FTP to the site that has the files you require and watch as it automagically downloads to your hard drive. You could even turn on a screen session if you need to close the telnet proggie for whatever reason. Very convenient.
3. DCCs, etc. Occasionally I have DCC problems, but I think, again, this is only for 2 boxen that are both nat'd. If necessary, you could install an FTP daemon on the machine that is behind the NAT, and port forward a port (say 1234) to port 21 (or any port, if the daemon supports changing the port) on the box you need to send/receive files on.
Hope that helps =) I absolutely agree that NAT rocks a whole lot
Yeah but that also means no free mail service, ftp, your own DNS, etc. Which is lame...
Now, I know that this post might engender some "warm replies" about the touting of non-open source solutions but I am pragmatic about this. I prefer open source solutions but am not against a proprietary/commercial solution to get the job done. If it's a good product it's a good product.
--
If I actually could spell I'd have spelled it right in the first place.
ICQ Chat mode works fine for me.
Unfortunately, I've found that the best way of dealing with masquerading service problems is on a case by case basis. For example, QuickTime streaming doesn't work behind a masquerading firewall, so you install a proxy. Apple has an RTSP proxy freely available at http://apple.com/quicktime/developers/rtspproxy.html.
I'm not aware of any general solutions. But there might be a completely different technology that allows for the same connection-sharing features as ip_masq...
There have been some comments about SOCKS being a better solution for ip masquerading. Could someone explain the benefits of SOCKS vs. the standard ip_masq modules for Linux?
Current NAT related drafts:
http://www.ietf.org/ids.by.wg/nat.html
I had a small network that was IP masqing, and we were putting it through its paces. It was really quite good. ICQ had a few problems, and a few games had some problems. Quake was our primary testing game. One client behind the ip-masq machine worked fine, a second tried to sign on, and the server would kick the first. In cases like this, it seems apparent that many applications assume only one copy can be run on a machine. We decided to switch to freeciv, which had no qualms about multiple clients on a single IP :) I think it would be nice if most applications/protocols that are designed take into account the possibility of IP-masquerading.. In most cases, avoiding a few simple assumptions and making sure to verify a client is truly offline before kicking it would help... In many protocols, I really don't understand the point in encoding things like source and destination IPs redundantly into certain packets.. If anything I said is way off base, you are welcome to correct me politely, just don't start flaming because I was an apparent idiot :)
XML is like violence. If it doesn't solve the problem, use more.
I started with a proxy and used it until my wife complained that she couldn't play certain internet games, and I could not figure out how to fix it (and really was annoyed at having to try). After that I tried a number of Windows programs that do NAT and found a couple that worked well (WinRoute, SyGate). I heard somewhere (and it may be wrong) that NAT1000 was bought by M$.
As of now I use a little blue box from Hawking Technology that works well for me (it supports 2 modems, ISDN, or leased lines). When I can get cable or ADSL I will go back to a PC again. Anyways this box (IR8228 I think) has worked well, although it doesn't like to disconnect for inactivity and I don't mind that. My friend just got another model (IR560) and after flash upgrading the firmware it seems to be working fine (wouldn't work with the game Everquest before flashing). The only reason I mention these devices is that you can get them pretty cheap at ONSALE's "at cost" section. A caution though, I have sent a couple of emails to their Tech Support, and have never gotten a reply (I was trying to figure out the disconnect issue).
In any case, hope this is at least interesting.
Later.
Had the same prob using my masq't machines to ftp to and from the net. So, I telnet to my Linux machine, and:
/sbin/modprobe --list | grep ftp
which returns:
/lib/modules/2.2.5-15/ipv4/ip_masq_ftp.o
Then I (as root):
/sbin/modprobe ip_masq_ftp.o
This adds the ability to do ftp from a masq't machine, or does for me. There are other protocols, such as for RealAudio. Grepping on "masq" will find 'em.
Ie:
/sbin/modprobe -l | grep masq
I'm not sure that the loaded module persists if it isn't called for a while. There are parameters governing this sort of thing. You can also add the line to your
/etc/rc.local (or whatever).
Looking forward to seeing other solutions! (Far as I can tell, I'm first post.)
Anyway, gives you a place to manpage if nothing else....
-K
You can look at IPNetRouter (may be Mac only). It allows you to designate a machine that accepts incoming packets that it can't use NAT to route.
How, exactly, do you intend to make the game writers do anything? That sounds right up there with "making" the game writers switch to GPLing all their games instead of MSLing as they do now.
-- The act of censorship is always worse than whatever is being censored. Always.
lag on doing anything, even more than the noticeable lag when using a 486.
"Just because you can, doesn't mean it's the best solution"
-- The act of censorship is always worse than whatever is being censored. Always.
I've had great luck with IP Masq so far, It seems that the only thing I can't get to work is UDP packets. Does anyone have this working? And if so how?
Thanks,
Brian
It's easy.. enable firewall support.. that's all..
:. Ultimate Control Dedicated/VM Servers
I've got RH 6 set up with the same successes: Quake, IRC work fine. ICQ works except for receiving file transfers. I tried to get Warlords 3: Darklords Rising and Total Annihilation playing this weekend to no avail. What the heck does it take to get these other programs working properly?
I would be seriously annoyed if you were my ISP and did this without telling me. I don't run publicly available services, but I do expect to be able to ssh or http my box from work.
You'd break that if you went to a masq'd service.
I guess it depends on how many sophisticated users you have. You could try scanning ftp, www, and telnet ports on your dialup lines for a few weeks to see what percentage of users might be inconvenienced by this particular issue.
You might be able to offer a slightly more expensive upgraded service to folks who need a real IP. Pitch it as a "server enabled" service. The clued will get it and either upgrade or jump ship... But at least you didn't just cut them off with no warning. The average users will just think it's a new service that they don't need.
Are you actually running out of IPs to dynamically assign?
I don't know anything about gaming so I can't comment on that.
Good Luck,
Loopy
I have no trouble at all with ICQ file transfers using a Linux IPCHAINS firewall and IPMASQADM. It is a bit of a pain in the ass if you have a lot of machines behind the firewall. For ICQ I simply forward all ports above 1500 to each machine that uses ICQ. If done right it should be little trouble, just make sure you put the machines in, in the order they are most used. As far as IRC goes I think proper tweaking with DCC options and IDENT settings on both the firewall and the IRCing machine might help, as I noticed when I was forwarding port 113 to my IRC machine I had fewer problems than when I don't. Please be careful though, port forwarding can get very tricky and very complex. I only wish someone would write a good HOWTO on it as all the current IPMASQ/IPCHAINS HOWTOs are severely lacking, and no I can't do it myself, or I wouldn't be asking for one. Basically what this says is that if it can't be done in Linux, it can't be done at ALL!
Power to the People, or are the People the Power?
It's a public service .. I imagine they have a very strict time limit, something like 15 or 20 hours a month .. If this were something the people paid for, or something that they could use 24 hours a day, then I'd agree .. But it's free, so you can't complain too much, if they don't like it they should go out and make their own free ISP, or *gasp* pay for internet access.
And if they really wanted to ssh to the box? First ssh to the masq box, then ssh to your machine, which I assume would get assigned an IP like 192.186.xx.xx, like on a regular VPN.
Ummm, receiving files by DCC requires that your system act as a client, when you send out a send request it includes your IP and port, which I would assume the ipmasq irc would alter if it's coming from inside.... and to know where to send the incoming connection from the receiver, I'm assuming from not actually having read the source to that module that it would take it from the source of the IRC connection to the server.
If you're gonna tell people they're wrong, at least warn ppl that you might be, unless you're right.....
Need a Catering Connection
IPRoute from David Mischler, www.mischler.com works very well as a NAT router and firewall. Quake, ICQ, and DCC all work. PPTP and other tunneling and security stuff need certain ports to be opened and mapped to the private side of the network for them to work but I find it more secure than the Linux box we used to use. This could be because IPRoute closes all listening ports until you tell it to open them rather than linux (and Mac and NT) which has them all open until you close them. This is not making much sense but I forgot to sleep last night.
To Microsoft, I dare you:
I would like Win 98 (or even NT with Proxy Server) to do this: run NAT (IP Masquerading) over a dynamic PPP link, route between two separate ethernet networks, run a WINS server on each network, and run a caching proxy server like squid, all on a 486 66MHz with 16 Megs of RAM, and add to this not ever having to re-boot the machine.
A simple trick (although I have no idea how secure it is) I've found to make DCCs work is to use a program such as redir (look on sunsite) to redirect ports on the linux machine to another IP address. Set aside a port (or block of ports) on each masqueraded machine that's unique to each machine (this is assuming you can do so on your IRC software; mIRC can), and run several copies of redir to redirect those ports to the desired machine. (Running it through inetd would probably be better; I haven't tried to do this yet)
Caveat emptor!
NAT helps if there isn't a "socksified" client or an existing proxy. Otherwise, you are saving yourself a lot of potential IP headache...
I've got Red Hat 6 with the 2.2.5-15 kernel. I have IP MASQ running on it and everything works fine. Quake 1, 2, 3 and ICQ all work fine. The problem I get is on the client machines running BulletProof FTP on Win 98. The firewall setting for BulletProof is set to passive. I can connect no probs and download too, but as soon as I try to upload it's a no go. I get to about 12k on the file and it doesn't allow any more to be uploaded.
I tried the no firewall option but the same happens. But if i dial in with the client computer to my isp directly the upload works fine. Does anyone have an idea as to what the prob is.
Thanx
In his original question, he states he's using FreeBSD and NAT (the natd daemon). NAT on FreeBSD is similar in concept but not in usage to IP Masq on Linux.
While most answers here would be greatly helpful if he were running Linux or had an old Mac lying around, he may not.
We have clients using both FreeBSD and Linux, and here at my office we use FreeBSD 3.1-RELEASE for our NAT.
With NAT properly configured, ICQ, DCC, IRC, Half-Life TFC, Quake 3, anything else I can think of - all work without any problems.
Follow these steps (this is FreeBSD not Linux):
If you're using 3.1-RELEASE or better, you're 90% of the way there.
1. Set GATEWAY="YES", NATD="YES", FIREWALL="YES", FIREWALL_TYPE="open" in /etc/rc.conf
2. Rebuild the kernel to include IPFIREWALL and IPDIVERT.
Rebuild the kernel and you're all set. Reboot.
-Hivelord
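To make Hivelord's steps concrete, and to cover the port-range problem the Baldur's Gate/DirectPlay poster hit earlier in the thread, here is an added configuration example for a FreeBSD natd gateway. It is not Hivelord's or any poster's actual config: the interface name ed0, the inside addresses 192.168.1.x, and the chosen public ports are assumptions, and the rc.conf variable names are the lower-case `*_enable` form natd(8) and rc.conf(5) document rather than the upper-case names in the post. natd's `redirect_port` is the natd counterpart of the Linux `ipmasqadm portfw` rules mentioned elsewhere in the thread; check natd(8) on your release to confirm it accepts port ranges before relying on the range lines.

```conf
# /etc/rc.conf additions (assumed interface and addresses; added example, not a poster's config)
gateway_enable="YES"              # forward packets between the two interfaces
firewall_enable="YES"
firewall_type="open"              # rc.firewall adds the "divert natd" rule; "open" otherwise passes everything
natd_enable="YES"
natd_interface="ed0"              # the interface facing the cable modem
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf
same_ports yes                    # keep the client's source port when it is free, helps games
use_sockets yes                   # let natd own ports it hands out so they cannot collide
unregistered_only yes             # only translate RFC 1918 sources, never the box's own public traffic
# Quake 3 server on an inside box: pass the public port straight through
redirect_port udp 192.168.1.10:27960 27960
# DirectPlay (Baldur's Gate picks a port in 2300-2399): forward the whole range, TCP and UDP
redirect_port tcp 192.168.1.11:2300-2399 2300-2399
redirect_port udp 192.168.1.11:2300-2399 2300-2399
# ssh from work to one inside machine, on a non-standard public port
redirect_port tcp 192.168.1.10:22 2222
```

Each `redirect_port` line is an inbound hole: with `firewall_type="open"` nothing else filters those ports, so every service behind a redirect is reachable from the whole internet, not just from the game or the peer you had in mind. If the box needs to be stricter than "open", the divert rule and a default-deny ipfw policy have to be written by hand, and the redirected ports have to be allowed explicitly.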
The only prob I have is with FTPs on a different port than 21. It sits at "Listing /bin/ls" or something..
They say to put it in PASV mode in the FTP client but CuteFTP doesn't work right. Anyone know of a better FTP client that does work right and downloads multiple files with PASV mode on?
I too was using Linux & IP Masq when I switched to USWest DSL. However, I read all the documentation, play no games, and don't use ICQ, so I simply activated the NAT in the Cisco and REMOVED my Linux IP Masqing box. It has worked perfectly ever since!
So, I have found USWest's NAT support very useful.
However, I wish they offered an option to "rent" a single fixed IP for say $5 instead of 5 for $15.
Simple. You use SSH, which tunnels your X protocol back. No sweat, and it Just Works. If you're running on a Wintel machine, the clients out there (I use SecureCRT) work just fine too.