Ask Slashdot: IP Masquerading Drawbacks?
A Nameless Slashdotter submitted this question:
"IP Masquerading (NAT under FreeBSD) is straight from the Gods. Yet it has a few very large drawbacks, such as inability to do DCC or ICQ file transfers, or play games over the internet on one of the Masq'ed machines, even with the "irc" and "quake" masquerading modules loaded. Someone give me options to solve this problem, be it another operating system, a firewall setting, a program or setup!"
NAT/masquerading, from a technical perspective, is extremely evil. It changes some very important assumptions that are made in the Internet protocol suite, and this is why it breaks lots of applications. In the general case, it is impossible for a NAT/masquerade box to not break applications. Of course, NAT/masquerade boxen can be taught about specific applications/protocols and, by supporting all the special cases that will actually be seen in your environment, things work and users are happy... at least as long as they don't do anything new.
Though some people will strongly disagree, I've always preferred firewall-traversal approaches such as SOCKS. Under Linux -- and possibly *BSD -- there are shared library tricks you can pull that will automagically add SOCKS support to most applications. Under Windows, some Winsock DLLs (the Trumpet one, I think) have SOCKS proxy support. What SOCKS does is effectively an RPC to the firewall, so that the application knows what addressing information is being used and can generate the right application-layer communications to talk with the other side without things breaking.
The problem with IPMasquerading is that it's a hack. It's a damn good hack, but nonetheless, it's still a hack. Many of the things which it doesn't do can be implemented, with more hacks, but what you get in the end is a mess.
As with all hacks, you eventually have to figure out what makes it so good, figure out what it needs, and then rewrite it into a clean piece of code.
What makes IPMasquing good is that it effectively sends and retrieves from the internet at the user's request. It does it at a very low level, and in the kernel, so it is very fast.
What IPMasquing needs is the ability to allow users to connect to sockets on computers behind the firewall. This can be done, as you said, by having applications tell the masquing box that they need information forwarded. However when you do this, what you effectively have is a SOCKS server.
So maybe the answer lies in implementing socks-like functionality in the Linux kernel. There are probably reasons why this isn't a good idea, but I think you'll agree that the current technique (writing kernel modules for _EVERY_ program which needs bidirectional firewall traversal) needs to be replaced.
... of why so many people continue to have negative feelings about linux and the linux community. The guy who's asking the question obviously isn't completely ignorant of the topic at hand, otherwise he wouldn't have brought up NAT or LKM's. Even if he were, this is a moderated "ask-the-question" forum that exists for the explicit purpose of people who don't know something to be able to, well, ask the question.
Yet you insult the poster for no discernible purpose, and add nothing to the discussion. It's the damn elitism that turns people off. People aren't going to embrace linux if you're being a dick about it. You don't have to help them, but there's no reason to harass them (and many a reason not to).
Ugh.
Windows 98 SE does indeed have IP masquerading built in. I'm not sure if it's the NAT1000 stuff, but I'd assume it is, since it would be fairly pointless for them to write their own parallel version.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Under Windows, you can use the WinGate IP masquerading/SOCKS software. I assume there is similar stuff for Linux and FreeBSD. Once you have that set up, any decently written IRC client will be able to use DCC transfers (for example, mIRC on Windows works flawlessly).
Well, I use Windows 95 myself, so I can't give you any specifics, sorry. I know a few people that have used it though, and they say that you set it up through one of those "wizards" windows is so fond of.
No problems for me either, Linux 2.0.36 on the firewall. Normal "active mode" FTP even works, don't have to do passive mode, as long as ip_masq_ftp.o proxy is modprobe'ed into the kernel.
-E
Send mail here if you want to reach me.
The reason I say that is because Red Hat 6.0 has a bit of Evilness(tm) in the way it handles modules. Even if you manually 'modprobe' all of your ip_masq*.o proxy modules, Red Hat 6.0 will 'rmmod' them five minutes later (unless they happen to be in use at the time).
Solution: Create /etc/rc.d/rc.modules and manually insmod your ip_masq* proxy modules there (don't forget to set the #!/bin/sh comment as the first line and do a chmod a+x on it!), and then in your /etc/crontab find where that @#$%!@ rmmod is taking place and zap it.
Distributions which manually specify modules to be loaded, like Debian or (maybe) Caldera, don't have this problem. It's just distributions which try to get fancy by using the kernel-level module auto-loader that have this problem (and only under the 2.2 kernel, which removed the 2.0 kernel's timeout functionality for the auto-loader).
With the proxy modules loaded, I've never had any problems with reverse connections on FTP, Quake, etc. That's why I'm suspecting either a) you don't have them loaded, or b) Red Hat 6.0 (or Mandrake 6.0) is helpfully unloading them for you!
The only thing that doesn't work under IP-masq is *incoming* connections. That is because the remote system connects to, say, port 1234 on the server that sent the original packet. As this is apparently the masquerading host, the masq host does not know where to send the packet on to; there is no way to connect an arbitrary port number without configuring that port number to ALWAYS be associated with a unique app.
Your only solution is to have your ISP give you a group of IPs, and assign one for each box.
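The behaviour described in the post above, as an added example that is not part of the thread: a toy model of a masquerading table showing that replies to outbound flows are translated back, an unsolicited inbound connection (a DCC peer connecting to a listening port) is dropped because no state exists for it, and a static port forward (the port 6001 to 6000 X trick mentioned elsewhere in the thread) rescues exactly one port. All addresses and ports are constructed sample values.

```python
# Added example (not from the thread): minimal model of an IP masquerade table.
# Addresses, ports and the 61000 starting port are constructed sample values.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"  # constructed: the masq host's external address


@dataclass
class Masquerader:
    public_ip: str
    next_port: int = 61000
    # public_port -> (internal_ip, internal_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    # static forwards: public_port -> (internal_ip, internal_port)
    forwards: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host opens a connection: allocate a public port, record it."""
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arrives from outside addressed to public_ip:dst_port."""
        entry = self.table.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):
            # reply to an existing outbound flow: rewrite back to internal host
            return ("translated", entry[0], entry[1])
        if dst_port in self.forwards:
            # statically forwarded port: deliver to the configured host
            return ("forwarded", *self.forwards[dst_port])
        # no state and no forward: the masq host cannot know who wanted it
        return ("dropped", None, None)


def demo():
    nat = Masquerader(PUBLIC_IP)
    # an IRC client behind the firewall connects out to an IRC server
    nat.outbound("192.168.1.10", 1234, "198.51.100.5", 6667)
    results = {
        # the server's reply comes back to the allocated public port
        "reply": nat.inbound("198.51.100.5", 6667, 61000),
        # a DCC peer tries to connect in to the client's listening port 5000
        "dcc": nat.inbound("198.51.100.7", 40000, 5000),
    }
    # admin forwards public 6001 to the X server on 192.168.1.10:6000
    nat.forwards[6001] = ("192.168.1.10", 6000)
    results["x11"] = nat.inbound("198.51.100.7", 40001, 6001)
    return results
```

The "dropped" case is the whole of the DCC/ICQ problem: without per-protocol helper modules that learn the port from the application data, or a forward that ties the port to one host forever, the masq host has nothing to map the packet onto.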
I have seen a few comments about how evil NAT is. I wholly agree. But it has its benefits.
Being able to have any number of IPs that are needed to complete one's network without having to go through the hassle of paying for an IP space is the one at the top of my list for one... Though:
For ease of use I would recommend FreeBSD, it has a better suite for NAT (no flames yet please... read the rest.) And my statistics for the box actually say that FreeBSD is faster for doing the networking. (non professional... just watching the D/L rates.)
For functionality I would highly recommend Linux, as it has a much better plug in system for the Masq modules.
I have used both. And had much success with both. But the one thing I will HIGHLY recommend for both operating system platforms is socks5. Most applications are somewhat aware of it, and those that are not can be made aware with some library tricks. I use ICQ and AIM on a windows box behind my firewall with little to no problems at all. The only problem that I see is that sometimes incoming messages are a little slow (have yet to figure that one out, but I'm sure it's a configuration error).
The only other thing that may cause problems is if you are using dynamic dialup. Secure web sites sometimes complain about an invalid reverse name lookup.
I have been happily using a NAT based firewall for about 2 years now, both Linux and FreeBSD. I prefer FreeBSD for the networking speed, but that is wholly my personal opinion.
You can find information there on getting just about any application working with masquerading.
SOCKS works in user mode; I don't see any advantage to that. If you want bidirectional firewall traversal, you could implement similar functionality in the kernel. You need to either notify the firewall machine that a socket on the client is accepting connections and that needs to be forwarded to the firewall machine, or when there is a request coming in, the firewall machine has to try until it finds a machine willing to service it.
Most people don't need, and in fact, don't want that functionality. But people who do already get it: it's part of clustering.
http://ipmasq.cjb.net is the URL for the Linux IP Masquerade Resource page. Once there, consult the IP Masquerade mini-HOWTO (v1.76-Jul18.99), patches for older kernels, the mailing list, the IP masquerade application collection (if you want to configure that one pesky piece of Internet software just right.), the TrinityOS step-by-step documentation for IPMASQ and network security, and even goodies for people on dynamic (gasp!) IP connections.
It's an excellent site, which was truly an invaluable resource when I was trying to put the jumper cables to my own IP MASQ'ing gateway box. Even my Amiga has no problem getting through to the outside world via the Linux box.
Good luck. It can be a little tricky in spots, but the end result is worth it.
-DrPsycho - Coping with reality since 1975
Simple, use the X forwarding in ssh.
IPNetRouter 1.4 for the Mac also works very well. 1.3.3 wasn't able to handle the RTP/RTSP protocol required for quicktime streaming (had to map out the port manually) but they fixed that one right away. ICQ, Real, etc all work great. Wow, I can't believe I almost bought a hardware router for my office. Instead we just took one of our old Macs out of mothballs.
Just out of curiosity, has anyone tried out WinGate 3.0 for windows?
I'm not familiar with ICQ, so I can't help with that. But for DCC over IRC, to load the kernel module, instead of doing:
/sbin/modprobe ip_masq_irc
do:
/sbin/modprobe ip_masq_irc ports=6667,7000
and add whatever ports you use for IRC in the ports. I had this same problem about a week ago and a friend was kind enough to let me in on the secret.
:) Look for some sort of ip_masq_icq, which would probably let you do the ICQ thing too.
Well, I've found winroute lite (www.tinysoftware.com) to be an awesome program for running multiple IPs over one connection. Never had a problem with any games or DCC; would suggest it to anyone who needs an easy to configure Masquerader for win95/98.
Simple. Make the game writers follow, or create, a standard. They keep creating proprietary data formats which only their software understands. Then customers find that firewalls and competitors (ie, the current AOL and MS squabble) are not compatible.
As programmers we can improve competitors' products who are following standards. As customers we can avoid proprietary products, just as we did with MicroChannel. As reviewers we can mention if products use proprietary methods or standards.
The AOL and MS messaging customers and tech support are getting lessons in that right now.
Hmmm, what's the minimum hardware setup for running a W98 SE box to do NAT? P133 w/ 32 meg - I would probably guess. Nice thing about doing this with Linux is that you can dust off that 486 and put it to use.
;-)
My masq/portfw/gateway/firewall is a 486/100 with 16m running a 2.0.36 kernel on a 202 Mb hard drive. I laid hands on a couple of SMC ISA NICs and an ATI mach 8 at a swap-meet and I was in business for about $30. Before I set this up, I was using a PPro 200 with 64mb to run Win98 and Sygate. This did actually work ok, except for having to reboot it when it froze every couple of days. (Now the PPro is running Debian doing Q2 server duty.) It's a real shame you have to run an OS with an integrated GUI and web browser just to do a simple chore like NAT.
And the only real shortcoming I have with my setup is ICQ file transfers, but what I do anyway is set up FTP access for friends that need to send files. Granted, I don't do this very often and it wouldn't be practical for someone trading pr0n with strangers they meet on ICQ.
Maybe on a 386, but on my 486 it's fine. I'm connected to a cable modem and the 10BT NICs run at full speed; the cpu barely ever breaks over 10%, even when holding up a quake3 game with 8 players (no, the game doesn't run on the 486, I'm just talking about the network traffic).
just installed this over the weekend, and it does seem to work like a charm.
One gotcha, though, the Win98SE machine has to be "logged in" for it to work, it seems.
Had the same prob using my masq't machines to ftp to and from the net. So, I telnet to my linux machine, and:
/sbin/modprobe --list | grep ftp
which returns:
/lib/modules/2.2.5-15/ipv4/ip_masq_ftp.o
Then I (as root):
/sbin/modprobe ip_masq_ftp.o
This adds the ability to do ftp from a masq't machine, or does for me. There are other protocols, such as for RealAudio. Grepping on "masq" will find 'em.
Ie:
/sbin/modprobe -l | grep masq
I'm not sure that the loaded module persists if it isn't called for a while. There are parameters governing this sort of thing. You can also add the line to your
/etc/rc.local (or whatever).
Looking forward to seeing other solutions! (Far as I can tell, I'm first post.)
Anyway, gives you a place to manpage if nothing else....
-K
Yeah, win98 se's nat stuff seems to work for everything i've tried (admittedly just telnetting and ftping, but hey). The only thing is the default network and netmask are nasty, 192.168.0.0 and 255.255.255.0, and as far as i can tell there's no nice pretty redmond approved way of changing that, but looking through the registry for ICS (internet connection sharing) finds the stuff you need to change, and it seemed pretty intuitive for me......
It is also possible to forward port 6001 from the firewall box to port 6000 on a box behind the firewall... that way you can set your DISPLAY variable to myfirewallbox:1, which will become screen 0 on the machine running the X server.
i've never actually tried this myself, but know some people who have...
--- sig moved for great justice.