Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: IP Masquerading Drawbacks?

Posted by Cliff on from the getting-it-working dept.

A Nameless Slashdotter submitted this question: "IP Masquerading (NAT under FreeBSD) is straight from the Gods. Yet it has a few very large drawbacks, such as inability to do DCC or ICQ file transfers, or play games over the internet on one of the Masq'ed machines, even with the "irc" and "quake" masquerading modules loaded. Someone give me options to solve this problem, be it another operating system, a firewall setting, a program or setup!"

5 of 212 comments (clear)

  1. I bet you use Red Hat 6.0 by Eric+Green · · Score: 4

    The reason I say that is because Red Hat 6.0 has a bit of Evilness(tm) in the way it handles modules. Even if you manually 'modprobe' all of your ip_masq*.o proxy modules, Red Hat 6.0 will 'rmmod' them five minutes later (unless they happen to be in use at the time).
    Solution: Create /etc/rc.d/rc.modules and manually insmod your ip_masq* proxy modules there (don't forget to set the #!/bin/sh comment as the first line and do a chmod a+x on it!), and then in your /etc/crontab find where that @#$%!@ rmmod is taking place and zap it.
    Distributions which manually specify modules to be loaded, like Debian or (maybe) Caldera, don't have this problem. It's just distributions which try to get fancy by using the kernel-level module auto-loader that have this problem (and only under the 2.2 kernel, which removed the 2.0 kernel's timeout functionality for the auto-loader).
    With the proxy modules loaded, I've never had any problems with reverse connections on FTP, Quake, etc. That's why I'm suspecting either a) you don't have them loaded, or b) Red Hat 6.0 (or Mandrake 6.0) is helpfully unloading them for you!

    -E

    --
    Send mail here if you want to reach me.
  2. NAT Problem Workarounds by Sly-Guy · · Score: 4

    I have seen a few comments about how evil NAT is. I wholelly agree. But it has it's benefits.

    Being able to have any number of IP's that are needed to complete one's network without having to go through the hassle of paying for an IP space is the one at the top of my list for one... Though:

    For ease of use I would recommend FreeBSD, it has a better suite for NAT (no flames yet plaese... read the rest.) And my statistics for the box actually say that FreeBSD is faster for doing the networking. (non professional... just watching the D/L rates.)

    For functionality I would highly recommend Linux, as it has a much better plug in system for the Masq modules.

    I have used both. And had much success with both. But the one thing I will HIGHLY recommend for both operating system platforms is socks5. Most applications are somewhat aware of it, and those that are not can be made aware with some library tricks. I use ICQ and AIM on a windows box behind my firewall with little to no problems at all. The only problem that I see is that sometimes incoming messages are a little slow (have yet to figure that one out, but I'm sure it's a configuration error).

    The only other thing that may cause problems is if you are using dynamic dialup. Secure web sites sometimes complain about an invalid reverse name lookup.

    I have been happily using a NAT based firewall for about 2 years now both Linux and FreeBSD. I prefer FreeBSD for the networking speed, but that is wholelly my personal opinion.

  3. Masquerade resources by httptech · · Score: 5
    Try this page: http://www.tsmservices.com/masq/

    You can find information there on getting just about any application working with masquerading.

  4. Re:You need a specialised setup for each app by garcia · · Score: 4

    Not true...

    Check out my "howto" on portfw'ing:

    http://www.gargoyle.dyndns.org/linux/portfw-tuto rial.html

    anyway, the webserver itself is behind the IPmasq :) It is really easy to do, all the links are there (or used to be hehe).

  5. How I Do It on Linux by DrKirwin · · Score: 5

    Had the same prob using my masq't machines to ftp to and from the net. So, I telnet to my linux machine, and:

    /sbin/modprobe --list | grep ftp

    which returns:

    /lib/modules/2.2.5-15/ipv4/ip_masq_ftp.o

    Then I (as root):

    /sbin/modprobe ip_masq_ftp.o

    This adds the ability to do ftp from a masq't machine, or does for me. There are other protocols, such as for RealAudio. Grepping on "masq" will find 'em.

    Ie:

    /sbin/modprobe -l | grep masq

    I'm not sure that the loaded module persists if it isn't called for a while. There are parameters governing this sort of thing. You can also add the line to your /etc/rc.local (or whatever).

    Looking forward to seeing other solutions! (Far as I can tell, I'm first post.)

    Anyway, gives you a place to manpage if nothing else....

    -K