    --- Protocol-specific masquerading support will be built as modules.
    [*] IP: ipautofw masq support
    [*] IP: ICMP masquerading

Note that some of the masquerade support is available only as a kernel module. This means that you must ensure that you “make modules” in addition to the usual “make zImage” when building your kernel.

The 2.4 series kernels no longer offer IP masquerade support as a kernel compile time option. Instead, you should select the network packet filtering option:

    Networking options --->
        [M] Network packet filtering (replaces ipchains)

In the 2.2 series kernels, a number of protocol-specific helper modules are created during kernel compilation. Some protocols begin with an outgoing request on one port, and then expect an incoming connection on another. Normally these cannot be masqueraded, as there is no way of associating the second connection with the first without peering inside the protocols themselves. The helper modules do just that; they actually look inside the datagrams and allow masquerading to work for supported protocols that otherwise would be impossible to masquerade. The supported protocols are:

    Module             Protocol
    ip_masq_ftp        FTP
    ip_masq_irc        IRC
    ip_masq_raudio     RealAudio
    ip_masq_cuseeme    CU-See-Me
    ip_masq_vdolive    For VDO Live
    ip_masq_quake      IdSoftware’s Quake

You must load these modules manually using the insmod command to implement them. Note that these modules cannot be loaded using the kerneld daemon. Each of the modules takes an argument specifying what ports it will listen on. For the RealAudio(TM) module you might use:[66]

    # insmod ip_masq_raudio.o ports=7070,7071,7072

The ports you need to specify depend on the protocol. An IP masquerade mini-HOWTO written by Ambrose Au explains more about the IP masquerade modules and how to configure them.[67]

The netfilter package includes modules that perform similar functions. For example, to provide connection tracking of FTP sessions, you’d load and use the ip_conntrack_ftp and ip_nat_ftp.o modules.

Configuring IP Masquerade

If you’ve already read the firewall and accounting chapters, it probably comes as no surprise that the ipfwadm, ipchains, and iptables commands are used to configure the IP masquerade rules as well.

Masquerade rules are a special class of filtering rule. You can masquerade only datagrams that are received on one interface that will be routed to another interface. To configure a masquerade rule you construct a rule very similar to a firewall forwarding rule, but with special options that tell the kernel to masquerade the datagram. The ipfwadm command uses the -m option, ipchains uses -j MASQ, and iptables uses -j MASQUERADE to indicate that datagrams matching the rule specification should be masqueraded.

Let’s look at an example. A computing science student at Groucho Marx University has a number of computers at home internetworked onto a small Ethernet-based local area network. She has chosen to use one of the re

[66] RealAudio is a trademark of the Progressive Networks Corporation.
[67] You can contact Ambrose at ambrose@writeme.com.
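
As an added illustration of the iptables form of the masquerade rule described under Configuring IP Masquerade (this script is not from the original text), the following audits iptables-save output and reports each -j MASQUERADE rule in the nat table, marking as "broad" any rule that names neither an outgoing interface nor a source network. The sample ruleset, the 192.168.1.0/24 network, the ppp0 interface, and the "broad" criterion itself are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit iptables-save text for unrestricted masquerade rules.
# A rule is reported as "broad" when it masquerades without limiting the
# outgoing interface (-o) or the source network (-s); this criterion is an
# assumption of the example, not a rule stated in the text above.

audit_masq() {
    # Reads iptables-save output on stdin, prints one line per MASQUERADE rule.
    awk '
        /^\*/ { table = substr($1, 2); next }   # table header: *nat, *filter
        table != "nat" || $1 != "-A" { next }   # only rule lines in nat
        {
            masq = has_o = has_s = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
                if ($i == "-o" || $i == "--out-interface") has_o = 1
                if ($i == "-s" || $i == "--source") has_s = 1
            }
            if (!masq) next
            if (has_o || has_s) print "ok: " $0
            else print "broad: " $0
        }
    '
}

# Constructed sample ruleset in iptables-save format (not from a real host).
sample_rules() {
    cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
EOF
}

sample_rules | audit_masq
```

On a live system, pipe the real ruleset in instead: iptables-save | audit_masq.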