The newest 2.4.x kernels are now using both a completely new TCP/IP network
stack as well as a new NAT sub-system called NetFilter. Within this NetFilter
suite of tools, we now have a tool called IPTABLES for the 2.4.x kernels much
like there was IPCHAINS for the 2.2.x kernels and IPFWADM for the 2.0.x kernels.
The new IPTABLES system is far more powerful (it combines several functions,
such as true NAT, into one place), offers better security (stateful
inspection), and gives better performance with the new 2.4.x TCP/IP stack. But this
new suite of tools can be a bit more complicated than the tools of the older
generation kernels. Hopefully, if you carefully follow along with this HOWTO, it won't be
too bad. If you find anything unclear, downright wrong, etc. please email
David about it.
Unlike the migration from IPFWADM to IPCHAINS, the new NetFilter tool has
kernel modules that can actually support older IPCHAINS and IPFWADM rulesets
with minimal changes. So re-writing your old MASQ or firewall ruleset scripts
is no longer required. Please keep in mind that there might be several
benefits in performing a full ruleset re-write to take advantage of the newer
IPTABLES features like stateful tracking, etc., but that is dependent upon how
much time you have to migrate your old rulesets.
Some new 2.4.x functionalities include the following:
PROs:
TRUE 1:1 NAT functionality for those who have TCP/IP addresses and subnets to
use (no more iproute2 commands)
Built-in PORT Forwarding (no more ipmasqadm or ipportfw commands)
The built-in PORTFW'ing support works for both external and internal
traffic. This means that users that have PORTFW for external traffic and
REDIR for internal port redirection do not need to use two tools any more!
PORT Forwarding of FTP traffic to internal hosts is now completely supported
and is handled in the ip_conntrack_ftp module
Full Policy-Based routing features (source-based TCP/IP address routing)
Compatibility with Linux's FastRoute feature for significantly faster packet
forwarding (a.k.a Linux network switching).
Note that this feature is still not compatible with packet filtering
for strong firewall rulesets.
Fully supports TCP/IP v4, v6, and even DECnet (ack!)
Supports wildcard interface names like "ppp*" for serial interfaces like
ppp0, ppp1, etc.
Supports filtering on both input and output INTERFACES (not just IP addresses)
Source Ethernet MAC filtering
Denial of Service (DoS) packet rate limiting
Stateful TCP/UDP/ICMP network traffic inspection
Packet REJECTs now have user-selectable return ICMP messages
Variable levels of logging (different packets can go to different SYSLOG
levels)
Other features like traffic mirroring, securing traffic per login, etc.
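As an added example (not part of this HOWTO and not a script from the NetFilter project), here is a minimal IPTABLES ruleset for a 2.4.x masquerading box that exercises several of the features listed above: stateful inspection, built-in port forwarding (DNAT), MASQUERADE for a dynamic external address, DoS-style rate limiting, a chosen SYSLOG level for logged packets, REJECT with a user-selected return message, and a wildcard interface name (which iptables spells "ppp+", not "ppp*"). The interface names, the 192.168.0.0/24 LAN, the internal web server address and the 203.0.113.5 public address are constructed placeholders; the function and variable names are mine. Setting IPT=echo and MODPROBE=echo prints the rules instead of applying them, which is how the ruleset can be previewed on a machine without root or without a 2.4.x kernel.

```shell
#!/bin/sh
# Added example: 2.4.x NetFilter/IPTABLES masquerading ruleset.
# Names below are assumptions; adjust them for your own network.
EXTIF="${EXTIF:-ppp+}"           # Internet-facing interface; "ppp+" is the iptables wildcard for ppp0, ppp1, ...
INTIF="${INTIF:-eth0}"           # interface facing the masqueraded LAN
LAN="${LAN:-192.168.0.0/24}"     # private LAN (constructed value)
WEBSRV="${WEBSRV:-192.168.0.10}" # internal host that receives forwarded port 80 (constructed value)

apply_masq_rules() {
    IPT="${IPT:-iptables}"         # set IPT=echo to preview rules without applying them
    MODPROBE="${MODPROBE:-modprobe}"

    # Connection-tracking and NAT helpers so FTP and IRC work through MASQ
    # (the ported modules listed in the HOWTO's status table).
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
    $MODPROBE ip_conntrack_irc
    $MODPROBE ip_nat_irc

    # Start from a clean slate: flush filter and nat tables, drop user chains.
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # Default-deny for traffic to and through the box; the box may originate traffic.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # --- INPUT: stateful inspection ---
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this box opened, and helper-related connections (FTP data).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections are accepted only from the internal LAN.
    $IPT -A INPUT -i "$INTIF" -s "$LAN" -m state --state NEW -j ACCEPT
    # DoS packet rate limiting: at most 5 pings per second from the outside.
    $IPT -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Variable logging level: these packets go to SYSLOG at "warning", rate limited
    # so an attacker cannot fill the log.
    $IPT -A INPUT -i "$EXTIF" -m limit --limit 3/min -j LOG --log-level warning --log-prefix "IPT-IN-DROP: "
    # User-selectable REJECT messages: TCP gets a RST, everything else port-unreachable.
    $IPT -A INPUT -i "$EXTIF" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$EXTIF" -j REJECT --reject-with icmp-port-unreachable

    # --- FORWARD: filtering on input AND output interfaces ---
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the port-forwarded web service may be reached from outside.
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$WEBSRV" --dport 80 -m state --state NEW -j ACCEPT

    # --- nat table: MASQ plus built-in port forwarding (no ipmasqadm needed) ---
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 -j DNAT --to-destination "$WEBSRV"

    # True 1:1 NAT for a host that owns a public address (constructed addresses;
    # uncomment when you have a static public address to map).
    # $IPT -t nat -A PREROUTING -d 203.0.113.5 -j DNAT --to-destination 192.168.0.20
    # $IPT -t nat -A POSTROUTING -s 192.168.0.20 -j SNAT --to-source 203.0.113.5

    # Turn on forwarding only where this box is allowed to change it.
    if [ -w /proc/sys/net/ipv4/ip_forward ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Usage on the masq box:   apply_masq_rules
# Preview without root:    IPT=echo MODPROBE=echo; apply_masq_rules
```

The FORWARD chain is the part that most often goes wrong when migrating from IPCHAINS: with NetFilter, a DNATed packet is still subject to the FORWARD chain, so the port-forwarding rule needs both the nat-table DNAT entry and the matching FORWARD accept.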
CONs:
Netfilter is an entirely new architecture, thus most of the older 2.2.x
MASQ kernel modules written to make non-NAT friendly network applications
work through IPMASQ need to be re-written for the 2.4.x kernels. Because of
this, if you specifically need functionality from some of these modules
(see below), you should stay with a 2.2.x kernel until these modules have
been ported. If you are curious about the porting status of a given module,
please email the author of the module and NOT David or Ambrose. We don't
code... we just document. :-)
Here is the status of the known IP Masq kernel modules or patches as found
on the IPMASQ WWW site's Application Support
Matrix. If you have the time and knowledge to help in the porting
of code, your efforts would be highly appreciated:
Status       Module name   Description and notes
-----------  ------------  ----------------------------------------------
NotPorted    CuSeeme       Used for video conferencing
NotPorted    DirectPlay    Used for online Microsoft-based games
Ported       FTP           Used for file transfers
                           - NOTEs: Built into the kernel and fully
                             supports PORTFWed FTP
NotPorted    H.323         Used for video conferencing
NotPorted    ICQ           Used for instant messaging
Ported       Irc           Used for online chat rooms
                           - NOTEs: Not included in the kernel. Part of
                             the extra iptables package
NotPorted    Quake         Used for online Quake games
Beta Avail   PPTP          Allow for multiple clients to the same server
NotPorted    Real Audio    Used for streaming video / audio
NotPorted    VDO Live      Used for streaming audio?
NOTE: Most modern Linux distributions (see Section 7.1) that natively come
with 2.4.x kernels typically ship modular kernels and have all the IP
Masquerade functionality already included. In such cases, there is no need to
compile a new Linux kernel. If you are UPGRADING your kernel, you should be
aware of other programs that might be required and/or need to be upgraded as
well (mentioned later in this HOWTO).
NOTE #1: All versions of IPTABLES less than 1.2.3 have an FTP module issue
that can bypass any existing firewall rulesets. ALL IPTABLES users are
highly recommended to upgrade to the newest version. The URL is above.
NOTE #2: All versions of IPTABLES less than 1.2.2 have an FTP "port" security
vulnerability in the ip_conntrack_ftp module. All IPTABLES users are highly
recommended to upgrade to the newest version. The URL is above.
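Added example (not from this HOWTO and not part of the iptables package): a small POSIX sh check that parses the output of "iptables --version" and reports whether the installed binary meets the 1.2.3 minimum called for in NOTE #1 and NOTE #2. The function names are mine; the version strings used in the comments are constructed.

```shell
#!/bin/sh
# Added example: verify the installed iptables is at least 1.2.3, the first
# release without the FTP-module problems described in NOTE #1 and NOTE #2.
MIN_IPTABLES="1.2.3"

# version_ge A B: succeed (return 0) when dotted version A >= dotted version B.
# Compares up to three numeric fields; a missing field counts as 0.
version_ge() {
    a="$1"
    b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then
            return 0
        fi
        if [ "$x" -lt "$y" ]; then
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# iptables_version_ok STRING: STRING is the output of `iptables --version`
# (e.g. the constructed sample "iptables v1.2.3") or a bare version number.
# Extracts the first dotted number and compares it against MIN_IPTABLES.
iptables_version_ok() {
    # Drop everything before the first digit, then everything after the
    # digits-and-dots run, so "iptables v1.2.3-rc1" becomes "1.2.3".
    v=$(printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*//')
    [ -n "$v" ] || return 1
    version_ge "$v" "$MIN_IPTABLES"
}

# Usage on the masq box (assumes iptables is in PATH):
#   if iptables_version_ok "$(iptables --version)"; then
#       echo "iptables is new enough"
#   else
#       echo "iptables older than $MIN_IPTABLES: upgrade before trusting the FTP module"
#   fi
```

The extraction step matters more than it looks: distributions append suffixes to the version string, and a naive string comparison of "1.10" against "1.2.3" gets the order wrong, so the fields are compared numerically one at a time.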
This tool, much like the older IPCHAINS and IPFWADM tools, enables the various
Masquerading code, more advanced forms of NAT, packet filtering, etc. It also
makes use of additional MASQ modules like the FTP and IRC modules. Additional
information on version requirements, the newest IPTABLES HOWTO, etc. is
located at the
Unreliable IPTABLES HOWTOs
page (mirror at Samba.org).
A properly configured and running TCP/IP network on the Linux machine,
as covered in the
Linux NET-3-4 HOWTO and the
Network Administrator's Guide. Also check out the
TrinityOS document, which is also authored by David Ranch. TrinityOS is a
very comprehensive guide for Linux networking. Some topics include IP MASQ, security,
DNS, DHCP, Sendmail, PPP, Diald, NFS, IPSEC-based VPNs, and performance sections,
to name a few. There are over fifty sections in all!
Know how to configure, compile, and install a new Linux kernel as described in
the Linux Kernel
HOWTO. This HOWTO does cover kernel compiling, but only for the IP
Masquerade related options.