Whole document tree


www.fifi.org
    Documentation
        Manpages
        GNU Info
        Debian document tree
        Whole document tree
    Trigance web page
    Public services
    User info
    Mailing lists
    Secure server
    Multilingual usage
 

Copyright (C) 2000-2012
Philippe Troin
<webmaster@fifi.org>.

Validate HTML
Validate CSS

    

Whole document tree

Linux 2.4 NAT HOWTO: Quick Translation From 2.0 and 2.2 Kernels Next Previous Contents

4. Quick Translation From 2.0 and 2.2 Kernels

Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to 2.2 (ipchains) transition. There's good and bad news.

Firstly, you can simply use ipchains and ipfwadm as before. To do this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel modules found in the latest netfilter distribution. These are mutually exclusive (you have been warned), and should not be combined with any other netfilter modules.

Once one of these modules is installed, you can use ipchains and ipfwadm as normal, with the following differences:

  • Setting the masquerading timeouts with ipchains -M -S, or ipfwadm -M -s does nothing. Since the timeouts are longer for the new NAT infrastructure, this should not matter.
  • The init_seq, delta and previous_delta fields in the verbose masquerade listing are always zero.
  • Zeroing and listing the counters at the same time `-Z -L' does not work any more: the counters will not be zeroed.
  • The backward compatibility layer doesn't scale very well for large numbers of connections: don't use it for your corporate gateway!

Hackers may also notice:

  • You can now bind to ports 61000-65095 even if you're masquerading. The masquerading code used to assume anything in this range was fair game, so programs couldn't use it.
  • The (undocumented) `getsockname' hack, which transparent proxy programs could use to find out the real destinations of connections no longer works.
  • The (undocumented) bind-to-foreign-address hack is also not implemented; this was used to complete the illusion of transparent proxying.

4.1 I just want masquerading! Help!

This is what most people want. If you have a dynamically allocated IP PPP dialup (if you don't know, this is you), you simply want to tell your box that all packets coming from your internal network should be made to look like they are coming from the PPP dialup box.

# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Note that you are not doing any packet filtering here: for that, see the Packet Filtering HOWTO: `Mixing NAT and Packet Filtering'.

4.2 What about ipmasqadm?

This is a much more niche user base, so I didn't worry about backward compatibility as much. You can simply use `iptables -t nat' to do port forwarding. So for example, in Linux 2.2 you might have done:

# Linux 2.2
# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80

Now you would do:

# Linux 2.4
# Append a rule before routing (-A PREROUTING) to the NAT table (-t nat) that
# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
# (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80

Next Previous Contents