ipmasqadm man page on Peanut

IPMASQADM(8)							  IPMASQADM(8)

NAME
       ipmasqadm - IP Masquerading additional modules administration

SYNOPSIS
       ipmasqadm <module> [module-specific-options]
       ipmasqadm <module> -h

       ipmasqadm autofw options
       ipmasqadm portfw options
       ipmasqadm mfw options

DESCRIPTION
       Ipmasqadm is used to configure extra masquerading functionality, usually
       provided by additional kernel modules.

       All in-firewall forwarding takes place by reverse-masquerading, so  you
       must  create firewall rules that match the desired forwarding as if the
       connection had been outgoing (instead of incoming).

       Kernel must have been compiled with
       CONFIG_EXPERIMENTAL=y
       CONFIG_IP_MASQUERADE=y
       CONFIG_IP_MASQUERADE_MOD=y
       and
       CONFIG_IP_MASQUERADE_IPAUTOFW=y/m
       CONFIG_IP_MASQUERADE_IPPORTFW=y/m
       CONFIG_IP_MASQUERADE_MFW=y/m
       for respective modules.

       If you need to forward one (or more) ports to internal hosts,  consider
       using the mfw module.

       In short:

       Short    ipmasqadm    kernel              kernel
       descr.   module       module              option
       ─────────────────────────────────────────────────────────────────────────
       Auto     autofw.so    ip_masq_autofw.o    CONFIG_IP_MASQUERADE_IPAUTOFW
       Port     portfw.so    ip_masq_portfw.o    CONFIG_IP_MASQUERADE_IPPORTFW
       Fwmark   mfw.so       ip_masq_mfw.o       CONFIG_IP_MASQUERADE_MFW

MODULE autofw - Auto-forwarding
       This module is, under some circumstances, capable of handling
       application protocols that don't have support as specific masq modules.
       Kernel must have been compiled with

   autofw -h
       Command help. For now, please refer to it.

       For a lot of useful info about using autofw, please visit
       http://ipmasq.home.ml.org

MODULE portfw - Port-forwarding
       This module is able to forward to-firewall packets to internal hosts,
       based on address and port specification.

   portfw -h
       Command help. For now, please refer to it.

MODULE mfw - fwmark-forwarding
       This module allows forwarding to-firewall packets to internal hosts,
       based on fwmark matching. See ipchains(8) for setting up firewall
       rules with fwmarking. Also please note that because this module acts
       only on the first packet of a connection, it makes sense to add the -y
       ipchains switch to TCP fwmark rules.

   COMMANDS
       mfw -A -m fwmark -r address [port] [-p pref]
	      Append one rule to the end of fwmark list of forwarding hosts.
	      Packets fwmarked will create a masq-tunnel for redirecting
	      further connection traffic to address port. This will happen at
	      most pref times before scheduling another entry with same fwmark
	      value.
	      If no port is specified, redirection will use original packet
	      destination port.

       mfw -I -m fwmark -r address [port] [-p pref]
	      Same as -A option, except that the rule is inserted at the head.

       mfw -D -m fwmark [-r address [port] ]
	      Delete specified rule(s).

       mfw -E -m fwmark [-r address [port] ] -p pref
	      Edit specified rule(s), currently -p value can be changed.

       mfw -S -m fwmark
	      Force scheduling in fwmark redirect entries.

       mfw -F Flush all rules.

       mfw -L [-n]
	      List rules, optionally showing only addresses (no names).

   EXAMPLES
       Redirect all web traffic to internal hosts hostA and hostB, where hostB
       will serve twice as many connections as hostA. Forward rules already
       masq internal hosts to the outside (typical).

	      ipchains -I input -p tcp -y -d yours.com/32 80 -m 1
	      ipmasqadm mfw -I -m 1 -r hostA 80 -p 10
	      ipmasqadm mfw -I -m 1 -r hostB 80 -p 20

       Redirect ssh traffic from external clientA to internal hostB, also
       showing the forward masq rule that allows only hostB incoming
       connections to the ssh port.

	      ipchains -I forward -p tcp -d clientA/32 -s hostB/32 22 -j MASQ
	      ipchains -I input -p tcp -y -s clientA/32 -d 0/0 22 -m 2
	      ipmasqadm mfw -I -m 2 -r hostB 22

       Redirect all traffic from external clientA to internal hostB, also show
       forward masq rule to allow this for hostB only (clean, simple ... just
       *grin*)

	      ipchains -I forward -d clientA/32 -s hostB/32 -j MASQ
	      ipchains -I input -s clientA/32 -m 3
	      ipmasqadm mfw -I -m 3 -r hostB
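
       The pref scheduling used in the first example above can be modelled as
       follows. This is an added illustration, not code from ipmasqadm or the
       kernel; the class and function names are hypothetical, and the model
       assumes that an entry is used pref times and then the next entry in
       the list is scheduled.

```python
from collections import Counter

class MfwList:
    """Toy model of one fwmark's list of forwarding hosts (not kernel code)."""

    def __init__(self):
        self.entries = []  # (address, port, pref), head of the list first
        self.cur = 0       # index of the entry currently scheduled
        self.used = 0      # connections handed to it since it was scheduled

    def append(self, address, port, pref):   # models: mfw -A ... -p pref
        self.entries.append((address, port, pref))

    def insert(self, address, port, pref):   # models: mfw -I ... -p pref
        self.entries.insert(0, (address, port, pref))
        self.cur, self.used = 0, 0           # assumption: restart at the new head

    def schedule(self):                      # models: mfw -S
        self.cur = (self.cur + 1) % len(self.entries)
        self.used = 0

    def new_connection(self):
        """Pick the redirect target for the first packet of a connection."""
        address, port, pref = self.entries[self.cur]
        self.used += 1
        if self.used >= pref:                # entry used pref times: move on
            self.schedule()
        return address, port

def web_example():
    """The two mfw rules from the first example (fwmark 1)."""
    rules = MfwList()
    rules.insert("hostA", 80, 10)
    rules.insert("hostB", 80, 20)
    return rules

def distribution(n):
    """Count how many of n new connections each host receives."""
    rules = web_example()
    return Counter(rules.new_connection()[0] for _ in range(n))

def first_targets(n):
    """Targets of the first n connections, in order."""
    rules = web_example()
    return [rules.new_connection()[0] for _ in range(n)]

if __name__ == "__main__":
    print(distribution(300))
    print(first_targets(22))
```

       In this model the 2:1 ratio holds over a full cycle of 30 connections,
       but targets are handed out in runs (20 to hostB, then 10 to hostA)
       rather than interleaved.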

FILES
       /usr/lib/ipmasqadm/*.so
			   Modules used for ipmasqadm kernel interfacing.

       /proc/net/ipmasq/*  Masquerading modules internal state files.

BUGS
       As of 2.2, there is no way to share port numbers with normal sockets.
       Currently masq modules take precedence before sockets.

       Also, because redirections are actually masq tunnels, they have the
       same properties: idle timeouts, max. number of entries, etc.

       Kernel module autoloading will work for -A and -I switches, and not for
       -L, so you will see warnings about missing /proc/net/ip_masq/...  if
       you list entries when the module is not (auto)loaded. This will change
       in future releases.

CAVEATS
       Protocols that use control and data connections are always a headache
       when crossing firewalls. Examples of these are ftp, irc, real audio,
       etc. Because we are reverse-masq forwarding, the problems get reversed;
       for example, ftp from outside to an internal forwarded server will not
       work in PASV mode because the server will send its internal address to
       the outside client; in contrast, traditional non-passive connections
       will succeed (think about this a little, please). Support for
       bidirectional helper modules is in the works.
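
       The PASV problem described above can be checked for on a captured FTP
       control stream. The following is an added example, not part of the
       original man page; the reply lines and addresses are constructed, and
       the function names are hypothetical. It parses 227 replies (RFC 959
       format) and reports any whose data address differs from the address
       the client used for the control connection.

```python
import ipaddress
import re

# 227 reply carries (h1,h2,h3,h4,p1,p2): IPv4 address and port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(line):
    """Return (IPv4Address, port) from a 227 reply, or None for other lines."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2

def audit_control_stream(lines, control_addr):
    """List 227 replies that point the client away from control_addr.

    Each finding is (advertised address, port, is_rfc1918).
    """
    control = ipaddress.IPv4Address(control_addr)
    findings = []
    for line in lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        addr, port = parsed
        if addr != control:
            findings.append((str(addr), port,
                             any(addr in net for net in RFC1918)))
    return findings

# Constructed sample: server replies seen by an outside client that
# connected to the firewall's external address 203.0.113.5 (placeholder).
SAMPLE = [
    "220 FTP server ready",
    "230 User logged in",
    "227 Entering Passive Mode (192,168,1,10,195,80)",
    "227 Entering Passive Mode (203,0,113,5,195,81)",
]

if __name__ == "__main__":
    for finding in audit_control_stream(SAMPLE, "203.0.113.5"):
        print(finding)
```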

NOTES
       This is my first man page, just in case you didn't notice ... ;)

       Consider it pre-alpha quality.

SEE ALSO
       ipchains(8)

AUTHOR
       Juan Jose Ciarlante <jjciarla@raiz.uncu.edu.ar>

				 December 1998			  IPMASQADM(8)