Next Previous Contents

7. Frequently Asked Questions

If you can think of any useful FAQ suggestions, please send it to ambrose@writeme.com and dranch@trinnet.net. Please clearly state the question and an appropriate answer (if you have it). Thank you!

7.1 What Linux Distributions support IP Masquerading out of the box?

If your Linux distribution doesn't support IP MASQ out of the box, don't worry. All you have to do is re-compile a kernel as shown above in this HOWTO.

NOTE: If you can help us fill out this table, please email ambrose@writeme.com or dranch@trinnet.net.

7.2 What are the minimum hardware requirements and any limitations for IP Masquerade? How well does it perform?

A 486/66 box with 16MB of RAM was more than sufficient to fill a 1.54Mb/s T1 100%! MASQ has also be known run quite well on 386SX-16s with 8MB or RAM. Yet, it should be noted that Linux IP Masquerade starts thrashing with more than 500 MASQ entries.

The only application that I known that can temporarily break Linux IP Masquerade is GameSpy. Why? When it refreshes its lists, it creates 10,000s of quick connections in a VERY short time. Until these sessions timeout, the MASQ tables become "FULL".

While we are at it:

There is a hard limit of 4096 concurrent connections each for TCP & UDP. This limit can be changed by fiddling the values in /usr/src/linux/net/ipv4/ip_masq.h - a upwards limit of 32000 should by OK. If you want to change the limit - you need to change the PORT_MASQ_BEGIN & PORT_MASQ_END values to get an appropriately sized range above 32K and below 64K.

7.3 I've checked all my configurations, I still can't get IP Masquerade to work. What should I do?

7.4 How do I join the IP Masquerade Mailing List?

Join the Linux IP Masquerading mailing list by sending an email to masq-subscribe@tiffany.indyramp.com.

For more commands, email masq-help@tiffany.indyramp.com.

7.5 How does IP Masquerade differ from Proxy or NAT services?


Proxy:  Proxy servers are available for: Win95, NT, Linux, Solaris, etc.

                Pro:    + (1) IP address ; cheap
                        + Optional caching for better performance (WWW, etc.)

                Con:    - All applications behind the proxy server must both SUPPORT 
                          proxy services (SOCKS) and be CONFIGURED to use the Proxy 
                          server
                        - Screws up WWW counters and WWW statistics

         A proxy server uses only (1) public IP address, like IP MASQ, and acts  
         as a translator to clients on the private LAN (WWW browser, etc.).
         This proxy server receives requests like TELNET, FTP, WWW, 
         etc. from the private network on one interface.  It would then in turn,
         initiate these requests as if someone on the local box was making the
         requests.   Once the remote Internet server sends back the requested
         information, it would re-translate the TCP/IP addresses back to the 
         internal MASQ client and send traffic to the internal requesting host.  
         This is why it is called a PROXY server.  

                Note:  ANY applications that you might want to use on the 
                        internal machines *MUST* have proxy server support 
                        like Netscape and some of the better TELNET and FTP 
                        clients.  Any clients that don't support proxy servers 
                        won't work.

         Another nice thing about proxy servers is that some of them
         can also do caching (Squid for WWW).  So, imagine that you have 50 
         proxied hosts all loading Netscape at once.  If they were installed 
         with the default homepage URL, you would have 50 copies of the same 
         Netscape WWW page coming over the WAN link for each respective computer.  
         With a caching proxy server, only one copy would be downloaded by the proxy
         server and then the proxied machines would get the WWW page from the 
         cache.  Not only does this save bandwidth on the Internet connection, 
         it will be MUCH MUCH faster for the internal proxied machines.



MASQ:    IP Masq is available on Linux and a few ISDN routers such
 or      as the Zytel Prestige128, Cisco 770, NetGear ISDN routers, etc.
1:Many
 NAT     
                Pro:    + Only (1) IP address needed (cheap)
                        + Doesn't require special application support
                        + Uses firewall software so your network can become
                          more secure

                Con:    - Requires a Linux box or special ISDN router
                          (though other products might have this..  )
                        - Incoming traffic cannot access your internal LAN
                          unless the internal LAN initiates the traffic or
                          specific port forwarding software is installed.
                          Many NAT servers CANNOT provide this functionality.
                        - Special protocols need to be uniquely handled by
                          firewall redirectors, etc.  Linux has full support
                          for this (FTP, IRC, etc.) capabilty but many routers
                          do NOT (NetGear DOES). 

         Masq or 1:Many NAT is similar to a proxy server in the sense that the 
         server will do IP address translating and fake out the remote server 
         (WWW for example) as if the MASQ server made the request instead of an 
         internal machine.  
        
         The major difference between a MASQ and PROXY server is that MASQ servers
         don't need any configuration changes to all the client machines.  Just 
         configure them to use the linux box as their default gateway and everything 
         will work fine.  You WILL need to install special Linux modules for things 
         like RealAudio, FTP, etc. to work)!  

         Also, many people use IP MASQ for TELNET, FTP, etc. *AND* also setup a caching 
         proxy on the same Linux box for WWW traffic for the additional performance.


NAT:     NAT servers are available on Windows 95/NT, Linux, Solaris, and some of the 
         better ISDN routers (not Ascend)        

                Pro:    + Very configurable
                        + No special application software needed

                Con:    - Requires a subnet from your ISP (expensive)

         Network Address Translation is a name for a box that would have a pool of 
         valid IP addresses on the Internet interface that it can use.  When on the
         Internal network wanted to goto the Internet, it associates an available 
         VALID IP address from the Internet interface to the original requesting PRIVATE 
         IP address.  After that, all traffic is re-written from the NAT public IP
         address to the NAT private address.  Once the associated PUBLIC NAT address 
         becomes idle for some pre-determined amount of time, the PUBLIC IP address 
         is returned back into the public NAT pool.  

         The major problem with NAT is, once all of the free public IP addresses are 
         used, any additional private users requesting Internet service are out of
         luck until a public NAT address becomes free.

7.6 Are there any GUI firewall creation/management tools?

Yes! They vary in user interface, complexity, etc. but they are quite good though most are only for the IPFWADM tool so far. Here is a short list of available tools in alphabetical order. If you know of any others or have any thoughts on which ones are good/bad/ugly, please email Ambrose or David.

7.7 Does IP Masquerade work with dynamically assigned IP addresses?

Yes, it works with either dynamic IP addressed assigned by your ISP via either PPP or a DHCP/BOOTp server. As long as you have an valid Internet IP address, it should work. Of course, static IP works too. Yet, if you plan on implementing a strong IPFWADM/IPCHAINS ruleset and/or plan on using a Port forwarder, your ruleset will have to be re-executed everytime your IP address changes. Please see the top of TrinityOS - Section 10 for additional help with strong firewall rulesets and Dynamic IP addresses.

7.8 Can I use a cable modem (both bi-directional and with modem returns), DSL, satellite link, etc. to connect to the Internet and use IP Masquerade?

Yes, as long as Linux supports that network interface, it should work. If you receive a dynamic IP address, please see the URL under the "Does IP Masquerade work with dynamically assigned IP" FAQ item above.

7.9 Can I use Diald or the Dial-on-Demand feature of PPPd with IP MASQ?

Definitely! IP Masquerading is totally transparent to Diald or PPP. The only thing that might become an issue is if you use STRONG firewall rulesets with dynamic IP addresses. See the FAQ item, "Does IP Masquerade work with dynamically assigned IP addresses?" above for more details.

7.10 What applications are supported with IP Masquerade?

It is very difficult to keep track of a list of "working applications". However, most of the normal Internet applications are supported, such as WWW browsing (Netscape, MSIE, etc.), FTP (such as WS_FTP), TELNET, SSH, RealAudio, POP3 (incoming email - Pine, Eudora, Outlook), SMTP (outgoing email), etc. A somewhat more complete list of MASQ-compatible clients can be found in the Clients section of this HOWTO.

Applications involving more complicated protocols or special connection methods such as video conferencing software need special helper tools.

For more detail, please see this page about applications that work through Linux IP masquerading by Lee Nevo.

7.11 How can I get IP Masquerade running on Redhat, Debian, Slackware, etc.?

No matter what Linux distribution you have, the procedures for setting up IP Masquerade mentioned in this HOWTO should apply. Some distributions may have GUI or special configuration files that make the setup easier. We try our best to write the HOWTO as general as possible.

7.12 TELNET connections seem to break if I don't use them often. Why is that?

IP Masq, by default, sets its timers for TCP session, TCP FIN, and UDP traffic to 15 minutes. It is recommend to use the following settings (as already shown in this HOWTO's /etc/rc.d/rc.firewall ruleset) for most users:

Linux 2.0.x with IPFWADM:

# MASQ timeouts 
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself) 
#
/sbin/ipfwadm -M -s 7200 10 60

Linux 2.2.x with IPCHAINS:

# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
/ipchains -M -S 7200 10 60

7.13 When my Internet connection first comes up, nothing works. If I try again, everything then works fine. Why is this?

The reason is because you have a dynamic IP address and when your Internet connection first comes up, IP Masquerade doesn't know its IP address. There is a solution to this. In your /etc/rc.d/rc.firewall ruleset, add the following:

# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
#       option.  This enables dynamic-ip address hacking in IP MASQ, making the life
#       with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

7.14 IP MASQ seems to be working fine but some sites don't work. This usually happens with WWW surfing.

There is two possible reasons for this. The first one is VERY common and the second is very UNCOMMON.

7.15 IP Masquerading seems slow

There might be a few reasons for this:

7.16 Now that I have IP Masquerading up, I'm getting all sorts of weird notices and errors in the SYSLOG log files. How do I read the IPFWADM/IPCHAINS firewall errors?

There is probably two common things that you are going to see:

7.17 Can I configure IP MASQ to allow Internet users to directly contact internal MASQed servers?

Yes! With IPPORTFW, you can allow ALL or only a select few Internet hosts to contact ANY of your internal MASQed computers. This topic is completely covered in the Forwarders section of this HOWTO.

7.18 IRC won't work properly for MASQed IRC users. Why?

The main possible reason is because most common Linux distribution's IDENT or "Identity" servers can't deal with IP Masqueraded links. Do worries though, there are IDENTs out there that will work.

Installing this software is beyond the scope of this HOWTO but each tool has its own documentation. Here are some of the URLs:

Please note that some Internet IRCs servers still won't allow multiple connections from the same host even if they get Ident info and the users are different though. Complain to the remote sys admin. :)

7.19 mIRC doesn't work with DCC Sends

This is a configuration problem on your copy of mIRC. To fix this, first disconnect mIRC from the IRC server. Now in mIRC, go to File --> Setup and click on the "IRC servers tab". Make sure that it is set to port 6667. If you require other ports, see below. Next, goto File --> Setup --> Local Info and clear the fields for Local Host and IP Address. Now select the checkboxes for "LOCAL HOST" and "IP address" (IP address may be checked but disabled). Next under "Lookup Method", configure it for "normal". It will NOT work if "server" is selected. That's it. Try to the IRC server again.

If you require IRC server ports other than 6667, (for example, 6969) you need to edit the /etc/rc.d/rc.firewall startup file where you load the IRC MASQ modules. Edit this file and the line for "modprobe ip_masq_irc" and add to this line "ports=6667,6969". You can add additional ports as long as they are separated with commas.

Finally, close down any IRC clients on any MASQed machines and re-load the IRC MASQ module:

/sbin/rmmod ip_masq_irc /etc/rc.d/rc.firewall

7.20 Can IP Masquerade work with only ONE Ethernet network card?

Yes. with the "IP Alias" kernel compile-time feature but it IS NOT recommended. Providing a secure firewall becomes very difficult with a single NIC card. In addition to this, you will experience an abnormal amount of errors on this link since incoming packets will almost simultaneously be sent out at the same time. Because of all this and NIC cards now cost less than $10, I highly recommend to just get a NIC card for each MASQed network segment.

If you are still interested in doing this, you need to enable the "IP Alias" feature in the kernel, re-compile, and reboot. Now running the new kernel, you need to configure Linux to use the new interface (i.e. /dev/eth0:1, etc.). After that, you can treat it as a normal Ethernet interface.

7.21 I'm trying to use the NETSTAT command to show my Masqueraded connections but its not working

There is a problem with the "netstat" program. After a Linux reboot, running "netstat -M" works fine but after a MASQed computer runs some successful ICMP traffic like ping, traceroute, etc., you might see something like:

masq_info.c: Internal Error `ip_masquerade unknown type'.

The workaround for this is to use the "/sbin/ipfwadm -M -l" command. You will also notice that once the listed ICMP masquerade entries timeout, "netstat" works again.

7.22 I would like to get Microsoft PPTP (GRE tunnels) and/or IPSEC (Linux SWAN) tunnels running through IP MASQ

This IS possible. Though it is somewhat out of the scope of this document, check out John Hardin's PPTP Masq page for all the details.

7.23 I want to get the XYZ network game to work through IP MASQ but it won't work. Help!

First, check Lee Nevo's MASQ Applications page. If your solution isn't listed there, try patching your Linux kernel with Glenn Lamb's LooseUDP patch which is covered in the LooseUDP section above. Also check out Dan Kegel's NAT Page for more information.

If you are technically inclined, use the program "tcpdump" and sniff your network. Try to find out what protocols and port numbers your XYZ game is using. With this information in hand, subscribe to the IP Masq email list and email your results for help.

7.24 IP MASQ works fine for a while but then it stops working. A reboot seems to fix this for a while. Why?

I bet you are using IPAUTOFW and/or you have it compiled into the kernel huh?? This is a know problem with IPAUTOFW. It is recommend to NOT even install IPAUTOFW into the Linux kernel and use IPPORTFW instead. This is covered in more detail in the Forwarders section.

7.25 Internal MASQed computers cannot send SMTP mail!

Though this isn't a Masquerading issue per se, many people do this. The issue is that you are probably using your Linux box as a SMTP relay server and get the following error:

"error from mail server: we do not relay"
Newer versions of Sendmail and other Mail Transfer Agents (MTAs) disable relaying by default (this is a good thing). So do the following to fix this:

7.26 Why do the new 2.1.x and 2.2.x kernels use IPCHAINS instead of IPFWADM?

IPCHAINS supports the following features that IPFWADM doesn't:

7.27 I've just upgraded to the 2.2.x kernels, why isn't IP Masquerade working?

There are several things you should check assuming your Linux IP Masq box already have proper connection to the Internet and your LAN:

7.28 I've just upgraded to a 2.0.36+ kernels later, why isn't IP Masquerade working?

There are several things you should check assuming your Linux IP Masq box already have proper connection to the Internet and your LAN:

7.29 I need help with EQL connections and IP Masq

EQL has nothing to do with IP Masq though they are commonly teamed up on Linux boxes. Because of this, I recommend to check out the NEW version of Robert Novak's EQL HOWTO for all your EQL needs.

7.30 I can't get IP Masquerade to work! What options do I have for Windows Platforms?

Giving up a free, reliable, high performance solution that works on minimal hardware and pay a fortune for something that needs more hardware, lower performance and less reliable? (IMHO. And yes, I have real life experience with these ;-)

Okay, it's your call. Do a web search on "MS Proxy Server", "Wingate", "WinProxy", or goto www.winfiles.com. And definitely DON'T tell anyone I sent you.

7.31 I want to help on IP Masquerade development. What can I do?

Join the Linux IP Masquerading DEVELOPERS list and ask the great developers there, by sending an email to masq-dev-subscribe@tiffany.indyramp.com (or for a digest format, use masq-dev-digest-subscribe@tiffany.indyramp.com).

DON'T ask NON-IP-Masquerade development related questions there!!!!

7.32 Where can I find more information on IP Masquerade?

You can find more information on IP Masquerade at the Linux IP Masquerade Resource that both David Ranch and Ambrose Au maintain.

You can also find more information at Dranch's Linux page where the TrinityOS and other Linux documents are kept.

You may also find more information at The Semi-Original Linux IP Masquerading Web Site maintained by Indyramp Consulting, who also provides the IP Masq mailing lists.

7.33 I want to translate this HOWTO to another language, what should I do?

Make sure the language you want to translate to is not already covered by someone else. But, most of the translated HOWTOs are now OLD and need to be updated. A list of available HOWTO translations are available at the Linux IP Masquerade Resource.

If a copy of a current IP MASQ HOWTO isn't in your proposed language, please download the newest copy of the IP-MASQ HOWTO SGML code from the Linux IP Masquerade Resource. From there, begin your work while maintaining good SGML coding. For more help on SGML, check out www.sgmltools.org

7.34 This HOWTO seems out of date, are you still maintaining it? Can you include more information on ...? Are there any plans for making this better?

Yes, this HOWTO is still being maintained. In the past, we've been guilty of being too busy working on two jobs and don't have much time to work on this, my apology. As of v1.50, David Ranch has begun to revamp the document and get it current again.

If you think of a topic that could be included in the HOWTO, please send email to ambrose@writeme.com and dranch@trinnet.net. It will be even better if you can provide that information. We will then include the information into the HOWTO once it is both found appropriate and tested. Many thanks for your contributions!

We have a lot of new ideas and plans for improving the HOWTO, such as case studies that will cover different network setup involving IP Masquerade, more on security via strong IPFWADM/IPCHAINS firewall rulesets, IPCHAINS usage, more FAQ entries, etc. If you think you can help, please do! Thanks.

7.35 I got IP Masquerade working, it's great! I want to thank you guys, what can I do?


Next Previous Contents