Linux IP Masquerade

Linux IP Masquerade Resource

Last updated on March 31, 1999

NOTICE

The old site address http://ipmasq.home.ml.org/ is no longer available due to the shutdown of ml.org.
Please bookmark http://ipmasq.cjb.net/ as the primary IP Masquerade Resource page.
A secondary site is available at http://ipmasq2.cjb.net/.


What is IP Masquerade for Linux?

IP Masquerade is a networking feature in Linux. If a Linux host is connected to the Internet with IP Masquerade enabled, then computers connecting to it (usually on the same LAN, but can also be connected with other links such as modems or PLIP) can reach the Internet as well, even though they have no officially assigned IP addresses.

Why do I want to use it?

Think about a few people surfing the Internet simultaneously with a single modem connection, only paying for a single phone bill and Internet service charge at the end of the month... Pretty tempting, huh?!

A fellow user, Jim, also brought up a very good point: "For me the most compelling argument was competing with my wife for 1 phone line to access the internet. With a Linux gateway with masquerading, we could share (no more arguments about who was connected) the line.", hence reducing the divorce rate. :-)

Well, I only have a 28800bps connection. Is the bandwidth enough for sharing?

It depends on what you're going to do. If a few users often download files at the same time, then you should expect prolonged waiting times. However, if the users are only surfing the web and using telnet, then it should be enough. As an example, my 28800bps connection works reasonably well with 2 people surfing the web and one using telnet. IP Masquerade can also be useful for a larger user base when it is dedicated to retrieving email from, let's say, a popmail server.

Keep in mind that the Internet connection is not limited to a modem line; you can use an ISDN line, DSL, cable modem, satellite link, or even T1/E1 if available.

Is it reliable?

IP Masquerade has been out for several years and is maturing as Linux heads into the 2.2.x stage. Kernels since 1.3.x have had built-in support. Although some users have reported minor problems with it, and not everything works through IP Masquerade yet, many people are using it with satisfaction, including businesses with considerably more traffic. So why not give it a try?

Okay, I want to use it! What's up next?

Take a look at the resource list below then. Good luck!



Linux IP Masquerade Resource List

News and Notice

     

    Mar. 31, 1999. -- AA

  • IP Masquerade HOWTO v1.65 is out! Changes include typo fixes, clarifications of required 2.2.x kernel options, dynamic PPP IP address support added to the strong firewall section, additional Quake II module ports, a note that the LooseUDP patch is built into later 2.2.x kernels, and more game info in the compatibility section.

  • LooseUDP patch (portfw) is available for 2.0.36 kernel. Instructions are included in the tgz file.

    Mar. 23, 1999. -- AA

  • Wow! Look at what David has done to the IP Masquerade HOWTO... A major update with tons of new topics, an expanded FAQ section, and improved firewall rulesets. The current version is v1.62, and it is a pre-release of v2.0. So, take a look at it, let us know if there are any errors, send us suggestions, and let us know what you think about this new and improved HOWTO.

  • If you have any new ideas for the IP Masquerade HOWTO and this website, please let us know by sending email to David A. Ranch and Ambrose Au. We may not be able to use or acknowledge all your suggestions, but all suggestions will be greatly appreciated. Thank you!

  • John Hardin's new Linux VPN Masquerade page, replacing the old PPTP page.  Please also see his Linux VPN Masquerade HOWTO.

  • More updates to come!  David will be joining me at this website shortly!


    Feb. 7, 1999. -- AA

  • Finally, with the release of the Linux 2.2.x series of kernels, the IP Masquerade mini HOWTO is updated. Instructions for setting up IP Masquerade on Linux 2.2.x are included. Hopefully with David Ranch's help, the HOWTO can be updated more frequently, and will have more coverage of a variety of ipmasq related topics.

  • I have been pretty bad at replying to emails of late, sorry. If you have a problem or question regarding IP Masquerade or Linux networking in general, please join the ipmasq mailing list (see below) or related Linux newsgroups. David and I very much appreciate everyone who has sent in suggestions or comments; sorry if we cannot reply to you personally.

    Dec. 19, 1998. -- AA
  • After experimenting with the ddns.org URL redirection service (http://www.ipmasq.ddns.org/) for a week, I find that the service level is less than satisfying. So I decided to go with another service and the new ipmasq page address is http://ipmasq.cjb.net/. Sorry for the confusion this may have created; hopefully this will be a stable service (performance is great) so I can spend my X'mas working on the howto updates.

    Other Notice
  • If you are having problems with the primary IP Masquerade Resource page, please try the backup site at http://ipmasq2.cjb.net

  • To download any files on this page, please right click on the link and select the SAVE AS option. For some of the gz files, you may have to append the .gz extension to it after downloading.

  • Please feel free to send comments to Ambrose Au and David Ranch about the HOWTO and this Resource page.

    Due to personal workload, we cannot promise a reply to all non-website related questions. Please post your questions to the IP Masquerade mailing list instead; users and developers on the list may be more capable of helping with your problem. Sorry about this, but we don't want to get you a reply after weeks.

IP Masquerade for 2.2.x and 2.0.x Kernels
Notable Information

This section provides information about IP Masquerade that is probably useful or important but has not yet been incorporated into the HOWTO.
  • If you are having problems running IP Masquerade with recent kernels, please read on:
    Since kernel 2.0.30, ip_forward is disabled by default. If you have not compiled the kernel with this option, you will have to explicitly specify

       echo "1" > /proc/sys/net/ipv4/ip_forward

    to make IP Masquerade work.

    For the 2.2.x kernels, IP forwarding is disabled by default. To make IP Masquerade functional, you have to enable IP forwarding by specifying

       echo "1" > /proc/sys/net/ipv4/ip_forward

    For Red Hat Linux, try changing "FORWARD_IPV4=false" to "FORWARD_IPV4=true" in

    /etc/sysconfig/network
  • Some information on TCPDeath caused by ipautofw.

  • There is a way to get X working over IP Masquerade: a compressor and proxy for the X protocol called dxpc.
    Set up the dxpc server on the gateway/ipmasq host, then get the dxpc file on the other system and run the client from there.
    After that, it is also possible to run X from anywhere by setting the X display to the server that is running the client.
    Thanks to Wembly for supplying this information.

  • Regarding using IP Masquerade with a DirecPC satellite link and Helius software, Paul Budnik suggested that the firewall rule ipfwadm -F -p deny prevents the Helius software from working, so keep that in mind when you are setting up IP Masquerade or IP Firewall on Linux.

  • Bug Alert: There is a bug in the 2.0.x masquerade code that causes improper handling of fragments if the MTU and MRU sizes are set to different numbers, even if the ALWAYS DEFRAGMENT kernel option is set. You can either apply this MTU patch or set the MTU and MRU on your Internet connection to be equal. Thanks to John Hardin for the info.

Patches for 2.0.x Kernel

With the newly released Linux kernel 2.0.34, all the individual (ICMP, timeout, etc.) and bumper patches are obsolete. Upgrading to the latest stable kernel is highly recommended.
  • There is a bug in the 2.0.x masquerade code that causes improper handling of fragments if the MTU and MRU sizes are set to different numbers, even if the ALWAYS DEFRAGMENT kernel option is set. You can either apply this MTU patch or set the MTU and MRU on your Internet connection to be equal. Thanks to John Hardin for the info.

  • Precompiled version of the ipfwadm (12598 bytes). Simply gunzip and copy this file to /sbin and chmod 755 it. Or if you want to compile it yourself, here is the Ipfwadm timeout patch.

  • PPTP patch to support masquerading for Microsoft Point-to-Point Tunneling Protocol clients. Please see the instructions for details.

Bumper patch section: you only need this if you have kernel 2.0.29 or an earlier version.

  • None of the patches in this section are included in any kernel source prior to the 2.0.30 kernel.

  • Please read the instructions before applying any patch.

  • Nigel's bumper masquerading kernel patches BETA 2 for kernel 2.0.29 (not necessary for kernel 2.0.30 or later) (18195 bytes), which includes all patches below. If you have ip_masq_bumper-2.0.28.patch or ip_masq_bumper-2.0.29.patch, you might want to upgrade to this ip_masq_bumper6-2.0.29.patch. Please read the instructions before installation.

  • Precompiled version of the ipfwadm (12598 bytes) for use with the bumper patch. Simply copy this file to /sbin and chmod 755 it.
IP Masquerade Mailing List
  • IP Masquerade Mailing List Archive is a vital part of IP Masquerade's success. It's the best resource if you have any questions or problems about IP Masquerade. Provided by Indyramp Consulting.

    Join the Linux IP Masquerading mailing list by sending an email to masq-subscribe@indyramp.com.

    Subject and body of the message are IGNORED. This gives you every message on the list as it comes out. You are welcome to use this form if you need it, but if you can stand the digest, please choose it instead. The digest puts less of a load on the list servers. Note that you can only post from an account/address you are subscribed from.

    For more commands, email masq-help@tori.indyramp.com.

    Join the Linux IP Masquerading DEVELOPERS list and ask the great developers there, by sending an email to masq-dev-subscribe@tori.indyramp.com (or for a digest format, use masq-dev-digest-subscribe@tori.indyramp.com).

    DON'T ask non IP Masquerade development related questions there!!!!

    If you have any problem regarding the mailing list or the mailing list archive, please contact Robert Novak.

    Please check the mailing archive for the solution before posting to the mailing list.

IP Masquerade and Applications
IP Masquerade for 1.2.x Kernel
  • If you are still using IP Masquerade on kernel 1.2.x, you need the ipfw package, see the IP Masquerade HOWTO for kernel 1.2.x for details. Ipfwadm will NOT work.

  • IP Masquerade HOWTO for kernel 1.2.x contains information on setting up IP Masquerade with the patches on a Linux 1.2.x system.

  • If you're using Linux kernel 1.2.x, please get the MasqPlus 0.5 patch

  • Another source of the MasqPlus 0.5 patch at indyramp.com
Other IP Masquerade Info and Links
  • Indyramp's IP Masquerading site, the official IP Masquerade site maintained by Robert Novak.

  • IP Masquerade FAQ contains much useful information on IP Masquerade, but is based on kernel 1.2.x.

  • Ipfwadm Page contains information about the package that does the forwarding task, provided by X/OS.
    Ipfwadm 2.3 has been released for use on 2.0.x kernels.

  • The Indyramp Masquerade ftp site has some packages and patches for 1.2.x
    Note: 57.6kbps EQL connection

  • IP Auto Forwarder (20172 bytes), TCP Port Redirector (8802 bytes), and UDP Port Redirector (1399 bytes) are some of the utilities which may help you to get more out of IP Masquerade. However, use with care since these may create security holes if not used properly.

  • Ipfwadm dotfile module page provides information on a GUI shell configurator for ipfwadm. "It makes setting up IP Masquerade and basic firewalling on a small network easier for Linux users." Thanks to John Hardin.

  • A remote management utility for Linux IP Firewall with other features. Check out Masqd Software for Linux Page for details.

  • A page documenting the steps necessary to get CU-SeeMe and IP Masquerade fully functional, including getting inbound calls, thanks to Michael Owings.

  • Some information on setting up IP masquerade on Linux kernel 2.1.x by Toby Reed. This will be included in the howto once it is updated.

  • John Hardin's Linux VPN Masquerade page, replacing the old PPTP page.  Please also see his Linux VPN Masquerade HOWTO.

  • Software that provides an alternative to diald for dialing up to an ISP, with other features that diald doesn't have.

  • A single diskette version of Linux that has enough guts to work as a gateway (using IP Masquerading), and name server for an entire network. There is a freeware version and a commercial version.

  • An IP Masquerade related page in French.

  • A site with the Spanish version of IP Masquerade howto in html, ps and ascii format.

  • Identd designed for IP Masquerade (version 0.1.1) is updated (even though the version number remains the same), it contains bug fixes and improved documentation.

  • A port forwarding related page.

  • The TCP/IP 32b package for Windows 3.11 that was mentioned in section 3.3 of the howto can be obtained at ftp://ftp.microsoft.com/bussys/clients/wfw/TCP32B.EXE

  • TrinityOS Documentation. This is a step-by-step doc for setting up the following on Linux: IP MASQ, advanced IPFWADM rulesets, BIND v8, PPP, Diald, dual Ethernet NICs (for cable modem users), SAMBA support, and sound support.

  • A script that implements the masq rules after your Linux box receives a dynamic IP from the ISP, provided by Robert Geer.

  • This is not IP Masquerade related, but you may find Virtual Network Computing by ORL interesting and useful. It is a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures, including any Java capable browsers, WinCE, Win32 systems, DOS, UNIX systems (X and SVGA lib), etc. A host can be a Linux box (or other flavors of UNIX), Windows 9x or Windows NT. I find it very impressive and it is GPLed.

  • Linux NAT page.

IP Masquerade Resource Mirror sites






About the IP Masquerade Resource page and the HOWTO...

All feedback and comments are welcome, and it would be great to have someone who knows it well help make a better HOWTO.

Please send any comments about the HOWTO or about this page to
ambrose@writeme.com and dranch@trinnet.net. Your invaluable comments will certainly influence the future of this HOWTO and website!

Hope you enjoy this...

Ambrose Au / David Ranch.





Copyright (c) 1999 Ambrose Au and David Ranch. All rights reserved for their respective owners.