Provided by: ipmasqadm_0.4.2-2.1_i386
ipmasqadm - IP Masquerading additional modules administration
ipmasqadm <module> [module-specific-options]
ipmasqadm <module> -h
ipmasqadm autofw options
ipmasqadm portfw options
ipmasqadm mfw options
Ipmasqadm is used to configure extra masquerading functionality, usually
provided by additional kernel modules.
All in-firewall forwarding takes place by reverse-masquerading, so you
must create firewall rules that match the desired forwarding as if the
connection had been outgoing (instead of incoming).
The kernel must have been compiled with the corresponding configuration
option (listed in the table below) for each module.
If you need to forward one (or more) ports to internal hosts, consider
using the mfw module.
Short    ipmasqadm    kernel              kernel
descr.   module       module              option
Auto     autofw.so    ip_masq_autofw.o    CONFIG_IP_MASQUERADE_IPAUTOFW
Port     portfw.so    ip_masq_portfw.o    CONFIG_IP_MASQUERADE_IPPORTFW
Fwmark   mfw.so       ip_masq_mfw.o       CONFIG_IP_MASQUERADE_MFW
MODULE autofw - Auto-forwarding
This module is, under some circumstances, capable of handling
application protocols that don't have support as specific masq
modules. The kernel must have been compiled with
CONFIG_IP_MASQUERADE_IPAUTOFW.
Options: see the command help (ipmasqadm autofw -h); for now please
refer to it.
For a lot of useful information about using autofw please visit
MODULE portfw - Port-forwarding
This module is able to forward to-firewall packets to internal hosts,
based on address and port specification.
Options: see the command help (ipmasqadm portfw -h); for now please
refer to it.
MODULE mfw - fwmark-forwarding
This module allows forwarding to-firewall packets to internal hosts,
based on fwmark matching. See ipchains(8) for setting up firewall
rules with fwmarking. Also please note that because this module acts
only on the first packet of a connection, it makes sense to add the -y
ipchains switch (match SYN packets only) to TCP fwmark rules.
mfw -A -m fwmark -r address [port] [-p pref]
Append one rule to the end of the fwmark list of forwarding hosts.
Packets carrying fwmark will create a masq-tunnel for redirecting
further connection traffic to address port. This will happen at
most pref times before scheduling another entry with the same fwmark.
If no port is specified, the redirection will use the original packet's
destination port.
mfw -I -m fwmark -r address [port] [-p pref]
Same as -A option, except that the rule is inserted at the head.
mfw -D -m fwmark [-r address [port] ]
Delete specified rule(s).
mfw -E -m fwmark [-r address [port] ] -p pref
Edit specified rule(s); currently only the -p value can be changed.
mfw -S -m fwmark
Force scheduling of the fwmark redirect entries.
mfw -F
Flush all rules.
mfw -L [-n]
List rules; with -n, show only addresses (no names).
Redirect all web traffic to the internal hosts hostA and hostB, where
hostB will serve twice as many connections as hostA. Forward rules that
already masquerade the internal hosts to the outside are assumed
(typical).
ipchains -I input -p tcp -y -d yours.com/32 80 -m 1
ipmasqadm mfw -I -m 1 -r hostA 80 -p 10
ipmasqadm mfw -I -m 1 -r hostB 80 -p 20
Redirect ssh traffic from external clientA to internal hostB; also show
the forward masq rule that allows incoming connections to the ssh port
for hostB only.
ipchains -I forward -p tcp -d clientA/32 -s hostB/32 22
ipchains -I input -p tcp -y -s clientA/32 -d 0/0 22 -m 2
ipmasqadm mfw -I -m 2 -r hostB 22
Redirect all traffic from external clientA to internal hostB; also show
the forward masq rule to allow this for hostB only (clean, simple ... just
ipchains -I forward -d clientA/32 -s hostB/32
ipchains -I input -s clientA/32 -m 3
ipmasqadm mfw -I -m 3 -r hostB
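The three examples above follow one pattern: an ipchains input rule that
fwmarks the first packet of the connection, then one mfw entry per
internal host carrying that mark. The following script is an added
example, not part of the ipmasqadm package or of this man page; it emits
that command pair for a set of weighted backends so the rule set can be
reviewed before it is loaded. It assumes (none of this is stated on the
page) a 2.2 kernel built with CONFIG_IP_MASQUERADE_MFW, ipchains(8) and
ipmasqadm(8) on the PATH, and that the forward/MASQ rules for the
internal hosts already exist; the MFW_DRYRUN variable, the run and
mfw_forward function names and the host:pref argument form are the
script's own conventions.

```shell
#!/bin/sh
# Added example, not part of the ipmasqadm package: emit the ipchains/ipmasqadm
# command pairs that implement the fwmark-forwarding pattern of the examples above.
# Assumptions (not stated on the page): a 2.2 kernel with CONFIG_IP_MASQUERADE_MFW,
# ipchains(8) and ipmasqadm(8) on PATH, and that the forward/MASQ rules for the
# internal hosts already exist.  With MFW_DRYRUN=1 (the default) the commands are
# printed instead of executed, so the rule set can be reviewed before it is loaded.

MFW_DRYRUN=${MFW_DRYRUN:-1}

run() {
    if [ "$MFW_DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mfw_forward MARK DEST PROTO PORT BACKEND[:PREF] ...
#   MARK     fwmark shared by the ipchains rule and the mfw entries
#   DEST     destination to match on the input chain ("-" = any, i.e. 0/0)
#   PROTO    tcp, udp or all
#   PORT     destination port ("-" = none; mfw then keeps the packet's own port)
#   BACKEND  internal host, optionally weighted as host:pref (default pref 1)
# One ipchains input rule marks the first packet of the connection (with -y for
# TCP only, since -y matches SYN and mfw acts on the first packet), then one
# ipmasqadm mfw entry is appended (-A) per backend, in the order given.
mfw_forward() {
    mark=$1 dest=$2 proto=$3 port=$4
    shift 4
    [ $# -ge 1 ] || { echo "mfw_forward: at least one backend required" >&2; return 2; }
    case $mark in ''|*[!0-9]*) echo "mfw_forward: bad fwmark '$mark'" >&2; return 2 ;; esac
    case $proto in
        tcp) protoopt='-p tcp -y' ;;
        udp) protoopt='-p udp' ;;
        all) protoopt= ;;
        *)   echo "mfw_forward: bad proto '$proto'" >&2; return 2 ;;
    esac
    [ "$dest" = - ] && dest=0/0
    if [ "$port" = - ]; then
        run ipchains -I input $protoopt -d "$dest" -m "$mark"
    elif [ "$proto" = all ]; then
        echo "mfw_forward: a port needs tcp or udp" >&2; return 2
    else
        run ipchains -I input $protoopt -d "$dest" "$port" -m "$mark"
    fi
    for b in "$@"; do
        host=${b%%:*} pref=${b#*:}
        [ "$pref" = "$b" ] && pref=1
        # pref is the number of connections an entry takes before the next
        # entry with the same fwmark is scheduled, so it must be a positive integer
        case $pref in ''|0|*[!0-9]*) echo "mfw_forward: bad pref in '$b'" >&2; return 2 ;; esac
        if [ "$port" = - ]; then
            run ipmasqadm mfw -A -m "$mark" -r "$host" -p "$pref"
        else
            run ipmasqadm mfw -A -m "$mark" -r "$host" "$port" -p "$pref"
        fi
    done
}

# Web traffic split between hostA and hostB, hostB taking twice the connections:
# the same setup as the first example above, appended in order instead of -I.
mfw_forward 1 yours.com/32 tcp 80 hostA:10 hostB:20
```

The script uses -A rather than the -I of the examples so that the
backends end up in the order they were given; with -I each insert goes
to the head, which is why hostB precedes hostA in the first example.
Run it with MFW_DRYRUN=0 to actually load the rules.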
Modules used for ipmasqadm kernel interfacing.
/proc/net/ipmasq/* Masquerading modules internal state files.
As of 2.2, there is no way to share port numbers with normal sockets.
Currently masq modules take precedence over sockets.
Also, because redirections are actually masq tunnels, they have the same
properties: idle timeouts, max. number of entries, etc.
Kernel module autoloading will work for the -A and -I switches, but not
for -L, so you will see warnings about missing /proc/net/ip_masq/... if
you list entries when the module is not (auto)loaded. This will change in
Protocols that use control and data connections are always a headache
when crossing firewalls. Examples of these are ftp, irc, real audio,
etc. Because we are reverse-masq forwarding, the problems get reversed;
for example: ftp from outside to an internal forwarded server will not
work in PASV mode because the server will send its internal address to
the outside client; in contrast, traditional non-passive (active)
connections will succeed (think about this a little, please). Support
for bidirectional helper modules is in the works.
This is my first man page, just in case you didn’t notice ... ;)
Consider it pre-alpha quality.
Juan Jose Ciarlante <email@example.com>
December 1998 IPMASQADM(8)