Provided by: ipmasqadm_0.4.2-2.1_i386

NAME
       ipmasqadm - IP Masquerading additional modules administration

SYNOPSIS
       ipmasqadm <module> [module-specific-options]
       ipmasqadm <module> -h

       ipmasqadm autofw options
       ipmasqadm portfw options
       ipmasqadm mfw options

DESCRIPTION
       Ipmasqadm is used to configure extra masquerading functionality,
       usually provided by additional kernel modules.

       All in-firewall forwarding takes place by reverse-masquerading, so you
       must write firewall rules that match the desired forwarding as if the
       connection had been outgoing (instead of incoming).

       The kernel must have been compiled with the corresponding option for
       each module (see the table below).

       If you need to forward one (or more) ports to internal hosts, consider
       using the mfw module.

       In short:

       Short    ipmasqadm    kernel               kernel
       descr.   module       module               option
       Auto     autofw       ip_masq_autofw.o     CONFIG_IP_MASQUERADE_IPAUTOFW
       Port     portfw       ip_masq_portfw.o     CONFIG_IP_MASQUERADE_IPPORTFW
       Fwmark   mfw          ip_masq_mfw.o        CONFIG_IP_MASQUERADE_MFW

MODULE autofw - Auto-forwarding

       This module is, under some circumstances, capable of handling
       application protocols that don't have support as specific masq
       modules.  The kernel must have been compiled with
       CONFIG_IP_MASQUERADE_IPAUTOFW (see the table above).

   autofw -h
       Prints the command help.  For now, please refer to it for the option
       list.

       For a lot of useful info about using autofw, please visit

MODULE portfw - Port-forwarding

       This module is able to forward to-firewall packets to  internal  hosts,
       based on address and port specification.

   portfw -h
       Prints the command help.  For now, please refer to it for the option
       list.

MODULE mfw - fwmark-forwarding

       This module allows forwarding to-firewall packets to internal hosts,
       based on fwmark matching.  See ipchains(8) for setting up firewall
       rules with fwmarking.  Also note that because this module acts only on
       the first packet of a connection, it makes sense to add the -y (SYN
       only) ipchains switch to TCP fwmark rules, so that only connection
       setup packets are marked.

       mfw -A -m fwmark -r address [port] [-p pref]
              Append one rule to the end of the fwmark list of forwarding
              hosts.  Marked packets will create a masq-tunnel redirecting
              further traffic of that connection to address:port.  This will
              happen at most pref times before another entry with the same
              fwmark is scheduled.  If no port is specified, redirection will
              use the original packet's destination port.

       mfw -I -m fwmark -r address [port] [-p pref]
              Same as -A option, except that the rule is inserted at the head.

       mfw -D -m fwmark [-r address [port] ]
              Delete specified rule(s).

       mfw -E -m fwmark [-r address [port] ] -p pref
              Edit specified rule(s), currently -p value can be changed.

       mfw -S -m fwmark
              Force scheduling in fwmark redirect entries.

       mfw -F
              Flush all rules.

       mfw -L [-n]
              List rules; with -n, show numeric addresses only (no names).

       Redirect all web traffic to internal hosts hostA and hostB, where hostB
       will serve twice as many connections as hostA.  Forward rules are
       assumed to already masquerade internal hosts to the outside (the
       typical setup).

              ipchains -I input -p tcp -y -d 0/0 80 -m 1
              ipmasqadm mfw -I -m 1 -r hostA 80 -p 10
              ipmasqadm mfw -I -m 1 -r hostB 80 -p 20

       Redirect ssh traffic from external clientA to internal hostB; the
       forward masq rule shown allows only hostB's replies from the ssh port
       to clientA, so no other internal host is exposed through this forward.

              ipchains -I forward -p tcp -d clientA/32 -s hostB/32 22 -j MASQ
              ipchains -I input -p tcp -y -s clientA/32 -d 0/0 22 -m 2
              ipmasqadm mfw -I -m 2 -r hostB 22

       Redirect all traffic from external clientA to internal hostB; the
       forward masq rule shown allows this for hostB only (clean, simple ...
       just

              ipchains -I forward -d clientA/32 -s hostB/32 -j MASQ
              ipchains -I input -s clientA/32 -m 3
              ipmasqadm mfw -I -m 3 -r hostB
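       The three examples above share one pattern: a masquerading rule on the
       forward chain for the reply direction (written as if the connection
       were outgoing), a marking rule on the input chain (SYN-only for TCP,
       since mfw acts on the first packet only), and the mfw entry itself.
       The shell function below generates that rule set for one fwmark.  It
       is an added example, not part of the original man page or of the
       ipmasqadm package; the function name fwmark_forward and the DRY_RUN
       variable are assumptions of this example.  By default it only prints
       the commands, so it runs anywhere; executing them needs a 2.2 kernel
       with ipchains and the ip_masq_mfw module.

```shell
#!/bin/sh
# Added example, not from the ipmasqadm man page.  Generates the three-rule
# pattern used in the mfw examples for a single fwmark forward.
#
#   fwmark_forward MARK PROTO CLIENT HOST [PORT]
#     MARK    fwmark value (positive integer)
#     PROTO   tcp | udp | all
#     CLIENT  external source to accept, e.g. clientA/32 or 0/0
#     HOST    internal host that receives the redirected connections
#     PORT    destination port; omit to redirect all ports (tcp/udp only)
#
# DRY_RUN=1 (the default; an assumption of this example) prints the
# commands instead of executing them.  Set DRY_RUN=0 on a 2.2 kernel with
# ipchains and ipmasqadm installed to apply them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

fwmark_forward() {
    mark=$1; proto=$2; client=$3; host=$4; port=$5
    syn=""; pflag=""

    # fwmark 0 means "unmarked", so require a positive integer.
    case "$mark" in
        ''|*[!0-9]*|0) echo "fwmark_forward: mark must be a positive integer" >&2
                       return 1 ;;
    esac
    case "$proto" in
        tcp) pflag="-p tcp"; syn="-y" ;;   # mark SYNs only: mfw sees the first packet
        udp) pflag="-p udp" ;;
        all) if [ -n "$port" ]; then
                 echo "fwmark_forward: a port requires tcp or udp" >&2; return 1
             fi ;;
        *)   echo "fwmark_forward: proto must be tcp, udp or all" >&2; return 1 ;;
    esac

    # 1. Reply direction, as if the connection had been outgoing: packets
    #    from the internal host (source port = forwarded port) back to the
    #    client are masqueraded.  Restricting it to HOST/32 keeps other
    #    internal hosts from being reachable through this forward.
    run ipchains -I forward $pflag -s "$host/32" $port -d "$client" -j MASQ
    # 2. Mark the incoming first packet (SYN only for TCP) on the input chain.
    run ipchains -I input $pflag $syn -s "$client" -d 0/0 $port -m "$mark"
    # 3. Tell mfw where marked connections go; without PORT the original
    #    destination port is kept.
    run ipmasqadm mfw -I -m "$mark" -r "$host" $port
}

# Demo (dry run): the ssh example from the man page.
fwmark_forward 2 tcp clientA/32 hostB 22
```

       The demo prints the same three commands as the ssh example above.
       Passing udp drops the -y switch (there are no SYNs to match), and
       passing all with a port is rejected, because ipchains only accepts a
       port specification together with -p tcp or -p udp.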

FILES
       Modules used for ipmasqadm kernel interfacing.

       /proc/net/ipmasq/*  Masquerading modules internal state files.


       As of kernel 2.2, there is no way to share port numbers with normal
       sockets: masq modules currently take precedence over sockets, so a
       forwarded port shadows any service listening on that port on the
       firewall itself.

       Also, because redirections are actually masq tunnels, they have the
       same properties: idle timeouts, maximum number of entries, etc.

       Kernel module autoloading will work for the -A and -I switches, but
       not for -L, so you will see warnings about a missing
       /proc/net/ip_masq/...  if you list entries while the module is not
       (auto)loaded.  This will change in future releases.


       Protocols that use separate control and data connections are always a
       headache when crossing firewalls.  Examples of these are ftp, irc,
       RealAudio, etc.  Because we are reverse-masq forwarding, the problems
       get reversed; for example, ftp from outside to an internal forwarded
       server will not work in PASV mode because the server will send its
       internal address to the outside client, whereas traditional
       non-passive (active) connections will succeed (think about this a
       little, please).  Support for bidirectional helper modules is in the
       works.


       This is my first man page, just in case you didn’t notice ... ;)

       Consider it pre-alpha quality.



AUTHOR
       Juan Jose Ciarlante <>

                                 December 1998                    IPMASQADM(8)