Provided by: ipmasqadm_0.4.2-2.1_i386

NAME

       ipmasqadm - IP Masquerading additional modules administration

SYNOPSIS

       ipmasqadm <module> [module-specific-options]
       ipmasqadm <module> -h

       ipmasqadm autofw options
       ipmasqadm portfw options
       ipmasqadm mfw options

DESCRIPTION

       Ipmasqadm is used to configure extra masquerading functionality, usually
       provided by additional kernel modules.

       All in-firewall forwarding takes place by reverse-masquerading, so  you
       must  create  firewall rules that match the desired forwarding as if the
       connection had been outgoing (instead of incoming).

       Kernel must have been compiled with
       CONFIG_EXPERIMENTAL=y
       CONFIG_IP_MASQUERADE=y
       CONFIG_IP_MASQUERADE_MOD=y
       and
       CONFIG_IP_MASQUERADE_IPAUTOFW=y/m
       CONFIG_IP_MASQUERADE_IPPORTFW=y/m
       CONFIG_IP_MASQUERADE_MFW=y/m
       for respective modules.

       If you need to forward one (or more) ports to internal hosts,  consider
       using the mfw module.

       In short:

       Short    ipmasqadm          kernel                    kernel
       descr.   module             module                    option
       -------------------------------------------------------------------------
       Auto     autofw.so    ip_masq_autofw.o     CONFIG_IP_MASQUERADE_IPAUTOFW
       Port     portfw.so    ip_masq_portfw.o     CONFIG_IP_MASQUERADE_IPPORTFW
       Fwmark   mfw.so       ip_masq_mfw.o        CONFIG_IP_MASQUERADE_MFW

MODULE autofw - Auto-forwarding

       This  module  is,  under  some  circumstances,  capable   of   handling
       application  protocols  that  don’t  have  support  as  specific  masq
       modules.  Kernel must have been compiled with

   autofw -h
       Command help. For now, please refer to it.

       For a lot of  useful  info  about  using  autofw,  please  visit
       http://ipmasq.home.ml.org

MODULE portfw - Port-forwarding

       This module is able to forward to-firewall packets to  internal  hosts,
       based on address and port specification.

   portfw -h
       Command help. For now, please refer to it.

MODULE mfw - fwmark-forwarding

       This  module  allows  forwarding to-firewall packets to internal hosts,
       based on fwmark matching.  See  ipchains(8)  for  setting  up  firewall
       rules  with  fwmarking.  Also please note that because this module acts
       only on the first packet of a connection, it makes sense to add the  -y
       ipchains switch to TCP fwmark rules.

   COMMANDS
       mfw -A -m fwmark -r address [port] [-p pref]
              Append one rule to the end of fwmark list of forwarding hosts.
              Packets  fwmarked  will  create  a  masq-tunnel  for redirecting
              further connection traffic to address port.  This will happen at
              most pref times before scheduling another entry with same fwmark
              value.
              If no port is specified, redirection will use the original
              packet's destination port.

       mfw -I -m fwmark -r address [port] [-p pref]
              Same as -A option, except that the rule is inserted at the head.

       mfw -D -m fwmark [-r address [port] ]
              Delete specified rule(s).

       mfw -E -m fwmark [-r address [port] ] -p pref
              Edit specified rule(s), currently -p value can be changed.

       mfw -S -m fwmark
              Force scheduling in fwmark redirect entries.

       mfw -F
              Flush all rules.

       mfw -L [-n]
              List rules, optionally showing only addresses (no names).

   EXAMPLES
       Redirect all web traffic to internal hosts hostA and hostB, where hostB
       will  serve  2  times  as  many connections as hostA. Forward rules
       already masq internal hosts to outside (typical).

              ipchains -I input -p tcp -y -d yours.com/32 80 -m 1
              ipmasqadm mfw -I -m 1 -r hostA 80 -p 10
              ipmasqadm mfw -I -m 1 -r hostB 80 -p 20
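
       The pref scheduling described under COMMANDS, applied to the two rules
       above, as an added example (a toy model written for this page, not the
       kernel module's code). The class MfwTable and its method names are
       hypothetical, and rotating a used-up entry to the tail is an assumption
       drawn from the "at most pref times before scheduling another entry"
       wording.

```python
from collections import Counter, deque


class MfwTable:
    """Toy model of the redirect list for ONE fwmark value (assumption-based)."""

    def __init__(self):
        # Each entry is [host, pref, remaining uses before rescheduling].
        self.entries = deque()

    def insert(self, host, pref):
        """Models 'mfw -I': the rule is inserted at the head of the list."""
        self.entries.appendleft([host, pref, pref])

    def append(self, host, pref):
        """Models 'mfw -A': the rule is appended at the end of the list."""
        self.entries.append([host, pref, pref])

    def schedule(self):
        """Models 'mfw -S': force scheduling of the next entry."""
        head = self.entries[0]
        head[2] = head[1]          # refill the head's counter
        self.entries.rotate(-1)    # assumed behaviour: head moves to the tail

    def pick(self):
        """Return the host that receives the next new (SYN) connection."""
        if not self.entries:
            return None            # no rule for this fwmark
        head = self.entries[0]
        host = head[0]
        head[2] -= 1
        if head[2] <= 0:           # used 'pref' times: schedule another entry
            self.schedule()
        return host


def distribute(table, connections):
    """Count how many of `connections` new connections each host receives."""
    return Counter(table.pick() for _ in range(connections))


def example_table():
    """The list built by the two 'mfw -I -m 1' commands above, in order."""
    table = MfwTable()
    table.insert("hostA", 10)
    table.insert("hostB", 20)      # inserted last, so it sits at the head
    return table
```

       In this model the split is exact only over whole cycles of 30
       connections; within a cycle hostB receives its 20 connections in one
       run before hostA is used.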

       Redirect ssh traffic from external clientA to internal hostB, also show
       forward masq rule to allow only hostB incoming connections to ssh port.

              ipchains -I forward -p tcp -d clientA/32 -s hostB/32 22
              ipchains -I input -p tcp -y -s clientA/32 -d 0/0 22 -m 2
              ipmasqadm mfw -I -m 2 -r hostB 22

       Redirect all traffic from external clientA to internal hostB, also show
       forward  masq rule to allow this for hostB only (clean, simple ... just
       *grin*)

              ipchains -I forward -d clientA/32 -s hostB/32
              ipchains -I input -s clientA/32 -m 3
              ipmasqadm mfw -I -m 3 -r hostB

FILES

       /usr/lib/ipmasqadm/*.so
                           Modules used for ipmasqadm kernel interfacing.

       /proc/net/ipmasq/*  Masquerading modules internal state files.

BUGS

       As of 2.2, there is no way to share port numbers with  normal  sockets.
       Currently masq modules take precedence over sockets.

       Also,  because  redirections  are actually masq tunnels, they have the
       same properties: idle timeouts, max. number of entries, etc.

       Kernel module autoloading will work for -A and -I switches, and not for
       -L,  so  you  will see warnings about missing /proc/net/ip_masq/...  if
       you list entries when module is not (auto)loaded. This will  change  in
       future releases.

CAVEATS

       Protocols  that  use control and data connections are always a headache
       when crossing firewalls. Examples of these are ftp,  irc,  real  audio,
       etc.  Because  we  are  reverse-masq forwarding, problems get reversed;
       for example: ftp from outside to an internal forwarded server will  not
       work  in  PASV  mode  because the server will send its internal address
       to the outside client; in contrast,  traditional  non-passive
       connections  will  succeed  (think  about  this  a  little,  please).
       Support for bidirectional helper modules is in the works.
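
       The PASV failure described above can be recognised from the server's
       227 reply. The following check is an added example, not part of
       ipmasqadm or of the original page; the function names, the result
       strings and the sample reply are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges: addresses an outside client cannot route to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")

# Constructed sample: what a forwarded internal server would send.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,10,19,137)"


def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]


def check_pasv(reply, connected_to):
    """Classify a control-channel reply seen by a client outside the firewall.

    connected_to is the external address the client opened the control
    connection to (the firewall's address when mfw/portfw is forwarding).
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "not-pasv"
    addr, _port = parsed
    if addr == ipaddress.IPv4Address(connected_to):
        return "ok"                       # data connection goes where control did
    if any(addr in net for net in RFC1918):
        return "internal-address-leak"    # the case described in CAVEATS
    return "address-mismatch"
```

       A result of internal-address-leak means the data connection will fail
       for the outside client and that the reply has disclosed the server's
       internal address.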

NOTES

       This is my first man page, just in case you didn’t notice ... ;)

       Consider it pre-alpha quality.

SEE ALSO

       ipchains(8)

AUTHOR

       Juan Jose Ciarlante <jjciarla@raiz.uncu.edu.ar>

                                 December 1998                    IPMASQADM(8)