ipmasq
ipmasq is a system to securely initialize IP Masquerade for use as
a forwarding firewall. IP Masquerade is a feature of the Linux kernel that
allows an entire network of computers to be connected to another network
(usually the Internet) with only one network address on that other network. IP
Masquerade is often referred to as NAT (Network Address Translation) on other
platforms.
ipmasq started life in the author's dorm room as an instance of
the strong ruleset described in the ipmasq
mini-HOWTO. This was christened the 1.x series, as it grew it
became more robust. However, it only supported the 2.0 kernels, as it used
ipfwadm, and hardcoded the author's dorm room network.
The 2.x series of ipmasq saw its generalization via a
configuration file and its introduction into the Debian distribution.
The 3.0 release of ipmasq was the first release suitable for use
with pppd. It received some much needed intelligence about
interfaces and routes, which allowed it to cope with changing network
connections. Also, version 3.0 introduced support for the
ipchains interface which appears in the 2.2 and the later 2.1
series kernels.
Later releases of the 3.x series added other features. Version 3.1.0 added the flexible rules framework, while version 3.3.0 added infrastructure for loading of ip_masq_* kernel modules.
This document first appeared in version 3.4.0 of ipmasq.
The 3.5 series of ipmasq added support for debconf,
Debian's next-generation configuration management system. It also added
support for the netfilter kernel interface found in later 2.3 and 2.4 kernels.
For more information about netfilter, please see http://netfilter.kernelnotes.org/.
After Brian orphaned this Debian package, Osamu Aoki took over the maintenance of this package. README.Debian was added by Osamu. It contains additional information and expected to be read before this document.
[This is new section added by Osamu Aoki]
Although this script is quite versatile and can be used as the nice skeleton for the creation of the dynamically generating elaborate firewall ruleset by the experienced admin, the default install will focus on the newbie admins who set up firewall under simple network configuration.
Simple network means that one uplink connection and single subnet of LAN hosts all within private network addresses.
This means no VPN and port forwarding unless I get nice patch from the user. (Even if I do, I may provide them just as an example.)
I wanted to support simple port based firewalling using script examples which were written by me and existed in the example section during Brian's maintenance. Since I got enough people complained for the unexpected change, I decided to put them back to the example for the sake of smooth sarge release. I will change this after Sarge. So no more RC bug report nor wishlist bug report please on this subject.
Also current ipmasq package needs not only /
available locally (no NFS root) but also needs /usr to function
properly.
Considering woody did not ship with any 2.0 series kernel, I will soon erase 2.0 series kernel support after sarge release. This post-sarge change may only support 2.4 and may include some menu driven configuration tool which can even control firewall and traffic control. So be warned!
Unless I get someone giving me solid patches, I will not address 2.6 series specifics nor use ip program for now. All bug reports along these topics will be assigned as wishlist.
ipmasq requires the kernel be built with masquerading support.
Debian kernel-package provided kernels are ready to be used with this package.
You still need to activate module if this package fails to activate them for
you somehow during boot process (ipmasq-kmod).
The specific kernel options for each major kernel revision are listed below.
For the detailed guide, please read Linux IP
Masquerade HOWTO.
Kernel versions 2.0.0 through 2.1.100
Kernels 2.1.101 through later 2.3 releases
Later 2.3 kernel versions through 2.4
More information about IP Masquerade can be found at the Linux IP Masquerade
Resource, http://ipmasq.cjb.net/.
Ipmasq User's Manual
Brian Bassettbrianb@debian.orgosamu@debian.org