Linux Magazine / August 1999 / GURU GUIDANCE
Setting Up IP Masquerade
 

Bugs and Annoyances

IP Masq users will find that most Web and FTP servers work just fine, but from time to time there will be a Web or FTP site that simply refuses to work properly.

The Linux IP Masquerade feature, as of kernel 2.2.9, has an MTU problem. MTU, or Maximum Transmission Unit, is the largest packet your machine can send out the external interface without breaking it into smaller pieces (a process called fragmentation). So why is this broken? Lots of servers and routers out on the Internet do not properly handle the request for fragmentation of TCP/IP packets (the ICMP "fragmentation needed" message that Path MTU Discovery depends on), so a connection that needs smaller packets never finds out and simply hangs. Because of this, you need to make sure your box sends the common 1,500-byte packets over the Internet.

If you're connected via PPP, you can adjust your MTU by adding the line "mtu 1500" to the /etc/ppp/options file and then restarting your PPP connection. If you're connected via Ethernet, you should be okay; 1,500 bytes is its default MTU.
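To check whether 1,500-byte packets really make it through unfragmented, the following script (an added example, not code from the article) sends DF-flagged pings of a chosen total size and binary-searches the path MTU. It assumes a Linux iputils ping(8) that understands -M do and -s, and a 20-byte IPv4 header plus 8-byte ICMP header with no IP options; the output phrases it matches are the ones current and older iputils versions print.

```shell
#!/bin/sh
# Added example (not from the article): probe the largest unfragmented
# packet a path accepts, so you can confirm that the 1,500-byte MTU the
# article recommends actually gets through.
#
# Assumptions: Linux iputils ping(8) with -M do (set Don't Fragment) and
# -s (ICMP payload size); 20-byte IPv4 header + 8-byte ICMP header.

IP_HDR=20
ICMP_HDR=8

# ICMP payload size that yields a packet of exactly the given total size.
icmp_payload_for_mtu() {
    echo $(( $1 - IP_HDR - ICMP_HDR ))
}

# Classify one ping run from its output:
#   ok      a reply came back, so a packet of that size fits the path
#   toobig  the local stack or a router said the packet needs fragmenting
#   lost    nothing came back (a host that drops ICMP looks like this too)
classify_ping_output() {
    case "$1" in
        *"Frag needed"*|*"Message too long"*|*"message too long"*) echo toobig ;;
        *"bytes from"*) echo ok ;;
        *) echo lost ;;
    esac
}

# Send a single DF-flagged probe of the given total size to the host.
probe_mtu() {
    host=$1; mtu=$2
    out=$(ping -c 1 -W 2 -M do -s "$(icmp_payload_for_mtu "$mtu")" "$host" 2>&1 || true)
    classify_ping_output "$out"
}

# Binary search the path MTU between lo (assumed to work) and hi.
# A "lost" probe is treated like "toobig", so a host that never answers
# ICMP echo drives the result down to lo; check the host answers first.
find_path_mtu() {
    host=$1; lo=${2:-576}; hi=${3:-1500}
    if [ "$(probe_mtu "$host" "$hi")" = ok ]; then
        echo "$hi"; return
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if [ "$(probe_mtu "$host" "$mid")" = ok ]; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Usage: pmtu.sh probe <host>   (example: pmtu.sh probe www.example.com)
if [ "${1:-}" = probe ]; then
    echo "Path MTU to $2: $(find_path_mtu "$2")"
fi
```

If the answer is 1500, the PPP MTU setting above is doing its job; if every probe above your link's MTU reports "message too long" locally, the limit is on your own PPP interface, while a "Frag needed" from a router address shows the bottleneck is further out on the path.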

Further Reading on IP-Masq

 Linux IP Masquerade Homepage:  http://ipmasq.cjb.net

 Linux IP-MASQ-HOWTO:
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#ipmasq

 The Masq Apps page:  http://www.atlantic-online.ns.ca/ipmasq_apps/

 TrinityOS:  http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html

 Linux Documentation Project:  http://metalab.unc.edu/LDP/

 NAT RFC (RFC 1631):  http://www.cis.ohio-state.edu/htbin/rfc/rfc1631.html

Another issue is that traffic to many servers on the Internet passes through routers that are either broken or under too much load, and these occasionally corrupt packets. When a "Failed TCP Checksum" error shows up in your syslog, Linux is telling you that it received a corrupt packet. The packet is discarded and the sender's TCP stack retransmits it, so an occasional message is harmless.

If you find yourself receiving too many corrupt packets, follow the troubleshooting recommendations in the FAQ section of the IP-MASQ-HOWTO. You may have to do something like turning off VJ header compression in PPP or changing your modem's interrupt (IRQ) priority.
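"Too many" is easier to judge with a count per hour than by eyeballing the log. The script below is an added example, not code from the article or the HOWTO: it matches the message text the article quotes (loosely and case-insensitively, since the exact kernel wording is not reproduced here), assumes the usual "Mon DD HH:MM:SS host prog: message" syslog layout, and ships with a few constructed sample lines so it runs offline.

```shell
#!/bin/sh
# Added example (not from the article): count "Failed TCP Checksum"
# messages in a syslog file and flag the link when they come in bursts.
#
# Assumptions: message text as quoted in the article, matched loosely;
# standard syslog line layout "Mon DD HH:MM:SS host prog: message".
# SAMPLE_LOG is constructed for this example, not real log output.

SAMPLE_LOG='Aug  3 14:02:11 masq kernel: Failed TCP Checksum
Aug  3 14:02:13 masq kernel: Failed TCP Checksum
Aug  3 14:17:40 masq pppd[212]: local  IP address 10.1.2.3
Aug  3 14:41:09 masq kernel: Failed TCP Checksum
Aug  3 15:05:55 masq kernel: Failed TCP Checksum'

# Total number of checksum failures on stdin (prints 0, and succeeds,
# when there are none; grep -c would exit non-zero in that case).
count_checksum_errors() {
    awk 'tolower($0) ~ /failed tcp checksum/ { n++ } END { print n + 0 }'
}

# Failures bucketed per hour, printed as "count Mon DD HH", busiest first.
checksum_errors_per_hour() {
    awk 'tolower($0) ~ /failed tcp checksum/ {
             split($3, t, ":"); c[$1 " " $2 " " t[1]]++
         }
         END { for (h in c) print c[h], h }' | sort -rn
}

# Highest per-hour count seen on stdin (0 when there were no failures).
worst_hour_count() {
    worst=$(checksum_errors_per_hour | head -n 1 | cut -d' ' -f1)
    echo "${worst:-0}"
}

# Succeeds (exit 0) when some hour exceeds the threshold and the link is
# worth troubleshooting; fails (exit 1) otherwise.
link_is_noisy() {
    threshold=${1:-20}
    [ "$(worst_hour_count)" -gt "$threshold" ]
}

# Usage: link_is_noisy 20 < /var/log/messages && echo "investigate the link"
```

The per-hour view separates a bad modem line or an overloaded upstream router (a steady stream all day) from a single rough patch (one hour with a spike), and the threshold is something to tune against what your own link shows when it is healthy.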

That's about it. Once you are comfortable with IP Masquerade, I highly recommend that you set up a strong firewall ruleset to keep remote Internet users out: Listing One only controls what gets forwarded and leaves the masquerading box's own input chain at its default of accepting everything. And have a look at the URLs listed above under Further Reading to learn more about IP Masq.
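As an added example of the kind of ruleset that recommendation calls for (this is not the author's script and not from the HOWTO), the following rc.firewall locks down the external interface of a 2.2.x IP Masq gateway. It assumes ppp0 is the Internet link and eth0 the internal LAN on 192.168.0.0/24 (override with EXTIF, INTIF and INTNET), relies on the 2.2 kernel's default masquerade port range of 61000-65096, and accepts a DRYRUN=1 convention of its own that only prints the ipchains commands so you can review them before applying.

```shell
#!/bin/sh
# Added example (not from the article): a stricter ipchains ruleset for a
# 2.2.x IP Masq gateway, locking down the external interface instead of
# leaving it open as Listing One does.
#
# Assumptions: ppp0 = Internet link, eth0 = internal LAN 192.168.0.0/24
# (override with EXTIF, INTIF, INTNET); 2.2 kernel masquerade port range
# 61000-65096; DRYRUN=1 prints commands instead of running them (a
# convention of this script, not of ipchains).

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
EXTIF=${EXTIF:-ppp0}
INTIF=${INTIF:-eth0}
INTNET=${INTNET:-192.168.0.0/24}
MASQ_PORTS=61000:65096

# Run one ipchains command, or just print it when DRYRUN=1.
rule() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf 'ipchains %s\n' "$*"
    else
        "$IPCHAINS" "$@"
    fi
}

apply_firewall() {
    # Start from a clean slate and deny anything not explicitly allowed.
    for chain in input output forward; do rule -F "$chain"; done
    rule -P input DENY
    rule -P output ACCEPT
    rule -P forward DENY

    # Loopback and the internal LAN are trusted.
    rule -A input -i lo -j ACCEPT
    rule -A input -i "$INTIF" -s "$INTNET" -j ACCEPT

    # Anti-spoofing: nothing arriving from the Internet may claim an
    # internal or loopback source address; log (-l) so attempts are seen.
    rule -A input -i "$EXTIF" -s "$INTNET" -j DENY -l
    rule -A input -i "$EXTIF" -s 127.0.0.0/8 -j DENY -l

    # Replies to connections started from inside. ipchains has no
    # connection tracking: "! -y" admits any TCP segment that is not a
    # bare SYN, so new inbound connections are refused while established
    # flows still get their data back.
    rule -A input -i "$EXTIF" -p tcp ! -y -j ACCEPT
    # Masqueraded UDP replies come back to the kernel's masquerade ports.
    rule -A input -i "$EXTIF" -p udp -d 0.0.0.0/0 "$MASQ_PORTS" -j ACCEPT
    # ICMP is needed for path MTU discovery and error reporting.
    rule -A input -i "$EXTIF" -p icmp -j ACCEPT

    # Everything else from the outside is logged and dropped.
    rule -A input -i "$EXTIF" -j DENY -l

    # Masquerade only internal traffic leaving via the Internet link
    # (in the forward chain, -i names the outgoing interface).
    rule -A forward -i "$EXTIF" -s "$INTNET" -j MASQ
}

# Applied only when run as "rc.firewall apply"; sourcing the file merely
# defines the functions. Preview with: DRYRUN=1 sh rc.firewall apply
if [ "${1:-}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_firewall
fi
```

The weak spot to keep in mind is the stateless "! -y" rule: any TCP segment without a bare SYN is let in from the Internet, which is the best ipchains can do without connection tracking and is exactly what later stateful firewalls on Linux fixed. Services you deliberately run on the gateway (say, SSH from a known address) need their own ACCEPT rule placed before the final DENY.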


David Ranch is a full-time network consultant, and the maintainer of the IP-MASQ-HOWTO. He can be reached at .



Listing One: IP-Masq Minimal Ruleset.

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
#

# Initialize the IP Masquerade kernel modules
/sbin/depmod -a

# Load the kernel modules
#
#   NOTE:  Only enable the modules you need and leave the rest "#"ed out
#

# Supports the proper masquerading of FTP file transfers using the PORT command
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#   RealAudio WILL function, but in TCP mode.  This can cause a reduction
#   in sound quality
/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake I, II, III and QuakeWorld by default.
#   This module is for multiple users behind the Linux IP-Masq server.
/sbin/modprobe ip_masq_quake ports=26000,27000,27910

# Supports the masquerading of the CuSeeMe video conferencing software
/sbin/modprobe ip_masq_cuseeme

# Supports the masquerading of the VDO-Live video conferencing software
/sbin/modprobe ip_masq_vdolive

# Dynamic IP users:
#
#   If you get your Internet IP address dynamically from SLIP, PPP, or DHCP,
#   enable this option.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable IP Forwarding in the Linux kernel.  A requirement to later enable IP Masq.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Set MASQ timeouts
#
#    2 hrs timeout for TCP session timeouts
#   10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  160 sec timeout for UDP traffic
#
ipchains -M -S 7200 10 160

# Enable simple IP Masquerading for the internal 192.168.0.x network.
# The forward chain denies everything by default and masquerades only
# packets whose source address is on the internal network.
ipchains -P forward DENY
ipchains -A forward -s 192.168.0.0/24 -j MASQ

echo "/etc/rc.d/rc.firewall done."