2.4 and ipmasq modules

2.4 and ipmasq modules

[Aaron Lehmann]

It was great to see that 2.4.0 reintroduced ipfwadm support! I had no
need for ipchains and ended up using the wrapper around it that
emulated ipfwadm. However, 2.[02].x used to have "special IP
masquerading modules" such as ip_masq_ftp.o, ip_masq_quake.o, etc. I
can't find these in 2.4.0. Where have they gone? Without important
modules such as ip_masq_ftp.o I cannot use non-passive ftp from behind
the masquerading firewall.

Thanks,
Aaron Lehmann
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Daniel Stone]

FTP is under Connection Tracking support, FTP connection tracking. Does
the same stuff as ip_masq_ftp. IRC is located in patch-o-matic -
download iptables 1.2 and do a make patch-o-matic, there is also RPC and
eggdrop support in there. I'm half in the middle of porting ip_masq_icq,
but it's one hideously ugly kludge after another. Such is life.

d


On 20 Jan 2001 14:46:16 -0800, Aaron Lehmann wrote:
> It was great to see that 2.4.0 reintroduced ipfwadm support! I had no
> need for ipchains and ended up using the wrapper around it that
> emulated ipfwadm. However, 2.[02].x used to have "special IP
> masquerading modules" such as ip_masq_ftp.o, ip_masq_quake.o, etc. I
> can't find these in 2.4.0. Where have they gone? Without important
> modules such as ip_masq_ftp.o I cannot use non-passive ftp from behind
> the masquerading firewall.
> 
> Thanks,
> Aaron Lehmann
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> Please read the FAQ at http://www.tux.org/lkml/



-- 
Daniel Stone
Linux Kernel Developer
daniel@kabuki.eyep.net

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
G!>CS d s++:- a---- C++ ULS++++$>B P---- L+++>++++ E+(joe)>+++ W++ N->++ !o
K? w++(--) O---- M- V-- PS+++ PE- Y PGP>++ t--- 5-- X- R- tv-(!) b+++ DI+++ 
D+ G e->++ h!(+) r+(%) y? UF++
------END GEEK CODE BLOCK------



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Aaron Lehmann]

On Sun, Jan 21, 2001 at 10:32:15AM +1100, Daniel Stone wrote:
> FTP is under Connection Tracking support, FTP connection tracking. Does
> the same stuff as ip_masq_ftp. IRC is located in patch-o-matic -
> download iptables 1.2 and do a make patch-o-matic, there is also RPC and
> eggdrop support in there. I'm half in the middle of porting ip_masq_icq,
> but it's one hideously ugly kludge after another. Such is life.

That option seems to conflict with "ipfwadm (2.0-style) support".
Preferably, I'd like to stay with friendly old ipfwadm rather than
switching firewalling tools _again_.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Daniel Stone]

On 20 Jan 2001 15:34:03 -0800, Aaron Lehmann wrote:
> On Sun, Jan 21, 2001 at 10:32:15AM +1100, Daniel Stone wrote:
> > FTP is under Connection Tracking support, FTP connection tracking. Does
> > the same stuff as ip_masq_ftp. IRC is located in patch-o-matic -
> > download iptables 1.2 and do a make patch-o-matic, there is also RPC and
> > eggdrop support in there. I'm half in the middle of porting ip_masq_icq,
> > but it's one hideously ugly kludge after another. Such is life.
> 
> That option seems to conflict with "ipfwadm (2.0-style) support".
> Preferably, I'd like to stay with friendly old ipfwadm rather than
> switching firewalling tools _again_.


Your choice, but if you choose not to switch, you lose the power of:
* stateful inspection
* modules
* a sane command line
* a metric shitload of extensions

"I'd rather stay with my friendly old pushbike than my car!"
So don't complain when you can't use cruise control.

d

-- 
Daniel Stone
Linux Kernel Developer
daniel@kabuki.eyep.net

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
G!>CS d s++:- a---- C++ ULS++++$>B P---- L+++>++++ E+(joe)>+++ W++ N->++ !o
K? w++(--) O---- M- V-- PS+++ PE- Y PGP>++ t--- 5-- X- R- tv-(!) b+++ DI+++ 
D+ G e->++ h!(+) r+(%) y? UF++
------END GEEK CODE BLOCK------



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Aaron Lehmann]

On Sun, Jan 21, 2001 at 11:08:00AM +1100, Daniel Stone wrote:
> > That option seems to conflict with "ipfwadm (2.0-style) support".
> > Preferably, I'd like to stay with friendly old ipfwadm rather than
> > switching firewalling tools _again_.
> 
> "I'd rather stay with my friendly old pushbike than my car!"
> So don't complain when you can't use cruise control.

ipfwadm used to support the modules. Why have the modules for ipfwadm
been removed from the kernel source?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Doug McNaught]

Aaron Lehmann <aaronl@vitelus.com> writes:

> On Sun, Jan 21, 2001 at 11:08:00AM +1100, Daniel Stone wrote:

> > "I'd rather stay with my friendly old pushbike than my car!"
> > So don't complain when you can't use cruise control.
> 
> ipfwadm used to support the modules. Why have the modules for ipfwadm
> been removed from the kernel source?

Umm, because the underlying infrastructure is completely different?

You're confusing 'ipfwadm' (a program that uses an old API that is
emulated by the new kernel) and the kernel ipfw code, which is gone,
gone, gone.

-Doug
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

[OT] Re: 2.4 and ipmasq modules

[J Sloan]

[-- Attachment #1: Type: text/plain, Size: 925 bytes --]

Aaron Lehmann wrote:

> It was great to see that 2.4.0 reintroduced ipfwadm support! I had no
> need for ipchains and ended up using the wrapper around it that
> emulated ipfwadm. However, 2.[02].x used to have "special IP
> masquerading modules" such as ip_masq_ftp.o, ip_masq_quake.o, etc. I
> can't find these in 2.4.0. Where have they gone? Without important
> modules such as ip_masq_ftp.o I cannot use non-passive ftp from behind
> the masquerading firewall.

It's working here for me - the netfilter modules are named differently:

# lsmod
Module                 Size  Used by

<snip>

iptable_filter          1824   0 (autoclean) (unused)
ip_nat_ftp              3280   0 (unused)
iptable_nat            13120   1 [ip_nat_ftp]
ip_conntrack_ftp        2016   0 (unused)
ip_conntrack           13408   2 [ip_nat_ftp iptable_nat ip_conntrack_ftp]
ip_tables              10784   4 [iptable_filter iptable_nat]

<snip>




[-- Attachment #2: Type: text/html, Size: 2053 bytes --]

Re: 2.4 and ipmasq modules

[John Jasen]

On Sat, 20 Jan 2001, Aaron Lehmann wrote:

> It was great to see that 2.4.0 reintroduced ipfwadm support! I had no
> need for ipchains and ended up using the wrapper around it that
> emulated ipfwadm. However, 2.[02].x used to have "special IP
> masquerading modules" such as ip_masq_ftp.o, ip_masq_quake.o, etc. I
> can't find these in 2.4.0. Where have they gone? Without important
> modules such as ip_masq_ftp.o I cannot use non-passive ftp from behind
> the masquerading firewall.

I think its ip_conntrack_ftp, but I'll check my fw setup to verify if you
still can't find it.

--
-- John E. Jasen (jjasen1@umbc.edu)
-- In theory, theory and practise are the same. In practise, they aren't.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Paul Jakma]

On 21 Jan 2001, Daniel Stone wrote:

> FTP is under Connection Tracking support, FTP connection tracking. Does
> the same stuff as ip_masq_ftp. IRC is located in patch-o-matic -
> download iptables 1.2 and do a make patch-o-matic, there is also RPC and
> eggdrop support in there. I'm half in the middle of porting ip_masq_icq,
> but it's one hideously ugly kludge after another. Such is life.
>

uhmm... ICQ seems to work fine through connection tracking for me, so
is there a need for a special ip_masq_icq module?

> d

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org
PGP5 key: http://www.clubi.ie/jakma/publickey.txt
-------------------------------------------
Fortune:
[We] use bad software and bad machines for the wrong things.
		-- R.W. Hamming

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Rusty Russell]

In message <20010120144616.A16843@vitelus.com> you write:
> It was great to see that 2.4.0 reintroduced ipfwadm support! I had no
> need for ipchains and ended up using the wrapper around it that
> emulated ipfwadm. However, 2.[02].x used to have "special IP
> masquerading modules" such as ip_masq_ftp.o, ip_masq_quake.o, etc. I
> can't find these in 2.4.0. Where have they gone? Without important
> modules such as ip_masq_ftp.o I cannot use non-passive ftp from behind
> the masquerading firewall.

Hi Aaron,

The entire point of the netfilter kernel architecture is that we can
just ask for packets at certain points, no #ifdefs, special hacks,
etc.  Unfortunately, the previous masquerading code (used in 2.0 and
2.2) looked really difficult to extract from the kernel.  Netfilter
has changed a little since then (particularly NF_STOLEN), so it might
be possible now.

So I reimplimented 2.2-style masquerading on top of the new NAT
infrastructure: ideally this would mean that it could use the new
helpers, but there were some minor technical problems, and it was
never tested.  

Those who berated Aaron for not wanting to upgrade: he is the Debian
maintainer for crashme, gtk-theme-switch, koules, pngcrush, and
xdaliclock.  By wasting his time making him convert a perfectly
working system, you are taking away time from those projects.  I'd
rather see him spend time on Cool Stuff(TM) which benefits all of us.

Cheers,
Rusty.
--
Premature optmztion is rt of all evl. --DK
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Aaron Lehmann]

On Tue, Jan 23, 2001 at 12:48:20PM +1100, Rusty Russell wrote:
> So I reimplimented 2.2-style masquerading on top of the new NAT
> infrastructure: ideally this would mean that it could use the new
> helpers, but there were some minor technical problems, and it was
> never tested.
> 
> Those who berated Aaron for not wanting to upgrade: he is the Debian
> maintainer for crashme, gtk-theme-switch, koules, pngcrush, and
> xdaliclock.  By wasting his time making him convert a perfectly
> working system, you are taking away time from those projects.  I'd
> rather see him spend time on Cool Stuff(TM) which benefits all of us.

Thank you for your support, but it seems clear that they were right.
I changed the kernel settings to have pure netfilter configuration,
read the NAT-HOWTO, and followed its instructions. I reccomend that any
others still trying to use the 2.[02].x style interfaces do the same.

netfilter seems not only much cleaner than ipchains or ipfwadm, but also
much more powerful. I read into the HOWTO a bit and was very impressed
by the capabilities. In particular, it's nice to have port forwarding
integrated with NAT rather than as a seperate chunk of kernel code using
different userspace tools.

I hope that netfilter will last longer than the last two packet
filtering/mangling/masquerading mechanisms. :)

P.S.: The only thing I did not get working successfully was IRC DCC. I
sent a bug report to the maintainer of the patch from the
patch-o-matic, but did not recieve an immediate response, so I'll
include it below in case anyone else has any ideas.
_______________________________________________________________________________

>From aaronl@vitelus.com Sun Jan 21 00:44:17 2001
Date: Sun, 21 Jan 2001 00:44:17 -0800
From: Aaron Lehmann <aaronl@vitelus.com>
To: laforge@gnumonks.org
Subject: irc-conntrack-nat doesn't work for me

I applied irc-conntrack-nat from iptables-1.2's patch-o-matic onto a
Linux 2.4.0 kernel with XFS support. I tried several different IRC
clients on the sending end (which was of course behind this NAT box)
and different IRC servers (all on port 6667). On the recieving end, I
would always get:

-:- DCC GET request from aaronl_[aaronl@vitelus.com
          [64.81.36.147:33989]] 150 bytes /* That's the NAT box's IP */
-:- DCC Unable to create connection: Connection refused

Any idea what's wrong? I have irc-conntrack-nat compiled into the
kernel.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Daniel Stone]

On 22 Jan 2001 18:01:58 -0800, Aaron Lehmann wrote:
> On Tue, Jan 23, 2001 at 12:48:20PM +1100, Rusty Russell wrote:
> > Those who berated Aaron for not wanting to upgrade: he is the Debian
> > maintainer for crashme, gtk-theme-switch, koules, pngcrush, and
> > xdaliclock.  By wasting his time making him convert a perfectly
> > working system, you are taking away time from those projects.  I'd
> > rather see him spend time on Cool Stuff(TM) which benefits all of us.

I don't use any of that :P

> Thank you for your support, but it seems clear that they were right.
> I changed the kernel settings to have pure netfilter configuration,
> read the NAT-HOWTO, and followed its instructions. I reccomend that any
> others still trying to use the 2.[02].x style interfaces do the same.

Hallelujiah, brother!

> netfilter seems not only much cleaner than ipchains or ipfwadm, but also
> much more powerful. I read into the HOWTO a bit and was very impressed
> by the capabilities. In particular, it's nice to have port forwarding
> integrated with NAT rather than as a seperate chunk of kernel code using
> different userspace tools.

Among other things. It originally started out having NAT and filtering
controlled by two different userspace tools - iptables and ipnatctl, but
they were eventually merged. 

> I hope that netfilter will last longer than the last two packet
> filtering/mangling/masquerading mechanisms. :)


Looking at something ages ago that I now cannot find, Rusty apparently
realised that ipchains was wrong when he was writing it; no such
admission (at least, that I know about) yet.

> P.S.: The only thing I did not get working successfully was IRC DCC. I

> sent a bug report to the maintainer of the patch from the
> patch-o-matic, but did not recieve an immediate response, so I'll
> include it below in case anyone else has any ideas.
> _______________________________________________________________________________
> 
> >From aaronl@vitelus.com Sun Jan 21 00:44:17 2001
> Date: Sun, 21 Jan 2001 00:44:17 -0800
> From: Aaron Lehmann <aaronl@vitelus.com>
> To: laforge@gnumonks.org
> Subject: irc-conntrack-nat doesn't work for me
> 
> I applied irc-conntrack-nat from iptables-1.2's patch-o-matic onto a
> Linux 2.4.0 kernel with XFS support. I tried several different IRC
> clients on the sending end (which was of course behind this NAT box)
> and different IRC servers (all on port 6667). On the recieving end, I
> would always get:
> 
> -:- DCC GET request from aaronl_[aaronl@vitelus.com
>           [64.81.36.147:33989]] 150 bytes /* That's the NAT box's IP */
> -:- DCC Unable to create connection: Connection refused
> 
> Any idea what's wrong? I have irc-conntrack-nat compiled into the
> kernel.


Well, it's NAT'ing it OK. Are you sure you have a rule like the
following:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
?

d

PS: If you're trying to NAT a DCC RESUME, don't even bother.

-- 
Daniel Stone
Linux Kernel Developer
daniel@kabuki.eyep.net

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
G!>CS d s++:- a---- C++ ULS++++$>B P---- L+++>++++ E+(joe)>+++ W++ N->++ !o
K? w++(--) O---- M- V-- PS+++ PE- Y PGP>++ t--- 5-- X- R- tv-(!) b+++ DI+++ 
D+ G e->++ h!(+) r+(%) y? UF++
------END GEEK CODE BLOCK------



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Martin Josefsson]

On 23 Jan 2001, Daniel Stone wrote:

[snip]
> > -:- DCC GET request from aaronl_[aaronl@vitelus.com
> >           [64.81.36.147:33989]] 150 bytes /* That's the NAT box's IP */
> > -:- DCC Unable to create connection: Connection refused
> > 
> > Any idea what's wrong? I have irc-conntrack-nat compiled into the
> > kernel.
> 
> 
> Well, it's NAT'ing it OK. Are you sure you have a rule like the
> following:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ?
> 
> d
> 
> PS: If you're trying to NAT a DCC RESUME, don't even bother.

DCC Resume works fine here behind a NAT-box running 2.4

/Martin

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Aaron Lehmann]

On Tue, Jan 23, 2001 at 06:29:34PM +1100, Daniel Stone wrote:
> Well, it's NAT'ing it OK. Are you sure you have a rule like the
> following:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ?
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name


Hmm??

I tried iptables -A INPUT -j ACCEPT and it did not fix DCC.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Harald Welte]

On Sat, Jan 20, 2001 at 04:08:43PM -0800, Aaron Lehmann wrote:
> On Sun, Jan 21, 2001 at 11:08:00AM +1100, Daniel Stone wrote:
> > > That option seems to conflict with "ipfwadm (2.0-style) support".
> > > Preferably, I'd like to stay with friendly old ipfwadm rather than
> > > switching firewalling tools _again_.
> > 
> > "I'd rather stay with my friendly old pushbike than my car!"
> > So don't complain when you can't use cruise control.
> 
> ipfwadm used to support the modules. Why have the modules for ipfwadm
> been removed from the kernel source?

If you look at the code, you will discover, that a certain core-layer of 
netfilter and iptables are used all the time, regardless if you choose to
use iptables, ipchains or ipfwadm backwards compatibility.

The backwards compatibility (either ipfwadm or ipchains) modules are built
on top of this core. The frontend (setsockopt/getsockopt to userspace 
config tool) looks the same, the backend is totally different.

This is the reason why - of course - the old ip_masq_XXX helpers don't
work anymore. They are written for a kludgy old backend which isn't present
anymore.

There is no particular reason why the current ipchains / ipfwadm emulation
modules don't use the new ip_conntrack_XXX / ip_nat_XXX stuff, just nobody
got around implementing it. (there are comments at the respective position
inside the code).

If you or somebody else wants to volunteer writing this, we'll appreciate
any patches.

btw: it's probably a good idea to move this discussion to 
netfilter@lists.samba.org

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org                http://www.gnumonks.org
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Harald Welte]

On Sun, Jan 21, 2001 at 07:47:30AM +0000, Paul Jakma wrote:
> 
> uhmm... ICQ seems to work fine through connection tracking for me, so
> is there a need for a special ip_masq_icq module?

Certain features of ICQ, which require direct client to client connections,
don't work. 

Please move further discussion to the netfilter user mailinglist at
netfilter@lists.samba.org
> -- 
> Paul Jakma	paul@clubi.ie	paul@jakma.org

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org                http://www.gnumonks.org
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Re: 2.4 and ipmasq modules

[Harald Welte]

On Tue, Jan 23, 2001 at 08:56:33AM -0800, Aaron Lehmann wrote:
> On Tue, Jan 23, 2001 at 06:29:34PM +1100, Daniel Stone wrote:
> > Well, it's NAT'ing it OK. Are you sure you have a rule like the
> > following:
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > ?
> # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables: No chain/target/match by that name

please move this discussion to the netfilter mailinglist.

> Hmm??
> 
> I tried iptables -A INPUT -j ACCEPT and it did not fix DCC.

It seems like you didn't understand the very basics of netfilter/iptables.
Please read the available HOWTO's. the INPUT chain of the filter table is
in no way related to any packet on your NAT box.

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org                http://www.gnumonks.org
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/