For those of you running the bleeding edge development kernels, I modified the /etc/rc.boot/ipmasq script (from Debian's ipmasq package) so it can be used with either ipfwadm or ipchains.
You'll need to add the variables "EXTERNAL" and "INTERNAL" to your configuration (/etc/ipmasq.conf). These variables should be set to the corresponding interface names, laid out the same way the IP addresses are configured. Here is an example: EXTERNAL=eth1 <--------- added EXTERNAL_IP=198.109.162.43 EXTERNAL_NETMASK=255.255.255.224 INTERNAL=( eth0 eth2 ) <--------- added INTERNAL_IP=( 192.168.100.2 192.168.200.2 ) INTERNAL_NETMASK=( 255.255.255.0 255.255.255.0 ) I made up eth2 to show how multiple adapters could be configured. ... it also doesn't require the /sbin/ipmasq program included in Debian's package. -Paul BTW- I've sent a bug report with my updated version to the maintainer.
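#!/bin/bash
#
# ipmasq        Set up IP Masquerading for Debian systems
#
# v2.1 14-June-1998
# support for both ipfwadm and ipchains
#
# Reads /etc/ipmasq.conf, which must define:
#   EXTERNAL_IP, EXTERNAL_NETMASK   - address/netmask of the outside link
#   INTERNAL_IP, INTERNAL_NETMASK   - parallel arrays, one entry per inside net
#   EXTERNAL, INTERNAL              - interface names (ipchains kernels only),
#                                     laid out like the *_IP variables
#
# The rule set is fail-closed: every chain is flushed and given a default
# policy of deny before any accept rule is added, so a failure part-way
# through leaves the host closed rather than open.
#
# Note: the input chain accepts every packet addressed to EXTERNAL_IP on the
# outside link.  This script sets up masquerading plus anti-spoofing for the
# inside networks; it is not an inbound packet filter.

IPFWADM=/sbin/ipfwadm
IPCHAINS=/sbin/ipchains
CONFIG=/etc/ipmasq.conf

# Print a diagnostic on stderr and abort.
die() {
  echo "ipmasq: $*" >&2
  exit 1
}

# Abort unless two parallel arrays have the same number of entries.
# Arguments: $1, $2 - the two lengths; $3 - names of the pair, for the message.
same_length() {
  [ "$1" -eq "$2" ] || die "$3 must have the same number of entries in $CONFIG"
}

# Source configuration.  The file is executed as shell code, so it must be
# writable by root only: whoever can edit it controls the rule set.
[ -r "$CONFIG" ] || die "cannot read $CONFIG"
. "$CONFIG"

# helper function: print the integers 0..$1, one per line (nothing if $1 < 0).
# Iterative rather than recursive so an argument below -1 cannot recurse
# without bound.
xto() {
  local i=0
  while [ "$i" -le "$1" ]; do
    echo "$i"
    i=$((i + 1))
  done
}

# ipfwadm compatible kernels (2.0.x and 2.1.x(x <= 103))
# Globals: IPFWADM, CONFIG, EXTERNAL_IP, EXTERNAL_NETMASK, INTERNAL_IP[],
#          INTERNAL_NETMASK[] (all read)
ipfwadm-rules() {
  local i net
  local ext_ip=$EXTERNAL_IP
  local ext_mask=$EXTERNAL_NETMASK

  [ -n "$ext_ip" ] || die "EXTERNAL_IP is not set in $CONFIG"
  same_length "${#INTERNAL_IP[*]}" "${#INTERNAL_NETMASK[*]}" \
    "INTERNAL_IP and INTERNAL_NETMASK"

  printf '%s' "Initializing IP Masquerading..."

  # flush all
  # Incoming, flush and set default policy of deny.
  "$IPFWADM" -I -f
  "$IPFWADM" -I -p deny
  # Outgoing, flush and set default policy of deny.
  "$IPFWADM" -O -f
  "$IPFWADM" -O -p deny
  # Forwarding, flush and set default policy of deny.
  "$IPFWADM" -F -f
  "$IPFWADM" -F -p deny

  # Per-network rules go in first.  Rules are matched in order, so the
  # anti-spoofing deny for every internal net must precede the general
  # "accept anything addressed to us" rule below; appending that rule inside
  # the loop (as earlier versions did) let the copy added for the first
  # network shadow the deny rules of the second and later networks.
  for i in $(xto "$(( ${#INTERNAL_IP[*]} - 1 ))"); do
    net=${INTERNAL_IP[$i]}/${INTERNAL_NETMASK[$i]}
    # inside net arriving on its own interface
    "$IPFWADM" -I -a accept -V "${INTERNAL_IP[$i]}" -S "$net"
    # "inside" source address arriving from the outside: deny and log (-o)
    "$IPFWADM" -I -a deny -V "$ext_ip" -S "$net" -o
    "$IPFWADM" -O -a accept -V "${INTERNAL_IP[$i]}" -D "$net"
    # inside destination leaving via the outside link: deny and log
    "$IPFWADM" -O -a deny -V "$ext_ip" -D "$net" -o
    "$IPFWADM" -F -a masquerade -V "$ext_ip" -S "$net"
  done

  # General rules, added once rather than once per internal network.
  "$IPFWADM" -I -a accept -V "$ext_ip" -D "$ext_ip/32"
  "$IPFWADM" -I -a accept -W lo
  "$IPFWADM" -O -a accept -V "$ext_ip" -S "$ext_ip/$ext_mask"
  "$IPFWADM" -O -a accept -W lo
}

# linux 2.1.x (x > 101) kernels
# Globals: IPCHAINS, CONFIG, EXTERNAL, EXTERNAL_IP, EXTERNAL_NETMASK,
#          INTERNAL[], INTERNAL_IP[], INTERNAL_NETMASK[] (all read)
# The 101/103 version boundaries in the comments are as the original gave
# them; the presence of /proc/net/ip_fwchains (checked below) is what
# actually selects this function.
ipchains-rules() {
  local i net
  local ext=$EXTERNAL
  local ext_ip=$EXTERNAL_IP
  local ext_mask=$EXTERNAL_NETMASK

  if [ -z "$ext" ] || [ -z "${INTERNAL[0]}" ]; then
    cat >&2 <<'EOF'

Invalid configuration.
Kernel 2.1.x (x > 101) no longer supports the use of IP addresses in its rules.
The interface name must now be used instead.
To fix this error message, please re-run ipmasqconfig.
You may also add the variables "EXTERNAL" and "INTERNAL" using the interface
name of variables "EXTERNAL_IP" and "INTERNAL_IP" in a similar manner.

EOF
    exit 1
  fi
  # The loop below is driven by INTERNAL but indexes the *_IP/*_NETMASK
  # arrays, so all three must line up or a rule gets an empty address.
  same_length "${#INTERNAL[*]}" "${#INTERNAL_IP[*]}" "INTERNAL and INTERNAL_IP"
  same_length "${#INTERNAL_IP[*]}" "${#INTERNAL_NETMASK[*]}" \
    "INTERNAL_IP and INTERNAL_NETMASK"

  printf '%s' "Initializing IP Masquerading..."

  # flush all
  # Incoming, flush and set default policy of deny
  "$IPCHAINS" -F input
  "$IPCHAINS" -P input DENY
  # Outgoing, flush and set default policy of deny
  "$IPCHAINS" -F output
  "$IPCHAINS" -P output DENY
  # Forwarding, flush and set default policy of deny
  "$IPCHAINS" -F forward
  "$IPCHAINS" -P forward DENY

  # Per-interface rules first; see ipfwadm-rules for why the general
  # accept rules must come after every anti-spoofing deny.
  for i in $(xto "$(( ${#INTERNAL[*]} - 1 ))"); do
    net=${INTERNAL_IP[$i]}/${INTERNAL_NETMASK[$i]}
    "$IPCHAINS" -A input -j ACCEPT -i "${INTERNAL[$i]}" -s "$net"
    # "inside" source address arriving on the outside interface: deny and log (-l)
    "$IPCHAINS" -A input -j DENY -i "$ext" -s "$net" -l
    "$IPCHAINS" -A output -j ACCEPT -i "${INTERNAL[$i]}" -d "$net"
    "$IPCHAINS" -A output -j DENY -i "$ext" -d "$net" -l
    "$IPCHAINS" -A forward -j MASQ -i "$ext" -s "$net"
  done

  # General rules, added once.
  "$IPCHAINS" -A input -j ACCEPT -i "$ext" -d "$ext_ip/32"
  "$IPCHAINS" -A input -j ACCEPT -i lo
  "$IPCHAINS" -A output -j ACCEPT -i "$ext" -s "$ext_ip/$ext_mask"
  "$IPCHAINS" -A output -j ACCEPT -i lo

  # Enable forwarding only after the rules are in place, so no packet is
  # forwarded before the deny policies exist.  Only the ipchains path does
  # this, as in the original; presumably the ipfwadm-era kernels did not
  # need it -- confirm before adding it there.
  if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo "1" > /proc/sys/net/ipv4/ip_forward
  fi
}

# Pick the tool matching the running kernel: /proc/net/ip_fwchains is
# present only on ipchains kernels.  Refusing loudly when the tool is
# missing is better than silently leaving the previous rule set in place.
if [ -e /proc/net/ip_fwchains ]; then
  [ -x "$IPCHAINS" ] || die "$IPCHAINS is not executable"
  ipchains-rules
else
  [ -x "$IPFWADM" ] || die "$IPFWADM is not executable"
  ipfwadm-rules
fi
echo "done."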