Abusing the Debian ipmasq package

Who: Martin Schwenke
Where: AUUG System Administration Symposium 2003, Melbourne
When: April 2003
Abstract

The ipmasq package, available on Debian GNU/Linux systems, provides a simple, flexible mechanism for setting up IP masquerading on a router. By default, connections from inside the router are allowed and are masqueraded and, due to the masquerading, initiating inbound connections is not possible. Connections between internal networks are also allowed. That's pretty standard.

We have configured ipmasq to:

  • use iptables' connection tracking facilities to implement a firewall;
  • automatically forward certain outgoing connections via a SOCKS proxy;
  • implement IP accounting based on addresses either outside or inside the firewall; and
  • destination NAT (Network Address Translate) certain incoming connections, based on combinations of source addresses and destination ports.

This talk provides a brief introduction to ipmasq and details the configuration changes needed to support the above capabilities. Various networking concepts will be explained, but some familiarity will be assumed.

Slides: PDF (313.2 kB)