3. Quick Translation From 2.0 and 2.2 Kernels

Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to 2.2 (ipchains) transition. There's good and bad news.

Firstly, you can simply use ipchains and ipfwadm as before. To do this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel modules found in the latest netfilter distribution. These are mutually exclusive (you have been warned), and should not be combined with any other netfilter modules.

Once one of these modules is installed, you can use ipchains and ipfwadm as normal, with the following differences:

• Setting the masquerading timeouts with ipchains -M -S, or ipfwadm -M -s does nothing. Since the timeouts are longer for the new NAT infrastructure, this should not matter.
• The init_seq, delta and previous_delta fields in the verbose masquerade listing are always zero.

Hackers may also notice:

• You can now bind to ports 61000-65095 even if you're masquerading. The masquerading code used to assume anything in this range was fair game, so programs couldn't use it.
• The (undocumented) `getpeername' hack, which transparent proxy programs could use to find out the real destinations of connections no longer works.
• The (undocumented) bind-to-foreign-address hack is also not implemented; this was used to complete the illusion of transparent proxying.

3.1 I just want masquerading! Help!

This is what most people want. If you have a dynamically allocated IP PPP dialup (if you don't know, you do have one), you simply want to tell your box that all packets coming from your internal network should be made to look like they are coming from the PPP dialup box.

# Linux 2.4:
# Insert a rule (-I) to masquerade (-m masquerade) the source (-b source)
# of any packet coming from the internal network (-s 192.168.1.0/24).
ipnatctl -I -s 192.168.1.0/24 -b source -m masquerade
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

If your internal network is something other than 192.168.1, you'll need to change that part.

3.2 What about ipmasqadm?

This is a much more niche userbase, so I didn't worry about backwards compatibility as much. You can simply use ipnatctl to do port forwarding as follows:

# Linux 2.2
# Add a rule:
# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80

becomes:

# Linux 2.4
# Insert a rule (-I):
# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-b dest) to 192.168.1.1 (-t 192.168.1.1) and
# their destination port changed to 80 (--to-port 80).
ipnatctl -I -p tcp -d 1.2.3.4 --dport 8080 -b dest -t 192.168.1.1 --to-port 80

Unlike ipmasqadm, this rule will also alter local connections (ie. even on the ipmasqadm box itself, trying to telnet to 1.2.3.4's port 8080 will get you to 192.168.1.1's port 80). If you don't want this, insert another rule to prevent it:

# Linux 2.4
ipnatctl -I -p tcp -s 1.2.3.4 -d 1.2.3.4 --dport 8080 -b dest -t 1.2.3.4