Next Previous Contents

4. Quick Translation From 2.0 and 2.2 Kernels

Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to 2.2 (ipchains) transition. There's good and bad news.

Firstly, you can simply use ipchains and ipfwadm as before. To do this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel modules found in the latest netfilter distribution. These are mutually exclusive (you have been warned), and should not be combined with any other netfilter modules.

Once one of these modules is installed, you can use ipchains and ipfwadm as normal, with the following differences:

Hackers may also notice:

4.1 I just want masquerading! Help!

This is what most people want. If you have a dynamically allocated IP PPP dialup (if you don't know, you do have one), you simply want to tell your box that all packets coming from your internal network should be made to look like they are coming from the PPP dialup box.

# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Note that you are not doing any packet filtering here: for that, see the Packet Filtering HOWTO: `Mixing NAT and Packet Filtering'.

4.2 What about ipmasqadm?

This is a much more niche userbase, so I didn't worry about backwards compatibility as much. You can simply use `iptables -t nat' to do port forwarding. So for example, in Linux 2.2 you might have done:

# Linux 2.2
# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80

Now you would do:

# Linux 2.4
# Append a rule pre-routing (-A PREROUTING) to the NAT table (-t nat) that
# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
# (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80

If you want this rule to alter local connections as well (i.e., even on the NAT box itself, trying to telnet to 1.2.3.4's port 8080 will get you to 192.168.1.1's port 80), you can insert the same rule in the OUTPUT chain (which is for local outgoing packets):

# Linux 2.4
iptables -A OUTPUT -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80


Next Previous Contents