README FILE FOR IP MASQUERADING

The IP masquerading support was implemented by Mario Becroft in May 1999
and is placed in the public domain.

The following files changed from the standard net-1.03 distribution:

    tool/Makefile
    net/inet/Makefile
    net/inet/ip.c
    net/inet/ip.h
    net/inet/tcp.c
    net/inet/inet.c

The following files were added to the standard net-1.03 distribution:

    include/masquerade.h
    include/masqextern.h
    tool/masqconf.c
    net/inet/masqdev.c
    net/inet/masquerade.c
    README.masquerade

INTRODUCTION

I implemented IP masquerading for MiNTnet, as well as a quick fix for the
"land" bug which would freeze MiNTnet.

I am sure that my implementation is not optimal and contains many bugs,
because this is the first low-level network programming I have ever done
and I am not very familiar with it. When even experienced programmers get
bugs in their code, you can only begin to imagine the kind of errors I am
likely to make. Nevertheless it does seem to work, so I must have done
something right.

To use the IP masquerading features, simply copy the new sockdev.xdd into
your mint folder and reboot the machine. IP masquerading is still
disabled by default, but can be enabled using the masqconf program, as
explained below.

USING MASQCONF / QUICK START GUIDE

To configure the IP masquerading you use the masqconf program from the
tool directory. To show the current configuration and any masquerade
database entries, invoke masqconf with no arguments. To get help, invoke
masqconf with help or any unknown command as an argument.

Normally you don't need to worry about all the available settings; the
only important ones are address, netmask and flags. The rest can be left
at the default values.

address should be set to the address of the network to be masqueraded
for, and netmask should be the netmask of that network.
For example, if you have a local network 10.0.0.0 you might configure IP
masquerading for all machines on the network with the following command:

    masqconf address 10.0.0.0 netmask 255.0.0.0

Once you have correctly set the parameters you must set the ENABLED flag
to make IP masquerading operate, like so:

    masqconf set ENABLED

That is all there is to it. Now you can access the internet from any of
the machines on your network, even though you only have one actual IP
address!

PORT REDIRECTION

Apart from allowing a masqueraded machine to initiate connections to
another computer, the IP masquerading supports permanent redirection of
certain ports on the masquerading gateway to go to a masqueraded machine.
You configure this with the masqconf redirect command. The parameters are
gateway port, destination address and destination port. For example, to
redirect incoming HTTP requests on the gateway machine to port 456 of
masqueraded machine 10.0.0.5, you could use the following command:

    masqconf redirect 80 10.0.0.5 456

To stop redirecting a port, use the masqconf unredirect command. For
example, to reverse the above redirection, issue the following command:

    masqconf unredirect 80

FAQ

Q. Why does (xyz feature) not work properly?

A. Like I said, this is my first project with any kind of low-level
network programming, and I probably made quite a lot of mistakes.
Certainly notify me if you find a bug, but it's even better if you try to
fix it yourself then mail me and explain how you fixed it. But also see
the next question.

Q. Why do some protocols like FTP and DCC not work via IP masquerading?

A. Some programs send low-level protocol information in a high-level
protocol, including IP addresses and port numbers. IP masquerading
doesn't know about that, and doesn't masquerade those addresses properly.
Eventually I plan to add support for this, but it is very complicated.
In the meantime, you can sometimes avoid the problem by adjusting the
settings in the problematic program; for example, if you set your FTP
client to passive mode it will work OK.

Q. Why doesn't this documentation explain a whole lot of things like the
timeouts, masquerade database, port redirection, flags, etc., etc.?

A. I want to make IP masquerading available, but I did not have time to
write lots of documentation. Read the source code! Or if you send me an
email I will be happy to help. I hope to write some better documentation
later.

BUGS

Lots! Seriously, it can't be so bad as I've used the IP masquerading
quite a lot and it doesn't fail. But I have noticed some inconsistencies.

Sometimes a condition occurs where a TCP connection that is not yet
opened (or not yet properly closed) tosses lots of packets backwards and
forwards in an endless loop. I don't know why this happens, but I am
looking into it. If you see this bug, try to track it down and fix it. As
a temporary fix, just disable IP masquerading (masqconf unset ENABLED)
then enable it again (masqconf set ENABLED) to break the loop.

I think there is some sort of bug handling incoming ICMP error messages
for a masqueraded host. Particularly, error messages about UDP datagrams
seem to get through to the host that sent the datagram which caused the
error, but the host doesn't seem to interpret them. Is the checksum
wrong, or something?

CONTACTING ME

I would like to hear anything you have to say about the IP masquerading.
Please send an email to:

    mb@tos.pl.net

Please note that this address will become invalid in about a month's
time. I will announce my new address at that time via the MiNT mailing
list and other appropriate forums.
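
The FTP problem described in the FAQ above arises because an active-mode
client sends its own address and port inside the payload of a PORT
command. The following is an added example, not part of the MiNTnet
masquerading code: a hypothetical helper, rewrite_ftp_port(), showing the
payload rewrite a gateway would have to perform. The gateway address
203.0.113.7 and gateway port 61000 are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copy an untouched line; 0 on success, -1 if out is too small. */
static int pass_through(const char *line, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s", line);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hypothetical helper (not MiNTnet code). Addresses are host-order values,
 * e.g. 10.0.0.5 == 0x0A000005. If the "PORT h1,h2,h3,h4,p1,p2" line names a
 * host inside net/mask, advertise gw_addr:gw_port instead.
 * Returns 1 rewritten, 0 copied unchanged, -1 malformed or out too small. */
int rewrite_ftp_port(const char *line, uint32_t net, uint32_t mask,
                     uint32_t gw_addr, uint16_t gw_port,
                     char *out, size_t outlen)
{
    unsigned f[6];
    char tail;
    int i, n;

    if (strncmp(line, "PORT ", 5) != 0)
        return pass_through(line, out, outlen);
    if (sscanf(line + 5, "%3u,%3u,%3u,%3u,%3u,%3u%c", &f[0], &f[1], &f[2],
               &f[3], &f[4], &f[5], &tail) != 7 || tail != '\r')
        return -1;
    for (i = 0; i < 6; i++)
        if (f[i] > 255)
            return -1;
    uint32_t addr = ((uint32_t)f[0] << 24) | (f[1] << 16) | (f[2] << 8) | f[3];
    if ((addr & mask) != (net & mask))
        return pass_through(line, out, outlen);
    n = snprintf(out, outlen, "PORT %u,%u,%u,%u,%u,%u\r\n",
                 (unsigned)(gw_addr >> 24), (unsigned)((gw_addr >> 16) & 255),
                 (unsigned)((gw_addr >> 8) & 255), (unsigned)(gw_addr & 255),
                 (unsigned)(gw_port >> 8), (unsigned)(gw_port & 255));
    return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
}

int main(void)
{
    char out[64];   /* constructed sample: inside host 10.0.0.5, port 1025 */
    int r = rewrite_ftp_port("PORT 10,0,0,5,4,1\r\n", 0x0A000000, 0xFF000000,
                             0xCB007107 /* 203.0.113.7 */, 61000, out, sizeof out);
    printf("%d %s", r, r >= 0 ? out : "(error)\n");
    return 0;
}
```

Because the rewritten line can differ in length from the original, a
gateway doing this also has to adjust the TCP sequence and
acknowledgement numbers and recompute checksums for the rest of the
connection.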