Question: Requirements for IP Masquerade on Linux 2.4.x

Answer: ** Please refer to IP Masquerade Resource for the latest information. **

* The newest 2.4.x kernels are now using both a completely new TCP/IP
network stack as well as a new NAT sub-system called NetFilter. Within
this NetFilter suite of tools, we now have a tool called IPTABLES for the
2.4.x kernels much like there was IPCHAINS for the 2.2.x kernels and
IPFWADM for the 2.0.x kernels. The new IPTABLES system is far more
powerful (combines several functions into one place like true NAT
functionality), offers better security (stateful inspection), and better
performance with the new 2.4.x TCP/IP stack. But this new suite of tools
can be a bit complicated in comparison to older generation kernels.
Hopefully, if you follow along with this HOWTO carefully, setting up
IPMASQ won't be too bad. If you find anything unclear, downright wrong,
etc., please email David about it.

Unlike the migration to IPCHAINS from IPFWADM, the new NetFilter tool has
kernel modules that can actually support older IPCHAINS and IPFWADM
rulesets with minimal changes. So re-writing your old MASQ or firewall
ruleset scripts is no longer required. BUT.. with the 2.4.x kernels, you
cannot use the old 2.2.x MASQ modules like ip_masq_ftp, ip_masq_irc, etc.
AND IPCHAINS is incompatible with the new IPTABLES modules like
ip_conntrack_ftp, etc. So, what does this mean? It basically means that
if you want to use IPMASQ or PORTFW functionality under a 2.4.x kernel,
you shouldn't use IPCHAINS rules but IPTABLES ones instead. Please also
keep in mind that there might be several benefits in performing a full
ruleset re-write to take advantage of the newer IPTABLES features like
stateful tracking, etc., but that is dependent upon how much time you have
to migrate your old rulesets. Please see Section 7.40 for additional
details.


Some new 2.4.x functionalities include the following:

PROs:

* Lots of new protocol modules like: amanda, eggdrop, ipsec, ipv6,
portscan, pptp, quota, rsh, talk, and tftp

* TRUE 1:1 NAT functionality for those who have TCP/IP addresses and
subnets to use (no more iproute2 commands)

* Stateful application level (FTP, IRC, etc.) and stateful protocol level
(TCP/UDP/ICMP) network traffic inspection

* Built-in PORT Forwarding (no more ipmasqadm or ipportfw commands)

* The built-in PORTFW'ing support works for both external and internal
traffic. This means that users that have PORTFW for external traffic and
REDIR for internal port redirection do not need to use two tools any
more!

* PORT Forwarding of FTP traffic to internal hosts is now completely
supported and is handled in the ip_conntrack_ftp module

* Full Policy-Based routing features (source-based TCP/IP address routing)

* Compatibility with Linux's FastRoute feature for significantly faster
packet forwarding (a.k.a. Linux network switching).

Note that this feature is still not compatible with packet filtering for
strong firewall rulesets.

* Fully supports TCP/IP v4, v6, and even DECnet (ack!)

* Supports wildcard interface names like "ppp*" for serial interfaces like
ppp0, ppp1, etc.

* Supports filtering on both input and output INTERFACES (not just IP
addresses)

* Source Ethernet MAC filtering

* Denial of Service (DoS) packet rate limiting

* Packet REJECTs now have user-selectable return ICMP messages

* Variable levels of logging (different packets can go to different SYSLOG
levels)

* Other features like traffic mirroring, securing traffic per login, etc.




CONs:

* Netfilter is an entirely new architecture, so most of the older 2.2.x
MASQ kernel modules written to make non-NAT-friendly network applications
work through IPMASQ need to be re-written for the 2.4.x kernels. Because
of this, if you specifically need functionality from some of these
modules (see below), you should stay with a 2.2.x kernel until these
modules have been either ported or the application has been updated to
use NAT-friendly protocols. If you are curious about the porting status of a
given module, please email the author of the module and NOT David or
Ambrose. We don't code.. we just document. :-)

Here is the status of the known IP Masq kernel modules or patches as
found on the IPMASQ WWW site's Application Support Matrix. In addition,
you should also check out the Netfilter Patch-o-Matic URL,
http://www.netfilter.org/documentation/pomlist/pom-summary.html, as well.
If you have the time and knowledge to help in the porting of code, your
efforts would be highly appreciated:
+-----------+-------------+-----------------------------------------------+
| Status    | Module name | Description and notes                         |
+-----------+-------------+-----------------------------------------------+
| Ported    | CuSeeme     | Used for video conferencing                   |
| NotPorted | DirectPlay  | Used for online Microsoft-based games         |
| Ported    | FTP         | Used for file transfers                       |
|           |             | NOTE: built into the kernel and fully         |
|           |             | supports PORTFWed FTP                         |
| ReWritten | H.323       | Used for video conferencing                   |
| NotPorted | ICQ         | Used for instant messaging                    |
|           |             | * No longer required for modern ICQ clients   |
| Ported    | Irc         | Used for online chat rooms                    |
| Ported    | Quake       | Used for online Quake games                   |
| Ported    | PPTP        | Allows multiple clients to the same server    |
| NotPorted | Real Audio  | Used for streaming video / audio              |
|           |             | * No longer required for modern RealVideo     |
|           |             |   clients                                     |
| NotPorted | VDO Live    | Used for streaming audio?                     |
+-----------+-------------+-----------------------------------------------+

Documentation on how to perform MASQ module porting is available at
http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html.
If you have the time and knowledge, your talent would be highly
appreciated in porting these modules.


If you'd like to read up more on NetFilter and IPTables, please see
http://www.netfilter.org/documentation/index.html#HOWTO and, more
specifically, http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html

Linux 2.4.x IP Masquerade requirements include:

* Any decent computer hardware. See Section 7.2 for more details.

* The 2.4.x kernel source is available from http://www.kernel.org/.

NOTE: Most modern Linux distributions (see Section 7.1) that natively come
with 2.4.x kernels are typically modular kernels and have all the IP
Masquerade functionality already included. In such cases, there is no
need to compile a new Linux kernel. If you are UPGRADING your kernel, you
should be aware of other programs that might be required and/or need to
be upgraded as well (mentioned later in this HOWTO).

* The program "iptables" version 1.2.4 or newer (1.2.7a or newer is highly
recommended), available from http://www.netfilter.org/

+ NOTE #1: All versions of IPTABLES less than 1.2.3 have an FTP module
issue that can bypass any existing firewall rulesets. ALL IPTABLES
users are highly recommended to upgrade to the newest version. The
URL is above.

+ NOTE #2: All versions of IPTABLES less than 1.2.2 have an FTP "port"
security vulnerability in the ip_conntrack_ftp module. All IPTABLES
users are highly recommended to upgrade to the newest version. The
URL is above.

+ This tool, much like the older IPCHAINS and IPFWADM tools, enables the
various Masquerading code, more advanced forms of NAT, packet
filtering, etc. It also makes use of additional MASQ modules like the
FTP and IRC modules. Additional information on version requirements
for the newest IPTABLES HOWTO, etc. is located at the
http://www.netfilter.org/ Unreliable IPTABLES HOWTOs page.


* Loadable kernel modules, preferably 2.1.121 or higher, are available from
http://home.pi.se/blox/modutils/index.html or
ftp://ftp.kernel.org/pub/linux/utils/kernel/modutils

* A properly configured and running TCP/IP network on the Linux
machine as covered in the Linux NET HOWTO
(http://www.tldp.org/HOWTO/Net-HOWTO/index.html) and the Network
Administrator's Guide (http://www.tldp.org/LDP/nag2/index.html). Also
check out the TrinityOS document
(http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#TrinityOS),
which is also authored by David Ranch. TrinityOS is a very comprehensive
guide for Linux networking. Some topics include IP MASQ, security, DNS,
DHCP, Sendmail, PPP, Diald, NFS, IPSEC-based VPNs, and performance
sections, to name a few. There are over fifty sections in all!

* Connectivity to the Internet for your Linux host, as covered in the Linux
ISP Hookup HOWTO, the Linux PPP HOWTO
(http://www.tldp.org/HOWTO/PPP-HOWTO/index.html), and TrinityOS
(http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#TrinityOS).
Other helpful HOWTOs could include: the Linux DHCP mini-HOWTO, the Linux
Cable Modem mini-HOWTO (http://www.tldp.org/HOWTO/Cable-Modem/index.html)
and the Linux DSL HOWTO (http://www.tldp.org/HOWTO/DSL-HOWTO/index.html)

* Know how to configure, compile, and install a new Linux kernel as
described in the Linux Kernel HOWTO. This HOWTO does cover kernel
compiling but only for IP Masquerade related options.
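The two requirements above that matter most for a secure setup are the iptables version floor (the FTP-module problems in releases before 1.2.3 and 1.2.2) and the switch from IPCHAINS to a stateful IPTABLES ruleset. The following script is an added example, not code from the HOWTO or from the netfilter project: it compares the installed iptables version against those thresholds (handling the "1.2.7a" letter suffix) and prints a minimal stateful masquerading ruleset built from the modules the text names. The interface name ppp0, the network 192.168.1.0/24 and the sample `iptables -V` line are constructed placeholders.

```shell
#!/bin/sh
# Added example: iptables version gate plus a minimal 2.4.x MASQ ruleset.
MIN_IPTABLES=1.2.4     # required by the HOWTO
REC_IPTABLES=1.2.7a    # recommended by the HOWTO

# Turn "1.2.7a" (optionally prefixed with "v") into a fixed-width sort key
# "001002007a"; a missing patch letter becomes "0", which sorts below "a",
# so 1.2.7a ranks above 1.2.7. Returns 1 on unparsable input.
version_key() {
    v=$(echo "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\([a-z]*\).*$/\1 \2 \3 \4/p')
    [ -n "$v" ] || return 1
    set -- $v
    printf '%03d%03d%03d%s' "$1" "$2" "$3" "${4:-0}"
}

# Succeeds when version $1 is greater than or equal to version $2.
version_ge() {
    k1=$(version_key "$1") || return 1
    k2=$(version_key "$2") || return 1
    top=$(printf '%s\n%s\n' "$k1" "$k2" | LC_ALL=C sort -r | head -n 1)
    [ "$top" = "$k1" ]
}

# Extract the version from an `iptables -V` line such as "iptables v1.2.7a".
iptables_version_from_output() {
    echo "$1" | sed -n 's/^iptables v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*$/\1/p'
}

# Fails (exit 1) when the version is below the HOWTO's floor; warns when it
# is below the recommended release.
check_iptables_version() {
    ver=$1
    if ! version_ge "$ver" "$MIN_IPTABLES"; then
        echo "iptables $ver is too old: releases below 1.2.3 have the FTP-module" \
             "bypass issue; $MIN_IPTABLES or newer is required" >&2
        return 1
    fi
    version_ge "$ver" "$REC_IPTABLES" ||
        echo "note: iptables $ver works, but $REC_IPTABLES or newer is recommended" >&2
    return 0
}

# Print (not apply) a minimal stateful MASQ ruleset for a 2.4.x kernel:
# NetFilter FTP helpers instead of the old ip_masq_ftp, MASQUERADE in the
# nat table's POSTROUTING chain, and a FORWARD chain that only admits
# connections the internal LAN opened. $1 = external interface, $2 = LAN.
gen_masq_rules() {
    ext=$1; lan=$2
    cat <<EOF
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $lan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext -m limit --limit 3/min -j LOG --log-prefix "MASQ-FWD-DROP: "
EOF
}

# Demo on a constructed `iptables -V` line (stand-in for running the real command).
SAMPLE_OUTPUT='iptables v1.2.7a'
check_iptables_version "$(iptables_version_from_output "$SAMPLE_OUTPUT")" &&
    gen_masq_rules ppp0 192.168.1.0/24
```

To use it on a real host, replace SAMPLE_OUTPUT with `$(iptables -V)` and pipe the printed rules into sh as root only after reviewing them.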



Category: IP Masquerading Interview Questions & Answers
Added on 5/15/2014
Source: CoolInterview.com