Free masquerade software for linux

IPTABLES masquerading firewall is a self contained script that enables and sets basic masquerading (assuming kernel kernel support already exists) at boot time. You may use this example, or modify existing init scripts to include the code.

Under Linux kernel 2.4.x, packet mangling has considerably changed. This includes the masquerading, firewalling, and port forwarding features. This document assumes youre using modules, if youre not, disregard the code in the following script that tests for the loaded module.

#!/bin/sh

# YOU MUST SET THE FOLLOWING THREE VARIABLES

# Set the full path to iptables
PROG=/path/to/iptables

# Set network interface to masquerade on. This will be the interface
# thats connected to the Internet. Possibilities include ppp0, eth0,
# eth1, etc.
IFACE=eth0

# Set machine or network to masquerade. This can be set as hostname, IP address,
# or network mask, examples:
# Hostname your_hostname
# IP address 192.168.1.2
# Net mask 192.168.1.0/24 This masquerades ALL machines on 192.168.1.x
INTNET=192.168.1.2

# Enable IP Masquerading in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Test if iptable_nat module is loaded, its boot time, not likely :)
if [ -z "`lsmod|grep iptable_nat`" ];
then
modprobe iptable_nat
fi

# Test if existing MASQ rules exist, its boot time, not likely :)
if [ -z "`$PROG -L -t nat|grep MASQUERADE`" ];
then
$PROG -t nat -A POSTROUTING -o $IFACE -s $INTNET -j MASQUERADE
fi

ProQuake project is a Quake engine for advanced deathmatch play, including cheat-free mode.
ProQuake is a modification to the Quake source which is specifically intended for intense deathmatch play.
It is a rock solid set of enhancements to unmodified NetQuake, such as precise aim, and other small, simple changes that improve the quality of netplay enormously.
ProQuake is fully compatible with standard NetQuake and Clanring CRMod++ features including team scores, match timer, and client pings.
Main features:
- Eliminated cheat-free lag for modem players on 3.50 servers
- "cheatfree" command tells you if youre connected to a cheat-free server
- Connect to 3.40 servers through routers/NAT/IP Masquerading
- Four button mouse support
- Mouse wheel support
- Fullbright shaft in glpro
- r_polyblend in wqpro
- QuakePro+ bestweapon command
- Recognizes ip_address:port notation
- Remove r from console output
- Added %d for binds to say where you died
- Various minor bug-fixes and improvements
- Eliminated cheat-free lag for 3.50 modem players
- Append "(cheat-free)" to the host name for cheat-free servers
- 3.40 clients can connect through routers/NAT/IP Masquerading
- iplog supports multiple concurrent servers
- Clients without map can connect to cheatfree server
- Cheat protection
- Fixed incoming message buffer overflow (q1crash)
- Added pq_logbinds to store player binds in log file
Enhancements:
- ProQuake 3.50 eliminates the lag that modem users were experiencing on cheat-free servers.

This patch can be used on a masquerading firewall (NAT) to keep a log of all the outgoing masqueraded TCP connections.
Its even possible to log the name of the user who has opened the connection. This can be a useful security tool for many small networks that are hidden by a masquerading box if users cannot be totally trusted. It can be used with linux 2.2.17, 2.2.19, 2.2.20 and maybe other (future) 2.2.x versions.
With this information you can know, in the above scenario, that the connection masquerader.yourdomain.com:666 [-3-] ==> crackme.victim.com:31337 [-2-] was started by attacker.yourdomain.com [-1-] from port 1234.
Now please note that this is NOT enough: if attacker.yourdomain.com is a multiuser machine at that time there could be 100 users logged in. Moreover a malicious user could attack crackme.victim.com from attacker.yourdomain.com even without being logged in (with either cron or with a background job or... etc.).
Since we dont want the users being able to hide themselves in this way, the masquerader makes a IDENT query to the client and, if IDENT is available, adds the response to the log together with [-1-], [-2-] and [-3-].
Its therefore recommended (although its optional) that you enable the IDENT service on all hosts on the internal network. Please note that if you restrict the IDENT service (e.g. with TCP wrappers) to the masquerader it wont work (exercise: can you understand why?). If your network configuration on the masquerader is OK, remote hosts wont be able to do IDENT queries (since they cant pass through the masquerader). Therefore allowing "everyone" to do IDENT queries on the clients should be safe enough. If you wish to allow remote hosts to do IDENT queries you can install a special IDENT server on the masquerade router, like pnidentd (for example).
Enhancements:
- Update for linux 2.2.19

NetTraf consists of a daemon that gets information from a Linux interface and sends it on the network to NetTraf clients. Clients then can use the information to show to the user how the connection status.

NetTraf consists of a daemon running on Linux, and a client application (now Windows and Linux clients are available), that monitors one interface on the Linux machine.

It is mainly used to show the status of a dial-up connection of a Linux masquerade server, so everyone on the network knows if the connection is active and how well the connection is performing.

The supplied Windows client application show lights on the taskbar almost like the standard modem application, and also shows a graphical bar with the connection status over time.

NetTraf now finally have some Linux clients, thanks to the great Linux programmers who did them. You will find them at the bottom of the page.

Now I need more client applications, such as GTK+. The protocol is very simple, but I do not have enough expertise right now to develop client application on Linux (maybe when Borland.com releases Delphi for Linux...)

Multinet is a curses-based solution to sharing a dial-up Internet connection using IP masquerading. It keeps track of time spent online, billing information for each user, and user manangement (so that users cannot kill each others connection).

The program depends on two scripts that bring-up the ppp connection and shut it down again.See the multinet.c code for the NETSTART and NETSTOP defines which specify where these scripts are. In my case, the up script is basically a line that says:

/usr/sbin/pppd call freeserve

...with a few other misc. bits and pieces. The down script basically just has this line:

kill `cat /var/run/ppp0.pid`

Your scripts may be different, but if you use ppp and chat scripts they are going to be pretty similar.

Net activity is logged to a file (defined in multinet.c). This is a plain text file that shows the userid, time, duration and cost of each call.

When you want to start a net connection, simply type multinet. If another user is currently using the Internet, you will be told as much and the program will exit. Lucky you - you can use the net and hell pay for it! Be nice and dont use much bandwidth though, or he might
get upset.

When you make your own connection, dont quit the program! You must keep it running until you press D to disconnect, otherwise everything will go pear-shaped.

When you disconnect by pressing D, to program will calculate how long the call was and how much it cost. It will tell you this information as well as logging it to its log file.

layer7-firewall provides an easily configured layer seven firewall.
layer7-firewall is an easily configured layer seven firewall. It boots from a CD, using a floppy disk for data storage.
Layer7-firewall is a firewall which filters data in layer7 OSI model and has implemented QoS.
Netfilter identifies packets as eDonkey2000, Bittorent, Quake, etc. Many thanks to Justin Levandoski, Ethan Sommer and Matthew Strait for their work in L7-filter. After unpacking bz2 file You get iso image to burn on cd.
Dont forget to connect Your CD as hdb (Primary Slave).
Enhancements:
- added "iptables -I FORWARD -p udp... -j MASQUERADE",
- added "iptables -I FORWARD -p icmp... -j MASQUERADE",
- added "iptables -I INPUT -p udp... -j MASQUERADE",
- added "iptables -I INPUT -p icmp... -j MASQUERADE",
- queues on interfaces have algorithm cbq now (before htb).

Fair NAT is a script for configuring NAT on dedicated Linux routers. This is the home of my linux router shaper script which allows something like fair bandwidth sharing among clients in the local network. The script is not great or anything - please dont expect the holy grail here - I just thought Id publish it because many people helped me write it and maybe someone has some use for it. I bet there are still lots of things that can be improved. Sorry about the crappy design of this page, I dont have time to put more effort in better looks.
You have a certain number of Clients (User A - User N) in your LAN which are connected by a Switch (or a Hub or BNC) to the Linux Router which is supposed to act as a gateway to the internet. The trouble now is, User B has a lot of downloads running and User C uploads stuff day and night, which leaves User A who only wants to use an interactive SSH shell in the rain, since B and C already use up all bandwidth the internet connection offers.
What we need to do is to share available bandwidth fairly among clients. In order to achieve this, I first tried several searches at Google and Freshmeat. This turned up quite a lot of results, like the Linux Advanced Routing & Traffic Control HOWTO which is a must-read and also contains great scripts, like the Wondershaper for single users. Another great general purpose script I found was HTB.init, which doesnt do anything by default, but gives you an easy way to setup HTB queues. In case you prefer CBQ, theres a CBQ.init too. If you dont know what Im talking about, read the HOWTO above or continue reading here.
Since I never found a script that did exactly what I wanted, I decided to write my own. Its designed to be an all-I-need script, therefore it does not just setup Traffic Shaping, but Masquerading and Port Forwarding too. In short, it does everything that has to do with IPTables and Traffic Control. I use HTB (Hierarchical Token Bucket) to share bandwidth among clients (one class per client). On top of that I added a PRIO queue to prioritize interactive traffic on a per-user basis. On top of PRIO I set SFQ to treat connections fairly. In version 0.72, experimental support for IPP2P to recognize peer-to-peer traffic was added.
This is the simplified scheme for routing:
HTB class (for bandwidth sharing)
|
-- PRIO (for prioritizing interactive traffic)
|
--- Interactive: SFQ (to treat concurrent connections fairly)
--- Normal: SFQ
--- High-Traffic: SFQ
[ --- P2P: SFQ (if IPP2P support is enabled only) ]
I bet this can still be improved and Im always interested in ways to do so. In case you want another class structure, this can be done by replacing the parent_class and user_class functions in the script. See CLASS_MODE in Configuration section and the function documentation in the script for details. Feel free to send me your own functions with a short explanation, if you want me to make them available for everybody.
Heres a "real" graphic, which shows the complete qdisc/class structure on $DEV_LAN if you use the unmodified example configuration file. This graphic was created using a hacked version of Stef Coenes show.pl script and GraphViz. Click here to see it, but I warn you: its quite big. Heres a similar picture, which includes IPP2P support. Note that there are more filter rules (the blue arrows) now which put the filesharing traffic into the users prio band 4.
Main features:
- This is a variable with a space-separated list of features that should be enabled. Default is all enabled if you dont set this variable.
- PROC:
- Allow Fair NAT to change some system variables in /proc, like setting /proc/sys/net/ipv4/ip_forward to 1.
- MODULES:
- Try to load kernel modules for QoS first.
- RESET:
- Fair NAT will replace all existing iptables rules with a very basic (empty) configuration. Not healthy for firewalls. You can disable this feature to keep the original rules in place. See Firewall Support below.
- NAT:
- Allow Fair NAT to configure NAT. You could disable this if you prefer to set this up yourself / let your firewall do it.
- FORWARD:
- Allow Fair NAT to configure Port Forwarding. Same as NAT, you can disable this if you dont need it.
- QOS_DOWN:
- Shape download traffic. If you know a little bit about traffic shaping and believe that download shaping is completely useless, feel free to disable this.
- QOS_UP:
- Shaping upload traffic can be disabled also. If you disable this and QOS_DOWN also, you could use Fair NAT for setting up NAT and Port Forwarding only, although thats not really the purpose of the script ;-)
- TOS:
- Allow Fair NAT to modify the TOS (type-of-service) field of packets. Right now, Fair NAT relies on this TOS field for shaping, so using this feature is highly recommended.