2. Basic configuration - Masquerading
:::[ MASQ_NETWORK ][ MASQ_MODULES_N MASQ_MODULE_x ][ MASQ_FTP_PORT_N MASQ_FTP_PORT_x ][ OPT_PORTFW ][ PORTFW_N ][ PORTFW_x ]:::

MASQ_NETWORK

Enter here the networks that are to be masqueraded toward the outside. If you use private (non-official) IP addresses, e.g. 192.168.x.x, and the router is to provide internet access, this variable must be set under all circumstances.

Format is:

NETWORK_NUMBER/NUMBER_OF_BITS_SET_IN_NETMASK
    

Example: networks of the form 192.168.x.0:

MASQ_NETWORK='192.168.6.0/24'
    

This example means: the first 24 bits of the netmask are set, i.e. netmask 255.255.255.0.

If more than one network must be masqueraded, separate them with spaces. If no network has to be masqueraded, leave the variable empty.

Important: for security reasons, only computers in the masqueraded networks get access to the imond server (see below).

[ top ]

MASQ_MODULES_N MASQ_MODULE_x

IP masquerading has advantages where direct access from remote computers to local LAN computers is concerned, but it also has disadvantages.

For example, one big problem is that no remote computer can reach a LAN computer on its own initiative. This is expressly wanted for security reasons, but certain protocols stop working because they depend on connections initiated from remote.

One classic example is FTP. In addition to the control channel, which carries commands and replies, a second connection (on another IP port) carries the data itself. FLI4L uses specific masquerading modules to open the ports used by such connections "ad hoc", that is, only when data must be delivered to the "internal" (LAN) computer. The masquerading module inspects the data stream of the control channel to find out when an additional port is needed.

Typical applications for masquerading modules are chat protocols and internet games.

Previously only the FTP masquerading module was loaded, and it was loaded automatically. In the meantime additional modules are available:

ftp             File Transfer Protocol
h323            h323 (alternative to NetMeeting, e.g. for web.de telephoning)
icq             Internet Chat
irc             Internet Relay Chat
raudio          Real Audio
vdolive         Vdolive
quake           Quake
cuseeme         Cuseeme
pptp            PPTP masquerading
ipsec           IPSEC
dplay           Direct Play
msn-0.01        MSN Game Zone - version 0.01
msn-0.02        MSN Game Zone - version 0.02 (beta)
udp_dloose      for internet games
   

Of course it is impossible to write a separate masquerading module for every protocol that uses additional ports. Therefore there is an additional option to forward ports to an "internal" (LAN) computer; see the description of OPT_PORTFW (port forwarding). Another tip: at www.fli4l.de there is a separate FAQ page about port forwarding (linked from the start page).

The h323 module may be used as an alternative to NetMeeting. It then supports telephoning from a PC via the internet to a real telephone, as provided by the freemail provider web.de.
BUT: NEVER use NetMeeting AND the h323 module simultaneously!

Configuration variables:

MASQ_MODULE_N gives the number of masquerading modules to be loaded; MASQ_MODULE_x names the x-th module to be loaded.

The default setting for MASQ_MODULE_N is '1', meaning that only the first masquerading module, FTP, is loaded. To load more modules, increment MASQ_MODULE_N accordingly. The configuration in the included config.txt is only meant as an example; change it to your own needs, e.g.:

MASQ_MODULE_N='2'
MASQ_MODULE_1='ftp'
MASQ_MODULE_2='raudio'
   

Entries MASQ_MODULE_x with x greater than MASQ_MODULE_N are simply ignored.

[ top ]

MASQ_FTP_PORT_N MASQ_FTP_PORT_x

From time to time it may be necessary to use the FTP masquerading module not only for port 21, for example when connecting to an external FTP server that listens on port 2021.

MASQ_FTP_PORT_N contains the number of ports, MASQ_FTP_PORT_x the x-th port. When using these parameters, the default port 21 must always be included, otherwise "normal" FTP connections will fail.
Under normal circumstances no changes are necessary.

[ top ]

OPT_PORTFW - port forwarding tools

Some internet protocols require connections to be established from remote into the internal network. If the network is masqueraded toward the outside (IP masquerading), i.e. only one IP address is available for the whole LAN, specific ports that must be reachable from remote can be redirected to ONE "internal" computer. This is called port forwarding. The problems that make port forwarding necessary were already mentioned in the description of the variable MASQ_MODULES_N.

Opening such ports is often necessary for games, chat or internet telephony. Where the masquerading modules cannot handle a protocol, port forwarding can be set up instead. Keep in mind that a forwarded port is reachable by anyone on the internet, so the target computer should only run a service on that port that you actually intend to expose.

[ top ]

PORTFW_N

This variable contains the number of port forwardings. They are defined in detail in PORTFW_x.

[ top ]

PORTFW_x

Each of these variables contains one port forwarding rule. There are two formats:

PORTFW_x='<port1> <ip>:<port2>'

This forwards the single port <port1> on the router to port <port2> of the "internal" computer with IP address <ip>.

PORTFW_x='<port1>-<port2> <ip>'

This forwards the whole port range from <port1> to <port2> to the identical ports of the "internal" computer with IP address <ip>.
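As an added example (not fli4l's own code, which lives in opt/etc/portfw.sh), the POSIX shell script below parses both PORTFW_x formats, expands the range form into single-port "port ip:port" rules, and rejects a rule whose target is not inside one of the networks listed in MASQ_NETWORK, since only a LAN computer can be a forwarding target. It therefore serves both the MASQ_NETWORK and the PORTFW_x description. The configuration values at the top are constructed for the example (PORTFW_3 deliberately points at a host outside the masqueraded network); the function names are my own.

```sh
#!/bin/sh
# Added example, not fli4l code: validate PORTFW_x rules, expand ranges,
# and check every target against MASQ_NETWORK.
# Constructed configuration mirroring the documented formats:
MASQ_NETWORK='192.168.6.0/24'
PORTFW_N='3'
PORTFW_1='80 192.168.6.2:8080'
PORTFW_2='6000-6010 192.168.6.3'
PORTFW_3='8080 10.0.0.5:80'          # deliberately outside MASQ_NETWORK

# is_port PORT -> 0 if PORT is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ip2int A.B.C.D -> the address as a decimal integer, or status 1
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_network IP NET/BITS -> 0 if IP lies inside NET/BITS (MASQ_NETWORK format)
in_network() {
    ip=$(ip2int "$1") || return 1
    netaddr=$(ip2int "${2%/*}") || return 1
    bits=${2#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) ))   # first BITS bits set
    [ $(( ip & mask )) -eq $(( netaddr & mask )) ]
}

# in_masq_network IP -> 0 if IP is inside any of the space-separated networks
in_masq_network() {
    for net in $MASQ_NETWORK; do
        in_network "$1" "$net" && return 0
    done
    return 1
}

# portfw_target RULE -> prints the <ip> of either rule format
portfw_target() {
    set -- $1
    [ $# -eq 2 ] || return 1
    case "$1" in
        *-*) echo "$2" ;;            # '<port1>-<port2> <ip>'
        *)   echo "${2%:*}" ;;       # '<port1> <ip>:<port2>'
    esac
}

# portfw_expand RULE -> one "port ip:port" line per forwarded port, status 1 if malformed
portfw_expand() {
    set -- $1
    [ $# -eq 2 ] || return 1
    case "$1" in
        *-*)                         # range form: identical ports on both sides
            lo=${1%-*}; hi=${1#*-}; ip=$2
            is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ] || return 1
            ip2int "$ip" >/dev/null || return 1
            p=$lo
            while [ "$p" -le "$hi" ]; do
                echo "$p $ip:$p"
                p=$((p + 1))
            done ;;
        *)                           # single-port form: router port -> ip:port
            case "$2" in *:*) ;; *) return 1 ;; esac
            ip=${2%:*}; dst=${2#*:}
            is_port "$1" && is_port "$dst" || return 1
            ip2int "$ip" >/dev/null || return 1
            echo "$1 $ip:$dst" ;;
    esac
}

# check_portfw -> prints the expanded rules for PORTFW_1..PORTFW_N;
# reports malformed rules and targets outside MASQ_NETWORK, status 1 on any problem
check_portfw() {
    rc=0; i=1
    while [ "$i" -le "$PORTFW_N" ]; do
        eval "rule=\$PORTFW_$i"
        if ! portfw_expand "$rule" >/dev/null; then
            echo "PORTFW_$i: malformed rule '$rule'" >&2; rc=1
        elif ! in_masq_network "$(portfw_target "$rule")"; then
            echo "PORTFW_$i: target $(portfw_target "$rule") is not inside MASQ_NETWORK" >&2; rc=1
        else
            portfw_expand "$rule"
        fi
        i=$((i + 1))
    done
    return $rc
}

check_portfw || echo "PORTFW configuration has errors" >&2
```

Run against the constructed values, the script prints the twelve expanded single-port rules for PORTFW_1 and PORTFW_2 and complains about PORTFW_3, whose target 10.0.0.5 is not in 192.168.6.0/24. The expanded "port ip:port" lines are what a per-port forwarding tool would be fed one at a time.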

Alternatively, port forwarding commands may be entered directly into opt/etc/portfw.sh. A short description of the program calls and some examples are included as comments in the shell script. If you want to use an internet game, chat protocol or similar in a masqueraded LAN, you may find lots of tips at:

http://www.tsmservices.com/masq/

Most of the port redirections given there are written directly for ipautofw or ipportfw and exist as complete solutions that can be included directly into the shell script portfw.sh.

For additional information, consult the IP Masquerading HOWTO. The latest (English) version is available at:

FLI4L homepage

With the Windows client imonc you can edit the script while the router is running; the current version may then be sent directly to the FLI4L router.

[ top ]