To get Port Forwarding working you will need a program call ipmasqadm. This is not packaged with Red Hat 6.2 and you will need to download it yourself. This is quite easy to do as it is a packaged RPM available on-line by doing a simple search. When we setup our machines the latest version was the file ipmasqadm-0.4.2-4.i386.rpm and was found with no problems. Similarly it can be done by downloading and compiling the source which is found in the file ipmasqadm-0.4.2.tar.gz also easily found online.

To install the RPM simply download the appropriate file and install it by using the command rpm -ivh ipmasqadm-0.4.2-4.i386.rpm this will install the ipmasqadm into its default directory which is /user/sbin (as with most system programs). Now it is ready to use.

To install the source code you will need to download it appropriate file to a suitable directory (once again we recommend /usr/sbin). To unzip and untar it you will need to run the following command on the file in the directory to which you save the file; tar -xzvf ipmasqadm-0.4.2.tar.gz this will create the directory ipmasqadm-0.4.2/ in which all the files will be contained. You will now need to change to this directory and proceed with compiling and configuring the source. Before you proceed we recommend you read the latest readme file contained with the source for helpful install information, this is done by cat doc/README | more and using SPACE to scroll down the screens. Once you have read the instructions all that is left to do is compile the source by typing make install. Now it is ready to use.

/usr/sbin/ipmasqadm autofw -A -r tcp <server_port> <client_port> -h <client_ip>

This will forward any port on the server that matches this rule directly to the same port on the client machine. Make sure that the <server_port> and <client_port> are the same otherwise you will get the this error: Illegal port numbers.

/usr/sbin/ipmasqadm portfw -a -P tcp -L <server_ip> <server_port> -R <client_ip> <client_port>

This will forward any port on the server that matches this rule directly to the port specified on the client machine. i.e. if you want to run a FTP on you Windows machine then you would direct a port like 2000 to the port 21 on you Windows client machine. That way people just log into the FTP on <server_ip>:2000 and they will be redirected by Linux to your <client_ip>:21.

If you wish to create a script that allows your ports when Linux is booted then you can just simply create the file like in the Net Sharing section and place the rules in there. To allow a large range of ports that are complete, i.e. from port 2000 to 3000 which included all 1000 port then you can use the following code:

port=2000
while [$port -le 3000]
do
/usr/sbin/ipmasqadm portfw -a -P tcp -L <server_ip> $port -R <client_ip> $port
port=$((port+1))
done

This will loop around 1000 times and add rules for forwarding the ports on the <server_ip> to the same port on the <client_ip>.

To get such programs as FTP, IRC and ICQ working on your client machines, you will need to load the appropriate modules into the system so that it can forward the data. This should be added to the bottom of your rc.firewall script that you would have created earlier.

The ip_masc_ftp, and ip_masc_irc module come with Red Hat 6.2, but the ip_masc_icq will have to be downloaded off the Internet, the latest file is ip_masq_icq-0.56.tar.gz and is easily found by doing a search.

To install this module simply download the file and extract it by typing tar -xzvf ip_masq_icq-0.56.tar.gz, then you can read the README file by typing cat README | more, now all that is left you do is compile the source by typing make. Once the module has been compile form the C source file to make the .o Object file you should copy this file to your kernel model directory by typing cp ip_masq_icq.o /lib/modules/2.2.14-5.0/ipv4/ and then it is ready for you to use.

Now that you have all the modules on your system, you need to edit your rc.firewall and add these lines of code to the bottom of the script:

# Needed to initially load modules into the system kernel
/sbin/depmod -a

# Supports the proper masquerading of FTP transfers using the PORT method
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of IRC DCC file transfers
/sbin/modprobe ip_masq_irc

# Supports the masquerading of ICQ chat/file/message transfers
/sbin/modprode ip_masq_icq

If like us you can't get the ip_masq_icq to work (i.e. it give your errors when compiling), there is another easier way around the problem. In your rc.firewall add this code at the bottom instead of the /sbin/modprobe ip_masq_icq:

port=2000
while [ $port -le 2020 ]
do
/usr/sbin/ipmasqadm portfw -a -P tcp -L <optus_ip> $port -R <client_ip> $port
port=$((port+1))
done

This will loop around 20 times and forwards ports 2000 -> 2020 to your client machine (which has ICQ), now you just have to tell ICQ that your behind a firewall and give it the appropriate settings to use.

Now, in ICQ's Preferences-->Connection, configure it to be "Behind a LAN" and "Behind a firewall or Proxy". Now, click on "Firewall Settings" and configure it to be "I don't use a SOCK5 proxy". Finally, click on Next and configure ICQ to "Use the following TCP listen ports.." from "2000" to "2020". Now click done.

ICQ 2000 is a bit different, you need to goto ICQ -> Preferences -> Connections -> User. Click on "Not using proxy" and then click on "Use the following TCP listen port for incoming event". In the From: you want to enter 2000 and in the To: you want to enter 2020. Now just click on Apply and your almost finished.

Also note that it was repviously recommended to change ICQ's "Firewall session timeouts" to "30" seconds BUT many users have found that ICQ becomes unreliable. It has been found that ICQ is more reliable with its stock timeout setting (don't enable that ICQ option) and simply change MASQ's timeout to 160 seconds. You can change this timeout in the rc.firewall ruleset by adding the line of code /sbin/ipchains -M -S 7200 10 160.

You will probably notice that when you try and connect to an FTP that is not on the default port (i.e. 21) that you will connect but will not be able to do a directory list or anything else for that matter. This is due to the Firewall blocking the ports your ftp client is trying to use for these commands, if you try and forward the ftp port it will still not work (its only connects on that port, the ftp server will use other ports for commands and sends). To fix this, simply look in your FTP Client for a option called "Passive Mode" and enable this, now you should be connect, get a directory list, download and send like normal.

Some IRC servers require Ident checks and this will prevent you from connecting full stop (this can also be seen as when u log-on you are almost immediately logged off) to fix this all you need to do (in mIRC) is go into File -> Options and under "Connect" go into "Ident". In the Ident section you want to check the "Enable Ident server" checkbox and enter a User ID (nickname is recommended), then simply click OK (your screen should look similar to the first image below). After doing this you need to forward the Ident port (113) to your client machine, to do this simply add this line to you Firewall file: /usr/sbin/ipmasqadm portfw -a -P tcp -L <server_ip> 113 -R <client_ip> 113.

Another thing is that your Fserv or XDCC server will not work in mIRC, this is because of the Firewall once again (damn Linux is too secure for its own good). To get this working is even simpler than the above, all you need to do (in mIRC once again) go into File -> Options and under "Connect" this time go to "Local Info". In the "Local Host" and "IP Address" boxes you want them blank (as you want them to be established upon connection), you will need to check both the "On connect, always get:" boxes. The only real change you will need to make is the "Lookup method:", you want to make sure you have "Server" checked otherwise it will find your internal hostname and IP not your external one (your settings should look similar to the second image below). This has been tested and works between both our machines (i.e. from one machine behind a Linux Firewall to another behind a Linux Firewall) which means it should work for any case.

Another thing you might want to do is to allow TCP and UDP ports from 4950 - 5000 through to your machine, once you have done that you can then setup mIRC to use these ports for DCC sends and that will help to make sure that everyone can accept a DCC send from you, below is an example using port auto forwarding:

#!/bin/sh

echo " - Allowing IRC FSERV (TCP 4950 - 5000) ...";
port=4950
while [ $port -le 5000 ]
    do
        /usr/sbin/ipmasqadm autofw -A -r tcp $port $port -h 192.168.0.2
        /usr/sbin/ipmasqadm autofw -A -r udp $port $port -h 192.168.0.2
      port=$((port+1))
    done

In this example the client machine is 192.168.0.2, you can change this to suit your IP and if you want to add more clients simply duplicate the two ipmasqadm lines and change the IP for the second machine, once you have done this then just setup mIRC by going to File -> Options, under DCC select Options, then change the DCC ports from 1024 - 5000 to your new forwarded ports 4950 - 5000.

If you want to use an e-mail account that is provided by another ISP (e.g. OzEmail, iHug etc.) then you are going to have problems trying to send e-mail's using these accounts even if they are properly setup, while receiving e-mail's is not a problem. The error you will get when sending is something like "...doesn't allow mail relaying", this is due to the fact that new versions of sendmail do not allow relaying of messages.

The best way to fix this problem is to disable the sendmail service (you probably don't need it anyway, unless you are running a mail server). To disable the sendmail service login as root and run the command ntsysv this should bring up a window that shows the services that startup at boot time. Find sendmail and disable it. You should now be able to send and receive e-mail's from any POP or SMTP mail server.

You have probably noticed that you can no longer access the Optus@Home members page by typing "www" in to your browser window. This problem is very simple to fix, you just have to put the right proxy information in.

1. On your Linux box type nslookup you should get a response something like this (it is different for many people):

Default Server: proxy2.belrs1.nsw.optushome.com.au
Address: 203.164.20.10
>

To exit nslookup simply type in exit and press ENTER.

2. The default server is what we are after. This is the actual domain name for the proxy server at your node.

3. Now open up the Browser on your client machine and go in to proxy options, check use a proxy server and type in the address you got from the last step and in the port section type 8080.

4. Internet Explorer 5.x should look like this:

- OR -

When you are setting up network preferences on the client machine in the "DNS configuration" tab under domain instead of leaving it blank type in the suffix of the domain from you node, in this case it would be belrs1.nsw.optushome.com.au. This will also solve the problem.