IPmenu is written in CURSEL, which is available at http://users.pandora.be/stes/compiler.html. The latest version of ipmenu is ipmenu-0.0.3.tar.gz
The server can be managed on the console, or over a serial, terminal or modem dialup, connection, or over SSH, via the command line (with the iptables command) or using IPmenu, which is a more user-friendly alternative.
For example, the command line tool "iptables" allows one to specify various actions to be taken when rejecting (dropping) a packet, such as ICMP host unreachable or TCP reset etc.
IPmenu does the same thing, but IPmenu lists the various possibilities
in "menus" and "forms" that can be navigated through using the arrow and
function keys (see screenshot below) so that one doesn't have to memorize
the various possibilities.
Obviously the necessary kernel modules must be installed (and loaded if necessary) before iptables or IPmenu can work.Module Size Used by sch_cbq 10768 0 (unused) cls_fw 1888 0 (unused) ipt_state 800 0 (unused) ipt_limit 1040 0 (unused) ipt_MASQUERADE 1280 1 ipt_REDIRECT 928 0 (unused) ipt_REJECT 2016 0 (unused) ipt_LOG 3280 0 (unused) iptable_mangle 1856 0 (unused) iptable_filter 1856 0 (unused) iptable_nat 12640 0 [ipt_MASQUERADE ipt_REDIRECT] ip_conntrack 12672 2 [ipt_state ipt_MASQUERADE ipt_REDIRECT iptable_nat] ip_tables 10624 11 [ipt_state ipt_limit ipt_MASQUERADE ipt_REDIRECT ipt_REJECT ipt_LOG iptable_mangle iptable_filter iptable_nat] hisax 127472 0 (unused) isdn 69360 0 [hisax] 3c59x 23584 2 bsd_comp 4144 0 (unused) ppp_generic 12672 0 [bsd_comp] slip 7968 0 (unused) lp 4688 0 (unused) parport_pc 10656 1< parport 14240 1 [lp parport_pc]
The word "masquerading" is used in the context of a gateway that has a dial-up (modem) connection or has a dynamic IP (such as with a cable modem or DSL connection).
Start ipmenu by typing "ipmenu" (you may have to add ipmenu to the PATH). Then navigate through the menu's by using the arrow keys and the Enter key. Choose "NAT", then choose "Post-routing", then choose "Append" then choose "Masquerade" :
Note that the labels at the bottom of the page indicate what the function keys (F1,F3,F4,F5,F6 and F7) are supposed to do. If the function keys don't work you can still use Control-f + 7 to obtain the same result as you'd get by pressing F7.
By pressing Control-j and then typing "unix" one can temporarily "escape" to a Unix shell.
To start masquerading private (RFC 1918) addresses in the 172.16.0.0 range, and replace those source addresses, by the dynamically assigned address of some interface, use the F2 function key to select the Outgoing Interface and enter the source IP addresses :
Note that by using the F2 key ("Choices"), one can cycle through a list of possible values (interfaces).
By pressing the Tab key, the cursor moves on the next text field. When all fields in the form are filled out, press SAVE (F3 or Control-f 3) or CANCEL (F6 or Control-f 6) to close the form without saving.
If you save the rule, the rule is appended to the "Post-routing" chain
of the NAT table. The NAT box starts masquerading immediately; it
is possible to use the "Show" item of the Chain menu to display the rules
in the chain.
Choose 'Filter', then choose 'Custom', this lists the custom chains that are defined in the Filter table.
Choose 'BLOCK' (the custom chain we've just created) and then Append. We will append a REJECT rule to drop packets and send back error packets :
Use the Tab key to go to Connection tracking state, and use F2 (or control-f 2) to choose NEW. We only want to drop 'new' connections, not established or related connections.
Then go to the reject field, and type F2 once more. You can choose an ICMP error control packet such as host unreachable. You may also choose TCP reset but this only works for TCP connections. If you choose TCP reset, also select the TCP protocol in the field "Protocol selection" (by using F2 for that field).
After defining the BLOCK custom chain, we will now use that Chain in the Input chain.
Choose the 'Filter' table, then go to the Input chain, and choose Append. Append a Custom rule.
Pick the incoming interface by pressing F2 (choices) in the "Incoming Interface" text field.
The custom target rule "BLOCK" (see last text field in the form) will be applied to any incoming packet on eth1.
It is possible to save your work by using the 'iptables-save' and 'iptables-restore' utilities that come with IPtables.
Alternatively, inspect the /tmp/ipmenu.log file : most iptables commands are logged in that file.
It is possible to copy/paste iptables commands from that /tmp/ipmenu.log file and have them automatically ran when rebooting the machine.
Note that the levels (choices for the Log level field) are obtained
by pressing F2. Also F2 is used to toggle the value of the booleans
"Log TCP Options" from NO to YES.
Suppose you want a special routing key for all "email" traffic :
After saving (press F3) that routing key, you can check under "show ip rule" that all traffic that will be "marked" by Netfilter as "email" will use the "email" routing tables.
To configure the "email" routing table, go to the "Route" menu, and add a default route :
You could for example set up the default route for the "email" table to use a different outgoing network interface than for the "main" routing key.
What is left to do, is "mark" using Netfilter, the traffic that should use the "email" routing table. In the "Mangle" table, it is possible to add a rule that selects all TCP traffic to port 25 (smtp) and select the routing key "email" for it.
With ipmenu, assuming the sch_tbf, token bucket queueing discipline is loaded into the Linux kernel, one can easily configure a token bucket filter on a given network interface :
The above screenshot shows how to limit traffic to 256 kilobit on interface eth0 by installing a TBF queueing discipline on it.
ipmenu also allows CBQ (class based queueing) to be configured, to divide a link into "chunks" or "classes" of a given bandwidth.
Select 'Add CBQ' from the menu :
The CBQ configuration asks for the total bandwith of interface eth1 and the average packet size (10Mbit and 1000 bytes) :
After setting up the CBQ qeueuing discipline, one can starts adding multiple classes (use the 'Add class' menu) :
The following is an example where a 8Mbit class is added (bounded and isolated) :
A queueing discipline must then be installed for the class that we created (ipmenu has called the class "8001:8001") :
Simply use the default parameters for the SFQ queueing discipline.
The situation is now as follows : eth1 has a CBQ with a class (called 8001:8001) installed on it with a "leaf" queueing discipline of SFQ.
Go to the Netfilter "Mangle" table and mark traffic to go to class 8001:8001 : select 8001:8001 from the Choices menu (F2) for all traffic to TCP port 8080, for example :
The "Show" item can be used to see whether traffic is "matched" and marked by the rule :
If you go to the queuing statistics you can see traffic distribution over the qdiscs. Note that incoming traffic on 8080 (although it was "marked" by netfilter) is not displayed (only outgoing traffic , traffic that is "sent" is classified) :
ipmenu also has some support for adding a "subclass" of a class : select the class 8001:8001 and then go to "Subclasses" (Add class) :
The following screenshot shows how to add a 500K class in the 8Mbit class that we've created before :
The class (when saved using F3) will be assigned a name, such as
8001:8002. Just as before, you can add a SFQ queueing discpline
to this class, and configure the Netfilter Mangle table to MARK traffic
using thet 8001:8002 class key.