IPmenu is a user interface to Netfilter/iptables and Linux policy routing or traffic control, allowing you to edit firewall rules and configure the firewall to "mark" packets for policy routing or for class-based queueing (CBQ).

Netfilter is the Linux 2.4 subsystem for configuring a multi-homed Linux server as a packet filter or as a NAT (network address translation) device.

The server can be managed on the console, over a serial, terminal or modem dial-up connection, or over SSH, either from the command line (with the iptables command) or using IPmenu, which is a more user-friendly alternative.

For example, the command-line tool "iptables" allows one to specify various actions to be taken when rejecting (dropping) a packet, such as ICMP host unreachable or TCP reset.

IPmenu does the same thing, but IPmenu lists the various possibilities in "menus" and "forms" that can be navigated through using the arrow and function keys (see screenshot below) so that one doesn't have to memorize the various possibilities.

Setting up netfilter and iptables

This is beyond the scope of this document, but you have to configure the Linux 2.4 kernel and enable Netfilter. For example, on my machine I have the following iptable modules loaded:

Module Size Used by
sch_cbq 10768 0 (unused)
cls_fw 1888 0 (unused)
ipt_state 800 0 (unused)
ipt_limit 1040 0 (unused)
ipt_MASQUERADE 1280 1
ipt_REDIRECT 928 0 (unused)
ipt_REJECT 2016 0 (unused)
ipt_LOG 3280 0 (unused)
iptable_mangle 1856 0 (unused)
iptable_filter 1856 0 (unused)
iptable_nat 12640 0 [ipt_MASQUERADE ipt_REDIRECT]
ip_conntrack 12672 2 [ipt_state ipt_MASQUERADE ipt_REDIRECT iptable_nat]
ip_tables 10624 11 [ipt_state ipt_limit ipt_MASQUERADE ipt_REDIRECT ipt_REJECT ipt_LOG iptable_mangle iptable_filter iptable_nat]
hisax 127472 0 (unused)
isdn 69360 0 [hisax]
3c59x 23584 2
bsd_comp 4144 0 (unused)
ppp_generic 12672 0 [bsd_comp]
slip 7968 0 (unused)
lp 4688 0 (unused)
parport_pc 10656 1
parport 14240 1 [lp parport_pc]

Obviously the necessary kernel modules must be installed (and loaded if necessary) before iptables or IPmenu can work.
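
One way to perform that check before loading any rules, as an added example (not part of IPmenu or the original page): a shell function that reads lsmod output and lists the required modules that are not loaded. The required list and the sample listing are assumptions constructed from the module names shown above.

```shell
#!/bin/sh
# Added example: list required Netfilter modules missing from lsmod output.

# missing_modules MODULE... < lsmod-output
# Prints every requested module that is not named in column 1 of the input.
# Matching the whole first field avoids substring hits (e.g. "ppp" inside
# "ppp_generic") and ignores names that only occur in the "Used by" list.
missing_modules() {
    awk -v want="$*" '
        NR == 1 && $1 == "Module" { next }   # skip the header row
        NF > 0 { loaded[$1] = 1 }            # column 1 is the module name
        END {
            n = split(want, req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in loaded)) print req[i]
        }'
}

# Assumed requirement list for illustration, using names from the listing above.
REQUIRED="ip_tables iptable_filter iptable_nat iptable_mangle ip_conntrack ipt_state ipt_REJECT"

# Constructed sample: lsmod-style output with iptable_mangle and ipt_REJECT
# deliberately left out.
sample_lsmod() {
    cat <<'EOF'
Module                  Size  Used by
ipt_state                800   0 (unused)
ipt_MASQUERADE          1280   1
iptable_filter          1856   0 (unused)
iptable_nat            12640   0 [ipt_MASQUERADE]
ip_conntrack           12672   2 [ipt_state ipt_MASQUERADE iptable_nat]
ip_tables              10624   4 [ipt_state ipt_MASQUERADE iptable_filter iptable_nat]
ppp_generic            12672   0 (unused)
3c59x                  23584   2
EOF
}

# Run the check against the constructed sample.
check_sample() {
    # $REQUIRED is intentionally unquoted so it splits into separate arguments.
    sample_lsmod | missing_modules $REQUIRED
}

check_sample
```

On a live system, run `lsmod | missing_modules $REQUIRED` instead. Support compiled directly into the kernel does not appear in lsmod output, so a name reported here may still be available built-in.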
