Firewall Wizards mailing list archives
RE: Linux firewall help...
From: Keith Morgan <kmorgan () imixinc com>
Date: Mon, 14 Aug 2000 10:47:12 -0400
Below is a snippet from a previous thread on this list. I was having basically the same type of problem with my Linux firewall, at which point Wes Chalfant steered me in a very good direction. Below is a snippet from his response to *MY* question. Thanks again Wes. This has been really helpful.

/********** Start Snippet ************/

You can do this by using the port forwarding feature of Linux 2.2 networking. You can configure this most easily with ipmasqadm. ipmasqadm is not included in most standard distributions, however. You can get a copy from the RedHat "contrib" directory; a copy of that rpm is also on "rpmfind.net" at http://rpmfind.net/linux/RPM/contrib/libc6/i386/ipmasqadm-0.4.2-3.i386.html.

The commands you'd use would be something like:

    ipmasqadm portfw -a -P tcp -L <external_ip> http -R <iis_ip> http
    ipmasqadm portfw -a -P tcp -L <external_ip> https -R <iis_ip> https

where external_ip is the external IP address at which you want the web server to appear and iis_ip is the internal address of the IIS server.

Note that for the reverse routing to work properly, you need to configure masquerading on connections forwarded from the IIS machine to the Internet. You don't have to configure masquerading for all internal hosts (although perhaps you already do). The masquerading causes the packets returned from the IIS server to have the source address changed to the external address of the firewall (which is what the client is expecting).

Incoming packets to the forwarded ports have their destination IP addresses rewritten to "iis_ip" and are forwarded to "iis_ip" by the firewall; their source addresses are unchanged. Packets from "iis_ip" have the client's IP address as their destination; these are routed by the firewall masquerade code, which rewrites the source address to the external IP address of the firewall. From the client's standpoint, all packets are between itself and the external IP address; from the IIS server's standpoint, all packets are between itself and the actual client IP address. As a result, the logs show actual client IP addresses and everything works.

ipmasqadm can also be used to configure the kernel to forward traffic on one port to multiple servers. I've never used that feature so I don't know how well it works. There is some documentation regarding ipmasqadm in section 6.8 of the "Linux IP Masquerade HOWTO" (http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html).

/********** End Snippet ************/

-----Original Message-----
From: Daniel Linder [mailto:dlinder () iprev com]
Sent: Saturday, August 12, 2000 5:57 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] Linux firewall help...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, first off let me apologize for asking quite basic questions, but I have run out of on-line options to study.

I'm currently tasked with configuring a Linux firewall (two network cards, one with a "live" IP address, and one with an RFC 1918 address). The firewall will be configured to listen to two additional IP addresses and re-direct specific incoming ports to two servers hidden on the internal network. I have the multiple IP addresses set up on the firewall, and I have set up my home Linux firewall to do Masquerading so I think that is going to go well, but what I need help with is the redirection part. (FYI, I am using an old Pentium with Mandrake 7.1 installed, 2.2.16 kernel.)

From reading the IPChains HOWTO file, it appears that the "-j REDIRECT" chain only redirects to a port on the FIREWALL, not to another system. If someone could show me how to redirect a connection to "real IP Address A, Port X" to the "hidden 10.0.0.1, Port X" I would be really happy! (If it helps, the ports are HTTP, HTTPS, PCAnywhere, and FTP, but all I really need is a boiler plate for the inbound redirection.)

As a side note, will the reply packet sent back out to the Internet come from the firewall, or is it possible to set up a "Static NAT" between the aliased IP address and the internal IP address of the server? If this is too complicated, can someone show me an example that takes and re-directs EVERYTHING through from address X to address Y (a simple, two-way static NAT)?

Dan

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOZXIGGAbmmZFgUT8EQKeDACfeIyAhNxiKWtgzti3+WeElzVzfy0AoIHK
9OcVP88b7FkqnUEYva/2Ct9g
=ejx3
-----END PGP SIGNATURE-----

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
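The forward Wes describes, as an added example that is not part of the original posts or of ipmasqadm's own documentation: a small sh script that prints the 2.2-kernel commands (the ipmasqadm portfw entries on the public alias, the ipchains MASQ rule for the hidden server's replies, and the matching input-chain accept) and executes them only when run as root with APPLY=1. The addresses 192.0.2.10 and 10.0.0.1, the interface name eth0 and the port list are placeholders, not values from the thread. The script refuses a forward target outside RFC 1918 and exposes only the ports listed; FTP is left out, since its data connections need more than a single port forward.

```shell
#!/bin/sh
# Added example, not from the list post. Generates (and optionally
# applies) the 2.2-kernel ruleset described above: ipmasqadm portfw
# entries on a public alias plus the ipchains MASQ rule for the hidden
# server's replies. Addresses, interface and port list are placeholders
# (assumptions); override them through the environment. Without APPLY=1
# nothing is executed: the commands are only printed for review.

EXT_IP="${EXT_IP:-192.0.2.10}"   # public alias on the firewall (placeholder)
SRV_IP="${SRV_IP:-10.0.0.1}"     # hidden server, RFC 1918 (placeholder)
EXT_IF="${EXT_IF:-eth0}"         # interface carrying the public alias
PORTS="${PORTS:-80 443}"         # TCP ports to forward, space separated

# is_private_v4 ADDR: succeed only for RFC 1918 addresses. The forward
# target must be an internal host; refuse to build rules otherwise.
is_private_v4() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# emit_rules EXT_IP SRV_IP EXT_IF PORT...: print one command per line,
# in the order they should be applied.
emit_rules() {
    ext="$1"; srv="$2"; ifc="$3"; shift 3
    is_private_v4 "$srv" || {
        echo "refusing: $srv is not an RFC 1918 address" >&2
        return 1
    }
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Replies from the hidden server leave masqueraded, so the client
    # sees them coming from the firewall's public address, as the
    # snippet explains. Only this host is masqueraded, nothing else.
    echo "ipchains -A forward -i $ifc -s $srv/32 -j MASQ"
    for p in "$@"; do
        # The input chain still sees the packet addressed to EXT_IP:PORT,
        # so it must be accepted there if the input policy is DENY/REJECT.
        echo "ipchains -A input -i $ifc -p tcp -d $ext $p -j ACCEPT"
        # One portfw entry per port; every other port on SRV_IP stays
        # unreachable from outside.
        echo "ipmasqadm portfw -a -P tcp -L $ext $p -R $srv $p"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    # Apply for real (root on the 2.2 firewall). eval is used because
    # the ip_forward line contains a redirection.
    emit_rules "$EXT_IP" "$SRV_IP" "$EXT_IF" $PORTS | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
else
    emit_rules "$EXT_IP" "$SRV_IP" "$EXT_IF" $PORTS
fi
```

Run it once without APPLY to read the output, then `APPLY=1 EXT_IP=... SRV_IP=... PORTS="80 443" sh portfw.sh` on the firewall. Before going live, watch a forwarded connection from outside with tcpdump and confirm which source address the reply packets actually carry; that answers the "static NAT" question for the aliased address on your own kernel rather than by assumption.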