Firewall Wizards mailing list archives

RE: Linux firewall help...


From: Keith Morgan <kmorgan () imixinc com>
Date: Mon, 14 Aug 2000 10:47:12 -0400

Below is a snippet from a previous thread on this list.
I was having basically the same type of problem with my linux firewall at
which point Wes Chalfant steered me in a very good direction.

Below is a snippet from his response to *MY* question.

Thanks again, Wes.  This has been really helpful.


/********** Start Snippet ************/

        You can do this by using the port forwarding feature of Linux 2.2
networking.  You can configure this most easily with ipmasqadm. 
ipmasqadm is not included in most standard distributions, however. 
You can get a copy from the RedHat "contrib" directory; a copy of that
rpm is also on "rpmfind.net" at
http://rpmfind.net/linux/RPM/contrib/libc6/i386/ipmasqadm-0.4.2-3.i386.html.

The commands you'd use would be something like:
  ipmasqadm portfw -a -P tcp -L <external_ip> http -R <iis_ip> http
  ipmasqadm portfw -a -P tcp -L <external_ip> https -R <iis_ip> https
where external_ip is the external IP address at which you want the web
server to appear and iis_ip is the internal address of the IIS server.

        Note that for the reverse routing to work properly, you need to
configure masquerading on connections forwarded from the IIS machine
to the Internet.  You don't have to configure masquerading for all
internal hosts (although perhaps you already do).  The masquerading
causes the packets returned from the IIS server to have the source
address changed to the external address of the firewall (which is what
the client is expecting).

        Incoming packets to the forwarded ports have their destination IP
addresses rewritten to "iis_ip" and are forwarded to "iis_ip" by the
firewall; their source addresses are unchanged.  Packets from "iis_ip"
have the client's IP address as their destination; these are routed by
the firewall masquerade code which rewrites the source address to the
external IP address of the firewall.  From the client's standpoint,
all packets are between itself and the external IP address; from the
IIS server's standpoint all packets are between itself and the actual
client IP address.  As a result, the logs show actual client IP
addresses and everything works.

        ipmasqadm can also be used to configure the kernel to forward traffic
on one port to multiple servers.  I've never used that feature so I
don't know how well it works.

        There is some documentation regarding ipmasqadm in section 6.8 of the
"Linux IP Masquerade HOWTO"
(http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html)


/********** End Snippet ************/
-----Original Message-----
From: Daniel Linder [mailto:dlinder () iprev com]
Sent: Saturday, August 12, 2000 5:57 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] Linux firewall help...


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, first off let me apologize for asking quite basic questions, but
I have run out of on-line options to study.

        I'm currently tasked with configuring a Linux firewall (two network
cards,  one with a "live" IP address, and one with an RFC 1918
address).  The firewall will be configured to listen to two
additional IP addresses and re-direct specific incoming ports to two
servers hidden on the internal network.  I have the multiple IP
addresses set up on the firewall, and I have set up my home Linux
firewall to do Masquerading so I think that is going to go well, but
what I need help with is the redirection part.  (FYI, I am using an
old Pentium with Mandrake 7.1 installed, 2.2.16 kernel.)

        From reading the IPChains HOWTO file, it appears that the "-j
REDIRECT" chain only redirects to a port on the FIREWALL, not to
another system.  If someone could show me how to redirect a
connection to "real IP Address A, Port X" to the "hidden 10.0.0.1,
Port X" I would be really happy!  (If it helps, the ports are HTTP,
HTTPS, PCAnywhere, and FTP, but all I really need is a boilerplate
for the inbound redirection.)

        As a side note, will the reply packet sent back out to the Internet
come from the firewall, or is it possible to setup a "Static NAT"
between the aliased IP address and the internal IP address of the
server?

        If this is too complicated, can someone show me an example that
takes and re-directs EVERYTHING through from address X to address Y
(a simple, two-way static NAT)?

Dan

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOZXIGGAbmmZFgUT8EQKeDACfeIyAhNxiKWtgzti3+WeElzVzfy0AoIHK
9OcVP88b7FkqnUEYva/2Ct9g
=ejx3
-----END PGP SIGNATURE-----


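The address rewriting Wes describes (destination rewritten on the way in, source rewritten by the masquerade code on the way out, so the client only ever talks to the external address while the IIS log records the real client) is easy to get half right: the portfw rule alone does not make the reply come from the external address. The model below is an added illustration written for this archive page, not code from the thread, from ipmasqadm, or from the 2.2 kernel; the class and function names, the TEST-NET addresses and the "conntrack" table are the author's own simplifications of the behaviour the message explains. It runs both flows, with and without masquerading on the internal network, so the failure mode (a reply leaving with a 10.x source address) is visible.

```python
"""Toy model of Linux 2.2-style port forwarding plus masquerading, as described
in the thread above.  Illustration only; it is not the kernel's NAT code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Firewall:
    """Holds a portfw table (like `ipmasqadm portfw -a`) and the list of
    internal networks that are masqueraded (like an ipchains -j MASQ rule)."""

    def __init__(self, masq_networks):
        self.masq_networks = [ip_network(n) for n in masq_networks]
        # (proto, local_ip, local_port) -> (remote_ip, remote_port)
        self.portfw = {}
        # reverse mapping so a reply can be given the external address and
        # port the client actually connected to (simplified connection table)
        self.conntrack = {}

    def portfw_add(self, proto, local_ip, local_port, remote_ip, remote_port):
        self.portfw[(proto, local_ip, local_port)] = (remote_ip, remote_port)

    def _masqueraded(self, ip):
        return any(ip_address(ip) in net for net in self.masq_networks)

    def inbound(self, pkt):
        """Packet arriving on the external interface.  Returns the packet as
        the internal server receives it, or None if no portfw rule matches."""
        target = self.portfw.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None
        remote_ip, remote_port = target
        # Source address is left alone: the server's logs see the real client.
        self.conntrack[(pkt.proto, pkt.src_ip, pkt.src_port, remote_ip, remote_port)] = (
            pkt.dst_ip, pkt.dst_port)
        return replace(pkt, dst_ip=remote_ip, dst_port=remote_port)

    def outbound(self, pkt):
        """Packet from an internal host towards the Internet.  Returns the
        packet as the client receives it."""
        if not self._masqueraded(pkt.src_ip):
            # No MASQ rule covers this host: the RFC 1918 source goes out as-is
            # and the client will not match it to its connection.
            return pkt
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.conntrack:
            ext_ip, ext_port = self.conntrack[key]
            return replace(pkt, src_ip=ext_ip, src_port=ext_port)
        return pkt  # new outbound connections (masq port allocation) not modelled


def exchange(fw, client_ip, external_ip, port, client_port=40000):
    """Run one request/reply through the firewall and report both viewpoints."""
    request = Packet(client_ip, client_port, external_ip, port)
    at_server = fw.inbound(request)
    if at_server is None:
        return {"forwarded": False}
    # The server answers whatever addresses it saw on the request.
    reply = Packet(at_server.dst_ip, at_server.dst_port, at_server.src_ip, at_server.src_port)
    at_client = fw.outbound(reply)
    return {
        "forwarded": True,
        "server_sees_client": at_server.src_ip,          # what the IIS log records
        "client_sees_reply_from": at_client.src_ip,      # should equal external_ip
        "reply_matches_connection": (at_client.src_ip == external_ip
                                     and at_client.src_port == port),
    }


if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 test networks, 10/8 inside).
    external, iis, client = "203.0.113.10", "10.0.0.1", "198.51.100.7"
    for masq in (["10.0.0.0/24"], []):
        fw = Firewall(masq)
        fw.portfw_add("tcp", external, 80, iis, 80)
        fw.portfw_add("tcp", external, 443, iis, 443)
        print("masquerade on" if masq else "masquerade off", exchange(fw, client, external, 443))
```

With the 10.0.0.0/24 network masqueraded, `reply_matches_connection` is true and the server still logs 198.51.100.7; with no MASQ rule the same forwarding rules deliver the request but the reply leaves with 10.0.0.1 as its source, which is exactly the "reverse routing" gap the message warns about.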
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards