Firewall Wizards mailing list archives

Re: Linux firewall help... (static NAT)


From: Wes Chalfant <wes () peabody com>
Date: Mon, 14 Aug 2000 13:55:57 -0700

Daniel Linder wrote:

> I'm currently tasked with configuring a Linux firewall (two network
> cards, one with a "live" IP address, and one with an RFC 1918
> address). The firewall will be configured to listen to two
> additional IP addresses and re-direct specific incoming ports to two
> servers hidden on the internal network. I have the multiple IP
> addresses setup on the firewall, and I have setup my home Linux
> firewall to do Masquerading so I think that is going to go well, but
> what I need help with is the redirection part. (FYI, I am using an
> old Pentium with Mandrake 7.1 installed, 2.2.16 kernel.)

> From reading the IPChains HOWTO file, it appears that the "-j
> REDIRECT" chain only redirects to a port on the FIREWALL, not to
> another system. If someone could show me how to redirect a
> connection to "real IP Address A, Port X" to the "hidden 10.0.0.1,
> Port X" I would be really happy! (If it helps, the ports are HTTP,
> HTTPS, PCAnywhere, and FTP, but all I really need is a boiler plate
> for the inbound redirection.)

        There are (at least) two ways that you can have a port redirected
under Linux.  You can run an inbound proxy for the port (e.g. "redir"
or "rinetd") or you can configure the firewall kernel routing code to
forward traffic.  The kernel level forwarding is probably better in
most cases; for example, the kernel forwarding retains the source IP
information.

        The code to do kernel level port redirection is included in the 2.2
kernels.  ipmasqadm, the utility to configure the kernel level
redirection, is not included in most Linux distributions, however. 
You can get a copy from the RedHat "contrib" directory; a copy of that
rpm is also on "rpmfind.net" at
http://rpmfind.net/linux/RPM/contrib/libc6/i386/ipmasqadm-0.4.2-3.i386.html. 
The command you'd use would be something like:
  ipmasqadm portfw -a -P tcp -L <external_ip> <port> -R <internal_ip> <port>

        Note that for the reverse routing to work properly, you
need to configure masquerading on connections forwarded from the
internal hosts to the Internet.  You don't have to configure
masquerading for all internal hosts; it is sufficient to just enable
masquerading for the internal boxes receiving the port mapped
packets.  The masquerading code will rewrite the source addresses of
reply packets appropriately; source port numbers will also be
rewritten if necessary (i.e. if the port on the firewall is different
from the port on the internal machine).

        ipmasqadm can also be used to configure the kernel to forward
traffic on one port to multiple servers.  I've never used that feature
so I don't know how well it works.

        There is some documentation regarding ipmasqadm in section 6.8
of the "Linux IP Masquerade HOWTO"
(http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html)

> As a side note, will the reply packet sent back out to the Internet
> come from the firewall, or is it possible to setup a "Static NAT"
> between the aliased IP address and the internal IP address of the
> server?

        Reply packets will have their source addresses modified to the
appropriate external IP address by the masquerading code; that is why
you have to enable masquerading of packets forwarded from the internal
machine involved to the Internet.  Packets will appear to be coming
back from the appropriate external IP address/port (the value of the
-L option to ipmasqadm portfw).

> If this is too complicated, can someone show me an example that
> takes and re-directs EVERYTHING through from address X to address Y
> (a simple, two-way static NAT)?

        Linux 2.2 kernels can also support static NAT, but it's actually a
bit harder to set up than port forwarding.  The code needed to support
static NAT is included in the 2.2 kernel sources, but most
distributions don't configure the routing options needed to support
static NAT in their prebuilt kernels -- a kernel rebuild is usually
necessary.  Oddly enough, the utility that programs NAT (the "ip"
program in the "iproute" package) is included with many distributions
(e.g. RedHat 6.x).

        First, you need to configure the kernel with "advanced routing"
support.  The advanced routing code is included in the standard
source, but it isn't normally selected in the standard redhat
configurations.  You'll need to install the kernel sources (if you
haven't already), turn on the "advanced routing" and "policy routing"
features and build/install a new kernel.  If you haven't reconfigured
a kernel before,
http://www.redhat.com/mirrors/LDP/HOWTO/Kernel-HOWTO.html may help.

        The utility that you use to configure the advanced routing is called
"ip".  It's in the iproute package; the iproute package is included in
RedHat 6.1/6.2 releases (iproute-2.2.4-2.i386.rpm).  iproute is not
normally installed; you'll probably have to install it.  If you're not
using RedHat, note that the iproute package is sometimes called
"iproute2" in other distributions.

        Two ip commands are needed -- one to set up the inbound packet
forwarding/translation and one to set up the outbound translation. 
The commands look like:

   ip route add nat <external-IP-address> via <internal-IP-address>
   ip rule add prio 320 from <internal-IP-address> nat <external-IP-address>

        You don't need to do anything to cause <external-IP-address> to be
advertised -- it will be put in the ARP table automatically by the ip
route command.  It's not necessary to create an "alias" network
interface.  

        See /usr/doc/iproute-2.2.4 (after you've installed the iproute
package) for what documentation exists.  ip-cref.ps in that directory
contains information about the "nat" options to "ip route" and "ip
rule".

-- 
Wes Chalfant              Peabody Systems             wes () peabody com
                          (714) 639-8643              FAX (714) 639-2817

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
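As an added example (not part of the mail above or of the ipmasqadm/iproute projects), the following script emits the ipchains/ipmasqadm command set for the port-forwarding setup Wes describes, including the MASQ rule the reply path needs, and the two "ip" lines for the static-NAT variant. The external addresses (203.0.113.x, TEST-NET) and the port list are constructed placeholders; the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the original mail. Prints the commands for the
# 2.2-kernel setups discussed above; nothing is executed here, so it can be
# reviewed before being run on the firewall.
# All addresses are constructed placeholders (203.0.113.0/24 is TEST-NET).

# gen_portfw EXT_IP INT_IP PORT...  -> ipchains + ipmasqadm portfw rules
gen_portfw() {
    ext_ip=$1; int_ip=$2; shift 2
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Reverse path: replies from the hidden host must be masqueraded back to
    # EXT_IP, otherwise they leave with a 10.x source and die upstream.
    echo "ipchains -A forward -s $int_ip/32 -j MASQ"
    # Forwarded packets also traverse the forward chain; allow them in case
    # the chain's default policy is DENY.
    echo "ipchains -A forward -d $int_ip/32 -j ACCEPT"
    for port in "$@"; do
        # Accept only the forwarded ports on the alias address (input chain
        # sees the original destination, before portfw rewrites it) ...
        echo "ipchains -A input -p tcp -d $ext_ip/32 $port -j ACCEPT"
        # ... and hand exactly those to the kernel port forwarder.
        echo "ipmasqadm portfw -a -P tcp -L $ext_ip $port -R $int_ip $port"
    done
    # Anything else aimed at the alias address is dropped and logged.
    echo "ipchains -A input -d $ext_ip/32 -j DENY -l"
}

# gen_staticnat EXT_IP INT_IP -> 1:1 NAT via the advanced-routing code
gen_staticnat() {
    ext_ip=$1; int_ip=$2
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "ip route add nat $ext_ip via $int_ip"           # inbound translation
    echo "ip rule add prio 320 from $int_ip nat $ext_ip"  # outbound translation
}

# count_portfw EXT_IP INT_IP PORT... -> number of portfw lines (one per port)
count_portfw() {
    gen_portfw "$@" | grep -c '^ipmasqadm portfw'
}

# Sample run with constructed values: alias 203.0.113.10 -> hidden 10.0.0.1
gen_portfw 203.0.113.10 10.0.0.1 80 443
gen_staticnat 203.0.113.11 10.0.0.2
```

Note that FTP is only partly covered by a fixed port list: a passive-mode data connection arrives on a high port that portfw does not know about, so an FTP server behind this setup needs the masquerade FTP helper or a passive port range forwarded explicitly.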

