Firewall Wizards mailing list archives
Re: Linux firewall help... (static NAT)
From: Wes Chalfant <wes () peabody com>
Date: Mon, 14 Aug 2000 13:55:57 -0700
Daniel Linder wrote:
> I'm currently tasked with configuring a Linux firewall (two network cards, one with a "live" IP address, and one with an RFC 1918 address). The firewall will be configured to listen to two additional IP addresses and re-direct specific incoming ports to two servers hidden on the internal network. I have the multiple IP addresses setup on the firewall, and I have setup my home Linux firewall to do Masquerading so I think that is going to go well, but what I need help with is the redirection part. (FYI, I am using an old Pentium with Mandrake 7.1 installed, 2.2.16 kernel.)
>
> From reading the IPChains HOWTO file, it appears that the "-j REDIRECT" chain only redirects to a port on the FIREWALL, not to another system. If someone could show me how to redirect a connection to "real IP Address A, Port X" to the "hidden 10.0.0.1, Port X" I would be really happy! (If it helps, the ports are HTTP, HTTPS, PCAnywhere, and FTP, but all I really need is a boiler plate for the inbound redirection.)
There are (at least) two ways that you can have a port redirected under Linux. You can run an inbound proxy for the port (e.g. "redir" or "rinetd") or you can configure the firewall kernel routing code to forward traffic. The kernel level forwarding is probably better in most cases; for example, the kernel forwarding retains the source IP information.

The code to do kernel level port redirection is included in the 2.2 kernels. ipmasqadm, the utility to configure the kernel level redirection, is not included in most Linux distributions, however. You can get a copy from the RedHat "contrib" directory; a copy of that rpm is also on "rpmfind.net" at http://rpmfind.net/linux/RPM/contrib/libc6/i386/ipmasqadm-0.4.2-3.i386.html.

The command you'd use would be something like:

    ipmasqadm portfw -a -P tcp -L <external_ip> <port> -R <internal_ip> <port>

Note that for the reverse routing to work properly, you need to configure masquerading on connections forwarded from the internal hosts to the Internet. You don't have to configure masquerading for all internal hosts; it is sufficient to just enable masquerading for the internal boxes receiving the port mapped packets. The masquerading code will rewrite the source addresses of reply packets appropriately; source port numbers will also be rewritten if necessary (i.e. if the port on the firewall is different from the port on the internal machine).

ipmasqadm can also be used to configure the kernel to forward traffic on one port to multiple servers. I've never used that feature so I don't know how well it works.

There is some documentation regarding ipmasqadm in section 6.8 of the "Linux IP Masquerade HOWTO" (http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html).
> As a side note, will the reply packet sent back out to the Internet come from the firewall, or is it possible to setup a "Static NAT" between the aliased IP address and the internal IP address of the server?
Reply packets will have their source addresses modified to the appropriate external IP address by the masquerading code; that is why you have to enable masquerading of packets forwarded from the internal machine involved to the Internet. Packets will appear to be coming back from the appropriate external IP address/port (the value of the -L option to ipmasqadm portfw).
> If this is too complicated, can someone show me an example that takes and re-directs EVERYTHING through from address X to address Y (a simple, two-way static NAT)?
Linux 2.2 kernels can also support static NAT, but it's actually a bit harder to set up than port forwarding. The code needed to support static NAT is included in the 2.2 kernel sources, but most distributions don't configure the routing options needed to support static NAT in their prebuilt kernels -- a kernel rebuild is usually necessary. Oddly enough, the utility that programs NAT (the "ip" program in the "iproute" package) is included with many distributions (e.g. RedHat 6.x).

First, you need to configure the kernel with "advanced routing" support. The advanced routing code is included in the standard source, but it isn't normally selected in the standard redhat configurations. You'll need to install the kernel sources (if you haven't already), turn on the "advanced routing" and "policy routing" features and build/install a new kernel. If you haven't reconfigured a kernel before, http://www.redhat.com/mirrors/LDP/HOWTO/Kernel-HOWTO.html may help.

The utility that you use to configure the advanced routing is called "ip". It's in the iproute package; the iproute package is included in RedHat 6.1/6.2 releases (iproute-2.2.4-2.i386.rpm). iproute is not normally installed; you'll probably have to install it. If you're not using RedHat, note that the iproute package is sometimes called "iproute2" in other distributions.

Two ip commands are needed -- one to set up the inbound packet forwarding/translation and one to set up the outbound translation. The commands look like:

    ip route add nat <external-IP-address> via <internal-IP-address>
    ip rule add prio 320 from <internal-IP-address> nat <external-IP-address>

You don't need to do anything to cause <external-IP-address> to be advertised -- it will be put in the ARP table automatically by the ip route command. It's not necessary to create an "alias" network interface.

See /usr/doc/iproute-2.2.4 (after you've installed the iproute package) for what documentation exists. ip-cref.ps in that directory contains information about the "nat" options to "ip route" and "ip rule".

-- 
Wes Chalfant
Peabody Systems
wes () peabody com
(714) 639-8643   FAX (714) 639-2817
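As an added example (not code from the original post), a small sh script that generates the ipmasqadm portfw entries for one hidden server, the matching ipchains MASQ rule that Wes says is needed for the reply traffic, and the two-command static-NAT alternative. The external address 203.0.113.10, the interface name eth0 and the PCAnywhere TCP port 5631 are assumptions; 10.0.0.1 is the hidden host from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the rule set by default;
# run with APPLY=1 on the firewall to execute it. All addresses are placeholders.
EXT_IP="${EXT_IP:-203.0.113.10}"   # assumed: one of the extra "live" addresses
INT_IP="${INT_IP:-10.0.0.1}"       # hidden server from the question
EXT_IF="${EXT_IF:-eth0}"           # assumed: external interface name
PORTS="${PORTS:-80 443 5631 21}"   # HTTP, HTTPS, PCAnywhere (assumed 5631), FTP

# Kernel port forwarding only works when IP forwarding is enabled.
forwarding_rule() {
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# One portfw entry per port; external and internal port are the same here,
# so the masquerading code will not need to rewrite reply source ports.
portfw_rules() {
  ext="$1"; int="$2"; shift 2
  for p in "$@"; do
    echo "ipmasqadm portfw -a -P tcp -L $ext $p -R $int $p"
  done
}

# Replies from the hidden host must be masqueraded so their source address is
# rewritten back to the external IP. Only that host is masqueraded, not the
# whole internal network, which keeps the rule set minimal.
masq_rule() {
  echo "ipchains -A forward -s $1/32 -i $2 -j MASQ"
}

# Alternative from the second half of the reply: full static NAT via iproute
# (needs a kernel built with advanced and policy routing). Not emitted by default.
static_nat_rules() {
  echo "ip route add nat $1 via $2"
  echo "ip rule add prio 320 from $2 nat $1"
}

emit_all() {
  forwarding_rule
  portfw_rules "$EXT_IP" "$INT_IP" $PORTS
  masq_rule "$INT_IP" "$EXT_IF"
}

if [ "${APPLY:-0}" = 1 ]; then emit_all | sh; else emit_all; fi
```

Run it once without APPLY to review the generated commands before executing them.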