Firewall Wizards mailing list archives

RE: Linux rinetd and NT IIS logging (synch)


From: Keith Morgan <kmorgan () imixinc com>
Date: Fri, 11 Aug 2000 10:41:58 -0400

Hey, thanks a bunch.

This worked like a charm.  I had considered this before and had trouble with
the ipmasqadm documentation.  The part that I had failed to think of was the
masquerading of the return packets from the webserver through the firewall.


This configuration basically allows me to perform static NAT through linux.
With my background being checkpoint, I saw this as a major limitation of
linux.  Now 'aaah haayave SEEEEN the light!'.

The built-in load balancing is a major plus as well.

Thanks again.

-Keith Morgan
siglite () imixinc com


-----Original Message-----
From: Wes Chalfant [mailto:wes () peabody com]
Sent: Tuesday, August 08, 2000 2:47 PM
To: Keith Morgan
Cc: 'firewall-wizards () nfr net'
Subject: Re: [fw-wiz] Linux rinetd and NT IIS logging (synch)


Keith Morgan wrote:

I'm running a linux ipchains based firewall.  I've been running rinetd for
the http and https service ports, redirecting the traffic off to a DMZ.
(for those of you questioning rinetd's capabilities, so far, no complaints
with a medium traffic load, and no crashing like redir)

Now, IIS reports the source address as the dmz interface on the firewall,
just as rinetd's docs indicate it will.  My question of the day, is: Has
anyone written any scripts or programs to synch rinetd's logs with IIS's
logs?

        I don't know if this applies to your situation or not, but you may
find it simpler to configure the Linux firewall so that the IIS system
receives actual client source IP addresses instead of the DMZ IP
address.  That way, you don't have to try to merge multiple logs.

        You can do this by using the port forwarding feature of Linux 2.2
networking.  You can configure this most easily with ipmasqadm. 
ipmasqadm is not included in most standard distributions, however. 
You can get a copy from the RedHat "contrib" directory; a copy of that
rpm is also on "rpmfind.net" at
http://rpmfind.net/linux/RPM/contrib/libc6/i386/ipmasqadm-0.4.2-3.i386.html.

The commands you'd use would be something like:
  ipmasqadm portfw -a -P tcp -L <external_ip> http -R <iis_ip> http
  ipmasqadm portfw -a -P tcp -L <external_ip> https -R <iis_ip> https
where external_ip is the external IP address at which you want the web
server to appear and iis_ip is the internal address of the IIS server.

        Note that for the reverse routing to work properly, you need to
configure masquerading on connections forwarded from the IIS machine
to the Internet.  You don't have to configure masquerading for all
internal hosts (although perhaps you already do).  The masquerading
causes the packets returned from the IIS server to have the source
address changed to the external address of the firewall (which is what
the client is expecting).

        Incoming packets to the forwarded ports have their destination IP
addresses rewritten to "iis_ip" and are forwarded to "iis_ip" by the
firewall; their source addresses are unchanged.  Packets from "iis_ip"
have the client's IP address as their destination; these are routed by
the firewall masquerade code which rewrites the source address to the
external IP address of the firewall.  From the client's standpoint,
all packets are between itself and the external IP address; from the
IIS server's standpoint all packets are between itself and the actual
client IP address.  As a result, the logs show actual client IP
addresses and everything works.

        ipmasqadm can also be used to configure the kernel to forward traffic
on one port to multiple servers.  I've never used that feature so I
don't know how well it works.

        There is some documentation regarding ipmasqadm in section 6.8 of the
"Linux IP Masquerade HOWTO"
(http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html)

-- 
Wes Chalfant              Peabody Systems             wes () peabody com
                          (714) 639-8643              FAX (714) 639-2817
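The complete rule set Wes describes (inbound port forward plus the return-path masquerade Keith had missed), written up here as an added example rather than anything posted in the thread. It assumes a Linux 2.2 firewall with ipchains and ipmasqadm installed, eth0 as the external interface and eth1 as the DMZ interface (placeholders, not from the thread), and defaults to dry-run mode so the commands are printed for review instead of applied.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates (or applies)
# the Linux 2.2 ipchains/ipmasqadm rules for forwarding HTTP/HTTPS to an
# IIS host so that IIS sees the real client source address.
# Assumed interface names (placeholders): eth0 external, eth1 DMZ.
# DRY_RUN=1 (the default) prints each command instead of executing it.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_webfw EXT_IP IIS_IP [EXT_IF] [DMZ_IF]
# Both halves are required: the portfw entries rewrite only the destination
# of inbound packets, and the MASQ rule rewrites only the source of the
# replies. Without the MASQ rule the IIS host answers the client directly
# with its own DMZ address as source, and the client discards the replies.
build_webfw() {
    ext_ip=$1; iis_ip=$2; ext_if=${3:-eth0}; dmz_if=${4:-eth1}

    # Reject anything that is not a plain dotted-quad before it reaches a
    # command line.
    for a in "$ext_ip" "$iis_ip"; do
        case $a in
            *[!0-9.]*|"") echo "bad address: $a" >&2; return 1 ;;
        esac
    done

    # The kernel must route between the external and DMZ interfaces.
    run sysctl -w net.ipv4.ip_forward=1
    # Inbound: packets for EXT_IP:80/443 get their destination rewritten to
    # IIS_IP; the source address is left alone, which is what lets IIS log
    # the real client.
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$ext_ip" 80 -R "$iis_ip" 80
    run ipmasqadm portfw -a -P tcp -L "$ext_ip" 443 -R "$iis_ip" 443
    # Let the forwarded connections through the forward chain (needed if
    # its default policy is DENY); nothing else in the DMZ is opened.
    run ipchains -A forward -p tcp -d "$iis_ip" 80 -j ACCEPT
    run ipchains -A forward -p tcp -d "$iis_ip" 443 -j ACCEPT
    # Return path: masquerade only the IIS host, only when its traffic is
    # leaving via EXT_IF, so replies carry EXT_IP as their source address.
    run ipchains -A forward -i "$ext_if" -s "$iis_ip"/32 -j MASQ
}
```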

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards