IPChains and Firewalling 20
Vertigo1 asks:  
"I have a Cable Modem with RoadRunner. I have a Dual
Pentium 200 machine (w/two NICs), running Red Hat 6.0
w/the latest errata updates. I am going to set up a firewall
w/ipchains. I have a Citrix (i.e. Terminal Server) behind
the firewall I want to connect to from the Internet and an
FTP server also. How do I set up IPChains to forward to
the Citrix server (which uses tcp port 1494) and then to
an internal FTP server (tcp port 21 and ftp-data). I
understand how ipchains works and have read thoroughly the
IPChains-HOWTO, but I still cannot connect to the
Citrix server from the Internet. Please help!" This is
a common misconception. IPChains is good for configuring
what gets in and out of your network on a packet level, but
this is a redirection problem. Anyone know where
you can find a good port redirection program on the 'net?
IPChains-Howto (Score:1)
I resorted to trial and error and finally got what I needed from it.
How about a how-to that has less emphasis on the differences between the 2 and just has information regarding IPCHAINS.
ipmasqadm (Score:1)
but Vertigo1 can search for this package on (for example) http://rufus.w3.org/linux/RPM/ [w3.org].
TCPbridge (Score:1)
There's a VERY simple program, called tcpbridge (do a websearch on tcpbridge.c), which does simple forwarding of TCP/IP sockets. It has a few problems, though; for example, under certain circumstances (such as a socket unexpectedly closing or whatever), it goes into a CPU-thrashing state. Also, it has no logging facilities, and any connection will look like it came from the bridge box (this actually caused me some grief, when someone caused some general mischief and I had no idea where it came from). Something at the protocol/packet level would be much nicer than such an inelegant solution.
Now, I have seen references to IPchains being used for forwarding, but they didn't go into detail and so I don't know if they're just spread misconceptions (which I am guilty of perpetrating, myself, as is anyone else who reads too much into the description of IPchains).
---
"'Is not a quine' is not a quine" is a quine.
redir will CHANGE YOUR LIFE (Score:1)
yeah, check the above threads. redir kicks arse. i spent like three hours trying to read the "english" docs to ipmasqadm and dorking around with ipportfw, found redir and had an Exchange box doing SMTP and POP behind a Linux firewall in all of 20 minutes.
follow the path of least resistance, grasshoppah...
Re:redir (Score:1)
Pretty simple to configure, here's a sample line:
$redir --bind_addr=$myip --laddr=$myip --lport=2346 --caddr 192.168.2.4 --cport=2346 --transproxy 2>>
$redir = variable I set for my redir binary (/usr/local/sbin/redir)
$myip = My external IP
I redirect stderr to a log to find out if things are funky and then send it to the background.
This particular redirect of port 2346 is for a game that I play (rainbow 6) so I can host games from my workstation inside the firewall.
I'm assuming your IPChains is configured to let the allowed port in. Here's my IP chain line to let the allowed port in:
$ipchains -A eth0-in -p TCP -s 0.0.0.0/0 -d $myip 1024:5999 -j ACCEPT
I basically accept most traffic at unprivileged ports. Again, $myip = my external NIC. $ipchains is my ip chains binary.
Most of my rules I got from the IPChains-HOWTO examples. I modified from there.
Re:redir will CHANGE YOUR LIFE (Score:2)
I use a 2.0.36 Linux box that acts as a firewall and IPMasq (NAT) router. In order to play any cool game that requires a connection be made from the game server back to the client (StarCraft etc) I have to create a port forward using `ipautofw`.
Example of my IPMasq and forwarding setup.
# Permit IP masquerading for the 192.168.1.* network
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
# set up auto forward for StarCraft
ipautofw -A -r tcp 6112 6112 -h 192.168.1.12
ipautofw -A -r udp 6112 6112 -h 192.168.1.12
I have also used redir, which is extremely easy to set up on any Linux machine. I don't think it requires any special kernel mods.
Also consider checking out the Linux Router Project [linuxrouter.org]. You can download a 1440Kb disk image that contains a complete Linux system already set up with everything you need sans redir. If you compile redir and copy it to the disk, you can mount the disk and back up the root.lrp with redir included. LRP will save you a lot of time in building out your own NAT router. It's a really cool tool!
Chase
Re:redir Wow! (Score:1)
ipmasqadm portfw (Score:1)
the command i'm using in my init script is:
ipmasqadm portfw -a -P tcp -L YOUR.EXTERNAL.IP.ADDRESS 80 -R 192.168.0.250 80
excuse my bad English... I'm just trying to help!
Re:I'm not the only one! (Score:1)
ipmasqadm portfw -a -P tcp -L 47624 -R 192.168.0.3 47624
in my scripts, I source
.
ipmasqadm portfw -a -P tcp -L $IPADDR 47624 -R 192.168.0.3 47624
Good luck.
ipchains (Score:1)
Kernel PortFW (Score:2)
PORTFW needs to be compiled into your kernel, and may still be listed as experimental (it does work, though). With that done, just grab ipmasqadm (probably comes with RH 6.0) and use:
"ipmasqadm portfw --help" for usage.
Cheers,
-Irian
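To show what the kernel-portfw route the posts above describe looks like end to end for the original Citrix (tcp/1494) and FTP (tcp/21) question, here is an added example; it is not code from the thread or from the ipmasqadm project. It builds an ipchains ruleset with a default-deny input policy, masquerading for the LAN, and `ipmasqadm portfw` entries for the forwarded services, and prints the commands instead of running them unless APPLY=1, so the ruleset can be reviewed before it touches a live box. The interface name, addresses and hosts are constructed placeholders, and the helper names (run_cmd, forward_tcp, forward_tcp_range, build_ruleset) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: build an ipchains + ipmasqadm
# ruleset (kernel 2.2 style) that forwards a couple of TCP services to
# LAN hosts behind a masquerading firewall. Dry-run by default: commands
# are printed for review; set APPLY=1 to execute them (as root, on a box
# with ipchains/ipmasqadm). All addresses, interface names and hosts are
# constructed placeholders, not values taken from the thread.

EXT_IF=eth0                 # assumption: interface facing the cable modem
EXT_IP=203.0.113.10         # assumption: public IP (documentation range)
LAN_NET=192.168.1.0/24      # assumption: internal network
CITRIX=192.168.1.20         # assumption: internal Citrix host (ICA, tcp/1494)
FTPSRV=192.168.1.21         # assumption: internal FTP server (tcp/21)

# Print each command; execute it only when APPLY=1.
run_cmd() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# forward_tcp EXT_PORT INT_HOST INT_PORT
# One accept rule scoped to the external interface and IP, plus the
# portfw entry. Scoping the accept keeps the hole limited to exactly
# the traffic the portfw entry will consume.
forward_tcp() {
    run_cmd ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$1" -j ACCEPT
    run_cmd ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$1" -R "$2" "$3"
}

# forward_tcp_range LOW HIGH INT_HOST
# ipmasqadm portfw takes one port per entry, so a range (e.g. an FTP
# server's passive data ports) is expanded one port at a time.
forward_tcp_range() {
    p=$1
    while [ "$p" -le "$2" ]; do
        forward_tcp "$p" "$3" "$p"
        p=$((p + 1))
    done
}

# Number of commands a range expands to (two per port); handy for review.
rule_count_for_range() {
    forward_tcp_range "$1" "$2" "$3" | wc -l | tr -d ' '
}

build_ruleset() {
    # Start clean, default deny on input and forward, enable routing.
    run_cmd ipchains -F
    run_cmd ipmasqadm portfw -f
    run_cmd ipchains -P input DENY
    run_cmd ipchains -P forward DENY
    run_cmd sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    # Loopback and the LAN side are trusted; packets claiming a LAN
    # source on the external interface are spoofed: log and drop.
    run_cmd ipchains -A input -i lo -j ACCEPT
    run_cmd ipchains -A input -i ! "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    run_cmd ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -l -j DENY

    # Replies to connections we (or masqueraded LAN hosts) initiated:
    # non-SYN TCP, and DNS answers to unprivileged UDP ports.
    run_cmd ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    run_cmd ipchains -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 53 -d "$EXT_IP" 1024:65535 -j ACCEPT

    # Masquerade LAN traffic going out; ip_masq_ftp rewrites PORT
    # commands so LAN clients' active-mode FTP works through the NAT.
    run_cmd ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
    run_cmd modprobe ip_masq_ftp

    # Inbound services: Citrix ICA on 1494, FTP control on 21. The FTP
    # server's active-mode data connections originate inside (from port
    # 20) and ride the MASQ rule; a passive-port range would need
    # forward_tcp_range, e.g. forward_tcp_range 2000 2020 "$FTPSRV".
    forward_tcp 1494 "$CITRIX" 1494
    forward_tcp 21 "$FTPSRV" 21

    # Everything else arriving from outside is logged and dropped.
    run_cmd ipchains -A input -i "$EXT_IF" -l -j DENY
}

build_ruleset
```

Run it once without APPLY to read the 17 commands it would issue; the final logged DENY is what makes a later "can't connect" question answerable from the kernel log rather than by guesswork, and the portfw entries only make sense together with the matching scoped ACCEPT rules on the input chain, since the input chain sees the packet before it is redirected.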
I don't think so... (Score:1)
"ipchains -A forward -p 80 -d 10.0.0.1/255.255.255.0 -j MASQ" would forward port 80 to 10.0.0.1
I don't think that will work...
According to the ipchains man page, that command will masquerade all traffic destined to 10.0.0.x using protocol 80 (unknown protocol, my
In any case, ipchains won't do what you're trying here... some sort of redirection program is necessary.
Re:using IP masquerading and an ftp bad port error (Score:1)
cheers
vanne
redir (Score:1)
Check it out here [qual.net].
I'm not the only one! (Score:1)
Checking documentation for the apps in question, I get these answers: 'open port 47624' and 'open ports 2000-2020'
OK. Hmm, neat. The HOWTOs are all about 2.0.x, ipchains documentation seems kinda minimal.
I *have* located the ipmasqadm utility and installed it. Trying to *use* it however...
ipmasqadm portfw -a -P tcp -L 47624 -R 192.168.0.3 47624
...which seems to be the apropos cmdline (off the top of my head anyway, it's been a few days) throws an error message and dies.
Who has gotten this to work, or is there something better than ipmasqadm?
AdvTHANKSance
----
It is often easier to gain forgiveness than permission
No joy... (Score:1)
Why do I suspect this has not so much to do with the command line as a misconfiguration elsewhere?
----
It is often easier to gain forgiveness than permission
using IP masquerading and an ftp bad port error (Score:1)
I have a DSL connection to a static IP address, which is the RH 6.0 box, with a second NIC set up for the LAN. On the LAN, email clients, web browsing, telnet, and ftp to the RH 6.0 box work, but ftping to outside ftp servers results in bad port errors.
Any clues? ipchains and IP masquerading seem to be set up to
Re:using IP masquerading and an ftp bad port error (Score:1)