ipchains/firewall/dmz question

ipchains/firewall/dmz question

Post by Alni » Wed, 11 Apr 2001 00:25:23



Just wonder : How could I make ipchains rules in order to make one of my W9x
LAN stations behind my linux gateway fully visible from the Internet (like
if there was no router at all..)

Don't take care about security :) Just want to make some tries...

My provider affects me only 1 dynamic IP address.
Will a DMZ help for that ? (with another NIC on the gateway)

NB: I've read/used enough on linux gateway to build and run successfully a
486/66 LRP based router/firewall.


ipchains/firewall/dmz question

Post by Alni » Wed, 11 Apr 2001 00:33:39


Just wonder : How could I make ipchains rules in order to make one of my W9x
LAN stations behind my linux gateway fully visible from the Internet (like
if there was no router at all..)

Don't take care about security :) Just want to make some tries...

My provider affects me only 1 dynamic IP address.
Will a DMZ help for that ? (with another NIC on the gateway)

NB: I've read/used enough on linux gateway to build and run successfully a
486/66 LRP based router/firewall.


ipchains/firewall/dmz question

Post by Dean Thompso » Wed, 11 Apr 2001 22:54:50


Hi!,

Quote:
> Just wonder : How could I make ipchains rules in order to make one of my
> W9x LAN stations behind my linux gateway fully visible from the Internet
> (like if there was no router at all..)

> Don't take care about security :) Just want to make some tries...

You will have to use something like port redirection to make your win9x box
visible, although what you will end up doing is something like the following:

redir --laddr=111.222.333.444 --lport=8080 --daddr=192.168.0.1 --dport=80

This redirects traffic coming in on port 8080 from your gateway to 192.168.0.1
port 80 on your local network.  You need to enable IP forwarding at your
gateway and insert an IP forwarding rule using ipchains.  You might like to
take a look at the IPCHAINS-HOWTO document at http://www.linuxdoc.org as well
as searching the net for programs like ipmasqadm portfw, and redir.  All of
these packages can be found at http://www.rpmfind.net.

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+


ipchains/firewall/dmz question

Post by Alni » Thu, 12 Apr 2001 21:41:53


Thanks for your reply but, I know about ipportfw, ifautofw and so on, but it
doesn't help me, because I can't predict what port will be used for the
send/reply transaction.
What I want to have is a station that will act exactly like if no router at
all was present in the port range 1024-60000.
Should I use something like (don't care about syntax errors)
ipmasqadm autofw -A -r tcp 1024 60000 -h <my_host_ip>
ipmasqadm autofw -A -r udp 1024 60000 -h <my_host_ip>



Quote:

> Hi!,

> > Just wonder : How could I make ipchains rules in order to make one of my
> > W9x LAN stations behind my linux gateway fully visible from the Internet
> > (like if there was no router at all..)

> > Don't take care about security :) Just want to make some tries...

> You will have to use something like port redirection to make your win9x box
> visible, although what you will end up doing is something like the following:

> redir --laddr=111.222.333.444 --lport=8080 --daddr=192.168.0.1 --dport=80

> This redirects traffic coming in on port 8080 from your gateway to 192.168.0.1
> port 80 on your local network.  You need to enable IP forwarding at your
> gateway and insert an IP forwarding rule using ipchains.  You might like to
> take a look at the IPCHAINS-HOWTO document at http://www.linuxdoc.org as well
> as searching the net for programs like ipmasqadm portfw, and redir.  All of
> these packages can be found at http://www.rpmfind.net.

> See ya

> Dean Thompson

> --
> +____________________________+____________________________________________+
> | Bach. Computing (Hons)     | ICQ     - 45191180                         |
> | PhD Student                | Office  - <Off-Campus>                     |
> | School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
> | MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
> | Melbourne, Australia       |                                            |
> +----------------------------+--------------------------------------------+

ipchains/firewall/dmz question

Post by Dean Thompso » Thu, 12 Apr 2001 21:53:14


Hi!,

Quote:
> Thanks for your reply but, I know about ipportfw, ifautofw and so on, but
> it doesn't help me, because I can't predict what port will be used for the
> send/reply transaction. What I want to have is a station that will act
> exactly like if no router at all was present in the port range 1024-60000.
> Should I use something like (don't care about syntax errors)
> ipmasqadm autofw -A -r tcp 1024 60000 -h <my_host_ip>
> ipmasqadm autofw -A -r udp 1024 60000 -h <my_host_ip>

Can't you just tell the router/gateway that you want to do the following:

/sbin/ipchains -A forward -i eth0 -p tcp -s 192.168.0.1 -d 0.0.0.0/0 -j MASQ
/sbin/ipchains -A forward -i eth0 -p udp -s 192.168.0.1 -d 0.0.0.0/0 -j MASQ

This would allow only that machine (192.168.0.1) to get out to the outside
world and act as if there was no router in the way.  However, you would have
to make some sort of arrangement at the router/gateway to allow packets that
come into the router at a certain port to be forwarded directly off to the
workstation in question.

However, if you are interested in just getting that one machine to be out on
the net as such, then the ipchains rules mentioned above would do that.  They
would forward all packets that came from the selected workstation out to the
internet through your default gateway device.

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+
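Putting the two halves of this exchange together (Dean's per-host MASQ rules for the outbound side, and the ipmasqadm autofw port range Alni proposed for unsolicited inbound connections) as one reviewable script. This is an added example and not a command set from either poster: the LAN host 192.168.0.1, the external interface eth0 and the 1024-60000 range are parameters taken from the thread, a default-deny forward policy is added so that nothing other than the chosen host is forwarded, and DRY_RUN (on by default) prints the commands instead of executing them, so the rule set can be inspected before it is applied to a 2.2-kernel gateway that has ipchains and ipmasqadm installed.

```shell
#!/bin/sh
# Added example (not from the thread): "exposed host" rule set for an
# ipchains/2.2-kernel gateway. DRY_RUN=1 (the default) prints each command
# instead of running it; run with DRY_RUN=0 as root to apply for real.
DRY_RUN=${DRY_RUN:-1}

# run <cmd...>: execute, or print when in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dmz_host_rules <lan-host-ip> <external-iface> <low-port> <high-port>
dmz_host_rules() {
    host=$1; ext=$2; lo=$3; hi=$4

    # 1. Kernel must forward packets between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Start from a clean forward chain and deny forwarding by default,
    #    so only the rules below let traffic cross the gateway.
    run ipchains -F forward
    run ipchains -P forward DENY

    # 3. Dean's rules: masquerade only the chosen host's TCP and UDP
    #    traffic as it leaves on the external interface.
    run ipchains -A forward -i "$ext" -p tcp -s "$host" -d 0.0.0.0/0 -j MASQ
    run ipchains -A forward -i "$ext" -p udp -s "$host" -d 0.0.0.0/0 -j MASQ

    # 4. Alni's autofw form: hand inbound connections to ports in the range
    #    that no masqueraded session claims to the same host.
    run ipmasqadm autofw -A -r tcp "$lo" "$hi" -h "$host"
    run ipmasqadm autofw -A -r udp "$lo" "$hi" -h "$host"
}

# Defaults are the values discussed in the thread; override on the command line.
dmz_host_rules "${1:-192.168.0.1}" "${2:-eth0}" "${3:-1024}" "${4:-60000}"
```

Run it once with the default dry-run to read the seven commands it would issue; the `-i eth0` in the forward chain names the interface the packet leaves on, which is why the external interface is the right value there. Because the policy is DENY, a second LAN host that should also reach the Internet needs its own MASQ pair; the autofw range, by contrast, should stay bound to the single host that is meant to be exposed.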


1. Linux Firewall/Router w/DMZ setup questions

Hello all,

    Been searching archives for some time now, and figured I should just ask
the question(s) and take my RTFM lumps (but please tell me which M ;)

    I have setup several IPChains Masq Firewalls in the past, but this is my
first with 3 NIC's.  Quick and dirty: eth0 is internal masq (10.0.0.1/24),
eth1 is the world (1.2.3.130), and eth2 is the dmz (1.2.3.131/27).  RH 6.2,
with 2.2.16 kernel (custom compile - not an rpm update).  I am pretty
confident in the ipchain rules I have, but have problems with routing.  A
route -n shows (not quite thrilled with the ip route show version's output):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
1.2.3.129       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
1.2.3.130       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
1.2.3.128       0.0.0.0         255.255.255.224 U     0      0        0 eth2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
1.2.3.0         0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         1.2.3.129       0.0.0.0         UG    0      0        0 eth1

    I manually added the 1.2.3.129 route, so that it can find the default
gateway on eth1 - because it's in the eth2's network.  Problem is, once this
is running, I cannot ping anything (although using ping I can see that it is
trying to go out over the correct interface).  I cannot even ping the IPs
assigned to the cards, i.e. 1.2.3.130 - but I can ping the box from other
machines in the masq zone or dmz.  I have disabled the IPchains rules to
rule out any problems coming from there.  Taking down eth2, all is well
(and even masq'd correctly).

    On a side note, I would like to know if it is possible (and if so where
to get more info) to have this box be a "transparent gateway" - I would like
to have the DMZ boxes keep a GW of 1.2.3.129 if possible, so that should the
firewall fail, a quick changing of cables can have all the DMZ boxes online
without the need to reconfigure them.  Of course, the masq boxes would be
down...

Thanks,
Mike
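A quick way to see what is wrong with a table like the one above is to check, for every route, whether its destination falls inside a directly connected network that belongs to a different interface. The script below is an added example and not part of Mike's post; its input is a constructed three-column (destination, genmask, interface) cut of the route -n output he quoted, and on it the check reports the two eth1 host routes (the 1.2.3.129 gateway and the card's own 1.2.3.130) as lying inside 1.2.3.128/27 on eth2, plus that /27 sitting inside the 1.2.3.0/24 on eth1: the same address block is configured on both sides of the box, which is the condition that breaks ARP and next-hop resolution the moment eth2 comes up.

```shell
#!/bin/sh
# Added example (not from the thread): flag routes whose destination lies
# inside a directly connected network on a *different* interface.
# Constructed input: destination, genmask, interface columns of the route -n
# table quoted in the post. Feed a live table with:
#   route -n | awk 'NR>2 {print $1, $3, $8}' | route_overlaps_from_stdin
ROUTES='10.0.0.1 255.255.255.255 eth0
1.2.3.129 255.255.255.255 eth1
1.2.3.130 255.255.255.255 eth1
1.2.3.128 255.255.255.224 eth2
10.0.0.0 255.255.255.0 eth0
1.2.3.0 255.255.255.0 eth1
127.0.0.0 255.0.0.0 lo'

# Dotted quad -> unsigned 32-bit integer using POSIX shell arithmetic only.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_overlaps "<table>": print one line per (route, network) pair where the
# route's destination is covered by a network route on another interface.
route_overlaps() {
    printf '%s\n' "$1" | while read -r dst mask dev; do
        d=$(ip2int "$dst"); dm=$(ip2int "$mask")
        printf '%s\n' "$1" | while read -r net nmask ndev; do
            [ "$ndev" = "$dev" ] && continue            # same interface: expected
            [ "$nmask" = 255.255.255.255 ] && continue  # host routes cover nothing
            n=$(ip2int "$net"); nm=$(ip2int "$nmask")
            # dst/mask lies inside net/nmask when its prefix matches under nmask
            # and its own mask is at least as long as nmask.
            if [ $(( d & nm )) -eq "$n" ] && [ $(( dm & nm )) -eq "$nm" ]; then
                printf '%s/%s via %s lies inside %s/%s on %s\n' \
                    "$dst" "$mask" "$dev" "$net" "$nmask" "$ndev"
            fi
        done
    done
}

# Convenience wrapper for piping a live, already-trimmed table in.
route_overlaps_from_stdin() {
    route_overlaps "$(cat)"
}

route_overlaps "$ROUTES"
```

The check deliberately ignores overlaps on the same interface (a /32 for the card's own address inside its /24 is normal) and reports nothing for the masq side or loopback; every line it does print names a prefix that two interfaces both claim to reach directly, which is exactly what the kernel has to guess about when the box tries to ping out.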
