I've got a P166 with the Red Hat 6.0 distribution on it. I've built and
booted a kernel with CONFIG_EXPERIMENTAL=y CONFIG_IP_MASQUERADE_IPPORTFW=m
... and most other masq, routing, and firewall related stuff turned on.
My firewall box has an eth0 which talks to the outside world and eth1 for
the inside (our 10.0.1.0/24 network, its IP is 10.0.1.254).
I've tried using this to turn on the "reverse" masq ...
ipchains -I forward -p tcp -s 10.0.1.52/32 80 -j MASQ
... then tried using this to turn on port forwarding (we'll pretend
here that I'm on the 126.96.36.199 public network) ...
ipmasqadm portfw -a -P tcp -L 188.8.131.52 80 -R 10.0.1.52 80
... but clients trying to reach 184.108.40.206:80 still just wait and
finally time out.
Because I've also got ipchains configured masquerading letting our
inside systems get to the outside world, I used this command to try
letting the port forwarding allow connections through ...
ipchains -A input -i eth0 -p tcp -s any/0 -d 220.127.116.11 80 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s 18.104.22.168 80 -d any/0 -j ACCEPT
That's based on the rule I've got which I believe allows outside
connections to port 80 on the firewall. In these rules,
EXTERNAL_INTERFACE=eth0 ANYWHERE=any/0 UNPRIVPORTS=1024:65535
# HTTP server (80)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 80 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# HTTP client (80)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 80:65535 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 80:65535 -j ACCEPT
Ow, my aching brain! What have I screwed up?
Thanks for any pointers -
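An added illustration, not part of the post and not ipchains itself: a small Python matcher for the rule syntax used above, run over the post's "HTTP server" rule pair to show which packets each rule lets through and what the `! -y` test does to an outbound SYN. The addresses 192.0.2.1 (standing in for $IPADDR) and 203.0.113.9 (an outside client) are constructed documentation addresses.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Added example, not the post's code: a tiny matcher for the ipchains rule syntax
# used in the post (-A/-i/-p/-j, "! -y", -s/-d addr [port[:port]]).
def parse_rule(cmd):
    tok, rule, i = cmd.replace("\\", " ").split(), {"not_syn": False, "-s": ANY, "-d": ANY}, 1
    while i < len(tok):
        t = tok[i]
        if t in ("-A", "-i", "-p", "-j"):
            rule[t], i = tok[i + 1], i + 2
        elif t == "!" and tok[i + 1] == "-y":        # match non-SYN packets only
            rule["not_syn"], i = True, i + 2
        elif t in ("-s", "-d"):
            rule[t] = ipaddress.ip_network(tok[i + 1].replace("any/0", "0.0.0.0/0"), strict=False)
            i += 2
            if i < len(tok) and tok[i][0].isdigit():  # optional port or lo:hi range
                lo, _, hi = tok[i].partition(":")
                rule[t + "port"], i = (int(lo), int(hi or lo)), i + 1
        else:
            i += 1
    return rule

def matches(rule, pkt):
    """pkt keys: iface, src, sport, dst, dport, syn (bool); TCP is assumed."""
    if rule.get("-i", pkt["iface"]) != pkt["iface"] or (rule["not_syn"] and pkt["syn"]):
        return False
    for flag, addr, port in (("-s", "src", "sport"), ("-d", "dst", "dport")):
        lo, hi = rule.get(flag + "port", (0, 65535))
        if ipaddress.ip_address(pkt[addr]) not in rule[flag] or not lo <= pkt[port] <= hi:
            return False
    return True

def verdict(rules, chain, pkt, policy="DENY"):
    """First matching rule in the chain decides, as in ipchains; else the policy."""
    for r in rules:
        if r["-A"] == chain and matches(r, pkt):
            return r["-j"]
    return policy

# The post's "HTTP server" pair, variables expanded; 192.0.2.1 is a constructed stand-in for $IPADDR.
RULES = [parse_rule(r) for r in (
    "ipchains -A input -i eth0 -p tcp -s any/0 1024:65535 -d 192.0.2.1 80 -j ACCEPT",
    "ipchains -A output -i eth0 -p tcp ! -y -s 192.0.2.1 80 -d any/0 1024:65535 -j ACCEPT",
)]

def check():
    """Constructed packets: an inbound SYN, its reply, and a stray outbound SYN."""
    syn_in = dict(iface="eth0", src="203.0.113.9", sport=40000, dst="192.0.2.1", dport=80, syn=True)
    reply = dict(iface="eth0", src="192.0.2.1", sport=80, dst="203.0.113.9", dport=40000, syn=False)
    return (verdict(RULES, "input", syn_in), verdict(RULES, "output", reply),
            verdict(RULES, "output", dict(reply, syn=True)))
```

check() returns ("ACCEPT", "ACCEPT", "DENY"): the inbound SYN and the server's reply match the pair, while a SYN leaving port 80 is caught by `! -y` and falls to the chain policy.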