Getting ipmasqadm to play nice with ipchains rules for port forwarding

Post by Iain O'Ca » Sat, 05 Jun 1999 04:00:00

I've got a P166 with the Red Hat 6.0 distribution on it.  I've built and
booted a kernel with CONFIG_EXPERIMENTAL=y CONFIG_IP_MASQUERADE_IPPORTFW=m
... and most other masq, routing, and firewall related stuff turned on.

My firewall box has an eth0 which talks to the outside world and eth1 for
the inside (our 10.0.1.0/24 network, its IP is 10.0.1.254).

I've tried using this to turn on the "reverse" masq ...

ipchains -I forward -p tcp -s 10.0.1.52/32 80 -j MASQ

... then tried using this to turn on port forwarding (we'll pretend
here that I'm on the 111.111.111.0 public network) ...

ipmasqadm portfw -a -P tcp -L 111.111.111.158 80 -R 10.0.1.52 80

... but clients trying to reach 111.111.111.158:80 still just wait and
finally time out.

Because I've also got ipchains configured masquerading letting our
inside systems get to the outside world, I used this command to try
letting the port forwarding allow connections through ...

ipchains -A input -i eth0 -p tcp -s any/0 -d 111.111.111.158 80 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s 111.111.111.158 80 -d any/0 -j ACCEPT

That's based on the rule I've got which I believe allows outside
connections to port 80 on the firewall.  In these rules,
EXTERNAL_INTERFACE=eth0 ANYWHERE=any/0 UNPRIVPORTS=1024:65535
IPADDR=111.111.111.156 ...

    # HTTP server (80)
    # ----------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 80  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 80 \
             -d $ANYWHERE $UNPRIVPORTS  -j ACCEPT

    # HTTP client (80)
    # ----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 80:65535 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 80:65535  -j ACCEPT

Ow, my aching brain!  What have I screwed up?

Thanks for any pointers -

- I
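
The complete rule set that a 2.2-kernel portfw setup of the kind described in the post above usually needs, as an added example (this script is not from the thread and not the poster's own configuration). It assumes the poster's addresses and interfaces (eth0 outside, eth1 inside, public 111.111.111.158, inside host 10.0.1.52, inside net 10.0.1.0/24) and the 2.2 masquerading chain order: an inbound packet hits the input chain with its original public destination, is rewritten by the portfw entry, then traverses forward and output addressed to the inside host; replies go input (inside), forward (where the MASQ rule rewrites the source back), output (outside). It also assumes that an eth0:0 alias is matched by -i eth0, since 2.2 aliases are not separate devices. It prints the commands by default (DRY_RUN=1) and only runs them as root when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: full ipchains + ipmasqadm portfw rule
# set for forwarding TCP port 80 on a public address to an inside host on a
# 2.2 kernel. Addresses, interfaces and the chain order are assumptions
# modelled on the original poster's description.

EXT_IF=${EXT_IF:-eth0}            # outside interface (assumed: an eth0:0
                                  # alias is still matched by -i eth0)
INT_IF=${INT_IF:-eth1}            # inside interface
EXT_IP=${EXT_IP:-111.111.111.158} # public address clients connect to
INT_HOST=${INT_HOST:-10.0.1.52}   # inside web server
INT_NET=${INT_NET:-10.0.1.0/24}   # inside network that is masqueraded
PORT=${PORT:-80}
UNPRIVPORTS=1024:65535
DRY_RUN=${DRY_RUN:-1}             # 1 = print the commands, 0 = run them as root

# Run a simple command, or print it when DRY_RUN=1.
emit() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse anything that is not a plain TCP port number 1-65535.
check_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

portfw_rules() {
    check_port "$PORT" || { echo "bad port: $PORT" >&2; return 1; }

    # Routing must be on or nothing leaves the forward chain.
    if [ "$DRY_RUN" = 1 ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    # Drop stale portfw entries so a re-run does not stack duplicates.
    emit ipmasqadm portfw -f

    # Inbound: new connections to the public address on the outside
    # interface. This rule sees the destination before the portfw rewrite.
    emit ipchains -A input -i "$EXT_IF" -p tcp \
         -s 0/0 "$UNPRIVPORTS" -d "$EXT_IP" "$PORT" -j ACCEPT

    # After the rewrite the packet is routed to the inside host.
    emit ipchains -A forward -p tcp -d "$INT_HOST" "$PORT" -j ACCEPT
    emit ipchains -A output -i "$INT_IF" -p tcp \
         -s 0/0 "$UNPRIVPORTS" -d "$INT_HOST" "$PORT" -j ACCEPT

    # Reply path: non-SYN packets from the server back out. The MASQ rule on
    # the forward chain rewrites the source back to the public address.
    emit ipchains -A input -i "$INT_IF" -p tcp ! -y \
         -s "$INT_HOST" "$PORT" -d 0/0 "$UNPRIVPORTS" -j ACCEPT
    emit ipchains -A forward -s "$INT_NET" -j MASQ
    emit ipchains -A output -i "$EXT_IF" -p tcp ! -y \
         -s "$EXT_IP" "$PORT" -d 0/0 "$UNPRIVPORTS" -j ACCEPT

    # Finally the port-forward entry itself, then list it to confirm.
    emit ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$PORT" -R "$INT_HOST" "$PORT"
    emit ipmasqadm portfw -l
}

portfw_rules
```

Run it once as-is to review the commands, then `DRY_RUN=0 sh portfw.sh` as root to apply them. If connections still hang after this, the first things to compare are `ipchains -L -n -v` byte counters on the input rule (is the packet reaching the box at all?) and the forward ACCEPT rule (is it surviving the rewrite?).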

 
 
 

Post by Björn Gerhar » Sun, 06 Jun 1999 04:00:00

With Red Hat 6 you don't need to recompile the kernel to support IP masquerading.

There's a good website on IP-Masquerading:

http://members.home.net/ipmasq/

Maybe you'll find a hint..

Best regards.
        Bjoern

--

  TFH-Berlin  University of Applied Sciences

 
 
 

Post by Iain O'Ca » Tue, 08 Jun 1999 04:00:00

Still no luck getting port forwarding up.

I've found that if I wipe out the firewall rules ("ipchains -F") and
set up an "ACCEPT" policy for everything, I can get the "redir"
program to forward traffic on port 80, but even then not with the
"--transproxy" option.  I've checked that what I get from:
    cat /proc/sys/net/ipv4/ip_forward
is:
    1
and ipmasqadm doesn't complain, for that matter.

The network device I'm actually trying to use is eth0:0.  Is there
anything special with that?

Any ideas at all...?

- I

1. Kernel 2.2.1:IPCHAINS:IPPORTFW:IP port forwarding: IP Masq: ipmasqadm

Thanks to a kind soul from this forum (gweeks) we've just saved $5000 on
new firewall software.

Remember to compile Kernel 2.2.1 with the experimental options under
"Code maturity level options", and then you will have access to the IP
port forwarding options under "Networking options".

Only then can your IP port forward work.  Maybe you all know this, and
I'm slow.  Hope this helps someone besides me.  (I can't wait for you to
pick this up on Dejanews.)

:-)
