IP Masquerading Between Two Linux Firewalls

Post by Jody Sco » Wed, 04 Jul 2001 16:48:14

Hi all

We have configured a network here with Linux acting as a router/firewall for
the Internet and a Terminal Server (yeah, I hate it too) sitting behind the
firewall.

The internal IP of TS is 10.0.0.1 and the firewall is 10.0.0.254.  We have
set up rules on the Linux box to forward all packets on to the internet (so it
is just acting as a gateway) which works fine.

We have also set up a forward rule using IP masquerading on port 3389 to
forward to port 3389 on the TS box - this is to allow for remote clients to
point their terminal server client software to our Linux box and have it
forward it to the terminal server box for connection.  All other inbound ports
are blocked.  This works fine when we dial up to the internet on a remote
machine and connect using the IP of the Linux box.

The problem now is we have a Linux box at our office acting as a gateway in a
similar fashion (without another server here) and my laptop is configured to
use our Linux box as its gateway.  I can telnet to the other Linux box fine
but when I try and establish a terminal server connection the connection
times out.  I can telnet to port 3389 on the Linux box and see that the
forward is working.  If I connect directly to the net using a modem it also works.

I set up a similar rule for VNC (using 5900) and the same thing occurs: after it
asks for a password it just sits forever 'Initializing' the screen and
eventually terminates.

I'm guessing the problem is with our Linux box here and that after the initial
connection with the remote server another port is being opened for broadcast
that our Linux box here is denying.

How do I get around this problem?

My rc.local has the following settings -

ipfwadm -F -p deny
ipfwadm -F -a m -b -S 10.0.0.0/24 -D 0.0.0.0/0

Is it the deny causing the problem?

Post by Dean Thompso » Wed, 04 Jul 2001 23:20:27

Hi!

> We have also setup a forward rule using ip masquerading on port 3389 to
> forward to port 3389 on the TS box - this is to allow for remote clients to
> point their terminal server client software to our linux box and have it
> forward it to the terminal server box for connection.  All other inbound
> ports are blocked.  This works fine when we dial up to the internet on a
> remote machine and connect using the IP of the Linux box.

> The problem now is we have a Linux box at our office acting as a gateway in
> a similar fashion (without another server here) and my laptop is configured
> to use our Linux box as its gateway.  I can telnet to the other Linux box
> fine but when I try and establish a terminal server connection the
> connection times out.  I can telnet to port 3389 on the Linux box and see
> that the forward is working.  If I connect directly to the net using a
> modem it also works. I set up a similar rule for VNC (using 5900) and the
> same thing occurs: after it asks for a password it just sits forever
> 'Initializing' the screen and eventually terminates.

It sounds like there is a problem with a firewall somewhere which is denying
packets entering your system.  Check to make sure there are no ipchains
commands which might be denying your packets from returning.  Also, check to
make sure you have a valid route back to your Linux server or linux box.  It
is possible that the packets are unable to return back to the originator.

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+
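The symptom in this thread (a telnet to port 3389 on the forwarding box "connects", yet the real RDP or VNC session hangs and times out) is exactly the case a handshake-only check misses, and Dean's advice to look for rules or missing routes that swallow the returning packets is what such a stall points at. The script below is an added diagnostic, not code from either post: it completes the TCP handshake, sends a small probe payload and then waits for any reply, classifying the outcome as dropped (no SYN/ACK and no RST, which is how a silently discarding policy such as ipfwadm's `deny`, as opposed to `reject`, looks from the outside), refused, stalled (handshake done, nothing ever comes back), closed, or data received. The local stub servers and the `RFB 003.003` banner are constructed stand-ins so the example runs offline; they are not real VNC/RDP servers. Point `probe()` at a real host and port to use it.

```python
"""Probe a TCP port-forward end to end: handshake versus actual data flow.

Added example; the stub servers below are constructed for the demo only.
"""
import socket
import threading
import time


def probe(host, port, payload=b"\r\n", timeout=2.0):
    """Classify what a TCP client actually gets from host:port.

    Returns one of:
      "dropped"  - no SYN/ACK and no RST within `timeout`; from outside this
                   is what a silently discarding rule (ipfwadm "deny" rather
                   than "reject") looks like.
      "refused"  - an RST came back: host reachable, nothing listening and
                   no forward on that port.
      "stalled"  - handshake completed and `payload` was sent, but nothing
                   came back within `timeout`.  A plain "can I telnet to the
                   port" test reports success here while the real client
                   hangs: typical of a forward whose return path is blocked
                   or unrouted.
      "closed"   - the peer answered the probe by closing or resetting.
      "data:..." - the first bytes the service sent back.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "dropped"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            return f"error:{exc}"
        try:
            s.sendall(payload)
            data = s.recv(64)
        except socket.timeout:
            return "stalled"
        except OSError:
            return "closed"
        if not data:
            return "closed"
        return "data:" + data.decode("latin-1")


def start_stub_server(respond):
    """Start a throwaway listener on 127.0.0.1 and return its port.

    Constructed for this example only; not a real VNC/RDP server.
    respond=True  answers the client's first bytes with a constructed RFB
                  banner, standing in for a healthy service behind a
                  working forward.
    respond=False accepts the connection and never sends anything, which is
                  what a forward with a blocked return path looks like.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            if respond:
                conn.recv(64)                   # wait for the client's probe
                conn.sendall(b"RFB 003.003\n")  # constructed sample banner
            else:
                time.sleep(5)                   # hold the socket open, say nothing

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Pick a local port with nothing listening, so connect() gets an RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Run the probe against the three constructed situations."""
    return {
        "healthy": probe("127.0.0.1", start_stub_server(respond=True)),
        "silent": probe("127.0.0.1", start_stub_server(respond=False)),
        "closed": probe("127.0.0.1", closed_port()),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:8s} -> {result!r}")
```

A "stalled" result from a client behind the office gateway, next to "data" from the same client on a direct modem connection, localises the fault to the path through the office box, which is what the poster observed; the probe tells you that the return traffic is being lost, and the firewall rules and routing table on that box are where to look for why.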

1. Question: two network cards, IP masquerading, Firewall, etc.

Hello.

First of all please forgive me if this is an FAQ, but I'm not a networking guru
who wants to set up a small network.

We have about 10 PCs, some of them running Linux and some of them running
Windows. Those PCs are connected via AT&T WaveLAN wireless network cards
(which are supported by Linux, BTW).  We have only one designated IP address.
So we want to make one of the PCs (running Linux with two network cards
installed: one to the internet and the other to the other PCs) the internet
gateway for the remaining PCs.  (We also need to share a printer connected to
the Linux machine, which we think can be handled later by Samba.)  Anyway, the
steps we think necessary are

        1. Configuring Linux box with two network cards.
        2. IP masquerading
        3. Firewall setup (? necessary )

Problem is we don't know the details.

Could someone give me step by step instructions to do this?
What documents should I look for?

Thanks in advance and it would be greatly appreciated if you
could send me an e-mail as well.
