Incoming services using IP masquerading


Post by Chuck McCollum » Thu, 03 Jul 1997 04:00:00



I have implemented ipfwadm and set up a Linux IP pseudo-firewall.

The reason is to set up a private network behind a Linux box in a telco
facility on the net through an OC-3.  This particular facility charges $450
a month per registered IP on a shared Ethernet type of service.  The
downside is that with only one IP, only one box can be connected unless
using something like the IP masquerading capability of the Linux kernel
and the ipfwadm utility.

The question is, how can this be set up to allow incoming service
requests (i.e. ftp, www, telnet, etc.) to initiate a session with the servers
on the boxes behind the masquerade box?

Example:
4 Linux boxes.  The Masq Box has 2 Ethernet cards: one with IP
111.222.000.111; the other boxes are on the network 192.168.1.0 as shown.
The first interface eth0 is connected to the internet, and assigned a
single registered IP.  The second one (eth1) is connected to the reserved
network 192.168.1.0  (as outlined in RFC 1597), and all of the other boxes
shown are connected and assigned IPs from this network.
                               _______________
Internet  111.222.000.111     |               |
------------------------------| eth0          |
                              |    Masq Box   |
                              |               |
                               ---------------
                                      | 192.168.1.1
                                      | eth1
                                      |
                        --------------*---------------
                        |             |              |
                        |.4           |.5            |.6
                    ---------     ---------     ---------
                    |   A   |     |   B   |     |   C   |
                    ---------     ---------     ---------

Referring to the mini HOW-TO by Ambrose Au, the private network can reach
any host on the Internet by initiating the session.  This is accomplished
after issuing the commands:
ipfwadm -F -p deny
ipfwadm -F -a masquerade -S 192.168.1.0/24 -D 0.0.0.0/0

This works fine, and boxes A, B, and C can indeed see the Internet, and the
remote host sees that it is connected to the masq box; however, no host on
the Internet can initiate a session with any of the three (A, B, or C)
on the private network, and therefore cannot use servers that are running
on them.

I have attempted to use:
ipfwadm -F -a masquerade -P tcp -S 111.222.000.111/32 6500 -D 192.168.1.4/32 http

for example, in the vain hope that this will redirect the incoming request
on the registered IP 111.222.000.111 at port number 6500 to the private IP
192.168.1.4 at port 80, and masquerade it back again to the originating
host.  I must be laboring under some false assumptions about how all of this
works, because I have gotten exactly zero results with many variations on
the above attempt.

Can anybody give any insight as to what I can do in order to proceed with
this process?

Is this the wrong approach?
Should I attempt to use the input and output firewalls instead, and can
this be done using private IPs?
Will the ipautofw utility be of any use for this purpose, and how should it
be used?
What about the TIS firewall toolkit mentioned in Ambrose Au's HOW-TO?

Any help would be very appreciated!

Chuck McCollum


Incoming services using IP masquerading

Post by Jarrod Lowe » Fri, 11 Jul 1997 04:00:00



Quote:>I have implemented ipfwadm and set up a Linux IP pseudo-firewall.

>The reason is to set up a private network behind a Linux box in a telco
>facility on the net through an OC-3.  This particular facility charges $450
>a month per registered IP on a shared Ethernet type of service.  The
>downside is that with only one IP, only one box can be connected unless
>using something like the IP masquerading capability of the Linux kernel
>and the ipfwadm utility.

>The question is, how can this be set up to allow incoming service
>requests (i.e. ftp, www, telnet, etc.) to initiate a session with the servers
>on the boxes behind the masquerade box?
[snipped]
>Is this the wrong approach?

Yes, it is.
Run the services on the Linux machine.

Say, for ftp, mount the drive on the machine behind the firewall as a
directory on the Linux machine, under /home/ftp.  Now it is the gateway
machine which is running the server.

Jarrod Lowe

(This email address will be invalidated within 2 months.)


Incoming services using IP masquerading

Post by Damion Yate » Wed, 30 Jul 1997 04:00:00


: I have implemented ipfwadm and set up a Linux IP pseudo-firewall.

A recent post to comp.os.linux.announce about rinetd is probably exactly what
you are looking for.  I just moved house and lost my ISDN line, so I would be
happy to hear success stories about this with Demon (UK), because they send
mail out when you connect using sendmail (port 25), so I could have allowed
the Win95 machine that the owner of the account had to grab mail.

Damion


Newsgroups: comp.os.linux.announce
Subject: rinetd TCP address/port redirection demon
-----BEGIN PGP SIGNED MESSAGE-----

I'd like to announce the release of version 0.1 of rinetd,
a convenient port redirection tool for firewall administrators,
virtual server administrators and the like. It is especially
useful if you have an IP masquerading firewall and would
like to run a few services on the inside of the firewall.

rinetd is a single-process, non-forking server which accepts
connections on a list of IP address/port pairs specified in the
file /etc/rinetd.conf and redirects those connections to
other address/port pairs, usually servers within the firewall
that are visible to the gateway machine but not to the
outside world. Since rinetd was designed with virtual
servers in mind, it binds only to the specific addresses
you instruct it to. You can have entries for port 80 on
several different virtual interfaces and redirect them
to different destinations inside your firewall.

rinetd is useful for TCP protocols only (not UDP), and is
currently in version 0.1. Constructive feedback and code
contributions would be gratefully accepted. Since rinetd
uses nonblocking I/O, the code is a bit more complex than other
similar tools, so there may be a few bugs left in this release.

rinetd is released under the terms of the GNU Public
License, version 2.

You can obtain the software by anonymous FTP from
ftp.boutell.com in the directory pub/boutell as the
file rinetd0.1.tar.gz:

ftp://ftp.boutell.com/pub/boutell/rinetd0.1.tar.gz

Here's the LSM entry:

Title:          rinetd internet port redirection demon
Version:        0.1
Entered-date:   05/12/1997
Description:    Redirects TCP connections between IP address/port pairs.
Keywords:       rinetd internet firewall virtual server port redirect
Primary-site:   ftp.boutell.com /pub/boutell
                16kB rinetd0.1.tar.gz
Copying-policy: GPL

- -T

-----END PGP SIGNATURE-----

--
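A minimal redirector of the kind the announcement describes, added here as an example; it is not rinetd's code and not anything posted in this thread. It answers the original question (getting an outside client to a server on box A behind the masquerade box) the way rinetd does: a single non-forking process that binds only to the address/port pairs listed in a rinetd.conf-style file and relays each accepted connection to the inside host. The line format `bindaddr bindport connectaddr connectport` with `#` comments is an assumption about rinetd's config; the demo routine stands in for box A's web server with an echo server on a loopback port, because the thread's 111.222.000.111 and 192.168.1.4 cannot be bound offline, and all addresses and the payload in it are constructed.

```python
import selectors
import socket
import threading


def parse_rinetd_conf(text):
    """Parse 'bindaddr bindport connectaddr connectport' lines (format assumed)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        baddr, bport, caddr, cport = fields
        rules.append((baddr, int(bport), caddr, int(cport)))
    return rules


class Redirector:
    # One selector loop serves every listener and every bridged pair; no fork.
    def __init__(self, rules):
        self.sel = selectors.DefaultSelector()
        self.listeners = []
        self.peers = {}       # socket -> the socket it is bridged to
        self.running = True
        for baddr, bport, caddr, cport in rules:
            ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            ls.bind((baddr, bport))   # only the configured address, never INADDR_ANY
            ls.listen(16)
            ls.setblocking(False)
            self.sel.register(ls, selectors.EVENT_READ, (caddr, cport))
            self.listeners.append(ls)

    def _accept(self, ls, target):
        client, _ = ls.accept()
        try:
            inside = socket.create_connection(target, timeout=2)
        except OSError:
            client.close()    # inside server down: drop this client, keep serving
            return
        self.peers[client], self.peers[inside] = inside, client
        for s in (client, inside):
            s.setblocking(True)   # recv only runs when select says readable
            self.sel.register(s, selectors.EVENT_READ, None)

    def _close_pair(self, s):
        peer = self.peers.pop(s, None)
        self.peers.pop(peer, None)
        for x in (s, peer):
            if x is not None:
                try:
                    self.sel.unregister(x)
                except (KeyError, ValueError):
                    pass      # already torn down from the other side
                x.close()

    def _relay(self, s):
        peer = self.peers.get(s)
        try:
            data = s.recv(65536)
        except OSError:
            data = b""
        if data and peer is not None:
            peer.sendall(data)    # blocking send, acceptable for a demo
        else:
            self._close_pair(s)   # EOF or error on one side closes both

    def serve_forever(self):
        while self.running:
            for key, _ in self.sel.select(timeout=0.2):
                if key.data is not None:
                    self._accept(key.fileobj, key.data)
                else:
                    self._relay(key.fileobj)


def run_roundtrip_demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Loopback echo server stands in for box A; returns what a client gets back."""
    backend = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    backend.bind(("127.0.0.1", 0))
    backend.listen(1)

    def echo_once():
        conn, _ = backend.accept()
        with conn:
            conn.sendall(conn.recv(65536))
        backend.close()

    threading.Thread(target=echo_once, daemon=True).start()
    # bind port 0 is a demo convenience (constructed); on the gateway the line
    # would read "111.222.000.111 80 192.168.1.4 80"
    conf = f"127.0.0.1 0 127.0.0.1 {backend.getsockname()[1]}\n"
    rd = Redirector(parse_rinetd_conf(conf))
    threading.Thread(target=rd.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(("127.0.0.1", rd.listeners[0].getsockname()[1]), timeout=2) as c:
            c.sendall(payload)
            return b"".join(iter(lambda: c.recv(65536), b""))   # read until relay closes our side
    finally:
        rd.running = False
```

Two points a practitioner should keep in mind with this approach. The inside server (box A) sees the gateway's 192.168.1.1 as the client address, so any per-client logging or access control has to live on the relay, not on A. And because the connection terminates on the gateway itself, it passes through the input rules rather than the forwarding rules, so the `ipfwadm -F -p deny` default policy from the first post does nothing to restrict it: everything listed in the config is reachable from the whole Internet unless the relay or the input chain says otherwise.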