Incoming services using IP masquerading

Post by Chuck McCollum » Thu, 03 Jul 1997 04:00:00

I have implemented ipfwadm and set up a Linux IP pseudo-firewall.

The reason is to set up a private network behind a Linux box in a telco
facility on the net through an OC-3.  This particular facility charges $450
a month per registered IP on a shared ethernet type of service.  The
downside is that with only one IP, only one box can be connected unless
using something like the IP masquerading capability of the Linux kernel
and the ipfwadm utility.

The question is, how can this be set up to allow incoming service
requests (i.e. ftp, www, telnet, etc.) to initiate a session with the servers
on the boxes behind the masquerade box?

Example:
4 Linux boxes.  The Masq Box has 2 ethernet cards: one w/IP
111.222.000.111, and the others are on the network 192.168.1.0 as shown.
The first interface eth0 is connected to the internet, and assigned a
single registered IP.  The second one (eth1) is connected to the reserved
network 192.168.1.0 (as outlined in RFC 1597), and all of the other boxes
shown are connected and assigned IPs from this network.

                                     _____________
Internet  111.222.000.111           |             |
------------------------------- eth0|  Masq Box   |
                                    |             |
                                    |_____________|
                                          | 192.168.1.1
                                          | eth1
                                          |
                       -------------------*------------------
                       |                  |                  |
                       |.4                |.5                |.6
                  -----------        -----------        -----------
                 |           |      |           |      |           |
                 |     A     |      |     B     |      |     C     |
                 |           |      |           |      |           |
                  -----------        -----------        -----------

Referring to the mini HOWTO by Ambrose Au, the private network can reach
any host on the Internet by initiating the session.  This is accomplished
after issuing the commands:
ipfwadm -F -p deny
ipfwadm -F -a masquerade -S 192.168.1.0/24 -D 0.0.0.0/0

This works fine and boxes A, B, and C can indeed see the Internet, and the
remote host sees that it is connected to the masq box; however, any host on
the internet cannot initiate a session with any of the 3 (A, B, or C)
on the private network, and therefore cannot use servers that are running
on them.

I have attempted to use:
ipfwadm -F -a masquerade -P tcp -S 111.222.000.111/32 6500 -D 192.168.1.4/32 http

for example, in the vain hope that this will redirect the incoming request
on the registered IP 111.222.000.111 at port number 6500 to the private IP
192.168.1.4 at port 80, and masquerade it back again to the originating
host. I must be laboring under some false assumptions about how all of this
works, because I have gotten exactly zero results with many variations on
the above attempt.

Can anybody give any insight as to what I can do in order to proceed with
this process?

Is this the wrong approach?
Should I attempt to use the Input and Output firewalls instead, and can
this be done using private IPs?
Will the ipautofw utility be of any use for this purpose, and how should it
be used?
What about the TIS firewall toolkit mentioned in Ambrose Au's HOW-TO?

Any help would be very appreciated!

Chuck McCollum
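Added illustration, not part of Chuck's post: a small Python model of what the masquerade rule in the post does. An outbound connection from 192.168.1.0/24 creates a translation entry, the reply is mapped back through that entry, and an unsolicited inbound connection to port 6500 matches no entry and is dropped. The masquerade port range, the constructed remote address and the static "forwards" table (standing in for a separate port-forwarding mechanism, not an ipfwadm -F masquerade feature) are assumptions of the model.

```python
from dataclasses import dataclass

# Addresses from the post: one registered IP on eth0, RFC 1597 space on eth1.
MASQ_IP = "111.222.000.111"
# Assumption: masqueraded source ports are rewritten into a high port range.
MASQ_PORT_BASE = 61000


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Model of the masq box: dynamic state for outbound flows only."""

    def __init__(self, forwards=None):
        self.table = {}    # (private host, port) -> masquerade port
        self.reverse = {}  # masquerade port -> (private host, port)
        self.next_port = MASQ_PORT_BASE
        # Static inbound mappings (assumed, not created by -F masquerade).
        self.forwards = dict(forwards or {})

    def outbound(self, p):
        """Forward a packet from the private net, rewriting its source."""
        key = (p.src, p.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Pkt(MASQ_IP, self.table[key], p.dst, p.dport)

    def inbound(self, p):
        """Translate a packet arriving on eth0; None means it is dropped."""
        if p.dst != MASQ_IP:
            return None
        if p.dport in self.reverse:          # reply to a masqueraded flow
            host, port = self.reverse[p.dport]
            return Pkt(p.src, p.sport, host, port)
        if p.dport in self.forwards:         # static mapping, if configured
            host, port = self.forwards[p.dport]
            return Pkt(p.src, p.sport, host, port)
        return None                          # no state: the post's symptom
```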