simpler packet forwarding?

Post by Jarro » Thu, 06 Jan 2000 04:00:00



Hi,

One of our routers, through which our dialup customers are filtered,
currently runs 3.3 and Squid 2.2.  I have compiled its kernel to allow
ipfirewall and presently have it forwarding port 80 packets to port 8080
on the same machine to allow for the transparent proxy. The machine's name
is dogbert.

ipfw add fwd dogbert,8080 tcp from any to any 80

What I need to do now is to transparently filter them through to a proxy
server on another server.  If I change the ipfw rule on dogbert to:

ipfw add fwd wallace,8080 tcp from any to any 80

All the packets are dropped or lost and I get "operation timed out" errors;
the only way I have managed to get it to work so far is by having

ipfw add fwd wallace tcp from any to any 80 (on dogbert)
ipfw add fwd wallace,8080 tcp from any to any 80 (on wallace)

To me, this doesn't sound right, and it seems to slow things down and
returns errors now and again; I'm assuming packets are getting lost or not
getting there correctly, or something like that.

We used to use ipfilter when the machines were on 2.2.7/2.2.8 and this
seemed to work without a worry.  This was a while ago, and I have forgotten
how the hell I had it running.

Has anyone got a better idea on forwarding packets from one machine to
another transparently?  If ipfilter is the way to go, any hints on the
commands and stuff?

BTW, I see IPSTEALTH in the LINT config, which sounds pretty nifty; are there
any READMEs on this?  The FreeBSD website comes up blank, and man ipfw also
comes up blank.

Thanks,

Jarrod


simpler packet forwarding?

Post by Kristian Ra » Thu, 06 Jan 2000 04:00:00


Hi


>One of our routers, through which our dialup customers are filtered,
>currently runs 3.3 and Squid 2.2.  I have compiled its kernel to allow
>ipfirewall and presently have it forwarding port 80 packets to port 8080
>on the same machine to allow for the transparent proxy. The machine's name
>is dogbert.

[cut]

I don't know if this is exactly the same problem... but
I tried to use ipfw for connecting port 8080 on the gateway/firewall
machine to port 80 on a local machine behind the gateway.

I couldn't get anything working.
I tried socket from ports/net, and it does the trick...

Maybe a combo of filtering and finally redirecting to 8080 on the same
machine, and then a socket to put it onto 80 on the other machine, will
do the trick? Word of warning: I'm by no measure skilled enough
to see if this will actually work, or whether it introduces some new problem...

I also tried natd -redirect_port. It doesn't do it either...

I have searched high and low... and can see that it works for some,
but a large number of people seem to have problems with it...

>Has anyone got a better idea on forwarding packets from one machine to
>another transparently?  If ipfilter is the way to go, any hints on the
>commands and stuff?

See above...

regards

Kristian


simpler packet forwarding?

Post by Ed Bardsle » Sun, 09 Jan 2000 04:00:00


Snipped from 'man ipfw':

(referring to forwarding)
If the IP is not a local address then the port number (if specified) is
ignored and the rule only applies to packets leaving the system.

So, this means that by the current design of ipfw, you just can't have it
set up to forward to different ports on different machines. Sorry.

And, snipped from the 3.4 release notes,

"Support has been added for forwarding IP datagrams without inspecting or
decreasing the TTL in order to make gateways and firewalls less visible
and therefore less exposed to attacks."

I think that's what your IPSTEALTH is.

--Ed


>Hi,

>One of our routers, through which our dialup customers are filtered,
>currently runs 3.3 and Squid 2.2.  I have compiled its kernel to allow
>ipfirewall and presently have it forwarding port 80 packets to port 8080
>on the same machine to allow for the transparent proxy. The machine's name
>is dogbert.

>ipfw add fwd dogbert,8080 tcp from any to any 80

>What I need to do now is to transparently filter them through to a proxy
>server on another server.  If I change the ipfw rule on dogbert to:

>ipfw add fwd wallace,8080 tcp from any to any 80

>All the packets are dropped or lost and I get "operation timed out" errors;
>the only way I have managed to get it to work so far is by having

>ipfw add fwd wallace tcp from any to any 80 (on dogbert)
>ipfw add fwd wallace,8080 tcp from any to any 80 (on wallace)

>To me, this doesn't sound right, and it seems to slow things down and
>returns errors now and again; I'm assuming packets are getting lost or not
>getting there correctly, or something like that.

>We used to use ipfilter when the machines were on 2.2.7/2.2.8 and this
>seemed to work without a worry.  This was a while ago, and I have forgotten
>how the hell I had it running.

>Has anyone got a better idea on forwarding packets from one machine to
>another transparently?  If ipfilter is the way to go, any hints on the
>commands and stuff?

>BTW, I see IPSTEALTH in the LINT config, which sounds pretty nifty; are there
>any READMEs on this?  The FreeBSD website comes up blank, and man ipfw also
>comes up blank.

>Thanks,

>Jarrod

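The man page rule Ed quotes explains both of Jarrod's observations, and it is easier to see in a small model. The Python below is an added example for this thread, not code from the posts or from FreeBSD: it models ipfw's `fwd` decision for one client SYN as it crosses dogbert and then wallace, following the quoted semantics (local target: port honoured, packet delivered to the local socket; non-local target: port ignored, rule applies only to packets leaving the host, original destination left untouched). The host, client and origin-server addresses are made up (RFC 5737 documentation ranges), and the model covers rule matching only, not routing, the TTL, or the proxy itself.

```python
"""Model of the ipfw(8) `fwd` semantics quoted in the thread (FreeBSD 3.x).

Added example for illustration; addresses below are constructed, not
taken from the thread or from any real deployment.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List

DOGBERT_IP = "192.0.2.1"     # the dialup router
WALLACE_IP = "192.0.2.2"     # the box that should run the proxy
CLIENT_IP = "198.51.100.7"   # a dialup customer
ORIGIN_IP = "203.0.113.80"   # the web server the customer actually asked for


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class FwdRule:
    """`ipfw add fwd <target_ip>[,<target_port>] <proto> from any to any <dport>`."""
    target_ip: str
    target_port: Optional[int]   # None for a bare `fwd host` with no port
    match_proto: str = "tcp"
    match_dport: int = 80        # the "to any 80" part of the rule


@dataclass(frozen=True)
class Host:
    name: str
    addrs: frozenset             # addresses configured on this host
    rule: Optional[FwdRule]      # None: no fwd rule installed


def apply_fwd(host: Host, pkt: Packet, direction: str) -> Tuple[str, Optional[int]]:
    """Return (action, delivered_port) for one pass of `pkt` through `host`.

    action: "pass"     rule absent or not matched, packet continues unchanged
            "deliver"  target is local: handed to the socket on delivered_port
            "next-hop" target is remote: sent towards target_ip, dst/dport untouched
    direction: "in" (arriving at host) or "out" (leaving host)
    """
    r = host.rule
    if r is None or pkt.proto != r.match_proto or pkt.dport != r.match_dport:
        return "pass", None
    if r.target_ip in host.addrs:
        # Local target: the port is honoured; a bare `fwd host` keeps the
        # packet's own destination port.
        port = r.target_port if r.target_port is not None else pkt.dport
        return "deliver", port
    # Non-local target: the port is ignored and the rule only applies to
    # packets leaving the system, so the inbound pass does nothing.
    if direction != "out":
        return "pass", None
    return "next-hop", None


def trace(dogbert_rule: Optional[FwdRule], wallace_rule: Optional[FwdRule]) -> dict:
    """Walk one client SYN for ORIGIN_IP:80 through dogbert, then wallace."""
    dogbert = Host("dogbert", frozenset({DOGBERT_IP}), dogbert_rule)
    wallace = Host("wallace", frozenset({WALLACE_IP}), wallace_rule)
    pkt = Packet(CLIENT_IP, ORIGIN_IP, 80)
    hops: List[str] = []

    d_in, d_port = apply_fwd(dogbert, pkt, "in")
    hops.append(d_in)
    if d_in == "deliver":                      # proxy on the router itself
        return {"proxy_host": "dogbert", "proxy_port": d_port, "hops": hops}

    d_out, _ = apply_fwd(dogbert, pkt, "out")
    hops.append(d_out)
    if d_out != "next-hop":                    # no fwd: routed straight to the origin
        return {"proxy_host": None, "proxy_port": None, "hops": hops}

    # The packet reaches wallace still addressed to ORIGIN_IP:80; only a
    # fwd rule on wallace itself can steer it into the proxy socket.
    w_in, w_port = apply_fwd(wallace, pkt, "in")
    hops.append(w_in)
    if w_in == "deliver":
        return {"proxy_host": "wallace", "proxy_port": w_port, "hops": hops}
    # Nothing on wallace claims it: routed onward or dropped, client times out.
    return {"proxy_host": None, "proxy_port": None, "hops": hops}


if __name__ == "__main__":
    print("same host   :", trace(FwdRule(DOGBERT_IP, 8080), None))
    print("one rule    :", trace(FwdRule(WALLACE_IP, 8080), None))
    print("two rules   :", trace(FwdRule(WALLACE_IP, None), FwdRule(WALLACE_IP, 8080)))
```

The second case is Jarrod's failing attempt: on dogbert the ",8080" is silently ignored because wallace is not a local address, so the SYN arrives at wallace with its original destination and port 80, and nothing there hands it to Squid. The third case is his working pair of rules, and it works precisely because the remote `fwd` only changes the next hop; wallace still has to match the packet locally and `fwd wallace,8080` it into the proxy, which in turn must be able to handle a request whose destination is not its own address (transparent mode).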

ipchains - forwarding - packet filtering

Okay, here is my scenario:

ISP ---- DSL/CABLE ROUTER / SWITCH (192.168.0.1)
              |
              |---- eth0 (192.168.0.2) LINUX BOX eth1 (192.168.10.1) ---- WIN2k IIS SERVER (192.168.10.2)
              |
              |---- LAPTOP (192.168.0.3)

The IIS server is running on port 80.
From the Linux box, with Netscape Communicator, I CAN connect to the Win2k
IIS machine by typing in its IP (192.168.10.2).
However, from the LAPTOP (192.168.0.3) I type in 192.168.0.2 and I would like
it to forward the request to the Win2k IIS server on port 80.
This is not the case; instead, "the connection with the server could not be
established".
I'm sure there is an ipchains line that will forward traffic arriving at
192.168.0.2 (eth0) through the Linux box, out eth1, and into the IIS
server.

The following is the only line in my ipchains; it is allowing my Win2k IIS
server to communicate with the internet or the laptop (192.168.0.3):

-A forward -i eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQ

At this point I am not concerned with being able to make the connection to the
IIS server from the internet.  I would like to be able to type the Linux
box's eth0 IP in my browser (laptop) and have it forward me through to the IIS
server.

- Thanks -
