IP forwarding & Masq from net to Private IP

IP forwarding & Masq from net to Private IP

Post by Stephen Wyndha » Sat, 11 Aug 2001 08:54:14



I have a VPN server on a private IP behind a Redhat Linux 7.1 box connected
to the net. I can port forward TCP port 1723 to the VPN server using
xinetd, however I can't forward IP 47 (GRE).

I have looked under the how-to's and they suggest I install ipfwd
(/sbin/ipfwd --masq 10.0.0.2 47 &). As suggested I have tried to do this but
I get the following message:

    error: failed dependencies:
        libc.so.5 is needed by ipfwd-1.0.0-1

Redhat 7.1 has libc.so.6.

My questions are:
Can two versions of libc (i.e. libc.so.6 & libc.so.5) co-exist, allowing me to
use ipfwd? And/or:
Is there another way native to RH7.1 to IP forward to a VPN server with a
private IP?

Stephen

 
 
 

IP forwarding & Masq from net to Private IP

Post by Richard Harmonso » Sat, 11 Aug 2001 10:19:19



> I have a VPN server on a private IP behind a Redhat Linux 7.1 box connected
> to the net. I can port forward TCP port 1723 to the VPN server using
> xinetd, however I can't forward IP 47 (GRE).

> I have looked under the how-to's and they suggest I install ipfwd
> (/sbin/ipfwd --masq 10.0.0.2 47 &). As suggested I have tried to do this but
> I get the following message:

>     error: failed dependencies:
>         libc.so.5 is needed by ipfwd-1.0.0-1
> Redhat 7.1 has libc.so.6.

> My questions are:
> Can two versions of libc (i.e. libc.so.6 & libc.so.5) co-exist, allowing me to
> use ipfwd? And/or:
> Is there another way native to RH7.1 to IP forward to a VPN server with a
> private IP?

> Stephen

Stephen,
Are you determined to use ipchains?  If not, iptables works well for
forwarding.  Both are already installed with Red Hat 7.1.  You need only
disable ipchains, then enable and configure iptables.  If you are determined
to use ipchains, take a look at the ipchains howto.  It makes a reference to
ipmasqadm, which I used for the same purpose as you are trying until the
release of the 2.4 kernel (iptables).

Do you need an example of forwarding with iptables?

Richard Harmonson, RHCE

 
 
 

IP forwarding & Masq from net to Private IP

Post by Stephen Wyndha » Sat, 11 Aug 2001 12:12:46


I don't need to stay with ipchains, but I do understand them. If you have a
good example of iptables that gets me working until I can get a handle on
tables, that would be great.

Stephen




> > I have a VPN server on a private IP behind a Redhat Linux 7.1 box connected
> > to the net. I can port forward TCP port 1723 to the VPN server using
> > xinetd, however I can't forward IP 47 (GRE).

> > I have looked under the how-to's and they suggest I install ipfwd
> > (/sbin/ipfwd --masq 10.0.0.2 47 &). As suggested I have tried to do this but
> > I get the following message:

> >     error: failed dependencies:
> >         libc.so.5 is needed by ipfwd-1.0.0-1
> > Redhat 7.1 has libc.so.6.

> > My questions are:
> > Can two versions of libc (i.e. libc.so.6 & libc.so.5) co-exist, allowing me to
> > use ipfwd? And/or:
> > Is there another way native to RH7.1 to IP forward to a VPN server with a
> > private IP?

> > Stephen

> Stephen,
> Are you determined to use ipchains?  If not, iptables works well for
> forwarding.  Both are already installed with Red Hat 7.1.  You need only
> disable ipchains, then enable and configure iptables.  If you are determined
> to use ipchains, take a look at the ipchains howto.  It makes a reference to
> ipmasqadm, which I used for the same purpose as you are trying until the
> release of the 2.4 kernel (iptables).

> Do you need an example of forwarding with iptables?

> Richard Harmonson, RHCE

 
 
 

IP forwarding & Masq from net to Private IP

Post by Richard Harmonso » Sun, 12 Aug 2001 06:33:39



> I don't need to stay with ipchains, but I do understand them. If you have a
> good example of iptables that gets me working until I can get a handle on
> tables, that would be great.

> Stephen

Stephen, I am not completely clear what you are trying to do, and understand
that I am unfamiliar with Microsoft's VPN.  I am making some assumptions
from this point forward which may not be accurate, so reply with another
post for clarification.

Disable ipchains then verify iptables is enabled. From your shell:
    chkconfig --level 2345 ipchains off
    chkconfig --list iptables

    should already be enabled (2345), however if not
        chkconfig --level 2345 iptables on

Restart the system to have the changes take effect.  There may be another
way of doing this but restarting the network services does not do it.  By
default, iptables is accepting on all chains. You may start building rules
either from the shell or from a script.  Initially, I test from the shell,
but you will save time if you create a script file that can be edited and
executed after a flush.  Let's begin with a very simple example. If you are
already familiar with ipchains, this will look very familiar.

This example will set up a network to refuse traffic unless explicitly stated
otherwise and masquerade local network (192.168.0.0/24) traffic when the
destination is not the local network.  The box in question has three
interfaces: lo, eth0, and eth1.  eth0 is the external interface.  There is
also an ftp server at 192.168.0.5 that we want to direct external traffic to
on ports 20 and 21.

# modules
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp         # NAT helper for the FTP data channel (2.4 kernel module)

# enable
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# policies (a flush does not reset these, so set them first)
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP

# flush
    iptables -F
    iptables -F -t nat

# masquerade; note that we do not use masq as with ipchains, but 'MASQUERADE'
# ('-d ! net' is the iptables 1.2 syntax shipped with RH 7.1; newer releases write '! -d net')
    iptables -t nat -A POSTROUTING \
        -s 192.168.0.0/24 \
        -d ! 192.168.0.0/24 -j MASQUERADE

# allow all traffic on lo and eth1.
    iptables -A FORWARD -i ! eth0 -j ACCEPT
# the -o rule is what lets the DNATed packets below (in on eth0, out on eth1)
# through the DROP policy; note it also passes anything else routed inward
    iptables -A FORWARD -o ! eth0 -j ACCEPT
    iptables -A INPUT -i ! eth0 -j ACCEPT
# OUTPUT has no incoming interface; match the outgoing one with -o
    iptables -A OUTPUT -o ! eth0 -j ACCEPT

# destination network address translation; the target name is case-sensitive (DNAT)
# data-ftp
    iptables -t nat -A PREROUTING -p tcp \
        -s ! 192.168.0.0/24 \
        --dport 20 -i eth0 -j DNAT \
        --to 192.168.0.5:20

# ftp
    iptables -t nat -A PREROUTING -p tcp \
        -s ! 192.168.0.0/24 \
        --dport 21 -i eth0 -j DNAT \
        --to 192.168.0.5:21

There is a great deal more you can do but this is a start.  Verify it works.
If you have typed each non-commented line at the shell you will lose all
your hard work at the next reboot.  Use iptables-save to view, then save, the
current rules.

View the current iptables rules using less.
    iptables-save | less

Save to /etc/sysconfig/iptables.  If one already exists, cp to another
filename as a backup.
    iptables-save > /etc/sysconfig/iptables

Done!  When you reboot, this file will be read on boot.

I hope this helps and hope I did not make too many typos.  Anyone else have
any suggestions, criticism?  Jump in.

Richard Harmonson, RHCE

 
 
 

IP forwarding & Masq from net to Private IP

Post by Stephen Wyndha » Tue, 14 Aug 2001 10:56:56


Thanks, that is a start, but I can already port forward with xinetd. What I am
actually trying to do is IP forward GRE (IP 47) to 192.168.2.1, as opposed
to TCP or UDP or XTP.

PPTP requires TCP port 1723 to be port forwarded to the private IP server
(which xinetd does) and it also requires GRE to be IP forwarded. Here is an
example given for Linux 2.2.x kernels in the VPN Masquerade HOWTO:

The following command will set up ipfwd to forward the initial inbound 47/ip
traffic to the PPTP server:

/sbin/ipfwd --masq 10.0.0.2 47 &

It should only be run once, from your /etc/rc.d/rc.local script.

Ipfwd requires an earlier library version.




> > I don't need to stay with ipchains, but I do understand them. If you have a
> > good example of iptables that gets me working until I can get a handle on
> > tables, that would be great.

> > Stephen

> Stephen, I am not completely clear what you are trying to do, and understand
> that I am unfamiliar with Microsoft's VPN.  I am making some assumptions
> from this point forward which may not be accurate, so reply with another
> post for clarification.

> Disable ipchains then verify iptables is enabled. From your shell:
>     chkconfig --level 2345 ipchains off
>     chkconfig --list iptables

>     should already be enabled (2345), however if not
>         chkconfig --level 2345 iptables on

> Restart the system to have the changes take effect.  There may be another
> way of doing this but restarting the network services does not do it.  By
> default, iptables is accepting on all chains. You may start building rules
> either from the shell or from a script.  Initially, I test from the shell,
> but you will save time if you create a script file that can be edited and
> executed after a flush.  Let's begin with a very simple example. If you are
> already familiar with ipchains, this will look very familiar.

> This example will set up a network to refuse traffic unless explicitly stated
> otherwise and masquerade local network (192.168.0.0/24) traffic when the
> destination is not the local network.  The box in question has three
> interfaces: lo, eth0, and eth1.  eth0 is the external interface.  There is
> also an ftp server at 192.168.0.5 that we want to direct external traffic to
> on ports 20 and 21.

> # modules
>     modprobe ip_tables
>     modprobe iptable_nat
>     modprobe ip_conntrack_ftp
>     modprobe ip_nat_ftp         # NAT helper for the FTP data channel (2.4 kernel module)

> # enable
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>     echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

> # policies (a flush does not reset these, so set them first)
>     iptables -P FORWARD DROP
>     iptables -P INPUT DROP
>     iptables -P OUTPUT DROP

> # flush
>     iptables -F
>     iptables -F -t nat

> # masquerade; note that we do not use masq as with ipchains, but 'MASQUERADE'
> # ('-d ! net' is the iptables 1.2 syntax shipped with RH 7.1; newer releases write '! -d net')
>     iptables -t nat -A POSTROUTING \
>         -s 192.168.0.0/24 \
>         -d ! 192.168.0.0/24 -j MASQUERADE

> # allow all traffic on lo and eth1.
>     iptables -A FORWARD -i ! eth0 -j ACCEPT
> # the -o rule is what lets the DNATed packets below (in on eth0, out on eth1)
> # through the DROP policy; note it also passes anything else routed inward
>     iptables -A FORWARD -o ! eth0 -j ACCEPT
>     iptables -A INPUT -i ! eth0 -j ACCEPT
> # OUTPUT has no incoming interface; match the outgoing one with -o
>     iptables -A OUTPUT -o ! eth0 -j ACCEPT

> # destination network address translation; the target name is case-sensitive (DNAT)
> # data-ftp
>     iptables -t nat -A PREROUTING -p tcp \
>         -s ! 192.168.0.0/24 \
>         --dport 20 -i eth0 -j DNAT \
>         --to 192.168.0.5:20

> # ftp
>     iptables -t nat -A PREROUTING -p tcp \
>         -s ! 192.168.0.0/24 \
>         --dport 21 -i eth0 -j DNAT \
>         --to 192.168.0.5:21

> There is a great deal more you can do but this is a start.  Verify it works.
> If you have typed each non-commented line at the shell you will lose all
> your hard work at the next reboot.  Use iptables-save to view, then save, the
> current rules.

> View the current iptables rules using less.
>     iptables-save | less

> Save to /etc/sysconfig/iptables.  If one already exists, cp to another
> filename as a backup.
>     iptables-save > /etc/sysconfig/iptables

> Done!  When you reboot, this file will be read on boot.

> I hope this helps and hope I did not make too many typos.  Anyone else
> have any suggestions, criticism?  Jump in.

> Richard Harmonson, RHCE
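The thread stops short of the rule Stephen actually needs: the iptables equivalent of `ipfwd --masq ... 47`. What follows is an added example, not code posted by either participant. It does for PPTP what Richard's FTP rules do for ports 20 and 21, and is written so it can be appended to his script after the flush and policy lines. It assumes eth0 is the external interface (as in Richard's example), takes 192.168.2.1 for the PPTP server (the address Stephen gives in his last post), and by default accepts clients from anywhere; every one of those is an assumption or example value and can be overridden through the environment variables at the top. The script only prints the commands unless run with `apply` as root, so they can be reviewed before they go live.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules that forward PPTP
# (TCP/1723 control channel plus GRE, IP protocol 47) from the Internet to a
# PPTP server on a private address.  Intended to follow a script such as
# Richard's, i.e. after its flush and policy lines.
#
# Assumptions (override through the environment):
EXT_IF=${EXT_IF:-eth0}                      # Internet-facing interface, as in Richard's example
PPTP_SERVER=${PPTP_SERVER:-192.168.2.1}     # the address Stephen names in his last post
ALLOWED_PEERS=${ALLOWED_PEERS:-0.0.0.0/0}   # narrow to known client addresses if they are fixed

# Print the commands, one per line.  Reviewing them first is cheaper than
# debugging a box you can only reach over the link you just cut off.
pptp_forward_rules() {
    cat <<EOF
modprobe ip_tables
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
# control channel: TCP/1723 from the Internet to the private server
iptables -t nat -A PREROUTING -i $EXT_IF -s $ALLOWED_PEERS -p tcp --dport 1723 -j DNAT --to-destination $PPTP_SERVER
# data channel: GRE has no ports, so the protocol number is the only thing to match on
iptables -t nat -A PREROUTING -i $EXT_IF -s $ALLOWED_PEERS -p 47 -j DNAT --to-destination $PPTP_SERVER
# with 'iptables -P FORWARD DROP' the translated packets still need explicit ACCEPTs
iptables -A FORWARD -i $EXT_IF -s $ALLOWED_PEERS -d $PPTP_SERVER -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -s $ALLOWED_PEERS -d $PPTP_SERVER -p 47 -j ACCEPT
# replies from the server: conntrack undoes the DNAT, so no SNAT/MASQUERADE rule is needed here
iptables -A FORWARD -o $EXT_IF -s $PPTP_SERVER -d $ALLOWED_PEERS -p tcp --sport 1723 -j ACCEPT
iptables -A FORWARD -o $EXT_IF -s $PPTP_SERVER -d $ALLOWED_PEERS -p 47 -j ACCEPT
EOF
}

# Number of iptables rules the function emits; after applying,
# 'iptables -t nat -L PREROUTING -n' should show the two DNAT lines and
# 'iptables -L FORWARD -n' the four ACCEPT lines.
pptp_rule_count() {
    pptp_forward_rules | grep -c '^iptables'
}

# Execute the printed commands; needs root and a 2.4 kernel with iptables.
apply_pptp_forwarding() {
    pptp_forward_rules | sh -e
}

case "${1:-print}" in
    apply) apply_pptp_forwarding ;;
    *)     pptp_forward_rules ;;
esac
```

Two points worth knowing before relying on this: GRE carries no port numbers, so `-p 47` (or `-p gre` where /etc/protocols knows the name) is all there is to match on, and one DNAT target serves several external clients because the connection tracker keys the GRE flows on the address pair. Since the control port is then reachable from the whole Internet by default, set ALLOWED_PEERS to the client addresses whenever they are fixed.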