IPChains and Firewalling
Vertigo1 asks:  
"I have a Cable Modem with RoadRunner. I have a Dual
Pentium 200 machine (w/two NIC's), running Red Hat 6.0
w/the latest errata updates. I am going to setup a firewall
w/ipchains. I have a Citrix (ie Terminal Server) behind
the firewall I want to connect to from the Internet and an
FTP server also. How do I set up IPChains to forward to
the Citrix server (which uses tcp port 1494) and then to
an internal FTP server (tcp port 21 and ftp-data). I
understand how ipchains works and have read thoroughly the
IPChains-HOWTO, but I still cannot connect to the
Citrix server from the Internet. Please help!" This is
a common misconception. IPChains are good for configuring
what gets in and out of your network on a packet level, but
this is a redirection problem. Anyone know where
you can find a good port redirection program on the 'net?
I had been trying to bash this problem out for months using ipchains/portfw/ipmasqadm (sp?) with little success....I assumed my failure was because I only had 1 nic and portfw and ipmasqadm did not account for ip aliasing...However I just read this tidbit on "redir" and WOW it worked simple as that...For my test example I set up port 60170 on my linux box to listen to port 80 (xitami web server) on a local NT client box and redir worked great.....Kudos goes out to Sammy and the rest of the people who created this little marvel....
D Thomas.
One problem i had with ipchains, was the documentation. (IMHO) The official how-to is geared for people who have previously used IPFWADM.
I resorted to trial and error and finally got what i needed from it.
How about a how-to that has less emphasis on the differences between the 2 and just has information regarding IPCHAINS.
Just head on over to Everything Linux - there's a nice and simple HOWTO on setting up IP masquerading. May be of help to people here.
but Vertigol can search for this package on (for example) http://rufus.w3.org/linux/RPM/.
hany
There's a VERY simple program, called tcpbridge (do a websearch on tcpbridge.c), which does simple forwarding of TCP/IP sockets. It has a few problems, though; for example, under certain circumstances (such as a socket unexpectedly closing or whatever), it goes into a CPU-thrashing state. Also, it has no logging facilities, and any connection will look like it came from the bridge box (this actually caused me some grief, when someone caused some general mischief and I had no idea where it came from). Something at the protocol/packet level would be much nicer than such an inelegant solution.
Now, I have seen references to IPchains being used for forwarding, but they didn't go into detail and so I don't know if they're just spread misconceptions (which I am guilty of perpetrating, myself, as is anyone else who reads too much into the description of IPchains).
---
"'Is not a quine' is not a quine" is a quine.
Quine "quine?
yeah, check the above threads. redir kicks arse. i spent like three hours trying to read the "english" docs to ipmasqadm and dorking around with ipportfw, found redir and had an Exchange box doing SMTP and POP behind a Linux firewall in all of 20 minutes.
follow the path of least resistance, grasshoppah...
I have used redir and it works well..
Pretty simple to configure, here's a sample line:
$redir --bind_addr=$myip --laddr=$myip --lport=2346 --caddr 192.168.2.4 --cport=2346 --transproxy 2>> /var/log/redir.log &
$redir = variable I set for my redir binary (/usr/local/sbin/redir)
$myip = My external IP
I redirect stderr to a log to find out if things are funky and then send it to the background.
This particular redirect of port 2346 is for a game that I play (rainbow 6) so I can host games from my workstation inside the firewall.
I'm assuming your IPChains is configured to let the allowed port in. Here's my IP chain line to let the allowed port in:
$ipchains -A eth0-in -p TCP -s 0.0.0.0/0 -d $myip 1024:5999 -j ACCEPT
I basically accept most traffic at unprivileged ports. Again myip = my external nic. $ipchains is my ip chains binary.
Most of my rules I got from the IPChains-HOWTO examples. I modified from there..
-Booya "No Try Not. Do or do not, there is no try." -Yoda
I spent weeks dinking around with ipmasqadm and never got it to do anything I wanted. Redir fixed the problem in about 15 minutes. Sometimes I guess simplicity wins...
i have an old machine connected to my cablemodem and this old machine isn't powerful enough to handle internet services then i set up another box (192.168.0.250) to handle web traffic. i once used "redir" but all connections appeared to come from the firewalling machine and no logging was correct. i then found "ipmasqadm portfw" and re-compiled my kernel with port forwarding enabled. it all works grrrrreat!
:-)
the command i'm using in my init script is:
ipmasqadm portfw -a -P tcp -L YOUR.EXTERNAL.IP.ADDRESS 80 -R 192.168.0.250 80
excuse my bad english... i'm just trying to help!
ipmasqadm portfw -a -P tcp -L 47624 -R 192.168.0.3 47624
Try changing it to the following (in my scripts, I source /etc/dhcpc/hostinfo-eth0 to get the local IP, so it looks like this):
. /etc/dhcpc/hostinfo-eth0
ipmasqadm portfw -a -P tcp -L $IPADDR 47624 -R 192.168.0.3 47624
Good luck.
I cannot see the problem and why you should need any other software than ipchains. Enabling masquerading would solve half the problem like wham... ("ipchains -A forward -j MASQ") Then, still using ipchains, redirect connections on certain ports to certain machines. I don't remember exactly, but something like "ipchains -A forward -p 80 -d 10.0.0.1/255.255.255.0 -j MASQ" would forward port 80 to 10.0.0.1...
Tedd Hansen [Weathros@IRC.Undernet] Networking / Programming ChristianiaNett AS Mobile: (+47) 92 02 83 55 FAX: (+4
The 2.2.x Linux Kernel series has a networking option called "PORTFW" (in Networking, just below the masquerading drivers, I believe). That, coupled with the ipmasqadm utility, allows you to redirect ports to other machines from the kernel level.
PORTFW needs to be compiled into your kernel, and may still be listed as experimental (it does work, though). With that done, just grab ipmasqadm (probably comes with RH 6.0) and use:
"ipmasqadm portfw --help" for usage.
Cheers,
-Irian
something like
"ipchains -A forward -p 80 -d 10.0.0.1/255.255.255.0 -j MASQ" would forward port 80 to 10.0.0.1
I don't think that will work...
According to the ipchains man page, that command will masquerade all traffic destined to 10.0.0.x using protocol 80 (unknown protocol, my /etc/services goes from AH (51) to OSPF(89)..) since ipchains only works with TCP(6), UDP(17), and ICMP(1), my guess is that the command would error out.
In any case, ipchains won't do what you're trying here... some sort of redirection program is necessary.
try loading module ip_masq_ftp
cheers
vanne
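Putting the pieces from this thread together (the ipmasqadm portfw form that needs an address for -L, the ipchains ACCEPT rule for the forwarded port, and the ip_masq_ftp module), here is an added example script that is not from any poster in the thread. It assumes a 2.2 kernel built with PORTFW and ipmasqadm installed; the internal hosts 192.168.1.10 and 192.168.1.20 are constructed values, and with DRY_RUN=1 (the default) it only prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from any poster in this thread. DRY_RUN=1 (default)
# prints the rules; DRY_RUN=0, run as root on a 2.2 kernel with PORTFW and
# ipmasqadm, applies them. Covers the original question: Citrix on tcp/1494
# and FTP on tcp/21 behind the ipchains box. Internal hosts 192.168.1.10 and
# 192.168.1.20 are constructed; external IP is $1 or /etc/dhcpc/hostinfo-eth0.

DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted quad with four octets in 0..255.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# portfw_rule EXTIP PORT INTIP: accept the port on the external address in
# the input chain, then hand it to the kernel port forwarder. -L needs an
# address and a port; "-L 47624" alone is the form that fails with
# "portfw: setsockopt failed: Invalid argument" in the thread.
portfw_rule() {
  ext=$1; port=$2; int=$3
  is_ipv4 "$ext" || { echo "portfw_rule: -L needs an IP, got '$ext'" >&2; return 1; }
  is_ipv4 "$int" || { echo "portfw_rule: -R needs an IP, got '$int'" >&2; return 1; }
  run ipchains -A input -p tcp -s 0.0.0.0/0 -d "$ext" "$port" -j ACCEPT
  run ipmasqadm portfw -a -P tcp -L "$ext" "$port" -R "$int" "$port"
}

firewall_rules() {
  run ipchains -A forward -s 192.168.1.0/24 -j MASQ  # let the LAN out
  run modprobe ip_masq_ftp           # masquerading helper for FTP data
  portfw_rule "$1" 1494 192.168.1.10 # Citrix / Terminal Server
  portfw_rule "$1" 21 192.168.1.20   # FTP control channel
}

if [ $# -gt 0 ]; then firewall_rules "$1"
elif [ -r /etc/dhcpc/hostinfo-eth0 ]; then . /etc/dhcpc/hostinfo-eth0; firewall_rules "$IPADDR"; fi
```

Run it as `sh portfw.sh 203.0.113.5` to see the generated rules, and with `DRY_RUN=0` only once the printed lines look right for your addresses.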
I haven't used it personally, but I've heard good things about redir.
Check it out here.
"You can never have too many elephants on your team."
Thank Ghu! I'm using a linux 2.2.5 box (debian) to route my cablemodem as well, and would *like* to play a game or two on the internet. (Yes, compiled with proper options. Nutscrape, Quake, and Roger-Wilco all work fine, ICQ *mostly* works)
Checking documentation for the apps in question, I get these answers : 'open port 47624' and 'open ports 2000-2020'
OK. Hmm, neat. The HOWTOs are all about 2.0.x, ipchains documentation seems kinda minimal.
I *have* located the ipmasqadm utility and installed it. Trying to *use* it however...
ipmasqadm portfw -a -P tcp -L 47624 -R 192.168.0.3 47624
...which seems to be the apropos cmdline (off of the top of my head anyway, it's been a few days) throws an error message and dies.
Who has gotten this to work, or is there something better than ipmasqadm?
AdvTHANKSance
----
It is often easier to gain forgiveness than permission
portfw: setsockopt failed: Invalid argument
Why do I suspect this has not so much to do with the command line as a misconfiguration elsewhere?
----
It is often easier to gain forgiveness than permission
I don't firewall with my RH 6.0 box, but I do use it to give internet access to some Macs on my LAN.
I have a DSL connection to a static IP address, which is the RH 6.0 box, with a second NIC setup for LAN. On the LAN email clients, web browsing, telnet, and ftp to the RH 6.0 box work, but ftping to outside ftp servers results in bad port errors.
Any clues, ipchains and IP masquerading seem to be set up to