Slashdot Mirror


IPChains and Firewalling

Vertigo1 asks: "I have a Cable Modem with RoadRunner. I have a Dual Pentium 200 machine (w/two NICs), running Red Hat 6.0 w/the latest errata updates. I am going to set up a firewall w/ipchains. I have a Citrix (i.e. Terminal Server) behind the firewall I want to connect to from the Internet, and an FTP server also. How do I set up IPChains to forward to the Citrix server (which uses tcp port 1494) and then to an internal FTP server (tcp port 21 and ftp-data)? I understand how ipchains works and have read thoroughly the IPChains-HOWTO, but I still cannot connect to the Citrix server from the Internet. Please help!" This is a common misconception. IPChains is good for configuring what gets in and out of your network on a packet level, but this is a redirection problem. Anyone know where you can find a good port redirection program on the 'net?

2 of 20 comments

  1. Re:redir will CHANGE YOUR LIFE by Chase · · Score: 2
    I wonder if it's possible to use redir with TCPWrappers. Generally you still want to control who is allowed to connect to your system.

    I use a 2.0.36 Linux box that acts as a firewall and IPMasq (NAT) router. In order to play any cool game that requires a connection be made from the game server back to the client (StarCraft etc) I have to create a port forward using `ipautofw`.

    Example of my IPMasq and forwarding setup (2.0.x kernel tools: ipfwadm for the firewall/masquerading rules, ipautofw for the port forward):

    # Default forwarding policy: deny everything that is not explicitly allowed
    /sbin/ipfwadm -F -p deny
    # Permit IP masquerading for the 192.168.1.* network (LAN -> anywhere)
    /sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
    # Set up auto forward for StarCraft: inbound tcp/udp 6112 goes to the game client
    ipautofw -A -r tcp 6112 6112 -h 192.168.1.12
    ipautofw -A -r udp 6112 6112 -h 192.168.1.12

    ipautofw options used above:
    -A (add)
    -r tcp 6112 6112 (using PROTOCOL forward ports LOW to HIGH)
    -h 192.168.1.12 (Host to receive forwarded packets)

    I have also used redir, which is extremely easy to set up on any Linux machine. I don't think it requires any special kernel mods.

    Also consider checking out the Linux Router Project. You can download a 1440Kb disk image that contains a complete Linux system already set up with everything you need sans redir. If you compile redir and copy it to the disk, you can mount the disk and back up the root.lrp with redir included. LRP will save you a lot of time in building out your own NAT router. It's a really cool tool!

    Chase

    --
    -==-
  2. Kernel PortFW by Iriantuu · · Score: 2

    The 2.2.x Linux Kernel series has a networking option called "PORTFW" (in Networking, just below the masquerading drivers, I believe). That, coupled with the ipmasqadm utility, allows you to redirect ports to other machines from the kernel level.

    PORTFW needs to be compiled into your kernel, and may still be listed as experimental (it does work, though). With that done, just grab ipmasqadm (probably comes with RH 6.0) and run "ipmasqadm portfw --help" for usage.

    Cheers,
    -Irian
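Putting the two pieces together for the original question, here is an added example script (not from either comment or from the ipchains/ipmasqadm projects) that builds a 2.2-kernel ruleset: a default-deny ipchains input chain, masquerading for the LAN, and ipmasqadm portfw entries sending tcp/1494 to the Citrix host and tcp/21 to the FTP host. The interface name, public address, LAN prefix and internal host addresses are constructed placeholders. It prints the commands by default and only executes them when run with APPLY=1, so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example: ipchains + ipmasqadm portfw ruleset for "forward tcp/1494 and
# tcp/21 from the Internet to internal hosts" on a 2.2 kernel with PORTFW.
# All addresses below are constructed placeholders (assumptions), not values
# from the thread.

EXT_IF=eth0                 # assumed: NIC facing the cable modem
EXT_IP=203.0.113.10         # assumed: public address of the firewall
LAN_NET=192.168.1.0/24      # assumed: internal network
CITRIX_HOST=192.168.1.20    # assumed: internal Citrix/Terminal Server (tcp/1494)
FTP_HOST=192.168.1.21       # assumed: internal FTP server (tcp/21)

# Dry-run by default: print each command. APPLY=1 executes it instead.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

# Forward one TCP port on the public address to an internal host with
# ipmasqadm portfw, and open that port on the outside interface. ipchains
# is stateless, so the inbound rule has to name the port explicitly.
portfw_tcp() {
    port=$1; host=$2
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$port" -R "$host" "$port"
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$port" -j ACCEPT
}

# Build the whole ruleset: flush, default deny, masquerade, then the two
# forwarded services. Only what is listed here is reachable from outside.
build_rules() {
    run ipchains -F
    run ipmasqadm portfw -f
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT
    # Loopback and the LAN side of the box are trusted.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i ! "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    # Anti-spoofing: the LAN prefix must never arrive on the outside interface.
    run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
    # Replies to masqueraded connections arrive on the kernel's masq port range.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 61000:65096 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 61000:65096 -j ACCEPT
    # Outbound traffic from the LAN is masqueraded behind EXT_IP.
    run ipchains -A forward -s "$LAN_NET" -j MASQ
    # The two inbound services from the question.
    portfw_tcp 1494 "$CITRIX_HOST"
    portfw_tcp 21 "$FTP_HOST"
    # Active-mode FTP data connections originate from the server (port 20) and
    # are just masqueraded outbound; passive mode would need a forwarded range.
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

# Sanity check: how many ACCEPT rules face the Internet? Expect exactly the
# two forwarded ports plus the tcp and udp masquerade reply ranges.
count_ext_accepts() {
    build_rules | grep -c -- "-A input -i $EXT_IF .* -j ACCEPT"
}

build_rules
```

Run it once without APPLY to read the generated rules, then `APPLY=1 sh script.sh` as root to load them. The count_ext_accepts helper is the kind of check worth keeping around: if that number grows beyond the services you meant to publish, something was added to the input chain that should not have been.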