Slashdot Mirror


Red Hat and Broken IPMasquerading

The-Pheon asks "Ok. I've read the FAQs, scoured the Linux newsgroups searching for information about ipmasqadm and I still can't get simple port forwarding to work on RedHat6. Any suggestions are greatly appreciated. The scenario: Standard Red Hat 6.0, Kernel 2.2.12, and ipchains-1.3.8. External is ip_aliased with a legal dns address, Internal is a single reserved address and network, IP masquerading is configured and working for internal -> external connections. This seems like it should be simple. To forward a simple telnet I use: /sbin/modprobe ip_masq_portfw; /usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 23 -R 192.168.1.12 23 The result: A telnet session to x.x.x.x (from a completely outside source) just hangs. Closer investigation shows that port forward is working -- sort of."

"I use the following:

/sbin/ipchains -P forward DENY and then

/sbin/ipchains -A forward -s 192.168.32.0/24 -d 0.0.0.0/0 -j MASQ

IP forwarding is enabled in /proc/sys/net/ipv4/ip_forward

The kernel and modules have been rebuilt with all the relevant options set.

The netstat output of 192.168.1.12 shows a SYN_RECV connection from the remote address. Also, netstat -M on masquerading Linux box shows a correct entry for the translation. Nevertheless, the conversation is never completed and the session just hangs. I've also tried adding several ipchains, in particular:

ipchains -I forward -p tcp -s 192.168.32.20/32 23 -j MASQ

-- with no luck.

Is this just a fluke in RedHat? Has anyone else ever successfully gotten ipmasqadm and portfw working with Red Hat? "

3 of 16 comments

  1. port forwarding by blahtree · Score: 2
    When I set up my network, I decided to upgrade to the 2.2 kernel because the firewall code had been re-written. Unfortunately, I found that this meant that there was a short supply of documentation.

    I had the same experience as you. Masquerading worked great. But no matter what I did, I couldn't get port forwarding to work. I recompiled, recompiled, and recompiled...to no avail. I tried using portfw, but no luck. I eventually gave up, since it wasn't all that important to me anyways. There are a number of forwarding utils that other people have written though. One such util is called redir...you should be able to find it on freshmeat.

    This site was also very helpful for getting masquerading to work with misbehaving programs.

    Good luck!

  2. Simple firewall script to try... by mindslip · Score: 2

    This is what I use in /etc/rc.d/init.d, called "firewall". Don't forget to chmod u+x it.

    I've got it set to come up right after "network" is brought up. This leaves a micro-smidgon of time where the network is unfirewalled, but lets me make sure I have my DHCP address set right. If you're all static, you can (and should) put it up before "network".

    Basically, it assumes your external is DHCP (as is the case with my cablemodem), and is eth0.

    Internal is set as eth1, 192.168.0.0/24. Change these as necessary.

    There are some example forwarders near the end of the script.

    BTW, any hints on strengthening this would be great!

    Enjoy!

    mindslip


    #!/bin/sh
    #
    #
    # FORTRESS
    # Masquerade and Firewall loading script
    #
    #
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
    export PATH
    #
    # Turn on IP Forwarding
    #
    echo "1" > /proc/sys/net/ipv4/ip_forward
    #
    # Turn on DHCP dynamic variable
    #
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    #
    # Find out our cablemodem's address
    #
    DHCPIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
    #
    # Load some generic masquerading modules
    #
    /sbin/depmod -a
    /sbin/modprobe ip_masq_portfw
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio
    /sbin/modprobe ip_masq_irc
    /sbin/modprobe ip_masq_mfw
    /sbin/modprobe ip_masq_user
    #
    #
    # Set the firewall rules
    #
    # Incoming: Flush and set default policy of "deny all"
    #
    ipmasqadm mfw -F
    ipchains -F input
    ipchains -P input DENY
    #
    # Internal network: Going anywhere is ok
    #
    ipchains -A input -j ACCEPT -i eth1 -s 192.168.0.0/24 -d 0.0.0.0/0
    #
    # Remote int., claiming to be a local machine, IP spoofs, etc: deny/log
    #
    ipchains -A input -j DENY -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0 -l
    #
    # Remote interface, any source, going to cablemodem's nic, permit
    #
    ipchains -A input -j ACCEPT -i eth0 -s 0.0.0.0/0 -d $DHCPIP
    #
    # Loopback (127.0.0.1/localhost): permit
    #
    ipchains -A input -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
    #
    # Catch-all, denying everything else and logging
    #
    ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
    #
    #
    # Outgoing: flush and set default policy of "deny all"
    #
    ipchains -F output
    ipchains -P output DENY
    #
    # Internal network: anything local is ok
    #
    ipchains -A output -j ACCEPT -i eth1 -s 0.0.0.0/0 -d 192.168.0.0/24
    #
    # Outgoing to local net on cablemodem's nic, stuffed routing, etc, deny/log
    #
    ipchains -A output -j DENY -i eth0 -s 0.0.0.0/0 -d 192.168.0.0/24 -l
    #
    # Outgoing from local net on cablemodem's nic, stuffed masquerading, etc, deny/log
    #
    ipchains -A output -j DENY -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0 -l
    #
    # Anything else outgoing on cablemodem's nic is valid
    #
    ipchains -A output -j ACCEPT -i eth0 -s $DHCPIP -d 0.0.0.0/0
    #
    # Loopback/localhost outbound is valid
    #
    ipchains -A output -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
    #
    # Anything else is denied and logged
    #
    ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
    #
    #
    # Forwarding: Flush and set default policy of deny
    #
    ipchains -F forward
    ipchains -P forward DENY
    #
    # Masquerade from local net on local nic to anywhere
    #
    ipchains -A forward -j MASQ -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0
    #
    #
    # Catch-all deny and log
    #
    ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
    #
    #
    # Specific application examples...
    #
    # Forward web stuff on 80 to another computer
    #
    #ipmasqadm portfw -a -P tcp -L $DHCPIP 80 -R 192.168.0.100 80
    #
    # Forward talk to another computer
    #
    ipmasqadm portfw -a -P udp -L $DHCPIP 517 -R 192.168.0.100 517
    ipmasqadm portfw -a -P udp -L $DHCPIP 518 -R 192.168.0.100 518
    #
    # Forward FTP to a machine
    #
    #ipmasqadm portfw -a -P tcp -L $DHCPIP 21 -R 192.168.0.100 21
    #
    # Forward Telnet to a machine
    #
    #ipmasqadm portfw -a -P tcp -L $DHCPIP 23 -R 192.168.0.100 26
    #

  3. I got it working on RH 6. by irix · Score: 2

    I have a RH 6 based firewall using port forwarding (forwarding port 80 for some stuff).

    I used:

    /sbin/ipchains -I forward -p tcp -s server_ip/32 80 -j MASQ

    /sbin/ipchains -P forward DENY

    /sbin/ipchains -A forward -s localnet/24 -j MASQ

    ipmasqadm portfw -a -P tcp -L external_ip 80 -R internal_ip 80

    replace server_ip, localnet, external_ip and internal_ip as appropriate. Also change 80 to whatever port you are using.

    You would obviously want some other rules to improve security, but that should get you started.

    --

    Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
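The first rule in irix's post is the one to check when a forwarded connection sits in SYN_RECV the way The-Pheon describes: with 2.2 masquerading, the internal server's replies go back out through the forward chain and have to hit a MASQ target to be translated back to the external address. If the forward policy is DENY and no MASQ rule's source network contains the server (the asker's MASQ rule covers 192.168.32.0/24 while the portfw target is 192.168.1.12), the replies are dropped and the client hangs. The following script is an added example, not code from any of the posts above. It checks offline whether a portfw target lies inside the source network of some MASQ rule, reading the column layout of `ipchains -L forward -n` as shown in the constructed sample text; the function names (in_net, masq_covers, portfw_reply_path, portfw_rules) and the sample chain listings are ours, and addresses are assumed to be well-formed dotted quads.

```shell
#!/bin/sh
# Added example (not from the original posts): does the host in
#   ipmasqadm portfw -a -P tcp -L EXT PORT -R HOST PORT
# fall inside a MASQ rule's source network in the forward chain?
# Runs without ipchains; feed it saved "ipchains -L forward -n" output.

ip2int() {
  # dotted quad -> 32-bit integer (assumes a well-formed a.b.c.d)
  a=${1%%.*}; r=${1#*.}
  b=${r%%.*}; r=${r#*.}
  c=${r%%.*}; d=${r#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_net() {
  # in_net ADDR NET[/PREFIX] -> exit 0 if ADDR lies inside NET/PREFIX
  addr=$(ip2int "$1")
  net=${2%/*}
  plen=${2#*/}
  if [ "$plen" = "$2" ]; then plen=32; fi     # bare address means /32
  netint=$(ip2int "$net")
  if [ "$plen" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  fi
  [ $(( addr & mask )) -eq $(( netint & mask )) ]
}

masq_covers() {
  # masq_covers ADDR  (chain listing on stdin)
  # exit 0 if some MASQ rule's source network contains ADDR.
  # Assumed column layout: target prot opt source destination ports
  found=1
  while read -r target prot opt source dest rest; do
    [ "$target" = "MASQ" ] || continue
    if in_net "$1" "$source"; then
      found=0
    fi
  done
  return $found
}

portfw_reply_path() {
  # portfw_reply_path INTERNAL_HOST CHAIN_TEXT -> "ok" or "unmasqueraded"
  if printf '%s\n' "$2" | masq_covers "$1"; then
    echo ok
  else
    echo unmasqueraded
  fi
}

portfw_rules() {
  # portfw_rules EXT_IP INT_IP PORT -> the per-host MASQ rule plus the
  # portfw entry for one TCP port (the pair irix's post uses)
  printf 'ipchains -I forward -p tcp -s %s/32 %s -j MASQ\n' "$2" "$3"
  printf 'ipmasqadm portfw -a -P tcp -L %s %s -R %s %s\n' "$1" "$3" "$2" "$3"
}

# Constructed sample listings (format of "ipchains -L forward -n").
# The asker's chain: only 192.168.32.0/24 is masqueraded.
ASKER_CHAIN='Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.32.0/24       0.0.0.0/0             n/a'

# The same chain after adding irix's per-host rule for the telnet server.
FIXED_CHAIN='Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       tcp  ------  192.168.1.12/32       0.0.0.0/0             23 -> *
MASQ       all  ------  192.168.32.0/24       0.0.0.0/0             n/a'

# Demo: the portfw target is 192.168.1.12 in both cases.
echo "asker's chain: $(portfw_reply_path 192.168.1.12 "$ASKER_CHAIN")"
echo "with irix's rule: $(portfw_reply_path 192.168.1.12 "$FIXED_CHAIN")"
echo "rules to add:"
portfw_rules x.x.x.x 192.168.1.12 23
```

On a live box, replace the sample text with `ipchains -L forward -n | portfw_reply_path`-style input (for instance `ipchains -L forward -n | masq_covers 192.168.1.12 && echo ok`) and run it for each `-R` host you forward to; a result of "unmasqueraded" means the reply path is blocked by the forward policy regardless of what `netstat -M` shows.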