Re: Port forwarding - Aaarghh!!

To: Marcin Owsiany <porridge@lo4.ids.bielsko.pl>
Cc: debian-firewall@lists.debian.org, recipient list not shown: ;
Subject: Re: Port forwarding - Aaarghh!!
From: ^chewie <chewie@nerp.net>
Date: Wed, 30 Jun 1999 15:34:09 -0500 (CDT)
Message-id: <[🔎] Pine.LNX.4.10.9906301501070.25313-100000@chef.nerp.net>
In-reply-to: <[🔎] 19990630215141.A2272@lo4.ivlo>

On Wed, 30 Jun 1999, Marcin Owsiany wrote:

> My ipchains rules are now almost empty, there is _NO_ DENY or
> REJECT in the chains. Port forwarding from local host to remote
> still does not work! (of course everything is OK if you connect by
> port 8888 from a host diffirent than the firewall)
> 
> So my question is:  has anyone succeeded in such setup before? Or
> is it just impossible under Linux?

Hello, Marcin.  Not sure if I replied to this dilema of yours yet or
not, however, it looks to me that you're using ipmasqadm in the wrong
way.  "ipmasqadm portfw" is most often used to allow connections from
outside of your firewall to a server inside.  In fact, I use it for
that very reason here at work.  When people send us email, they send
to mail.ltiflex.com.  However, they are actually sending the mail to
my firewall server on port 25.  "Ipmasqadm portfw" then forwards it to
the server behind the firewall.

I know that trying to connect to the external interface port from
inside the firewall does not work.  To test this, try telneting to the
external interface port.  It simply doesn't answer.  However, when I
telnet out to a remote server and back in to the external interface,
it forwards the port correctly.  Strange, but that's how it works.

It looks like what you're trying to do is redirect outgoing web
traffic to a web proxy server.  What you may need to do is an ipchains
rule that redirects outgoing traffice destined to port 80 of the
external network to a local port.  Then, try to use the program called
"transproxy" to forward traffic from that local port to the proxy
server. I haven't implemented it's use here yet, but I'm going
to look into it.  (I can't play around w/the firewall rules on the
server during business hours, so I can't help work out the problem or
test some of my theories. *shrug*)

Where ipmasqadm and ipmasquerading lacks, perhaps the NAT project
would fit the bill.  Do a search on google for "ipnatadm".

^chewie

http://nerp.net/~chewie  <<--- Check it out!  I'm selling my truck!

Reply to:

References:
- Port forwarding - Aaarghh!!
  - From: Marcin Owsiany <porridge@lo4.ids.bielsko.pl>

Prev by Date: Port forwarding - Aaarghh!!
Next by Date: port redirection
Previous by thread: Port forwarding - Aaarghh!!
Next by thread: port redirection
Index(es):
- Date
- Thread