
Re: Exposed Host



On 2002.01.06 00:34 njacobs@yahoo.com wrote:
> Hi Chad,
> I'm not sure I've completely understood your question,
> but I assume you want your firewall to do
> masquerading for some of the machines on your LAN, 
> and not for others.
> 

I already have masquerading working fine. My current setup is like this:

    Internet
        |
    eth0 = 1.2.3.4
    eth0:1 = 1.2.3.5
    Gateway
    eth1 = 192.168.0.1
        |
    Internal Network
    192.168.0.21
    192.168.0.22
    192.168.0.23
    ...

Also, a couple of ports on 1.2.3.4 are already being forwarded to
192.168.0.21 using ipmasqadm portfw,
like ipmasqadm portfw -P tcp -L 1.2.3.4 80 -R 192.168.0.21 80

Now, what I would like to do is forward ALL traffic from 1.2.3.5 to
192.168.0.22 with something like
ipmasqadm portfw -P tcp -L 1.2.3.5 * -R 192.168.0.22 * which doesn't work.
I've looked into a few of the port forwarding tools in the IP Masquerading
howto but they all seem to only allow forwarding of individual ports and
not blanket forwarding of all ports.

Also, it isn't practical to connect to a hub on the public network and have
it use a 1.2.3.* address directly.

Chad


> The line in your firewall script that specifies
> masquerading will be something like:
> ipchains -A forward -s 192.168.1.0/24 -j MASQ
> 
> This tells your Linux kernel to masquerade all
> your IP addresses in the range 192.168.1.xxx.
> This is one of the IP address ranges that is
> reserved for local use, i.e. not visible to
> the world outside your LAN. If one of your
> tenants has a public IP address it will not
> be in this range and will therefore not be
> masqueraded.
> In other words, if your system is set up in a
> normal way, you need do nothing to your
> masquerading. You still need to add lines
> to your script to forward packets from outside
> to your tenant's IP address, of course. 
> 
> I hope this helps.
> Nick
> --- Chad Morgan <chad@chadmorgan.com> wrote:
> > I have a box with a 2.2.17 kernel doing ip masquerading.
> > I've figured out
> > how to forward individual ports of the external address to
> > individual ports
> > on an internal address but how can I forward all traffic
> > on all ports from
> > the external address to one of the internal addresses?
> > 
> > I know this isn't very secure, but I'm not very concerned
> > about security
> > because it isn't our responsibility in this case. We
> > manage a small office
> > building of executive suites and provide high speed
> > internet for our
> > tenants on the DSL line. One of our tenants would like a
> > public address. In
> > this case it is his responsibility to secure his system.
> > Could there be a risk to some of the other tenants by a
> > cracker getting
> > access to their systems through the host that has all
> > traffic forwarded to
> > it? But, I guess if there was they don't really
> > understand the difference
> > between private and public ip addresses and should
> > consider themselves
> > exposed anyway and security is again their responsibility
> > since we haven't
> > made any guarantees about their security.
> > 
> > Anyway, if this is possible using ipmasqadm or if someone
> > has a better
> > idea, I'd appreciate some advice.
> > 
> > Thanks
> > 
> > Chad Morgan
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to
> > debian-firewall-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> > 
> 
> 
> 

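As an added example (not from any message in this thread), a dry-run script that emits the gateway rules for the setup in Chad's diagram: the thread's ipchains MASQ rule and ipmasqadm portfw per-port forwards for 1.2.3.4, and, as a swapped-in technique the 2.2 kernel discussed here does not have, iptables DNAT/SNAT (2.4+ kernels) for the all-ports mapping of 1.2.3.5 to 192.168.0.22. The interface names, the forwarded port list and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Gateway: eth0 = 1.2.3.4 (alias
# eth0:1 = 1.2.3.5), eth1 = 192.168.0.1 (assumed interface names).
# DRY_RUN=1 (the default here) prints the commands; DRY_RUN=0 executes them.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Masquerade the whole LAN, as in Nick's reply (2.2 kernel, ipchains).
masq_lan() {
    run ipchains -A forward -s 192.168.0.0/24 -j MASQ
}

# Per-port forwards with ipmasqadm portfw: one rule per port, which is all
# portfw can express. Usage: portfw_ports <external ip> <internal ip> <port>...
portfw_ports() {
    ext=$1; int=$2; shift 2
    for port in "$@"; do
        run ipmasqadm portfw -a -P tcp -L "$ext" "$port" -R "$int" "$port"
    done
}

# All-ports mapping of a public alias to one internal host (iptables, 2.4+):
# every packet arriving for $ext is rewritten to $int, and traffic leaving
# from $int is rewritten to $ext. Nothing is filtered, so $int is fully
# exposed. Because $int sits on the same eth1 segment as the other tenants,
# a compromise of it reaches them directly without crossing the gateway;
# only a separate segment (its own interface) for the exposed host prevents
# that, since FORWARD rules never see same-subnet traffic.
nat_one_to_one() {
    ext=$1; int=$2
    run iptables -t nat -A PREROUTING -i eth0 -d "$ext" -j DNAT --to-destination "$int"
    run iptables -t nat -A POSTROUTING -o eth0 -s "$int" -j SNAT --to-source "$ext"
}

gateway_rules() {
    masq_lan
    portfw_ports 1.2.3.4 192.168.0.21 80 443   # assumed port list
    nat_one_to_one 1.2.3.5 192.168.0.22
}

gateway_rules
```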

