
Re: Redirecting ports & DHCP Question



On Fri, Jun 06, 2003 at 11:15:15AM -0400, Matthew Kopishke wrote:
> Hello folks.
> 
> I have set up a bridging firewall using iptables (2.4.19) and have a 
> quick couple of questions.

I should say up front that I'm not experienced with bridging, and am 
coming to this with "I set up my cable line f/w"-type knowledge ... :-)

> Before I ask my questions I just feel the need to say that the bridging 
> and firewalling code (in this case I mean when the two are used 
> together) has matured quite nicely.  I set up a firewall a year or two 
> ago using 2.2.X/ipchains with brcfg, which at the time seemed a bit 
> like black magic. :)

I felt the same, about 2 years ago - isn't conntrack nice!

> Anyway, the first question is I have a Squid Proxy server running on 
> port 13001 doing some caching/filtering.  I was wondering, if it's 
> possible to just have my firewall redirect port 80 to port 13001?  It 
> seems possible, but browsing the man page I didn't find anything that 
> jumped out at me (well there was some NAT stuff, but this isn't a NAT).

Not NAT?  Sure it is!

Taking what you've said, to get your firewall to redirect port 80 *on 
the firewall* to port 13001 *on the firewall* you just use the REDIRECT 
target.

I don't think that this is what you mean, though.  You want all internal 
traffic *going* to port 80 on *any* machine to have to pass through port 
13001, don't you?

Well, first set up your proxy to work transparently.  Then take a look 
at http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html#toc6.2 - 
it should be the third example in that section that helps you out.  I've 
got another, slightly more expansive HOWTO on my machine at work which 
seems to have disappeared from the net at the moment which would help 
you out here.  If these few lines and links don't help then nudge me on 
Monday, and I'll take a look at the license on the document to see if I 
can mirror it here for you.

> The other question is one that I'm just having trouble tracking down 
> ports on.  We get our IPs via DHCP from a server outside our network 
> and therefore outside the firewall.  I can't seem to be able to open 
> up the holes I need to let the DHCP request/responses flow through.  
> What I have done is open up port 67 & 68 to 0/0, I think that's the 
> first part of the equation, but I'm not sure what the second is.  I'm 
> going to keep wading through the DHCP documentation, but if someone who 
> has been there and done that would be so kind...

Sorry - no help here.  I get my IP from the cable modem DHCP server, and 
having conntrack let everything ESTABLISHED,RELATED through both ways 
(and only letting internal clients set up NEW connections...) works 
fine.  I don't special-case it - perhaps conntrack is your friend here?

> Thanks,
> 
> Matt

HTH,
  jc
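As an added example (not part of the original exchange, and not Matt's or jc's configuration), here is a small POSIX-shell script that lays down the two pieces jc's reply points at: the REDIRECT rule that pulls internal clients' port-80 traffic into the Squid listener on port 13001, and the UDP 67/68 holes that conntrack cannot open on its own. Interface names (br0 for the bridge), the internal network (10.0.0.0/24) and the "ESTABLISHED,RELATED both ways, NEW only from inside" policy are assumptions for illustration; the example also assumes a bridge-nf style 2.4 bridging firewall where bridged frames traverse the FORWARD chain and `-i` names the bridge interface. By default it only prints the iptables commands; DRY_RUN=0 (or the `apply` argument, as root) runs them.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables rules for a 2.4
# bridging firewall that (1) transparently redirects internal port-80
# traffic to a local Squid on 13001 and (2) lets DHCP cross the bridge
# while everything else is gated by conntrack.
# All names/addresses below are assumptions for illustration.

BRIDGE_IF=${BRIDGE_IF:-br0}              # assumed bridge interface
INTERNAL_NET=${INTERNAL_NET:-10.0.0.0/24}  # assumed internal network
SQUID_PORT=${SQUID_PORT:-13001}
DRY_RUN=${DRY_RUN:-1}                    # 1 = print rules, 0 = apply them

# Print (dry run) or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Transparent proxy: intercept TCP/80 from internal clients as it crosses
# the bridge and hand it to Squid on the firewall itself.  Squid's own
# upstream fetches originate locally (OUTPUT chain), so they are not
# redirected and there is no loop.
proxy_redirect_rules() {
    ipt -t nat -A PREROUTING -i "$BRIDGE_IF" -s "$INTERNAL_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    # The redirected packets are now local, so INPUT must admit them.
    ipt -A INPUT -i "$BRIDGE_IF" -s "$INTERNAL_NET" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# DHCP across the bridge.  DISCOVER goes 0.0.0.0:68 -> 255.255.255.255:67
# and the OFFER/ACK usually comes back to 255.255.255.255:68, so conntrack
# never pairs the two as one connection: the reply shows up as NEW from the
# outside and a plain ESTABLISHED,RELATED policy drops it.  Both directions
# therefore need explicit rules (and 0.0.0.0 is not in INTERNAL_NET, so the
# "NEW from inside" rule below would not cover the request either).
dhcp_rules() {
    ipt -A FORWARD -p udp --sport 68 --dport 67 -j ACCEPT   # client -> server
    ipt -A FORWARD -p udp --sport 67 --dport 68 -j ACCEPT   # server -> client
}

# The conntrack policy jc describes: replies both ways, new connections
# only from the inside, everything else dropped.
conntrack_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s "$INTERNAL_NET" -m state --state NEW -j ACCEPT
}

# Emit the whole ruleset; the DHCP holes go in before the conntrack
# catch-all so the broadcast replies are matched first.
gen_ruleset() {
    proxy_redirect_rules
    dhcp_rules
    conntrack_rules
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
gen_ruleset
```

The firewall side is only half of the transparent-proxy setup: Squid also has to accept intercepted connections, which in Squid 2.6/3.0 means `http_port 13001 transparent` (Squid 3.1 and later spell it `http_port 13001 intercept`; Squid 2.5 and earlier used the `httpd_accel_*` directives jc's NAT-HOWTO link assumes). Without that, Squid sees a request line without a full URL and returns an error. Also note that the REDIRECT rule rewrites the destination to the address of the interface the packet arrived on, so the bridge interface needs an IP address for this to work.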