
ipchains and REDIRECT



Hi all, 

Ever since moving to the 2.2 kernels and switching to ipchains, I have
not been able to get redirection working right, and I'm hoping someone
can spot what I am doing wrong...

I have a gateway computer called sith, and two computers sitting
behind it named rankor and fig. The ppp0 line is [207.158.172.XXX],
and my goal is to expose the cvs server running on rankor to the world
through port forwarding. (rankor == 192.168.2.2)

sith's firewall rules script looks like this:

#!/bin/sh
export IPCHAINS=/sbin/ipchains
if [ -x $IPCHAINS ]; then
  # Flush current ruleset and apply our default policies
  $IPCHAINS -F input
  $IPCHAINS -F output
  $IPCHAINS -F forward
        
  # We start out promiscuous... probably should fix this
  $IPCHAINS -P output ACCEPT
  $IPCHAINS -P input ACCEPT
  $IPCHAINS -P forward REJECT

  # Setup masquerade - all traffic from 192.168.2.0 gets masq-forwarded.
  $IPCHAINS -A forward -p all -s 192.168.2.0/24 -j MASQ

  # Stop those evil hackers from seeing telnet passwords
  $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 telnet -j REJECT

  # I don't use NFS, you can be damned well sure I don't use this!
  $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 portmapper -j REJECT
  $IPCHAINS -A input -p udp -d 207.158.172.XXX/32 portmapper -j REJECT
  $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 nntp -j REJECT

# Punch port 2401 to Rankor's cvs pserver...
# $IPCHAINS -A input -b -p tcp -s 207.158.172.XXX/32 2401 -d
# 192.168.2.2/32 2401 -j REDIRECT
# $IPCHAINS -A input -b -p udp -s 207.158.172.XXX/32 2401 -d
# 192.168.2.2/32 2401 -j REDIRECT

  $IPCHAINS -A input -p tcp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT
  $IPCHAINS -A input -p udp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT
fi

I've tried both the commented out version, and the "live" redirects,
and neither seems to work.  When I run a program on sith's 2401 port,
it actually gets the hit (so it is falling through to the default
input rule).

Here is the networking portion of my kernel (2.2.12) .config file, in case I missed something
there...

CONFIG_PACKET=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_FIREWALL=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=m
CONFIG_IP_MASQUERADE_IPPORTFW=m
CONFIG_IP_MASQUERADE_MFW=m
CONFIG_IP_ROUTER=y
CONFIG_NET_IPIP=m
CONFIG_SYN_COOKIES=y
CONFIG_SKB_LARGE=y
CONFIG_IPV6=m
CONFIG_IPX=m
CONFIG_IPX_INTERN=y
CONFIG_SPX=m
CONFIG_ATALK=m


Thanks in advance for any help and/or pointers on firewalling better.
I searched the archive before posting, but for some reason the cgi_bin
script isn't working right and I can't access the articles which look
like they are related...so apologies if this is just another boring
rehash. =)

Thanks,

-Jonathan
-- 
jjlupa@jamdata.net
GPG public key available from http://www.jamdata.net/~jjlupa/gpg.asc
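Editor's note with an added example (not Jonathan's script and not part of the original post). The ipchains REDIRECT target does not forward to another host: it diverts a matching packet to a port on the firewall itself (transparent proxying, which is why CONFIG_IP_TRANSPARENT_PROXY is needed). Packets arriving from the Internet are addressed to the ppp0 address, so an input rule matching -d 192.168.2.2 never fires and the connection lands on sith's own port 2401, exactly the symptom described. In 2.2, forwarding a port to an internal host is done with ipmasqadm portfw (CONFIG_IP_MASQUERADE_IPPORTFW, built as a module in the posted .config). The script below restates the ruleset that way, with the default policy typo fixed, DENY instead of REJECT for probes from outside, and the MASQ rule limited to the external interface. It assumes ipmasqadm is at /sbin/ipmasqadm and that the portfw module is named ip_masq_portfw; 207.158.172.XXX is the post's placeholder and must be replaced. Without APPLY=1 it only prints the commands, so it can be reviewed before being run on the gateway.

```shell
#!/bin/sh
# Added example, not Jonathan's script: ipchains ruleset for sith with the
# cvs pserver on rankor reached via ipmasqadm portfw instead of REDIRECT.
# Assumptions: ipmasqadm lives in /sbin, the portfw module is ip_masq_portfw,
# and EXT_IP is a placeholder that must be replaced with the real ppp0 address.
# With APPLY unset the commands are only printed (dry run).

EXT_IF="ppp0"
EXT_IP="207.158.172.XXX"      # placeholder from the post, not a real address
LAN_NET="192.168.2.0/24"
CVS_HOST="192.168.2.2"        # rankor
CVS_PORT="2401"               # cvs pserver (TCP only, no UDP rule needed)

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
IPMASQADM="${IPMASQADM:-/sbin/ipmasqadm}"

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Block a service addressed to the gateway itself on the external interface.
# DENY drops silently; REJECT (as in the post) answers with an ICMP error.
deny_external() {
    run "$IPCHAINS" -A input -i "$EXT_IF" -p "$1" -d "$EXT_IP/32" "$2" -j DENY
}

# Forward EXT_IP:CVS_PORT to CVS_HOST:CVS_PORT. REDIRECT cannot do this: it
# only diverts a packet to a local port on the firewall (transparent proxy).
forward_port() {
    run "$IPMASQADM" portfw -a -P "$1" -L "$EXT_IP" "$CVS_PORT" -R "$CVS_HOST" "$CVS_PORT"
}

load_rules() {
    # Start from a clean slate: flush the chains and the portfw table.
    run "$IPCHAINS" -F input
    run "$IPCHAINS" -F output
    run "$IPCHAINS" -F forward
    run "$IPMASQADM" portfw -f

    # Default policies (the post's script has "ACCEP" on the output chain).
    run "$IPCHAINS" -P input ACCEPT
    run "$IPCHAINS" -P output ACCEPT
    run "$IPCHAINS" -P forward DENY

    # Masquerade the LAN, but only when leaving via ppp0 (-i on the forward
    # chain is the outgoing interface), so LAN-to-LAN traffic is not rewritten.
    run "$IPCHAINS" -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ

    # Services that must never be reachable from the outside.
    deny_external tcp telnet
    deny_external tcp portmapper
    deny_external udp portmapper
    deny_external tcp nntp

    # CONFIG_IP_MASQUERADE_IPPORTFW=m in the posted .config: load the module
    # (name assumed), then add the one forwarding entry for the cvs pserver.
    run modprobe ip_masq_portfw
    forward_port tcp
}

load_rules
```

Running it without APPLY prints the full command list; `ipmasqadm portfw -l` afterwards shows the forwarding entry once it has been applied for real. Note that the input chain still defaults to ACCEPT, as in the original script; the forwarded port only works because nothing in the input chain denies 2401 on ppp0.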
