
Re: ipchains and REDIRECT



Hi,
I just had to do the same thing as you and had no problems. I am using a
2.2 kernel w/ ipchains and had to forward port 80.

The IP Masquerade HOWTO was really helpful to me
(http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html). Chapter 6
explains exactly how to do port forwarding with 2.2 kernels
(http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-6.html#ss6.8).

To summarize what the howto says about port forwarding, it looks like
the commands to set up port forwarding have changed from 2.0 to 2.2, which
is probably your problem. You don't want to use the REDIRECT rule for
ipchains anymore, but a new tool called ipmasqadm to set up port
forwarding.

It looks like the command you would need is something like:
/usr/sbin/ipmasqadm portfw -a -P tcp -L 207.158.172.XXX 2401 -R 192.168.2.2 2401

I am just going off what I read just now in the howto and I really
haven't looked at the details of your message so this may not be the
only thing you need to do. I would definitely check out the howto for
yourself as it's a pretty good one.

Chris Schleifer

P.S. This uses IPPORTFW, which I have compiled into the kernel and you
have as a module; this may make a difference.



Jonathan Lupa wrote:
> 
> Hi all,
> 
> Ever since moving to the 2.2 kernels and switching to ipchains, I have
> not been able to get redirection working right, and I'm hoping someone
> can spot what I am doing wrong.
> 
> I have a gateway computer called sith, and two computers sitting
> behind it named rankor and fig. The ppp0 line is [207.158.172.XXX],
> and my goal is to expose the cvs server running on rankor to the world
> through port forwarding. (rankor == 192.168.2.2)
> 
> sith's firewall rules script looks like this:
> 
> #!/bin/sh
> export IPCHAINS=/sbin/ipchains
> if [ -x $IPCHAINS ]; then
>   # Flush current ruleset and apply our default policies
>   $IPCHAINS -F input
>   $IPCHAINS -F output
>   $IPCHAINS -F forward
> 
>   # We start out promiscuous... probably should fix this
>   $IPCHAINS -P output ACCEPT
>   $IPCHAINS -P input ACCEPT
>   $IPCHAINS -P forward REJECT
> 
>   # Setup masquerade - all traffic from 192.168.2.0 gets masq-forwarded.
>   $IPCHAINS -A forward -p all -s 192.168.2.0/24 -j MASQ
> 
>   # Stop those evil hackers from seeing telnet passwords
>   $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 telnet -j REJECT
> 
>   # I don't use NFS, you can be damned well sure I don't use this!
>   $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 portmapper -j REJECT
>   $IPCHAINS -A input -p udp -d 207.158.172.XXX/32 portmapper -j REJECT
>   $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 nntp -j REJECT
> 
> # Punch port 2401 to Rankor's cvs pserver...
> # $IPCHAINS -A input -b -p tcp -s 207.158.172.XXX/32 2401 -d
> # 192.168.2.2/32 2401 -j REDIRECT
> # $IPCHAINS -A input -b -p udp -s 207.158.172.XXX/32 2401 -d
> # 192.168.2.2/32 2401 -j REDIRECT
> 
>   $IPCHAINS -A input -p tcp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT
>   $IPCHAINS -A input -p udp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT
> fi
> 
> I've tried both the commented out version, and the "live" redirects,
> and neither seems to work.  When I run a program on sith's 2401 port,
> it actually gets the hit (so it is falling through to the default
> input rule).
> 
> Here are the networking portions of my kernel (2.2.12) .config file, in case I missed something
> there...
> 
> CONFIG_PACKET=y
> CONFIG_NETLINK=y
> CONFIG_RTNETLINK=y
> CONFIG_NETLINK_DEV=y
> CONFIG_FIREWALL=y
> CONFIG_FILTER=y
> CONFIG_UNIX=y
> CONFIG_INET=y
> CONFIG_IP_ADVANCED_ROUTER=y
> CONFIG_RTNETLINK=y
> CONFIG_NETLINK=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_IP_ROUTE_MULTIPATH=y
> CONFIG_IP_ROUTE_VERBOSE=y
> CONFIG_IP_ROUTE_NAT=y
> CONFIG_IP_FIREWALL=y
> CONFIG_IP_FIREWALL_NETLINK=y
> CONFIG_NETLINK_DEV=y
> CONFIG_IP_ALWAYS_DEFRAG=y
> CONFIG_IP_ROUTE_FWMARK=y
> CONFIG_IP_TRANSPARENT_PROXY=y
> CONFIG_IP_MASQUERADE=y
> CONFIG_IP_MASQUERADE_ICMP=y
> CONFIG_IP_MASQUERADE_MOD=y
> CONFIG_IP_MASQUERADE_IPAUTOFW=m
> CONFIG_IP_MASQUERADE_IPPORTFW=m
> CONFIG_IP_MASQUERADE_MFW=m
> CONFIG_IP_ROUTER=y
> CONFIG_NET_IPIP=m
> CONFIG_SYN_COOKIES=y
> CONFIG_SKB_LARGE=y
> CONFIG_IPV6=m
> CONFIG_IPX=m
> CONFIG_IPX_INTERN=y
> CONFIG_SPX=m
> CONFIG_ATALK=m
> 
> Thanks in advance for any help and/or pointers on firewalling better.
> I searched the archive before posting, but for some reason the cgi_bin
> script isn't working right and I can't access the articles which look
> like they are related...so apologies if this is just another boring
> rehash. =)
> 
> Thanks,
> 
> -Jonathan
> --
> jjlupa@jamdata.net
> GPG public key available from http://www.jamdata.net/~jjlupa/gpg.asc
> 
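The whole 2.2-kernel recipe from this thread in one script, as an added example (not the script from either message and not from the howto): ipchains REDIRECT can only steer a packet to a port on the firewall box itself, which is why a program listening on sith's 2401 gets the hits, while a mapping to another host needs ipmasqadm portfw. The script assumes the thread's addresses (external 207.158.172.XXX, which is masked in the original and stands in as a placeholder, internal cvs host 192.168.2.2), the paths /sbin/ipchains and /usr/sbin/ipmasqadm from the two messages, and that IPPORTFW built as a module (CONFIG_IP_MASQUERADE_IPPORTFW=m in the quoted .config) is loaded as ip_masq_portfw, which is an assumption about 2.2 module naming. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the thread's own script: 2.2 kernel port forwarding
# with ipchains + ipmasqadm portfw, runnable in dry-run mode on any host.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
IPMASQADM=${IPMASQADM:-/usr/sbin/ipmasqadm}
EXT_IP=${EXT_IP:-207.158.172.XXX}   # ppp0 address, placeholder as in the thread
CVS_HOST=${CVS_HOST:-192.168.2.2}   # rankor, the internal cvs pserver
CVS_PORT=2401
LAN=192.168.2.0/24

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Build the ipmasqadm rule: -L is the local (external) address/port the
# firewall accepts on, -R the real server and port behind it.
portfw_cmd() {
    echo "$IPMASQADM portfw -a -P tcp -L $1 $2 -R $3 $4"
}

apply_rules() {
    # Masquerading and forwarding both need IP forwarding switched on.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    # IPPORTFW is a module in the quoted .config; module name is an
    # assumption for 2.2 kernels.
    run modprobe ip_masq_portfw

    # Flush and set default policies, as the original script does.
    run $IPCHAINS -F input
    run $IPCHAINS -F output
    run $IPCHAINS -F forward
    run $IPCHAINS -P input ACCEPT
    run $IPCHAINS -P output ACCEPT
    run $IPCHAINS -P forward REJECT

    # Masquerade everything from the LAN going out through the firewall.
    run $IPCHAINS -A forward -s "$LAN" -j MASQ

    # Port forwarding proper. No REDIRECT rule: REDIRECT only delivers to a
    # local port on the firewall, never to another host. cvs pserver is TCP
    # only, so no UDP mapping is needed.
    run $IPMASQADM portfw -f
    run $(portfw_cmd "$EXT_IP" "$CVS_PORT" "$CVS_HOST" "$CVS_PORT")
}

case "${1:-}" in
    dry)   DRY_RUN=1 apply_rules ;;
    apply) apply_rules ;;
esac
```

Run it as `sh portfw.sh dry` to preview the rule set and `sh portfw.sh apply` as root to install it; `ipmasqadm portfw -l` then lists the active mapping.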

