
Re: ipchains and REDIRECT



Well, now I'm confused. I just looked a little more into this, and it looks
like you should be able to use the REDIRECT rule as long as you said yes
to transparent proxy in the kernel config (according to the kernel help
and man ipchains).
Anyway, I guess the best suggestion I can give after all is to take a
look at the IP Masquerading and Ipchains HOWTOs.

Chris Schleifer
 

Chris Schleifer wrote:
> 
> Hi,
> I just had to do the same thing as you and had no problems. I am using a
> 2.2 kernel w/ ipchains and had to forward port 80.
> 
> The IP Masquerade HOWTO was really helpful to me
> (http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html). Chapter 6
> explains exactly how to do port forwarding with 2.2 kernels
> (http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-6.html#ss6.8).
> 
> To summarize what the howto says about port forwarding, it looks like
> the commands to setup port forwarding have changed from 2.0 to 2.2 which
> is probably your problem. You don't want to use the REDIRECT rule for
> ipchains anymore, but a new tool called ipmasqadm to set up port
> forwarding.
> 
> It looks like the command you would need is something like:
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.158.172.XXX 2401 -R 192.168.2.2 2401
> 
> I am just going off what I read just now in the howto and I really
> haven't looked at the details of your message so this may not be the
> only thing you need to do. I would definitely check out the howto for
> yourself as it's a pretty good one.
> 
> Chris Schleifer
> 
> P.S. This uses IPPORTFW which I have compiled into the kernel and you
> have as a module, this may make a difference.
> 
> Jonathan Lupa wrote:
> >
> > Hi all,
> >
> > Ever since moving to the 2.2 kernels and switching to ipchains, I have
> > not been able to get redirection working right, and I'm hoping someone
> > can spot what I am doing wrong..
> >
> > I have a gateway computer called sith, and two computers sitting
> > behind it named rankor and fig. The ppp0 line is [207.158.172.XXX],
> > and my goal is to expose the cvs server running on rankor to the world
> > through port forwarding. (rankor == 192.168.2.2)
> >
> > sith's firewall rules script looks like this:
> >
> > #!/bin/sh
> > export IPCHAINS=/sbin/ipchains
> > if [ -x $IPCHAINS ]; then
> >   # Flush current ruleset and apply our default policies
> >   $IPCHAINS -F input
> >   $IPCHAINS -F output
> >   $IPCHAINS -F forward
> >
> >   # We start out promiscuous... probably should fix this
> >   $IPCHAINS -P output ACCEPT
> >   $IPCHAINS -P input ACCEPT
> >   $IPCHAINS -P forward REJECT
> >
> >   # Setup masquerade - all traffic from 192.168.2.0 gets masq-forwarded.
> >   $IPCHAINS -A forward -p all -s 192.168.2.0/24 -j MASQ
> >
> >   # Stop those evil hackers from seeing telnet passwords
> >   $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 telnet -j REJECT
> >
> >   # I don't use NFS, you can be damned well sure I don't use this!
> >   $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 portmapper -j REJECT
> >   $IPCHAINS -A input -p udp -d 207.158.172.XXX/32 portmapper -j REJECT
> >   $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 nntp -j REJECT
> >
> >   # Punch port 2401 to Rankor's cvs pserver...
> >   # $IPCHAINS -A input -b -p tcp -s 207.158.172.XXX/32 2401 -d 192.168.2.2/32 2401 -j REDIRECT
> >   # $IPCHAINS -A input -b -p udp -s 207.158.172.XXX/32 2401 -d 192.168.2.2/32 2401 -j REDIRECT
> >
> >   $IPCHAINS -A input -p tcp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT
> >   $IPCHAINS -A input -p udp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT
> > fi
> >
> > I've tried both the commented out version and the "live" redirects,
> > and neither seems to work.  When I run a program on sith's 2401 port,
> > it actually gets the hit (so it is falling through to the default
> > input rule).
> >
> > Here are the networking portions of my kernel (2.2.12) .config file, in case I missed something
> > there...
> >
> > CONFIG_PACKET=y
> > CONFIG_NETLINK=y
> > CONFIG_RTNETLINK=y
> > CONFIG_NETLINK_DEV=y
> > CONFIG_FIREWALL=y
> > CONFIG_FILTER=y
> > CONFIG_UNIX=y
> > CONFIG_INET=y
> > CONFIG_IP_ADVANCED_ROUTER=y
> > CONFIG_RTNETLINK=y
> > CONFIG_NETLINK=y
> > CONFIG_IP_MULTIPLE_TABLES=y
> > CONFIG_IP_ROUTE_MULTIPATH=y
> > CONFIG_IP_ROUTE_VERBOSE=y
> > CONFIG_IP_ROUTE_NAT=y
> > CONFIG_IP_FIREWALL=y
> > CONFIG_IP_FIREWALL_NETLINK=y
> > CONFIG_NETLINK_DEV=y
> > CONFIG_IP_ALWAYS_DEFRAG=y
> > CONFIG_IP_ROUTE_FWMARK=y
> > CONFIG_IP_TRANSPARENT_PROXY=y
> > CONFIG_IP_MASQUERADE=y
> > CONFIG_IP_MASQUERADE_ICMP=y
> > CONFIG_IP_MASQUERADE_MOD=y
> > CONFIG_IP_MASQUERADE_IPAUTOFW=m
> > CONFIG_IP_MASQUERADE_IPPORTFW=m
> > CONFIG_IP_MASQUERADE_MFW=m
> > CONFIG_IP_ROUTER=y
> > CONFIG_NET_IPIP=m
> > CONFIG_SYN_COOKIES=y
> > CONFIG_SKB_LARGE=y
> > CONFIG_IPV6=m
> > CONFIG_IPX=m
> > CONFIG_IPX_INTERN=y
> > CONFIG_SPX=m
> > CONFIG_ATALK=m
> >
> > Thanks in advance for any help and/or pointers on firewalling better.
> > I searched the archive before posting, but for some reason the cgi_bin
> > script isn't working right and I can't access the articles which look
> > like they are related...so apologies if this is just another boring
> > rehash. =)
> >
> > Thanks,
> >
> > -Jonathan
> > --
> > jjlupa@jamdata.net
> > GPG public key available from http://www.jamdata.net/~jjlupa/gpg.asc
> >
> 
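As an added example, not code from the thread or from the HOWTO it cites: a small POSIX sh script that builds the 2.2-kernel port forwarding setup the reply recommends (ipmasqadm portfw in place of an ipchains REDIRECT rule), keeps the original poster's masquerading rule that it depends on, and refuses input that can never work, such as the thread's 207.158.172.XXX placeholder, before it reaches the tools. The tool paths, the DRY_RUN switch, the function names, the assumed module name ip_masq_portfw and the documentation address 203.0.113.5 are this example's own assumptions; the `-a -P tcp -L ... -R ...` form is the one shown in the reply.

```shell
#!/bin/sh
# Added example (not code from the thread): set up the 2.2-kernel port
# forwarding the reply recommends with ipmasqadm portfw instead of an
# ipchains REDIRECT rule. DRY_RUN=1 (the default) only prints the commands,
# so the ruleset can be reviewed on any machine; DRY_RUN=0 executes them.
# Tool paths, function names and the address 203.0.113.5 are assumptions.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
IPMASQADM=${IPMASQADM:-/usr/sbin/ipmasqadm}
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command line in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_ipv4 ADDR: four decimal octets, each 0..255. This rejects
# placeholders such as the thread's 207.158.172.XXX before ipmasqadm sees them.
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -f
    set -- $1
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# port_ok PORT: a TCP port number in 1..65535.
port_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# load_portfw_module: the poster's .config builds IPPORTFW as a module
# (CONFIG_IP_MASQUERADE_IPPORTFW=m) while the reply's kernel has it compiled
# in; modprobe is harmless in the compiled-in case, so try it either way.
# (Assumed module name: ip_masq_portfw.)
load_portfw_module() {
    run modprobe ip_masq_portfw 2>/dev/null || true
}

# masq_rules LAN_NET: the poster's own masquerading rule for the LAN, which
# port forwarding in 2.2 relies on; the forward policy stays REJECT.
masq_rules() {
    run "$IPCHAINS" -F forward
    run "$IPCHAINS" -P forward REJECT
    run "$IPCHAINS" -A forward -s "$1" -j MASQ
}

# portfw_rules EXT_IP INT_IP PORT: expose INT_IP:PORT on EXT_IP:PORT for TCP.
# Existing entries are flushed first so re-running the script is idempotent.
# Returns 1 without emitting anything if an argument is not usable.
portfw_rules() {
    valid_ipv4 "$1" && valid_ipv4 "$2" && port_ok "$3" || return 1
    run "$IPMASQADM" portfw -f
    run "$IPMASQADM" portfw -a -P tcp -L "$1" "$3" -R "$2" "$3"
}

# main EXT_IP INT_IP LAN_NET PORT: validate everything before touching any chain.
main() {
    if ! valid_ipv4 "$1" || ! valid_ipv4 "$2" || ! port_ok "$4"; then
        echo "usage: $0 EXT_IP INT_IP LAN_NET PORT" >&2
        return 2
    fi
    load_portfw_module
    masq_rules "$3"
    portfw_rules "$1" "$2" "$4"
}

# Only act when invoked with the four arguments, e.g.
#   sh portfw.sh 203.0.113.5 192.168.2.2 192.168.2.0/24 2401
# Run with DRY_RUN=0 as root on the gateway to apply the rules.
if [ $# -eq 4 ]; then
    main "$@"
fi
```

Running it without DRY_RUN=0 prints the exact ipchains and ipmasqadm command lines it would execute, which is the easiest way to compare them with the rules in the quoted script before changing anything on the gateway.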

