The February issue, if I recall, of Sysadmin mag. had an article about
using ip route and policy routing also.
Thanks,
Ron DuFresne
On Thu, 6 Jul 2000, Wes Chalfant wrote:
> You can do this with RedHat 6.1, but you don't use ipchains.
>
> First, you need to configure the kernel with "advanced routing"
> support. The advanced routing code is included in the standard
> source, but it isn't normally selected in the standard redhat
> configurations. You'll need to install the kernel sources (if you
> haven't already), turn on the "advanced routing" and "policy routing"
> features and build/install a new kernel. If you haven't reconfigured
> a kernel before,
> http://www.redhat.com/mirrors/LDP/HOWTO/Kernel-HOWTO.html may help.
>
> The utility that you use to configure the advanced routing is called
> "ip". It's in the iproute package; the iproute package is included in
> RedHat 6.1/6.2 releases (iproute-2.2.4-2.i386.rpm). iproute is not
> normally installed; you'll probably have to install it.
>
> Two ip commands are needed -- one to set up the inbound packet
> forwarding/translation and one to set up the outbound translation.
> The commands would look like:
>
> ip route add nat <external-IP-address> via <internal-IP-address>
> ip rule add prio 320 from <internal-IP-address> nat
> <external-IP-address>
>
> You don't need to do anything to cause <external-IP-address> to be
> advertised -- it will be put in the ARP table automatically by the ip
> route command. You can still set up and use IP masquerading as normal
> for other internal hosts. Note that the external-IP-address will
> route only to the specific internal host and it must be different than
> the "default" external address of the firewall (like you had in your
> example addresses in your original message).
>
> See /usr/doc/iproute-2.2.4 (after you've installed the iproute
> package) for what documentation exists. ip-cref.ps in that directory
> contains information about the "nat" options to "ip route" and "ip
> rule".
>
> > Date: Wed, 5 Jul 2000 15:10:52 -0500
> > From: "Rodney Dunham" <[EMAIL PROTECTED]>
> > Subject: RH linux 6.1, IPCHAINS woes
> >
> > I'm trying (unsuccessfully, I might add) to do a particular thing with
> > IPCHAINS that I've seen done with commercial software, and I've run out of
> > ideas. I need someone really good at IPCHAINS to get me headed in the right
> > direction.
> >
> > I want my firewall to take packets for another IP besides its own, pass them
> > through, translating them in the process so it appears a particular machine
> > on the inside is actually on the outside. The internal machine won't know
> > it is also addressable by the public address, and people outside won't know
> > its real address is in a private network. The firewall needs to do all the
> > work. All ports need to be so translated for this other IP. The firewall
> > does standard NAT through its usual IP. Outside machines need to be able to
> > initiate connections with this special internal machine, not just respond
> > when it initiates them.
> >
> > Never mind the security aspect, at least at this stage, it's the translation
> > and forwarding that I can't get to work. I can lock it down to specific
> > services once the barebones connection works right.
> >
> > The commercial FW-1 at work does this, but that's a different OS with a
> > different firewall setup and a commercial GUI. I can't duplicate what it's
> > doing since it's such a different setup, or rather I'm not sure I understand
> > what it's really doing.
>
> (edited somewhat:)
> > Firewall external interface address public.ip.address.114
> > Internal host whose address is to be translated: 192.168.1.x
> >
> > Inside: Firewall: Outside:
> > 192.168.1.x < converts transparently > public.ip.address.113
> > other hosts < standard NAT > public.ip.address.114
>
> --
> Wes Chalfant Peabody Systems [EMAIL PROTECTED]
> (714) 639-8643 FAX (714) 639-2817
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.