Yeah, I have been doing this for a long time already. But I'm no guru in
this field. I just follow the HOWTOs.

If you're using a 2.0.36 kernel, you have to download the redir program. But
if you're using a 2.2.x kernel, you have to make use of ipmasqadm. Search for
it at www.freshmeat.net. This program (ipmasqadm) complements ipchains. You
will still have to add some ipchains rules to allow traffic for the port (e.g.
port 80, which is HTTP).

Take my setup: I have 3 internal webservers which sit on the 192.168.10.x
subnet. And I've got 4 IP addresses on my Linux box, 3 of which are aliased:
eth0:0, eth0:1, and eth0:2.

Then I have these ipmasqadm commands, which fire up on boot. Imagine that I
have 203.20.20.1 to 203.20.20.4 as legal IP addresses.

# flush any existing port-forwarding entries
ipmasqadm portfw -f
# TCP: each aliased public address, port 80 -> its internal webserver, port 80
ipmasqadm portfw -a -P tcp -L 203.20.20.2 80 -R 192.168.10.10 80
ipmasqadm portfw -a -P tcp -L 203.20.20.3 80 -R 192.168.10.11 80
ipmasqadm portfw -a -P tcp -L 203.20.20.4 80 -R 192.168.10.12 80
# same mapping for UDP (portfw entries are per protocol)
ipmasqadm portfw -a -P udp -L 203.20.20.2 80 -R 192.168.10.10 80
ipmasqadm portfw -a -P udp -L 203.20.20.3 80 -R 192.168.10.11 80
ipmasqadm portfw -a -P udp -L 203.20.20.4 80 -R 192.168.10.12 80

Another good thing with this is that you can specify any unused high port,
like 8888. But make sure that your webserver is listening on port 8888.
Another thing to remember here is that the internal webserver should have a
default route set so that it knows where to send its replies.

I hope this helps.

> -----Original Message-----
> From: Rodney Dunham [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 06, 2000 4:11 AM
> To: [EMAIL PROTECTED]
> Subject: RH linux 6.1, IPCHAINS woes
> 
> 
> I'm trying (unsuccessfully, I might add) to do a particular thing with
> IPCHAINS that I've seen done with commercial software, and I've run out of
> ideas.  I need someone really good at IPCHAINS to get me headed in the
> right direction.
> 
> I want my firewall to take packets for another IP besides its own, pass
> them through, translating them in the process so it appears a particular
> machine on the inside is actually on the outside.  The internal machine
> won't know it is also addressable by the public address, and people outside
> won't know its real address is in a private network.  The firewall needs to
> do all the work.  All ports need to be so translated for this other IP.
> The firewall does standard NAT through its usual IP.  Outside machines need
> to be able to initiate connections with this special internal machine, not
> just respond when it initiates them.
> 
> Never mind the security aspect, at least at this stage, it's the
> translation and forwarding that I can't get to work.  I can lock it down to
> specific services once the barebones connection works right.
> 
> The commercial FW-1 at work does this, but that's a different OS with a
> different firewall setup and a commercial GUI.  I can't duplicate what it's
> doing since it's such a different setup, or rather I'm not sure I
> understand what it's really doing.
> 
> Inside:              Firewall:                         Outside:
> 192.168.1.x          < converts transparently >        public.ip.address.113
>                      192.168.1.114, public.ip.address.114
> other hosts          < standard NAT >                  public.ip.address.114 as per standard NAT
> 
> Thanks!
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
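The reply's recipe put together for the original poster's layout, as an added example (this is not code from either message): one boot-time script that aliases the extra public address, enables forwarding, installs a deny-by-default ipchains rule set, keeps the usual many-to-one MASQ for the inside network, and adds the ipmasqadm portfw entries with the matching ipchains input rules the reply says are still needed. The inside addresses (192.168.1.0/24, 192.168.1.114) are the ones from the question and the public ones (203.20.20.1, 203.20.20.2) are borrowed from the reply's example; the interface name, netmask, the exposed port list, the 2.2 masquerade reply-port range and the assumption that the input chain still sees the untranslated public address are mine.

```shell
#!/bin/sh
# Added example, not code from either poster: boot-time rules for a 2.2.x
# kernel using ipchains + ipmasqadm portfw, following the reply's approach.
# DRY_RUN=1 prints every command instead of executing it, so the rule set
# can be reviewed on a machine that has neither ipchains nor ipmasqadm.

EXT_IF=eth0                 # assumed: external interface
EXT_MASK=255.255.255.0      # assumed: netmask of the public subnet
EXT_IP=203.20.20.1          # firewall's own public address (reply's example range)
PUB_IP=203.20.20.2          # extra public address that will front the inside host
INT_NET=192.168.1.0/24      # inside network (from the original question)
INT_HOST=192.168.1.114      # inside host to expose (from the original question)
PORTS="80 443"              # assumed: services to expose; portfw is one entry per port/protocol
MASQ_PORTS=61000:65095      # assumed: 2.2 masquerade port range used for outbound NAT replies

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_rules() {
    # Alias the extra public address so the firewall answers ARP for it.
    run ifconfig "$EXT_IF:0" "$PUB_IP" netmask "$EXT_MASK" up
    run sysctl -w net.ipv4.ip_forward=1

    # Start clean; deny by default on input and forward.
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # Loopback and the inside network may always reach the firewall.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -s "$INT_NET" -j ACCEPT

    # Replies to masqueraded outbound connections come back to EXT_IP on the
    # masquerade port range; only non-SYN TCP and UDP are let in there.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT

    # Standard many-to-one NAT for everything inside
    # (-i on the forward chain is the outgoing interface).
    run ipchains -A forward -s "$INT_NET" -i "$EXT_IF" -j MASQ

    # Forwarding for the exposed host: flush old entries, then per port accept
    # the packet on input (assumed to still carry the untranslated public
    # destination there) and map it to the inside host.
    run ipmasqadm portfw -f
    for p in $PORTS; do
        run ipchains -A input -i "$EXT_IF" -p tcp -d "$PUB_IP" "$p" -j ACCEPT
        run ipmasqadm portfw -a -P tcp -L "$PUB_IP" "$p" -R "$INT_HOST" "$p"
    done
}

# Show only the forwarding entries the script would install (always dry-run).
list_portfw() {
    DRY_RUN=1 build_rules | grep '^ipmasqadm portfw -a'
}

case "${1:-}" in
    apply) build_rules ;;            # install the rules (run as root at boot)
    *)     DRY_RUN=1 build_rules ;;  # default: print what would be installed
esac
```

Run it with no arguments first to review the rule list, then `sh portfw.sh apply` from rc.local. Two things the script cannot do for you: the inside host must have its default route pointing at the firewall's inside address, as the reply says, or its replies never come back through the translation; and because ipmasqadm portfw maps one port and protocol per entry, the "all ports" the question asks for has to be spelled out in PORTS. The deny-by-default input chain also shuts out anything reaching the firewall itself from outside, so add an input rule for any service you need on the firewall before you cut yourself off.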
