ipmasqadm portfw

2002-02-12 Thread Elm Gysel
Hello,

I'm using kernel 2.2.19 and I have a little question regarding portfw.
I've set up some rules to forward some ports to another computer on the
network :

ipmasqadm portfw -a -P tcp -L localhost 8002 -R 192.168.1.10 8002
ipmasqadm portfw -a -P tcp -L 192.168.1.250 8002 -R 192.168.1.10 8002
ipmasqadm portfw -a -P tcp -L  8002 -R 192.168.1.10 8002

This works well as long as the request comes from the outer
network (internet). So it doesn't work when I try to connect on the server
that has this installed or when I try to connect from any other computer on
the network using :8002 .

What I was wondering about, when does portfw get the packet? All my ipchains
rules seem to be correct. I use masquerading also. I have attached my
ipchains rules.

Thanks for any responses :)

Elm

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source      destination              ports
 181K   11M ACCEPT all  --  0xFF 0x00 lo                  anywhere    anywhere                 n/a
    0     0 DENY   all  l-  0xFF 0x00 !lo                 127.0.0.0/8 anywhere                 n/a
 970K  220M ACCEPT all  --  0xFF 0x00 eth0                localnet/24 anywhere                 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth1                localnet/24 anywhere                 n/a
 290K  116M ACCEPT all  --  0xFF 0x00 eth1                anywhere                             n/a
    0     0 DENY   all  l-  0xFF 0x00 any                 anywhere    anywhere                 n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source      destination              ports
80253 7420K MASQ   all  --  0xFF 0x00 eth1                localnet/24 anywhere                 n/a
    0     0 DENY   all  l-  0xFF 0x00 any                 anywhere    anywhere                 n/a
Chain output (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source      destination              ports
 181K   11M ACCEPT all  --  0xFF 0x00 lo                  anywhere    anywhere                 n/a
 976K  680M ACCEPT all  --  0xFF 0x00 eth0                anywhere    localnet/24              n/a
    0     0 ACCEPT !tcp --  0xFF 0x00 eth0                anywhere    BASE-ADDRESS.MCAST.NET/4 any ->   any
    0     0 DENY   all  l-  0xFF 0x00 eth1                anywhere    localnet/24              n/a
 310K   43M ACCEPT all  --  0xFF 0x00 eth1                            anywhere                 n/a
    0     0 DENY   all  l-  0xFF 0x00 any                 anywhere    anywhere                 n/a

Re: ipmasqadm portfw

2002-02-06 Thread Paul Hampson
On Wed, Feb 06, 2002 at 09:53:01AM +0100, Elm Gysel wrote:
> I'm using kernel 2.2.14 and I have a problem with ipmasqadm portfw.

> From what I understand from searching mailing lists and so on I don't have
> this aspect compiled into my kernel.

> This is the .config file :
[snip]
Have you set
CONFIG_EXPERIMENTAL
?

> So I suppose I need to recompile this kernel?
Almost certainly...

> if so...
> Can I just compile a 2.4 version to upgrade from this 2.2 version?
> Is there any way not to break things apart if I compile this new kernel? Or
> is the best way to go just to keep the old .config at hand when configuring
> the new one?

Beware, kernel 2.4 uses iptables, not ipchains. So you may have
to upgrade some tools as well. I dunno if ipfwadm supports kernel 2.4,
to be honest.

However, if you're upgrading to 2.4, make sure you're at least on woody,
or have the potato-2.4 support packages by A. Bunk (I think that's the
guy :-) installed.

You can drop the old .config file into the new kernel source
directory, and run
make oldconfig
which will ask you any questions that it doesn't have answers
for already. In fact, make-kpkg does that anyway. :-)

Keep your old kernel around and configured in lilo, so you can
boot back when the new 2.4 kernel doesn't work. :-)

-- 
===
Paul "TBBle" Hampson, MCSE
4th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

Of course Pacman didn't influence us as kids. If it did,
we'd be running around in darkened rooms, popping pills and
listening to repetitive music.

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
===




ipmasqadm portfw

2002-02-06 Thread Elm Gysel



(sorry for the wrong subject on previous post!)

Hi,

I'm using kernel 2.2.14 and I have a problem with ipmasqadm portfw.
When I try to add a rule for forwarding a port I get the following error :

ipmasqadm portfw -a -P tcp -L 212.69.202.112 8002 -R 192.168.1.10 8002
portfw: setsockopt failed: Invalid argument

when I try to get a list I get :

[EMAIL PROTECTED] 09:34:06 /server/kernel/linux-2.2$ ipmasqadm portfw -l
portfw: setsockopt failed: Invalid argument
Could not open "/proc/net/ip_masq/portfw"
Could not open "/proc/net/ip_portfw"
Check if you have enabled portforwarding

From what I understand from searching mailing lists and so on I don't have
this aspect compiled into my kernel.

This is the .config file :

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_FIREWALL=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y
#
# Protocol-specific masquerading support will be built as modules.
#
CONFIG_IP_MASQUERADE_ICMP=y
#
# Protocol-specific masquerading support will be built as modules.
#
# CONFIG_IP_ROUTER is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_ALIAS is not set
CONFIG_SYN_COOKIES=y

I can't see the option CONFIG_IP_MASQUERADE_MOD so no
CONFIG_IP_MASQUERADE_IPPORTFW as well.

So I suppose I need to recompile this kernel?

if so...
Can I just compile a 2.4 version to upgrade from this 2.2 version?
Is there any way not to break things apart if I compile this new kernel? Or
is the best way to go just to keep the old .config at hand when configuring
the new one?

Thx!
khb


RE: ipmasqadm portfw

2002-01-14 Thread Jeremy L. Gaddis
This can (and probably should) be set in /etc/network/options:

ip_forward=yes

to stay consistent across reboots.

j.

--
Jeremy L. Gaddis <[EMAIL PROTECTED]> 

-Original Message-
From: Raffael Ferenc [mailto:[EMAIL PROTECTED]
Sent: Monday, January 14, 2002 4:45 AM
To: Jeremy L. Gaddis
Subject: Re: ipmasqadm portfw


And sometimes it's necessary to
echo 1 > /proc/sys/net/ipv4/ip_forward

On Sun, Jan 13, 2002 at 09:22:12PM -0500, Jeremy L. Gaddis wrote:

> You need to say "Y"es to "Network Firewalls", "IP: firewalling",
> "IP: masquerading" and "IP: masquerading special modules support".
> 
> You also need to say "Y"es to "Prompt for development and/or
> incomplete code/drivers" if you haven't already.
> 
> j.
> 
> --
> Jeremy L. Gaddis <[EMAIL PROTECTED]>



Re: ipmasqadm portfw

2001-09-25 Thread Tim Moss
On Tue, 25 Sep 2001 04:15:07 -0500
"will trillich" <[EMAIL PROTECTED]> wrote:

> i used to have this working like a champ, but now it folds its
> arms and laughs an evil laugh--
> 
> we're trying to establish port forwarding so that a box internal
> on our lan (192.168.1.2) can serve requests through the
> firewall, from 'out there'.
> 
>   # ipmasqadm portfw -a -P tcp -L [PUBLIC_IP] 7890 -R 192.168.1.2 80
> 
>   # ipmasqadm portfw -ln
>   prot localaddr    rediraddr    lport rport pcnt pref
>   TCP  [PUBLIC_IP]  192.168.1.2   7890    80   10   10
> 

Have you allowed access to that port with ipchains? The packets will never
get to your ipmasqadm rule if ipchains is rejecting/denying them on input.
Something like this should work:

ipchains -A input -p TCP -d [PUBLIC_IP] --destination-port 7890 -j ACCEPT
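
The check suggested in this reply, as an added example that is not part of the original thread: it walks each `ipmasqadm portfw -ln` entry through the input chain (first matching rule wins, otherwise the chain policy) and reports the forwards an outside client cannot reach. The addresses, the firewall script and the function names are constructed for illustration, and the parser assumes every ipchains option takes exactly one value.

```python
import ipaddress
import shlex

# Constructed sample: `ipmasqadm portfw -ln` output, columns as in the thread.
PORTFW_LIST = """\
prot localaddr    rediraddr    lport rport pcnt pref
TCP  203.0.113.5  192.168.1.2  7890  80    10   10
TCP  203.0.113.5  192.168.1.3  2222  22    10   10
"""

# Constructed sample firewall script: DENY policy, one hole for port 7890.
RULES = """\
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -s 192.168.1.0/24 -j ACCEPT
ipchains -A input -p TCP -d 203.0.113.5 --destination-port 7890 -j ACCEPT
"""

def parse_portfw(text):
    """Return (proto, local_addr, local_port) for each forwarding entry."""
    rows = [line.split() for line in text.splitlines()[1:] if line.strip()]
    return [(r[0].lower(), r[1], int(r[3])) for r in rows]

def parse_input_chain(script):
    """Return (policy, rules) for the input chain, rules in listed order."""
    policy, rules = "ACCEPT", []
    for line in script.splitlines():
        tok = shlex.split(line)
        if tok[1:3] == ["-P", "input"]:
            policy = tok[3]
        elif tok[1:3] == ["-A", "input"]:
            # Assumption: every option takes exactly one value (no -l, no "!").
            rules.append(dict(zip(tok[3::2], tok[4::2])))
    return policy, rules

def matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    net = ipaddress.ip_network
    return (rule.get("-i", pkt["iface"]) == pkt["iface"]
            and rule.get("-p", pkt["proto"]).lower() == pkt["proto"]
            and ipaddress.ip_address(pkt["src"]) in net(rule.get("-s", "0.0.0.0/0"))
            and ipaddress.ip_address(pkt["dst"]) in net(rule.get("-d", "0.0.0.0/0"))
            and int(rule.get("--destination-port", pkt["dport"])) == pkt["dport"])

def blocked_forwards(portfw_text, script, src="198.51.100.7", iface="eth1"):
    """List portfw entries the input chain would not ACCEPT (first match, else policy)."""
    policy, rules = parse_input_chain(script)
    blocked = []
    for proto, addr, port in parse_portfw(portfw_text):
        pkt = {"proto": proto, "src": src, "dst": addr, "dport": port, "iface": iface}
        target = next((r["-j"] for r in rules if matches(r, pkt)), policy)
        if target != "ACCEPT":
            blocked.append((proto, addr, port, target))
    return blocked
```

With the sample data, `blocked_forwards(PORTFW_LIST, RULES)` flags only the port 2222 forward, which has a portfw entry but no matching input rule.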



RE: ipmasqadm portfw

2001-09-25 Thread NORMAND Jacques
Perhaps I will tell nonsense but potato runs a 2.2 kernel (2.2.17 in your
case). So the tool for that kind of tricks is ipchains, isn't it? ipmasqadm
is for kernel series 2.0 no ?

hope it helps

jacques

-Original Message-
From: will trillich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 25 September 2001 11:15
To: debian-user@lists.debian.org
Subject: ipmasqadm portfw


i used to have this working like a champ, but now it folds its
arms and laughs an evil laugh--

we're trying to establish port forwarding so that a box internal
on our lan (192.168.1.2) can serve requests through the
firewall, from 'out there'.

    # ipmasqadm portfw -a -P tcp -L [PUBLIC_IP] 7890 -R 192.168.1.2 80

    # ipmasqadm portfw -ln
prot localaddr    rediraddr    lport rport pcnt pref
TCP  [PUBLIC_IP]  192.168.1.2   7890    80   10   10

well, it LOOKS like it's up, but--

# nmap [PUBLIC_IP] -p 7890

Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], 
www.insecure.org/nmap/)
No ports open for host server ([public_ip])
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

which is bolstered by the fact that if i try to connect to
public port :7890 from outside (that is, from a public ip out on
the internet, trying to connect to port :7890 on my public ip
address) i get deafening silence (unable to connect to host).

is there another step i've forgotten? i'm on potato 2.2.17 and
this was working earlier...

--
DEBIAN NEWBIE TIP #48 from Will Trillich <[EMAIL PROTECTED]>
:
To peruse your CURRENT VIM SETTINGS (there's LOTS of them)
from within Vim, simply do
:options
You can change them there, on-the-fly, as well. Type
"ctrl-W ctrl-W" to switch "panes" or "ctrl-W q" to close one.
Try ":help" to learn more.

Also see http://newbieDoc.sourceForge.net/ ...






ipmasqadm portfw

2001-09-25 Thread will trillich
i used to have this working like a champ, but now it folds its
arms and laughs an evil laugh--

we're trying to establish port forwarding so that a box internal
on our lan (192.168.1.2) can serve requests through the
firewall, from 'out there'.

    # ipmasqadm portfw -a -P tcp -L [PUBLIC_IP] 7890 -R 192.168.1.2 80

    # ipmasqadm portfw -ln
prot localaddr    rediraddr    lport rport pcnt pref
TCP  [PUBLIC_IP]  192.168.1.2   7890    80   10   10

well, it LOOKS like it's up, but--

# nmap [PUBLIC_IP] -p 7890

Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], 
www.insecure.org/nmap/)
No ports open for host server ([public_ip])
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

which is bolstered by the fact that if i try to connect to
public port :7890 from outside (that is, from a public ip out on
the internet, trying to connect to port :7890 on my public ip
address) i get deafening silence (unable to connect to host).

is there another step i've forgotten? i'm on potato 2.2.17 and
this was working earlier...

-- 
DEBIAN NEWBIE TIP #48 from Will Trillich <[EMAIL PROTECTED]>
:
To peruse your CURRENT VIM SETTINGS (there's LOTS of them)
from within Vim, simply do
:options
You can change them there, on-the-fly, as well. Type
"ctrl-W ctrl-W" to switch "panes" or "ctrl-W q" to close one.
Try ":help" to learn more.

Also see http://newbieDoc.sourceForge.net/ ...



ipmasqadm portfw -a ... stopped working?

2001-09-09 Thread will trillich
we're trying to establish port forwarding so that a box internal
on our lan (192.168.1.2) can serve requests through the
firewall, from 'out there'.

i haven't even done apt-get upgrade lately -- and now
ipmasqadm 'portfw' isn't working. (i may have missed a step, but
/usr/share/doc/ didn't help ring any bells...)

# ipmasqadm portfw -a -P tcp -L [PUBLIC_IP] 7890 -R 192.168.1.2 80

# ipmasqadm portfw -ln
prot localaddr    rediraddr    lport rport pcnt pref
TCP  [PUBLIC_IP]  192.168.1.2   7890    80   10   10

well, it LOOKS like it's up, but--

# nmap [PUBLIC_IP] -p 7890

Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], 
www.insecure.org/nmap/)
No ports open for host server ([public_ip])
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

which is bolstered by the fact that if i try to connect to
public port :7890 from outside i get deafening silence (unable
to connect to host).

is there another step i've forgotten? i'm on potato 2.2.17 and
this was working earlier...

"[PUBLIC_IP]" is, of course the client's actual ip address, if
you wondered... :)

-- 
DEBIAN NEWBIE TIP #73 from USM Bish <[EMAIL PROTECTED]>
:
Looking for a way to CAPTURE A TRANSCRIPT OF SOME COMMANDS?
Easy!  To catch anything from the screen when it scrolls by,
use "script":
script file-to-save-transcript-in.txt


exit <== don't forget this!
(It spawns another shell, and displays everything so you
can work -- but it also saves the output in the file at the
same time.) Then "pager file-*transcript*" to review it. Or
email it. Or edit it to include in a manual you're writing.

Also see http://newbieDoc.sourceForge.net/ ...



Re: ipmasqadm portfw and apache

2001-08-29 Thread Jason Majors
On Wed, Aug 29, 2001 at 01:39:21PM -0700, Jason Majors scribbled...
> Does anybody have experience with multiple VirtualHost entries? Or know 
> the 
> correct format? 
> I'm doing: 
> NameVirtualHost domainone 
> NameVirtualHost domaintwo 
> NameVirtualHost domainthree 
>  
>  
> ... 
>  
>  
>  
> ... 
>  
>  
>  
> ... 
>  
>  
I got it working. I feel kinda dumb...for those who'd like to know how to do it:
NameVirtualHost 1.2.3.4 # MUST BE AN IP! (my mistake).
 # I had to put the specific one before a generic
...  # www to get the specific to come up.



... 



...




Re: ipmasqadm portfw and apache

2001-08-29 Thread Jason Majors
Jason Majors wrote: 
>I'd like to forward all requests on port 80 thru my firewall, however, I 
>use
>VirtualHosts under apache.
>Is there a way to forward the port with the desired host name?
>Or can I do it based on the hostname desired? (eg forward a request to
>www.foo.com to port 81 and a request to www.bar.com to 82).
>
>Thanks,
>Jason
>
I think I figured it out...it's not the port issue. When I add a second
"NameVirtualHost foo" and "", I get the warning from
apache "[warn] NameVirtualHost tmr.whizzird.net:80 has no VirtualHosts",
so I'd guess that there's something in the order of the httpd.conf. When
this happens the special hosts entry I created goes back to the default
page for the server, but when there's only one VirtualHost, that hosts
entry goes to the VirtualHost.
I get the same warnings on the firewall, but virtual hosting works fine.

Does anybody have experience with multiple VirtualHost entries? Or know the
correct format?
I'm doing:
NameVirtualHost domainone
NameVirtualHost domaintwo
NameVirtualHost domainthree


...



...



...


Thanks,
Jason



Re: ipmasqadm portfw and apache

2001-08-29 Thread Jason Majors
On Wed, Aug 29, 2001 at 11:51:48AM -0700, Tim Moss scribbled...
> Jason Majors wrote: 
> >I'd like to forward all requests on port 80 thru my firewall, however, I 
> >use
> >VirtualHosts under apache.
> >Is there a way to forward the port with the desired host name?
> >Or can I do it based on the hostname desired? (eg forward a request to
> >www.foo.com to port 81 and a request to www.bar.com to 82).
> >
> >Thanks,
> >Jason
> >
> >
> 
> Forwarding the port will not change the actual HTTP request which is  
> what the VirtualHosts depends on. I think it should be pretty  
> transparent (though I've never tried it). Are you having a problem doing  
> this or are you just asking in preparation of setting it up? 
> 
I already did it. When I forwarded to the internal box, all requests were
served by the default html/ directory, not the virtual host matching the
url I typed.



Re: ipmasqadm portfw and apache

2001-08-29 Thread Tim Moss

Jason Majors wrote:

I'd like to forward all requests on port 80 thru my firewall, however, I use
VirtualHosts under apache.
Is there a way to forward the port with the desired host name?
Or can I do it based on the hostname desired? (eg forward a request to
www.foo.com to port 81 and a request to www.bar.com to 82).

Thanks,
Jason




Forwarding the port will not change the actual HTTP request which is 
what the VirtualHosts depends on. I think it should be pretty 
transparent (though I've never tried it). Are you having a problem doing 
this or are you just asking in preparation of setting it up?





ipmasqadm portfw and apache

2001-08-29 Thread Jason Majors
I'd like to forward all requests on port 80 thru my firewall, however, I use
VirtualHosts under apache.
Is there a way to forward the port with the desired host name?
Or can I do it based on the hostname desired? (eg forward a request to
www.foo.com to port 81 and a request to www.bar.com to 82).

Thanks,
Jason



ipmasqadm portfw vs autofw vs rinetd ?

2001-01-25 Thread aphro
hi

today i had a small problem trying to get portfw to forward connections
to another network. what i wanted to do was send connections from port
X across our T1s to a place on the other side of the country(all the
internal traffic is using non routable ips..) however it did not work ..
connection couldn't be made. directing a connection to an ip on the local
network worked fine.

i thought about using autofw but i could not find a way to specify
an IP address to listen on to forward, as there are other ips on
the machine forwarding the same port number to various internal
machines, i have to specify the ip.

the temporary solution was to use rinetd, which seemed to work fine..

but i'm curious if this is possible with portfw?

the command i was using:
/usr/sbin/ipmasqadm portfw -a -P tcp -L EXTERNAL_IP PORT -R INTERNAL_IP PORT

since it worked when i directed it to a local ip i figure my syntax is
fine ...but i don't understand what is different about portfw vs
rinetd (other than one bein kernel and the other bein userspace)
that lets rinetd work and portfw not..

any ideas ??

thanks!

nate



ipmasqadm portfw not working to Sun

1999-10-13 Thread Michael Laing
I am running linux 2.2.12 w/potato netbase and glibc2.1 on my ipmasq'ing
slink machine.

Port forwarding works great to internal linux boxen.

I can't get it to work to my Sun (Solaris 7) tho... tcpdump shows the
packets going to the sun but nothing comes back. I am just setting up
this Sun so I can fool with anything... is it rejecting the connection
for some reason? I am not very familiar with Solaris...

redir works OK thru the ipmasq machine to the Sun, but this will be a
high volume connection and I want the efficiency and ease of management
provided by portfw!

Any pointers would be greatly appreciated!!

Michael Laing