Re: [Lug-Nuts] Game server through my Linux gateway

From: Brian E. Lavender (brian@brie.com)
Date: Tue Sep 21 1999 - 19:49:35 PDT


The below excerpt taken from
http://members.home.net/ipmasq/ipmasq-HOWTO-1.77-6.html#ss6.8
describes how to forward a port on a into a private internal ip
network from the internet. It covers the 2.0.x and 2.2.x kernels.

brian

6.8 IPPORTFW, IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other Port Forwarding
tools

   IPPORTFW, IPAUTOFW, REDIR, UDPRED, and other programs are generic TCP
   and/or UDP port forwarding tools for Linux IP Masquerade. These tools
   are typically used with or as a replacement for specific IP MASQ
   modules like the current ones for FTP, Quake, etc. With port
   forwarders, you can now re-direct data connections from the Internet
   to an internal, privately addressed machine behind your IP MASQ
   server. This forwarding ability includes network protocols such as
   TELNET, WWW, SMTP, FTP (with a special patch - see below), ICQ, and
   many others.
   
   NOTE: If you are just looking to do port forwarding without IP
   Masquerading, you will STILL NEED to enable IP Masquerading in both
   the kernel AND in either your IPFWADM or IPCHAINS ruleset to then be
   able to use Linux's port forwarding tools.
   
   So why all the different choices? IPAUTOFW, REDIR, and UDPRED (all
   URLs are in the [39]2.0.x-Requirements section) were the first tools
   available to IP MASQ users to allow this functionality. Later, as
   Linux IP Masquerade matured, these tools were eventually replaced by
   IPPORTFW which is a more intelligent solution. Because of the
   availablity of the newer tools, it is *HIGHLY DISCOURAGED* to use the
   old tools such as IPAUTOFW and REDIR because they don't properly
   notify the Linux kernel of their presence and can ultimately CRASH
   your Linux server with extreme use.
   
   Before jumping right into installing either the 2.0.x IPPORTFW or
   2.2.x version of IPMASQADM with IPPORTFW support, network security can
   be an issue with any port forwarder. The reason for this is because
   these tools basically create a hole in the packet firewall for the
   forwarded TCP/UDP ports. Though this doesn't pose any threat to your
   Linux machine, it might be an issue to the internal machine that this
   traffic is being forwarded to. No worries though, this is what Steven
   Clarke (the author of IPPORTFW) had to say about that:
   
        "Port Forwarding is only called within masquerading functions so it
        fits inside the same IPFWADM/IPCHAINS rules. Masquerading is an extensi
on to
        IP forwarding. Therefore, ipportfw only sees a packet if it fits
        both the input and masquerading ipfwadm rule sets."

   With this said, it's important to have a strong firewall ruleset.
   Please see the [40]Strong-IPFWADM-Rulesets and
   [41]Strong-IPCHAINS-Rulesets sections for more details on strong
   rulesets.
   
   So, to install IPPORTFW forwarding support for either a 2.0.x or 2.2.x
   kernel, you need to re-compile the Linux kernel to support IPPORTFW.
     * 2.0.x users will need to apply a simple kernel option patch (see
       below)
     * 2.2.x kernel users will already have the IPPORTFW kernel option
       available via IPMASQADM
       
  IPPORTFW on 2.0.x kernels
  
   First, make sure you have the newest 2.0.x kernel uncompressed into
   /usr/src/linux. If you haven't already done this, please see the
   [42]Kernel-Compile section for full details. Next, download the
   "ipportfw.c" program and the "subs-patch-x.gz" kernel patch from the
   [43]2.0.x-Requirements section into the /usr/src/ directory.
   
   NOTE: Please replace the "x" in the "subs-patch-x.gz" file name with
   the most current version available on the site.
   
   Now, copy the IPPORTFW patch (subs-patch-x.gz) into the Linux
   directory
   
        cp /usr/src/subs-patch-1.37.gz /usr/src/linux

   Next, apply the kernel patch to create the IPPORTFW kernel option:
   
        cd /usr/src/linux
        zcat subs-patch-1.3x.gz | patch -p1

   Next, if you plan on port forwarding FTP traffic to an internal
   server, you will have to apply a NEW IP_MASQ_FTP module patch found in
   the [44]2.0.x-Requirements section. More details regarding this are
   later in this section.
   
   Ok, time to compile the kernel as shown in the [45]Kernel-Compile
   section. Be sure to say YES to the IPPORTFW option now available when
   you configure the kernel. Once the compile is complete and you have
   rebooted, return to this section.
   
   Now with a newly compiled kernel, please compile and install the
   actual "IPPORTFW" program
   
        cd /usr/src
        gcc ipportfw.c -o ipportfw
        mv ipportfw /usr/local/sbin

   Now, for this example, we are going to allow ALL WWW Internet traffic
   (port 80) hitting your Internet TCP/IP address to then be forwarded to
   the internal Masqueraded machine at IP address 192.168.0.10.
   
   NOTE: Once you enable a port forwarder on port 80, that port can no
   longer be used by the Linux IP Masquerade server. TO be more specific,
   if you have a WWW server already running on the MASQ server and then
   you port forward port 80 to an internal MASQed computer, ALL internet
   users will see the WWW pages pages from the -INTERNAL- WWW server and
   not the pages on your IP MASQ server. The only work around for this is
   to port forward some other port, say 8080, to your internal MASQ
   machine. Though this will work, all Internet users will have to append
   :8080 to the URL to then contact the internal MASQed WWW server.
   
   Anyway, to enable port forwarding, edit the /etc/rc.d/rc.firewall
   ruleset. Add the follow lines but be sure to replace the word "$extip"
   with your Internet IP address.
   
   NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP,
   ADSL, Cablemodems, etc.), you will NEED to make your
   /etc/rc.d/rc.firewall ruleset more intelligent. To do this, please see
   [46]TrinityOS - Section 10 for more details on strong rulesets and
   Dynamic IP addresses.
   
        /etc/rc.d/rc.firewall
        --

        #echo "Enabling IPPORTFW Redirection on the external LAN.."
        #
        /usr/local/sbin/ipportfw -C
        /usr/local/sbin/ipportfw -A -t$extip/80 -R 192.168.0.10/80

        --

   That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it
   out!
   
   If you get the error message "ipfwadm: setsockopt failed: Protocol not
   available", you running your new kernel. Make sure that you moved the
   new kernel over, re-run LILO, and then reboot again.
   
   Port Forwarding FTP servers:
   
   If you plan on port forwarding FTP to an internal machine, things get
   more complicated. The reason for this is because the standard
   IP_MASQ_FTP kernel module wasn't written for this. Fortunately, Fred
   Viles wrote a modified IP_MASQ_FTP module to make things work. If you
   are curious what EXACTLY is the issues, download the following archive
   since Fred documents it quite well. Also understand that this patch is
   somewhat experimental and should be treated as such. It should be also
   noted that this patch is ONLY available for the 2.0.x kernels at this
   time. Though some worked has already been done on a 2.2.x port, if you
   are interested in helping complete this port, please email [47]Fred
   Viles - fv@episupport.com directly.
   
   So, to get the 2.0.x patch working, you need to:
   
     * Apply the IPPORTFW kernel patch as shown earlier in this section
       FIRST.
     * Download the "msqsrv-patch-36" from Fred Viles's FTP server in the
       [48]2.0.x-Requirements section and put it into /usr/src/linux.
     * Patch the kernel with this new code by running "cat
       msqsrv-patch-36 | patch -p1"
     * Next, replace the original "ip_masq_ftp.c" kernel module with the
       new one
          + mv /usr/src/linux/net/ipv4/ip_masq_ftp.c
            /usr/src/linux/net/ipv4/ip_masq_ftp.c.orig
          + mv /usr/src/linux/ip_masq_ftp.c
            /usr/src/linux/net/ipv4/ip_masq_ftp.c
     * Lastly build and install the kernel with this new code in place.
       
   Once this is complete, edit the /etc/rc.d/rc.firewall ruleset and add
   the follow lines but be sure to replace the word "$extip" with your
   Internet IP address.
   
   NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP,
   ADSL, Cablemodems, etc.), you will NEED to make your
   /etc/rc.d/rc.firewall ruleset more intelligent. To do this, please see
   [49]TrinityOS - Section 10 for more details on strong rulesets and
   Dynamic IP addresses.
   
   This example, like above, will allow ALL FTP Internet traffic (port
   21) hitting your Internet TCP/IP address to then be forwarded to the
   internal Masqueraded machine at IP address 192.168.0.10.
   
   NOTE: Once you enable a port forwarder on port 21, that port can no
   longer be used by the Linux IP Masquerade server. To be more specific,
   if you have a FTP server already running on the MASQ server, a port
   forward will now give all Internet users the FTP files from the
   -INTERNAL- FTP server and not the files on your IP MASQ server.
   
        /etc/rc.d/rc.firewall
        --

        #echo "Enabling IPPORTFW Redirection on the external LAN.."
        #
        /usr/local/sbin/ipportfw -C
        /usr/local/sbin/ipportfw -A -t$extip/21 -R 192.168.0.10/21

        --

   That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it
   out!
   
   If you get the error message "ipchains: setsockopt failed: Protocol
   not available", you AREN'T running your new kernel. Make sure that you
   moved the new kernel over, re-run LILO, and then reboot again. If you
   are sure you are running your new kernel, run the command "ls
   /proc/net" and make sure the "ip_portfw" file exists. If it doesn't,
   you must have made an error when configuring your kernel. Try again.
   
  IPMASQADM with IPPORTFW support on 2.2.x kernels
  
   First, make sure you have the newest 2.2.x kernel uncompressed into
   /usr/src/linux. If you haven't already done this, please see the
   [50]Kernel-Compile section for full details. Next, download the
   "ipmasqadm.c" program from the [51]2.2.x-Requirements section into the
   /usr/src/ directory.
   
   Next, you'll need to compile the 2.2.x kernel as shown in the
   [52]Kernel-Compile section. Be sure to say YES to the IPPORTFW option
   when you configure the kernel. Once the kernel compile is complete and
   you have rebooted, return to this section.
   
   Now, compile and install the IPMASQADM tool:
   
        cd /usr/src
        tar xzvf ipmasqadm-x.tgz
        cd ipmasqadm-x
        make
        make install

   Now, for this example, we are going to allow ALL WWW Internet traffic
   (port 80) hitting your Internet TCP/IP address to then be forwarded to
   the internal Masqueraded machine at IP address 192.168.0.10.
   
   NOTE: At this time, it is beleived that this modified IP_MASQ_FTP
   module for port forwarded FTP connections will NOT work for the 2.2.x
   kernels. If you feel experimental, please try porting it to the 2.2.x
   kernels and email Ambrose and David your results.
   
   NOTE: Once you enable a port forwarder on port 80, that port can no
   longer be used by the Linux IP Masquerade server. To be more specific,
   if you have a WWW server already running on the MASQ server, a port
   forward will now give all Internet users the WWW pages from the
   -INTERNAL- WWW server and not the pages on your IP MASQ server.
   
   Anyway, to enable port forwarding, edit the /etc/rc.d/rc.firewall
   ruleset. Add the follow lines but be sure to replace the word "$extip"
   with your Internet IP address.
   
   NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP,
   ADSL, Cablemodems, etc.), you will NEED to make your
   /etc/rc.d/rc.firewall ruleset more intelligent. TO do this, please see
   [53]TrinityOS - Section 10 for more details on strong rulesets and
   Dynamic IP addresses. I'll give you a hint though: /etc/ppp/ip-up for
   PPP users.
   
        /etc/rc.d/rc.firewall
        --

        #echo "Enabling IPPORTFW Redirection on the external LAN.."
        #
        /usr/sbin/ipmasqadm portfw -f
        /usr/sbin/ipmasqadm portfw -a -P tcp -L $extip 80 -R 192.168.0.10 80

        --

   That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it
   out!
   
   If you get the error message "ipchains: setsockopt failed: Protocol
   not available", you AREN'T running your new kernel. Make sure that you
   moved the new kernel over, re-run LILO, and then reboot again. If you
   are sure you are running your new kernel, run the command "ls
   /proc/net/ip_masq" and make sure the "portfw" file exists. If it
   doesn't, you must have made an error when configuring your kernel. Try
   again.
   
On Tue, Sep 21, 1999 at 01:50:06PM -0700, McDow, Matt wrote:
> Seeking words of wisdom...
>
> I am currently running Linux Redhat 6.0 on my gateway/firewall through a
> cable modem with an assortment of PC's behind it. I am about to attempt what
> my be a great learning experience or take a few more years off my life span.
> I would like to setup a Game server inside my firewall allowing outside
> access to multiplayer games on my LAN (lots of fun!). I am using ipchains
> masquerade because I have only one IP address. I'm thinking there should be
> a way to point a port to a windows machine on my LAN acting as the game host
> or something like that. If this sounds ridiculous it's because I'm new to
> this. If it sounds like a brilliant idea, it's because a friend mentioned
> the possibility....you know who you are....
> Has anyone done this?
> Any words of wisdom to lead me down the right path?

-- 
Brian Lavender
http://www.brie.com/brian/



This archive was generated by hypermail 2b29 : Fri Feb 25 2000 - 14:29:07 PST