The below excerpt taken from
http://members.home.net/ipmasq/ipmasq-HOWTO-1.77-6.html#ss6.8
describes how to forward a port on a into a private internal ip
network from the internet. It covers the 2.0.x and 2.2.x kernels.
brian
6.8 IPPORTFW, IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other Port Forwarding
tools
IPPORTFW, IPAUTOFW, REDIR, UDPRED, and other programs are generic TCP
and/or UDP port forwarding tools for Linux IP Masquerade. These tools
are typically used with or as a replacement for specific IP MASQ
modules like the current ones for FTP, Quake, etc. With port
forwarders, you can now re-direct data connections from the Internet
to an internal, privately addressed machine behind your IP MASQ
server. This forwarding ability includes network protocols such as
TELNET, WWW, SMTP, FTP (with a special patch - see below), ICQ, and
many others.
NOTE: If you are just looking to do port forwarding without IP
Masquerading, you will STILL NEED to enable IP Masquerading in both
the kernel AND in either your IPFWADM or IPCHAINS ruleset to then be
able to use Linux's port forwarding tools.
So why all the different choices? IPAUTOFW, REDIR, and UDPRED (all
URLs are in the [39]2.0.x-Requirements section) were the first tools
available to IP MASQ users to allow this functionality. Later, as
Linux IP Masquerade matured, these tools were eventually replaced by
IPPORTFW which is a more intelligent solution. Because of the
availablity of the newer tools, it is *HIGHLY DISCOURAGED* to use the
old tools such as IPAUTOFW and REDIR because they don't properly
notify the Linux kernel of their presence and can ultimately CRASH
your Linux server with extreme use.
Before jumping right into installing either the 2.0.x IPPORTFW or
2.2.x version of IPMASQADM with IPPORTFW support, network security can
be an issue with any port forwarder. The reason for this is because
these tools basically create a hole in the packet firewall for the
forwarded TCP/UDP ports. Though this doesn't pose any threat to your
Linux machine, it might be an issue to the internal machine that this
traffic is being forwarded to. No worries though, this is what Steven
Clarke (the author of IPPORTFW) had to say about that:
"Port Forwarding is only called within masquerading functions so it
fits inside the same IPFWADM/IPCHAINS rules. Masquerading is an extensi
on to
IP forwarding. Therefore, ipportfw only sees a packet if it fits
both the input and masquerading ipfwadm rule sets."
With this said, it's important to have a strong firewall ruleset.
Please see the [40]Strong-IPFWADM-Rulesets and
[41]Strong-IPCHAINS-Rulesets sections for more details on strong
rulesets.
So, to install IPPORTFW forwarding support for either a 2.0.x or 2.2.x
kernel, you need to re-compile the Linux kernel to support IPPORTFW.
* 2.0.x users will need to apply a simple kernel option patch (see
below)
* 2.2.x kernel users will already have the IPPORTFW kernel option
available via IPMASQADM
IPPORTFW on 2.0.x kernels
First, make sure you have the newest 2.0.x kernel uncompressed into
/usr/src/linux. If you haven't already done this, please see the
[42]Kernel-Compile section for full details. Next, download the
"ipportfw.c" program and the "subs-patch-x.gz" kernel patch from the
[43]2.0.x-Requirements section into the /usr/src/ directory.
NOTE: Please replace the "x" in the "subs-patch-x.gz" file name with
the most current version available on the site.
Now, copy the IPPORTFW patch (subs-patch-x.gz) into the Linux
directory
cp /usr/src/subs-patch-1.37.gz /usr/src/linux
Next, apply the kernel patch to create the IPPORTFW kernel option:
cd /usr/src/linux
zcat subs-patch-1.3x.gz | patch -p1
Next, if you plan on port forwarding FTP traffic to an internal
server, you will have to apply a NEW IP_MASQ_FTP module patch found in
the [44]2.0.x-Requirements section. More details regarding this are
later in this section.
Ok, time to compile the kernel as shown in the [45]Kernel-Compile
section. Be sure to say YES to the IPPORTFW option now available when
you configure the kernel. Once the compile is complete and you have
rebooted, return to this section.
Now with a newly compiled kernel, please compile and install the
actual "IPPORTFW" program
cd /usr/src
gcc ipportfw.c -o ipportfw
mv ipportfw /usr/local/sbin
Now, for this example, we are going to allow ALL WWW Internet traffic
(port 80) hitting your Internet TCP/IP address to then be forwarded to
the internal Masqueraded machine at IP address 192.168.0.10.
NOTE: Once you enable a port forwarder on port 80, that port can no
longer be used by the Linux IP Masquerade server. TO be more specific,
if you have a WWW server already running on the MASQ server and then
you port forward port 80 to an internal MASQed computer, ALL internet
users will see the WWW pages pages from the -INTERNAL- WWW server and
not the pages on your IP MASQ server. The only work around for this is
to port forward some other port, say 8080, to your internal MASQ
machine. Though this will work, all Internet users will have to append
:8080 to the URL to then contact the internal MASQed WWW server.
Anyway, to enable port forwarding, edit the /etc/rc.d/rc.firewall
ruleset. Add the follow lines but be sure to replace the word "$extip"
with your Internet IP address.
NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP,
ADSL, Cablemodems, etc.), you will NEED to make your
/etc/rc.d/rc.firewall ruleset more intelligent. To do this, please see
[46]TrinityOS - Section 10 for more details on strong rulesets and
Dynamic IP addresses.
/etc/rc.d/rc.firewall
--
#echo "Enabling IPPORTFW Redirection on the external LAN.."
#
/usr/local/sbin/ipportfw -C
/usr/local/sbin/ipportfw -A -t$extip/80 -R 192.168.0.10/80
--
That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it
out!
If you get the error message "ipfwadm: setsockopt failed: Protocol not
available", you running your new kernel. Make sure that you moved the
new kernel over, re-run LILO, and then reboot again.
Port Forwarding FTP servers:
If you plan on port forwarding FTP to an internal machine, things get
more complicated. The reason for this is because the standard
IP_MASQ_FTP kernel module wasn't written for this. Fortunately, Fred
Viles wrote a modified IP_MASQ_FTP module to make things work. If you
are curious what EXACTLY is the issues, download the following archive
since Fred documents it quite well. Also understand that this patch is
somewhat experimental and should be treated as such. It should be also
noted that this patch is ONLY available for the 2.0.x kernels at this
time. Though some worked has already been done on a 2.2.x port, if you
are interested in helping complete this port, please email [47]Fred
Viles - fv@episupport.com directly.
So, to get the 2.0.x patch working, you need to:
* Apply the IPPORTFW kernel patch as shown earlier in this section
FIRST.
* Download the "msqsrv-patch-36" from Fred Viles's FTP server in the
[48]2.0.x-Requirements section and put it into /usr/src/linux.
* Patch the kernel with this new code by running "cat
msqsrv-patch-36 | patch -p1"
* Next, replace the original "ip_masq_ftp.c" kernel module with the
new one
+ mv /usr/src/linux/net/ipv4/ip_masq_ftp.c
/usr/src/linux/net/ipv4/ip_masq_ftp.c.orig
+ mv /usr/src/linux/ip_masq_ftp.c
/usr/src/linux/net/ipv4/ip_masq_ftp.c
* Lastly build and install the kernel with this new code in place.
Once this is complete, edit the /etc/rc.d/rc.firewall ruleset and add
the follow lines but be sure to replace the word "$extip" with your
Internet IP address.
NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP,
ADSL, Cablemodems, etc.), you will NEED to make your
/etc/rc.d/rc.firewall ruleset more intelligent. To do this, please see
[49]TrinityOS - Section 10 for more details on strong rulesets and
Dynamic IP addresses.
This example, like above, will allow ALL FTP Internet traffic (port
21) hitting your Internet TCP/IP address to then be forwarded to the
internal Masqueraded machine at IP address 192.168.0.10.
NOTE: Once you enable a port forwarder on port 21, that port can no
longer be used by the Linux IP Masquerade server. To be more specific,
if you have a FTP server already running on the MASQ server, a port
forward will now give all Internet users the FTP files from the
-INTERNAL- FTP server and not the files on your IP MASQ server.
/etc/rc.d/rc.firewall
--
#echo "Enabling IPPORTFW Redirection on the external LAN.."
#
/usr/local/sbin/ipportfw -C
/usr/local/sbin/ipportfw -A -t$extip/21 -R 192.168.0.10/21
--
That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it
out!
If you get the error message "ipchains: setsockopt failed: Protocol
not available", you AREN'T running your new kernel. Make sure that you
moved the new kernel over, re-run LILO, and then reboot again. If you
are sure you are running your new kernel, run the command "ls
/proc/net" and make sure the "ip_portfw" file exists. If it doesn't,
you must have made an error when configuring your kernel. Try again.
IPMASQADM with IPPORTFW support on 2.2.x kernels
First, make sure you have the newest 2.2.x kernel uncompressed into
/usr/src/linux. If you haven't already done this, please see the
[50]Kernel-Compile section for full details. Next, download the
"ipmasqadm.c" program from the [51]2.2.x-Requirements section into the
/usr/src/ directory.
Next, you'll need to compile the 2.2.x kernel as shown in the
[52]Kernel-Compile section. Be sure to say YES to the IPPORTFW option
when you configure the kernel. Once the kernel compile is complete and
you have rebooted, return to this section.
Now, compile and install the IPMASQADM tool:
cd /usr/src
tar xzvf ipmasqadm-x.tgz
cd ipmasqadm-x
make
make install
Now, for this example, we are going to allow ALL WWW Internet traffic
(port 80) hitting your Internet TCP/IP address to then be forwarded to
the internal Masqueraded machine at IP address 192.168.0.10.
NOTE: At this time, it is beleived that this modified IP_MASQ_FTP
module for port forwarded FTP connections will NOT work for the 2.2.x
kernels. If you feel experimental, please try porting it to the 2.2.x
kernels and email Ambrose and David your results.
NOTE: Once you enable a port forwarder on port 80, that port can no
longer be used by the Linux IP Masquerade server. To be more specific,
if you have a WWW server already running on the MASQ server, a port
forward will now give all Internet users the WWW pages from the
-INTERNAL- WWW server and not the pages on your IP MASQ server.
Anyway, to enable port forwarding, edit the /etc/rc.d/rc.firewall
ruleset. Add the follow lines but be sure to replace the word "$extip"
with your Internet IP address.
NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP,
ADSL, Cablemodems, etc.), you will NEED to make your
/etc/rc.d/rc.firewall ruleset more intelligent. TO do this, please see
[53]TrinityOS - Section 10 for more details on strong rulesets and
Dynamic IP addresses. I'll give you a hint though: /etc/ppp/ip-up for
PPP users.
/etc/rc.d/rc.firewall
--
#echo "Enabling IPPORTFW Redirection on the external LAN.."
#
/usr/sbin/ipmasqadm portfw -f
/usr/sbin/ipmasqadm portfw -a -P tcp -L $extip 80 -R 192.168.0.10 80
--
That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it
out!
If you get the error message "ipchains: setsockopt failed: Protocol
not available", you AREN'T running your new kernel. Make sure that you
moved the new kernel over, re-run LILO, and then reboot again. If you
are sure you are running your new kernel, run the command "ls
/proc/net/ip_masq" and make sure the "portfw" file exists. If it
doesn't, you must have made an error when configuring your kernel. Try
again.
On Tue, Sep 21, 1999 at 01:50:06PM -0700, McDow, Matt wrote:
> Seeking words of wisdom...
>
> I am currently running Linux Redhat 6.0 on my gateway/firewall through a
> cable modem with an assortment of PC's behind it. I am about to attempt what
> my be a great learning experience or take a few more years off my life span.
> I would like to setup a Game server inside my firewall allowing outside
> access to multiplayer games on my LAN (lots of fun!). I am using ipchains
> masquerade because I have only one IP address. I'm thinking there should be
> a way to point a port to a windows machine on my LAN acting as the game host
> or something like that. If this sounds ridiculous it's because I'm new to
> this. If it sounds like a brilliant idea, it's because a friend mentioned
> the possibility....you know who you are....
> Has anyone done this?
> Any words of wisdom to lead me down the right path?
-- Brian Lavender http://www.brie.com/brian/
This archive was generated by hypermail 2b29 : Fri Feb 11 2000 - 16:20:20 PST