Hi all,

I have a little LAN with a SuSE 6.4 server as gateway; within my LAN I have an NT box with IIS. I want to be able to access the httpd on the NT box from the internet by specifying some port on my gateway. I have firewals-2.1-5 installed and all clients in my LAN have unlimited access to the internet and to the gateway. I tried configuring the redirection, but it seems to me like this only works when the NT box has a public IP, but it does not and never will. So is it possible to do it with the firewall or do I have to fiddle with ipchains?

Thanks & regards,
Nagilum.

-- 
Nagilum  http://home.htwm.de/akuehn/  icq://69646724  nagilum@chillout.org  +01776461165
Amiga (68k/PPC): AOS/NetBSD/Linux  Mac (PPC): MacOS9 / Linux / MacOS-X  x86: Linux/FreeBSD/OpenBSD/QNX/Win98SE
Hi.

I'm not sure, but I think this would not be possible if you use masquerading on your Linux gateway. An easy, perhaps oversized, idea is the following: do a port forwarding with ssh. I've tried it like this:

|root@Q />ssh -l q -L 33:141.24.53.221:80 n405-4
|q@n405-4.fem.tu-ilmenau.de's password:
|Last login: Tue Jan 30 14:05:05 2001 from n405-4.fem.tu-ilmenau.de
|Have a lot of fun...

Now I forwarded port 80 of 141.24.53.221 to port 33 on the 'gateway':

|root@Q ~>telnet localhost 33
|Trying 127.0.0.1...
|Connected to localhost.
|Escape character is '^]'.
|get
|<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|<HTML><HEAD>
| ...

Perhaps this method will work as well in your case as it does in mine ;)

Q, apologizing for his terrible English

-- 
Daniel Zinn
AIM: QN405  mailto:q@n-club.de
ICQ2k: 79511325  talk: root@n405.fem.tu-ilmenau.de
At 09:46 PM 30/01/2001, you wrote:
> Hi all, I have a little LAN with a SuSE 6.4 server as gateway; within my LAN I have an NT box with IIS. I want to be able to access the httpd on the NT box from the internet by specifying some port on my gateway. I have firewals-2.1-5 installed and all clients in my LAN have unlimited access to the internet and to the gateway. I tried configuring the redirection, but it seems to me like this only works when the NT box has a public IP, but it does not and never will. So is it possible to do it with the firewall or do I have to fiddle with ipchains?
>
> Thanks & regards,
> Nagilum.
OK,

This question has been asked and answered (usually by me) at least 6 times, so I decided it was time to put it in the FAQ *grin*

http://www.susesecurity.com/faq/index.html#ipmasqadm

What you need to do is "reverse" masquerading. This can be accomplished with the IPMASQADM tool included on your SuSE CD. You will need to use this tool by hand, although it will happily co-exist with Marc's IPFIREWALS package. (You will need to enable access to the port you want to forward in the firewall config, of course.)

You can read the author's FAQ at http://juanjox.kernelnotes.org/ipmasqadm-FAQ.txt

NOTE: This requires that you have regular masquerading working first!

Cheers
---
Nix - nix@susesecurity.com
http://www.susesecurity.com
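As an added illustration (not part of the thread or of the firewals package), the script below builds the two rules the reverse-masquerading setup needs, validates the addresses and ports first, and prints the commands unless DRY_RUN=0 is set on a gateway where you are root. The addresses, ports and the ipchains ACCEPT line are assumptions for this example; with Marc's firewals package the open-port part belongs in its own config rather than in an ad-hoc ipchains rule.

```shell
#!/bin/sh
# Constructed placeholders: the gateway's public address and the IIS host's
# private address are not taken from the thread.
EXT_IP="${EXT_IP:-203.0.113.10}"   # gateway public address (placeholder)
NT_IP="${NT_IP:-192.168.1.20}"     # IIS host on the LAN (placeholder)
EXT_PORT="${EXT_PORT:-8080}"       # port exposed on the gateway
NT_PORT="${NT_PORT:-80}"           # IIS listening port
DRY_RUN="${DRY_RUN:-1}"            # 1 = only print commands; 0 = execute as root

# Accept a dotted-quad IPv4 address whose octets are all <= 255.
valid_ip() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Accept a TCP port in 1..65535.
valid_port() {
  echo "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit one command per line: open exactly the forwarded port in the ipchains
# input chain, then add the ipmasqadm portfw entry that hands the connection
# to the LAN host (regular masquerading must already be working).
portfw_rules() {
  ext_ip=$1; ext_port=$2; int_ip=$3; int_port=$4
  valid_ip "$ext_ip" && valid_ip "$int_ip" \
    && valid_port "$ext_port" && valid_port "$int_port" || return 1
  echo "ipchains -A input -p tcp -d $ext_ip $ext_port -j ACCEPT"
  echo "ipmasqadm portfw -a -P tcp -L $ext_ip $ext_port -R $int_ip $int_port"
}

# Print the rules, or run them when DRY_RUN=0.
apply_rules() {
  portfw_rules "$@" || { echo "invalid address or port" >&2; return 1; }
  [ "$DRY_RUN" = "1" ] && return 0
  portfw_rules "$@" | while read -r cmd; do $cmd; done
}

apply_rules "$EXT_IP" "$EXT_PORT" "$NT_IP" "$NT_PORT"
```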
On Jan 30 at 11:46, my computer said Alexander Kühn said:
> Hi all, I have a little LAN with a SuSE 6.4 server as gateway; within my LAN I have an NT box with IIS. I want to be able to access the httpd on the NT box from the internet by specifying some port on my gateway. I have firewals-2.1-5 installed and all clients in my LAN have unlimited access to the internet and to the gateway. I tried configuring the redirection, but it seems to me like this only works when the NT box has a public IP, but it does not and never will. So is it possible to do it with the firewall or do I have to fiddle with ipchains?
>
> Thanks & regards,
> Nagilum.
One way to do this is to use squid as an HTTP `accelerator'. I set this up today (much to my surprise). Squid sits on the firewall and looks like a web server to the world on port 80. If you install it and search the config file for 'accel' in squid.conf you should get it more or less set up.

There are a few gotchas though. The squid23 package that comes with SuSE 7 (yep, I know you said 6.4) has a security bug when used as an accelerator. It is impossible to stop it from being abused by the world to bypass porn-blocking proxies, while simultaneously allowing access to your `accelerated' host. You will need to get squid 2.4. (And if you compile from source, you may end up without dnsserver processes if you don't ./configure with --disable-internal-dns.)

Another security gotcha is that your happy server will tell the world its private IP address. When a URL such as http://172.16.3.2/directory is requested, it may send a message like

Location: http://172.16.3.2/directory/

which is a bit of a let-down (IIS 3 does this) (yep, that's what they were using).

I have a sneaky suspicion that I would have been out of there by 2pm if I had used ipportfw ... if that network card had been working ... if I was smarter ... &:-)

-- 
[1]+ Stopped fdformat /dev/hda
participants (4): Alexander Kühn, Andrew McGill, daniel, Nix