From: "W.D.McKinney" <deem@wdm.com>
Date: Sun, 31 Dec 2000 11:30:55 -0900
Message-ID: <NEBBKNMAELGHIHMNKLMBIEDJCAAA.deem@wdm.com>
Subject: RE: [SLE] ipmasqadm portfw question

I use the following with success:

# ipmasqadm autofw -A -r tcp 80 80 -h 192.168.xxx.xxx

-----Original Message-----
From: chris@scooby.lineone.net [mailto:chris@scooby.lineone.net] On Behalf Of Chris Reeves
Sent: Sunday, December 31, 2000 8:18 AM
To: acagle@subimo.com; SuSE Mailing List
Subject: Re: [SLE] ipmasqadm portfw question

anthony cagle wrote:
I am trying to get port forwarding working on a 6.4 SMP system without success. This system has been configured for several months to do IP Masquerading between a cable modem and a small internal network. FTP, ICQ and all of the rest of the services available have worked with no problem.
Recently, I wanted to move the web server which is currently on the IP Masquerading box to another machine on the internal network. I read all the documentation I could find, including the PORTFW mini howto and the howtos and package docs on ipchains, firewalls and ipmasqadm. It looked very simple. But for some reason I cannot get it to work. I'm beginning to wonder if perhaps the default 6.4 SMP config kernel doesn't really support the PORTFW function or perhaps there's something else obvious I'm missing.
I've included examples of my configuration, config files and output below. Thanks, Anthony
                Cable Modem to Internet
                          |
                  |----------------|
             eth1 | www.subimo.com | IP assigned by cable company DHCP
                  |                | old web server resided here (port 80)
             eth0 | 192.168.1.1    |
                  |----------------|
                          |
              ---------------------- internal network
                          |
                  |-------------|
             eth0 | 192.168.1.2 |
                  | new web     |
                  | server (80) |
                  |-------------|
I've used Ethereal to capture all the packet traffic off eth0 (192.168.1.1) on the firewall machine, and no packets are being sent to the other machine (192.168.1.2) when I try to connect from a computer outside the firewall. Inside the firewall, the server is working (i.e., http://192.168.1.1 gets a page sent back).
Here are the commands I'm using to configure the machine for portfw:
#! /bin/sh
ipchains --flush
ipchains -I forward -p tcp -s 192.168.1.2/32 80 -j MASQ
ipchains -P forward DENY
ipchains -A forward -s 192.168.1.0/24 -j MASQ
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L subimo.myip.org 80 -R 192.168.1.2 80
Here's the response I get from: ipchains -L

Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       tcp  ------  192.168.1.2           anywhere              http ->   any
MASQ       all  ------  192.168.1.0/24        anywhere              n/a
Chain output (policy ACCEPT):

Here's the response I get from: ipmasqadm portfw -l

prot localaddr            rediraddr               lport    rport  pcnt pref
TCP  subimo.myip.org      192.168.1.2             http     http     10   10

This is how I initially tried to do this, but I gave up (perhaps too quickly - I'll investigate again later). What I did was install and configure rinetd - it's incredibly simple to do. In fact I did it in about 3 minutes, just before going out (since I need to access an internal web server from the place I was going to)...
and finally, here's the response I get from: lsmod

Module                  Size  Used by
ip_masq_portfw          3012   1 (autoclean)
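As an added example (not code from anyone in this thread), here is a small Python audit that parses the ipchains -L, ipmasqadm portfw -l and lsmod output quoted above and flags the inconsistencies worth checking first in a portfw setup: module not loaded, forward chain not default-deny, no portfw rule to the intended server, and no MASQ rule covering the server's replies. The sample outputs are constructed from the ones quoted in the thread; the host 192.168.1.2 and port http are the poster's values.

```python
import ipaddress, re
# Constructed sample output, modelled on what the original poster quoted.
IPCHAINS_L = """\
Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       tcp  ------  192.168.1.2           anywhere              http ->   any
MASQ       all  ------  192.168.1.0/24        anywhere              n/a
Chain output (policy ACCEPT):
"""
PORTFW_L = """\
prot localaddr            rediraddr               lport    rport  pcnt pref
TCP  subimo.myip.org      192.168.1.2             http     http     10   10
"""
LSMOD = "Module          Size  Used by\nip_masq_portfw  3012  1 (autoclean)\n"

def forward_chain(text):
    """Return (policy, rules) for the 'forward' chain of ipchains -L output."""
    policy, rules, active = None, [], False
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\w+)\):", line)
        if m:
            active = m.group(1) == "forward"
            policy = m.group(2) if active else policy
        elif active and line.strip() and not line.startswith("target"):
            f = line.split()
            rules.append({"target": f[0], "prot": f[1], "source": f[3]})
    return policy, rules

def portfw_rules(text):
    """Parse ipmasqadm portfw -l rows (header skipped) into dicts."""
    rows = [l.split() for l in text.splitlines()[1:] if l.strip()]
    return [{"prot": f[0].lower(), "rediraddr": f[2], "rport": f[4]} for f in rows]

def audit(ipchains_out, portfw_out, lsmod_out, target="192.168.1.2", port="http"):
    """Return a list of findings; an empty list means the setup looks consistent."""
    findings = []
    if not re.search(r"^ip_masq_portfw\b", lsmod_out, re.M):
        findings.append("ip_masq_portfw module is not loaded")
    policy, rules = forward_chain(ipchains_out)
    if policy != "DENY":
        findings.append("forward chain policy is %s, expected DENY" % policy)
    if not any(r["prot"] == "tcp" and r["rediraddr"] == target and r["rport"] == port
               for r in portfw_rules(portfw_out)):
        findings.append("no portfw rule redirects tcp/%s to %s" % (port, target))
    # Replies from the internal server must be masqueraded on the way back out.
    host = ipaddress.ip_address(target)
    if not any(r["target"] == "MASQ" and r["source"] != "anywhere" and
               host in ipaddress.ip_network(r["source"], strict=False) for r in rules):
        findings.append("no MASQ rule in forward chain covers %s" % target)
    return findings
```

Run against the poster's own output the audit returns no findings, which is itself useful: the rule tables look consistent, so the fault lies outside what ipchains -L and portfw -l can show.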