Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] Transparent proxy ...
  • From: Sven Schultheiß <schultheiss@xxxxxxxxxxxxxxxxxxx>
  • Date: Sat, 10 Feb 2001 20:22:50 +0100
  • Message-id: <3A85950A.DD781050@xxxxxxxxxxxxxxxxxxx>


Chris Drauch wrote:
>
> tschweikle@xxxxxxxxxx wrote:
> >
> > > So I need to redirect to a port on another machine! This is not
> > > possible directly with ipchains, isn't it?
> > > Redirecting to another port on the same machine is not the problem.
> >
> > AFAIK ipchains cannot redirect to another port on another machine. But
> > there is other software you can use to have the expected effects: rinetd.
> > It's on CD, works seamlessly, only point of criticism in my opinion: you'll have
> > to specify IP-addresses in the config-file. DNS-Names are not resolved.
>
> Another option (at least for 2.2 kernels) should be:
>
> ipmasqadm portfw - Port-forwarding
> This module is able to forward to-firewall packets to
> internal hosts, based on address and port specification.
>

This won't work because portfw can just forward a port from one machine
to another. So the traffic that you want to forward must have your host
as destination (e.g. having a Webserver in the DMZ with a private IP and
doing port forwarding from the Firewall with a real IP to the Webserver).
For a transparent proxy, you will have to redirect traffic that is
normally routed through your Gateway. I guess this isn't called
port forwarding.
It's a combination of packet filtering and policy-based routing:
Mark your HTTP packets on your Internet Gateway (with ipchains -m) and
insert a routing rule (with iproute2) which routes these packets through
your machine with the transparent proxy. On your machine with the
transparent proxy, you can redirect the traffic via ipchains.
AFAIK, there is a section about this in the Advanced Routing Howto.


> see: http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html
>
> f.ex: ipmasqadm portfw -a -P tcp -L your.ext.ip smtp -R your.smtp.host smtp
>
> You still need ipchains to reverse masquerade:
> ipchains -I forward -p tcp -s your.smtp.host smtp -j MASQ
>

Sven
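
The three steps described in the message above (mark on the gateway, policy-route to the proxy host, redirect on the proxy host), written out as a dry-run shell script. This is an added example, not part of the original mail; the interface name, addresses, mark value, table number and proxy port are constructed placeholders, and excluding the proxy's own address from marking is an added assumption.

```shell
#!/bin/sh
# Added example, not from the original mail. Interface, addresses, mark value,
# table number and proxy port below are constructed placeholders.
LAN_IF="eth0"            # gateway interface facing the clients (assumed)
PROXY_IP="192.168.1.2"   # host running the transparent proxy (assumed)
PROXY_PORT=3128          # port the proxy listens on (assumed)
MARK=2                   # firewall mark for HTTP traffic (assumed)
TABLE=202                # routing table used for marked packets (assumed)

# Print each command; run it only when APPLY=1 (root, 2.2 kernel with ipchains).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# On the Internet gateway: mark HTTP packets, then route marked packets
# to the proxy host instead of the default route.
gateway_rules() {
    # The proxy's own requests are excluded (added assumption); otherwise
    # they would be marked too and routed straight back to the proxy.
    run ipchains -A input -i "$LAN_IF" -p tcp -s ! "$PROXY_IP" -d 0/0 80 -m "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$PROXY_IP" dev "$LAN_IF" table "$TABLE"
}

# On the proxy host: hand the routed port-80 traffic to the local proxy port.
proxy_rules() {
    run ipchains -A input -p tcp -d 0/0 80 -j REDIRECT "$PROXY_PORT"
}

case "${1:-}" in
    gateway) gateway_rules ;;
    proxy)   proxy_rules ;;
    *)       echo "usage: $0 gateway|proxy   (dry run unless APPLY=1)" >&2 ;;
esac
```

Run without APPLY set, the script only prints the commands, so the rule set can be reviewed before it touches the packet filter or routing tables.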
