On Fri, Jun 30, 2000 at 10:29:29PM -0500, Yaron wrote:
> Oh, I've finally moved my firewall/NAT to a separate box than my
> desktop. My network looks like this now:
>
>                                    | [mail 192.168.0.1]
>   206.147.x.x        192.168.0.100 | [www 192.168.0.10]
>  -DSL--[Firewall]------[Switch]----| [workstation a 192.168.0.20]
>                                    | [workstation b 192.168.0.21]
>
> Now, the NAT thingie is port-forwarding stuff over to the internal
> network. For example, www.yaron.org is DNSed as 206.147.x.x. The firewall
> forwards port 80 to the internal 192.168.0.10.
>
> This all works fine, except from the internal network. The firewall does
> NOT redirect stuff coming in from the internal net.

This is a shortcoming in the firewall code, but not necessarily a bug. I
didn't figure this one out myself the first time around, and it isn't well
documented. Basically, the ipchains and ipmasqadm tools don't allow for
two-way portforwarding. Your packets simply get lost.

So, what you'll need to do is set up an ipchains rule to redirect traffic
destined for your Internet resolved address for the web server to a local
port on the firewall. Then use a proxy to forward traffic from that local
port to the web server. That is, if you still do not want to maintain a
private DNS for your Intranet.

> I've got a couple of workarounds - /etc/hosts or hosts.txt files on the
> workstations, or setting up an alternate DNS for the internal network, but
> I'd like to have the firewall do its thing.

Sorry, it simply won't. There may be other ways to get around this, but the
2.2 ipchains and ipmasqadm won't do it other than the way I described above.

> I'm using ipchains 1.3.9 and ipmasqadm 0.4.2, on kernel 2.2.16. IPCHAINS
> is ACCEPTing the packets from the internal net, but then they vanish.

Yep. That'll happen.

> Here's the IPCHAINS rule:
> ACCEPT     tcp  ----l-  anywhere    beldaren.yaron.org    any -> www
>
> And ipmasqadm:
> TCP  beldaren.yaron.org  dragon.yaron.org  www  www  3  10

I'd go with either the redirect-to-local+proxy route as deployed for
transparent proxying with squid. You can use the proxy daemon for just about
any protocol. You could probably also set up an ssh tunnel from the local
firewall port to the Intranet-based web server.

--
Chad "^chewie, gunnarr" Walstrom <chewie at wookimus.net>
http://wookimus.net/chewie
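The redirect-to-local-port plus proxy workaround described in the reply, written out as an added example that is not from the thread. It assumes the public address (206.147.x.x in the thread) is a placeholder EXT_IP, the LAN is 192.168.0.0/24 on eth1, the web server is 192.168.0.10, the local relay port is 8080, and that the `redir` daemon is installed as the proxy; DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Hairpin workaround for a 2.2-kernel ipchains/ipmasqadm firewall.
# All addresses and the relay port below are assumed values for the example.
EXT_IP=${EXT_IP:-203.0.113.5}   # placeholder standing in for 206.147.x.x
LAN=192.168.0.0/24
WWW=192.168.0.10                 # inside web server
RELAY_PORT=8080                  # local port on the firewall
INT_IF=eth1                      # interface facing the switch
DRY_RUN=${DRY_RUN:-1}

# Print the command when dry-running, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# The portfw rule from the thread: serves Internet clients only, because
# ipmasqadm never rewrites the reply for a client sitting on the LAN side.
portfw_external() {
  run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 80 -R "$WWW" 80
}

# Hairpin path: LAN packets aimed at EXT_IP:80 are REDIRECTed in the input
# chain to a local port, so they never reach the forwarding code that
# loses them.
redirect_internal() {
  run ipchains -A input -i "$INT_IF" -p tcp -s "$LAN" -d "$EXT_IP" 80 \
      -j REDIRECT "$RELAY_PORT"
}

# A user-space relay on that local port makes the last hop to the server.
# 'redir' is assumed here; squid (transparent mode) or an ssh -L tunnel,
# both mentioned in the reply, fill the same role.
start_relay() {
  run redir --lport="$RELAY_PORT" --cport=80 --caddr="$WWW"
}

hairpin_setup() { portfw_external; redirect_internal; start_relay; }

hairpin_setup
```

Clients on the LAN keep resolving www.yaron.org to the public address, and the firewall answers from the relay rather than dropping the packets.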