
Re: masqurading



On Sun, 11 Nov 2001, Adi flenner wrote:

> Hi
>
> I have built a NAT machine on linux with 2 ethernet cards and IP Masquerading
> I am forwarding all traffic from my virtual network 192.168.1.0/255 to
> the real ip and it works great !
>
> The problem is, I need to open some special ports on the NAT
> for Microsoft online games
>
>
>      The following TCP ports must be open:
>
>           80
>
>           443
>
>           6667
>
>           28800-29000

What do you mean by "open"?

I suppose you have a machine A in the internal network with IP
192.168.1.30 whose port 80 you want available to outsiders.

The problem is, of course, that nobody from the outside can connect to
those ports (directly). They can only connect to ports of your external
network interface (say: 20.40.60.80).

What you want is to have requests to port 80 of 20.40.60.80 forwarded to
192.168.1.30's port 80.

If you want to have port 80 of more than one machine available from the
outside, then you have a problem (unless your ISP can give you another IP
address. In that case you can make an alias of the external interface).

>
> I have used the ip masquerading HOWTO and working with the rc.firewall
> script that is written there :
>
> /sbin/modprobe ip_masq_ftp
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> /sbin/ipchains -M -S 7200 10 160
> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -i eth0 -s 192.168.1.0/24 -j MASQ
>
> How do I configure my script to open ports ?

Any reason you use ipchains and not iptables?

(note for others: stateful filtering is not that critical here, since NAT
is already stateful)

Generally iptables handles port forwarding in a more sane way. See 'dnat'
(destination NAT) in the IPTABLES HOWTO.

But if you choose to use ipchains, you'll have to use ipmasqadm.

Also, you should add some rules to protect your computer from the
internet.  The INPUT and OUTPUT chains should filter traffic more
aggressively. You should best rely on the interface rather than source (or
destination) address to protect against spoofing.

I also don't like 'rc.firewall': a firewall script should allow the
sysadmin to easily "stop" firewalling, and revert back to some "safe"
configuration: you'll need to do it on several occasions, and when you'll
need it, you won't have time to read the ipchains manual, and to give the
exact sequence of two or three commands required.

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
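An iptables version of the quoted rc.firewall, as an added example (not part of the thread or of the HOWTO): DNAT forwards the listed TCP ports from the external interface to the internal game host, the anti-spoofing rules key on the interface, and a "stop" mode reverts to a safe state as the reply suggests. The interface names eth0/eth1, the host 192.168.1.30, and the meaning of "safe" (no forwarding or NAT, the box itself still reachable) are assumptions; set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Assumed layout: eth1 faces the ISP (20.40.60.80), eth0 faces 192.168.1.0/24.
EXT_IF=${EXT_IF:-eth1}
INT_IF=${INT_IF:-eth0}
LAN=192.168.1.0/24
GAME_HOST=192.168.1.30                  # assumed internal machine "A"
GAME_PORTS="80 443 6667 28800:29000"    # TCP ports from the quoted list

# DRY_RUN=1 prints each command instead of executing it (no root needed).
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

fw_start() {
    run sysctl -w net.ipv4.ip_forward=1
    # Default deny; decisions are made per interface, not per source address.
    run iptables -P INPUT DROP; run iptables -P FORWARD DROP; run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a LAN source address never legitimately arrives on the ISP side.
    run iptables -A INPUT -i "$EXT_IF" -s "$LAN" -j DROP
    run iptables -A FORWARD -i "$EXT_IF" -s "$LAN" -j DROP
    run iptables -A INPUT -i "$INT_IF" -j ACCEPT
    # Outbound masquerading, the equivalent of 'ipchains ... -s 192.168.1.0/24 -j MASQ'.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound port forwarding: rewrite the destination in PREROUTING, then
    # let only that rewritten traffic through FORWARD (filter sees post-DNAT addresses).
    for p in $GAME_PORTS; do
        run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$p" \
            -j DNAT --to-destination "$GAME_HOST"
        run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$GAME_HOST" \
            --dport "$p" -m state --state NEW -j ACCEPT
    done
}

fw_stop() {
    # Safe state: no forwarding and no NAT; the machine itself stays reachable.
    run sysctl -w net.ipv4.ip_forward=0
    for t in filter nat; do run iptables -t "$t" -F; run iptables -t "$t" -X; done
    run iptables -P INPUT ACCEPT; run iptables -P FORWARD DROP; run iptables -P OUTPUT ACCEPT
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    "")      ;;   # no command: only define the functions
    *)       echo "usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```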

