Firewall Wizards: re:linux firewall help

re:linux firewall help

From: Chris Trudeau <chris_at_ctrudeau.dyndns.org>
Date: Sun, 13 Aug 2000 14:08:05 -0400

>Ok, first off let me apologize for asking quite basic questions, but
>I have run out of on-line options to study.
>
> I'm currently tasked with configuring a Linux firewall (two network
>cards, one with a "live" IP address, and one with an RFC 1918
>address). The firewall will be configured to listen to two
>additional IP addresses and re-direct specific incoming ports to two
>servers hidden on the internal network. I have the multiple IP
>addresses set up on the firewall, and I have set up my home Linux
>firewall to do Masquerading, so I think that is going to go well, but
>what I need help with is the redirection part. (FYI, I am using an
>old Pentium with Mandrake 7.1 installed, 2.2.16 kernel.)
>
> From reading the IPChains HOWTO file, it appears that the "-j
>REDIRECT" chain only redirects to a port on the FIREWALL, not to
>another system. If someone could show me how to redirect a
>connection to "real IP Address A, Port X" to the "hidden 10.0.0.1,
>Port X" I would be really happy! (If it helps, the ports are HTTP,
>HTTPS, PCAnywhere, and FTP, but all I really need is a boilerplate
>for the inbound redirection.)

Don't use IPCHAINS to forward the packets; take a look at ipmasqadm.

Something like: ipmasqadm portfw -h

> As a side note, will the reply packet sent back out to the Internet
>come from the firewall, or is it possible to setup a "Static NAT"
>between the aliased IP address and the internal IP address of the
>server?

Depends on how much IP space you have outside the firewall...

If you have enough addresses to "Statically NAT" them, you'll have to
arp from the firewall to the next hop default router:

arp -p IPADDRESS MAC ADDRESS -s

(Those switches may be only for Solaris.)

Then run the ipmasqadm portfw command...

> If this is too complicated, can someone show me an example that
>takes and re-directs EVERYTHING through from address X to address Y
>(a simple, two-way static NAT)?

Hope the above helps...

-- 
Chris Trudeau
chris_at_ctrudeau.dyndns.org
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards_at_nfr.net
http://www.nfr.net/mailman/listinfo/firewall-wizards
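As an added example (not from the thread or either poster), here is the kind of 2.2-kernel "boilerplate" the reply points at: an `ipmasqadm portfw` table for the inbound redirections plus the `ipchains` MASQ rule for outbound traffic from the hidden servers. The interface name (`eth0`), the public addresses (`192.0.2.x`, documentation address space) and the internal addresses are constructed placeholders; the command syntax follows the IP Masquerade HOWTO of that era (`ipmasqadm portfw -a -P tcp -L <public ip> <port> -R <internal ip> <port>`, `ip_masq_portfw` module). The script emits the commands instead of running them, so the ruleset can be read before it touches the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: generate the 2.2-kernel port-forwarding
# ruleset the reply points at (ipmasqadm portfw plus ipchains MASQ).
# Interface, addresses and ports below are constructed placeholders.

EXT_IF="eth0"            # assumption: interface holding the public addresses
INT_NET="10.0.0.0/24"    # assumption: the RFC 1918 network behind the firewall

# One forwarding per line: public-IP:public-port:internal-IP:internal-port
# (constructed values; 192.0.2.0/24 is documentation address space).
FORWARDS="
192.0.2.10:80:10.0.0.1:80
192.0.2.10:443:10.0.0.1:443
192.0.2.11:21:10.0.0.2:21
"

# Reject anything that is not a dotted quad with octets in 0-255.
valid_ipv4() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Reject anything that is not an integer in 1-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the commands rather than running them, so the ruleset can be reviewed
# (and diffed against the running one) before it touches the firewall.
build_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "modprobe ip_masq_portfw"                 # port-forwarding support in 2.2
    echo "ipchains -P forward DENY"                # forward nothing by default
    echo "ipchains -F forward"
    echo "ipchains -A forward -s $INT_NET -i $EXT_IF -j MASQ"   # outbound masquerade
    echo "ipmasqadm portfw -f"                     # start from an empty portfw table
    for _entry in $FORWARDS; do
        _ifs=$IFS; IFS=:
        set -- $_entry
        IFS=$_ifs
        if [ $# -ne 4 ] || ! valid_ipv4 "$1" || ! valid_port "$2" \
           || ! valid_ipv4 "$3" || ! valid_port "$4"; then
            echo "build_rules: rejecting malformed entry '$_entry'" >&2
            return 1
        fi
        # public address/port on the outside -> server address/port on the inside
        echo "ipmasqadm portfw -a -P tcp -L $1 $2 -R $3 $4"
    done
}

# Dry run by default; './portfw.sh --apply' pipes the reviewed commands to sh.
case ${1:-} in
    --apply) build_rules | sh -e ;;
    *)       build_rules ;;
esac
```

Run it once without arguments and read the output, then run it with `--apply` on the firewall. Two practical points the thread leaves implicit: the `arp -s ... pub` step from the reply is only needed when the public addresses are not already configured as aliases on the external interface (an address configured on the interface is answered for by the kernel itself), and forwarding port 21 alone only carries the FTP control channel, so an FTP server behind the firewall also needs its passive data port range forwarded the same way.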
Received on Aug 15 2000