Firewall Wizards: Re: ipchains and port forwarding

Re: ipchains and port forwarding

From: Robert E. Martin <rmartin_at_fishburne.org>
Date: Tue, 04 Mar 2003 08:38:55 -0500

Martin A. Brown wrote:

>Robert,
>
>Can you use iptables? It'll be much easier with iptables:
>
> iptables -t nat -A PREROUTING -d 216.12.31.x -p tcp --dport 80 \
> -j DNAT --to-destination 192.168.0.10
> iptables -t filter -A FORWARD -d 192.168.0.10 -p tcp --dport 80 \
> -j ACCEPT
>
> for PORT in 25 110 ; do
> iptables -t nat -A PREROUTING -d 216.12.31.x -p tcp --dport $PORT \
> -j DNAT --to-destination 192.168.0.20
> iptables -t filter -A FORWARD -d 192.168.0.20 -p tcp --dport $PORT \
> -j ACCEPT
> done
>
>Do you still want to use ipchains? Do you have more than one IP? Do you
>want to do static NAT? iproute2 is your friend:
>
> ip route add nat 216.12.31.Y via 192.168.0.10
> ip rule add nat 216.12.31.Y from 192.168.0.10
>
> ip route add nat 216.12.31.Z via 192.168.0.20
> ip rule add nat 216.12.31.Z from 192.168.0.20
>
> # -- add some ipchains here
>
>I have some iproute2 help available here:
>
> http://linux-ip.net/html/
> http://linux-ip.net/html/nat-stateless.html
>
>Do you still want to use ipportfw? Ick. I can't help you much there.
>
>Ciao, good luck,
>
>-Martin
>
> : Hey guys!!
> : I have just installed a dsl line and need to rebuild a firewall. I have
> : decided to use ipchains and have a need to forward www and mail access
> : into the private side of the new firewall. I am familiar with ipportfw
> : and ipautofw commands. Is this all I need to do to get access to my web
> : and mail server?
> :
> : ex: isp addr 216.12.31.x
> : internal net : 192.168.0.x
> : web server: 192.168.0.10
> : mailserver: 192.168.0.20
> :
> : rules I've tried:
> : /sbin/ipmasqadm portfw -a -P tcp -L 192.168.0.1 80 -R 192.168.0.10 80 -p 100
> :
> : Thanks!!
> :
>
>
>
OK. That makes sense. I do have iproute2 working on the machine and I
can make sense of the documentation, however, will this technique work
across multiple segments? If I route through several subnets to get to
the physical web server box, will this still work or does the machine
need to be on the same physical subnet? I can go with iptables and it
does seem much easier. I have considered this to be the thing to do and
you know what they say, no guts, no glory!

-- 
Robert E Martin
IT Manager
Fishburne Military School
rmartin_at_fishburne.org
540.946.7726
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Mar 04 2003
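The iptables approach Martin outlines above (a DNAT rule in nat/PREROUTING plus a matching ACCEPT in filter/FORWARD per forwarded port), written out as a complete rule generator. This is an added example, not code from either poster: it keeps the thread's hosts (web on 192.168.0.10, mail on 192.168.0.20, ports 80, 25 and 110), uses 216.12.31.1 as a placeholder for the public address and eth0 as an assumed external interface, and adds what a defender would want around the bare rules, namely a default-DROP FORWARD policy, a conntrack rule for return traffic, and an interface match so the DNAT only fires on packets arriving from the outside. It prints the commands rather than applying them, so the output can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original thread): generate iptables DNAT
# port-forwarding rules with a default-deny FORWARD chain.
# Addresses follow the thread; the public IP and interface are placeholders.

PUBLIC_IP="216.12.31.1"   # placeholder for the ISP-assigned 216.12.31.x address
WAN_IF="eth0"             # assumed name of the external interface

# forward_rule PUBLIC_IP PORT INTERNAL_IP
# Print the two rules needed to forward one TCP port:
#   1. nat/PREROUTING DNAT, matched only on the external interface
#   2. filter/FORWARD ACCEPT for NEW connections to that internal host:port
forward_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$1" "$2" "$3"
    printf 'iptables -t filter -A FORWARD -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$3" "$2"
}

# Base policy: drop forwarded traffic by default, but let replies to
# connections that conntrack already knows about pass.
base_rules() {
    printf 'iptables -t filter -P FORWARD DROP\n'
    printf 'iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# ruleset: the complete set for the web server (80) and mail server (25, 110)
ruleset() {
    base_rules
    forward_rule "$PUBLIC_IP" 80 192.168.0.10
    for port in 25 110; do
        forward_rule "$PUBLIC_IP" "$port" 192.168.0.20
    done
}

# rule_count: sanity check, 2 base rules plus 2 per forwarded port
rule_count() {
    ruleset | wc -l | tr -d ' '
}

# Print the commands for review; apply later (as root) with:  sh thisfile.sh | sh
ruleset
```

On Robert's follow-up question: DNAT rewrites the destination in PREROUTING, and the packet is then routed like any other, so the target host does not have to sit on a directly attached subnet; what must hold is that the firewall has a route to it and that the server's reply traffic comes back through the same box, because conntrack reverses the translation on the return path. The `-m conntrack --ctstate` match is the current form of the older `-m state --state` syntax.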