
ipchains and redirection


Radar O'Reilly

Aug 21, 2000, 3:00:00 AM

So I've got a powercenter 132 running YDL 1.2 (well, black lab, but close
enough).

This box is acting as a router for our DSL service as we switch over from the
T1, partly for testing, partly as a backup.

This box will sit outside our firewall.
I want to take all the packets from eth1 (outside world) and forward them to
the firewall. I want to take all the packets from eth0 and toss them to the
outside world unhindered.

I'm used to using ipchains to do masquerading. I'm not quite sure how to
forward to a specific location. I know how to filter _based_on_ the
destination, but not actually specify it. If I were worried about the outbound
packets, I could just specify the firewall as the gateway (and have), but that
doesn't really work inbound. I've got the kernel compiled for transparent
proxying, but I'm not sure how to use the redirection capabilities of ipchains.

The easiest thing to do, of course, would be to plug this thing directly into
the firewall, but the setup makes that pretty much impossible (there's another
router doing the same thing that's immovable)....


__________/| Nathan "Radar" Willard MC '00 | "A Sucking Chest Wound is
(_|__|_____\|________ PO Box 203927 | nature's way of telling
|_|_____________)- New Haven, CT 06520 | you to slow down."


** Sent via the linuxppc-user mail list. See http://lists.linuxppc.org/


Kyle Wheeler

Aug 21, 2000, 3:00:00 AM

On Mon, 21 Aug 2000, Radar O'Reilly wrote:
> This box will sit outside our firewall.
> I want to take all the packets from eth1 (outside world) and forward them to
> the firewall. I want to take all the packets from eth0 and toss them to the
> outside world unhindered.

So, in other words, a firewall that doesn't filter? That's easy:
ipchains -A forward -i eth1 -s <eth0-network>/<mask> -j MASQ

With that magical command, things from eth1 get passed through to eth0.

But something tells me what you mean is, you want this to be a
non-filtering firewall, on a network, that directs all output, not to
eth0, but you want to change the destination IP addresses to all be the
firewall? Something like this:

+-----------+       +-----------+
|New Gateway|       |Old Gateway|
+-----+-----+       +-----------+
      |                   |
      v                   v
+-----+-----+       +-----------+
|Filter Box |------>|Firewall   |
+-----------+       +-----------+
                          |
                 [[[[[[[[[|]]]]]]]]]
                 [Internal Network ]
                 [[[[[[[[[|]]]]]]]]]

So that the computers on the inside never have to change gateways as you
change things over - and your firewall rules stay intact.

Unfortunately, and fortunately, no such beast exists (to my knowledge).
Set the Filter Box up to merely be a filter-less firewall/masquerade for
connections from the firewall - great, that's easy. Heck, you can even
forward specific ports on the Filter box over to the corresponding ports
on the firewall - with ipmasqadm (search for it using google.com) - with
commands like:
ipmasqadm portfw -a -P tcp -L $THISBOX 22 -R $FIREWALL 22

Now, you *could* use that to forward every single port from 1 to 65535 on
tcp, udp, icmp, and the other one (I forget the name) - with a shell script
something like this:

THISBOX=<filter-box-ip>
FIREWALL=<firewall-ip>
for PROTO in tcp udp; do
    PORT=1
    while [ "$PORT" -le 65535 ]; do
        ipmasqadm portfw -a -P $PROTO -L $THISBOX $PORT -R $FIREWALL $PORT
        PORT=$((PORT + 1))
    done
done

But.. that's an awful lot of work, isn't it?

However... this filter box of yours wouldn't be on the INSIDE of the
firewall, would it??? If it is - forget it. There are some things about
hardware that software just can't make up for, and this is one of them.

I hope I answered your question somewhere in there,
~Kyle Wheeler

Radar O'Reilly

Aug 21, 2000, 3:00:00 AM

On Mon, 21 Aug 2000, Kyle Wheeler wrote:

> So, in other words, a firewall that doesn't filter? That's easy:
> ipchains -A forward -i eth1 -s eth0 -j MASQ

> But something tells me what you mean is, you want this to be a
> non-filtering firewall, on a network, that directs all output, not to
> eth0, but you want to change the destination IP addresses to all be the
> firewall? Something like this:

I don't actually want to change all the destination IP addresses to be the
firewall, well, not really. =-)
I want all the packets to go to the firewall, and nowhere else, but to be
allowed through, if the firewall so chooses, to get to their destinations. We
do this now, as you observed, by plugging the router directly into the
firewall (and apparently playing some ARP games).

> Set the Filter Box up to merely be a filter-less firewall/masquerade for
> connections from the firewall - great, that's easy. Heck, you can even

I don't really want to masquerade, either. We're sitting on a Class C, and have
routable IPs. =)

> THISBOX=<filter-box-ip>
> FIREWALL=<firewall-ip>
> for PROTO in {tcp,udp}; do
> PORT=0
> while [$PORT -lt 65535]; do
> ipmasqadm portfw -a -P $PROTO -L $THISBOX $PORT -R $FIREWALL $PORT
> done
> done

Hrm. This might work.

> However... this filter box of yours wouldn't be on the INSIDE of the
> firewall, would it??? If it is - forget it. There's some things about

Nope. Basically, we're too cheap to get a router at the moment.
So I want something that relays everything from eth0 (or our subnet) out to the
world unmolested, and something that forwards everything from eth1 (or the
world) directly to the firewall unmolested. I suppose it would help me in
figuring this out if I actually knew what our "real" router is doing; it
predates me by quite a bit.

> I hope I answered your question somewhere in there,

Maybe? =)

We'll see tomorrow....

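Added example (not code from either poster): with routable addresses, what Radar describes is plain routing, so the filter box needs IP forwarding, a route for the site's block via the firewall, and ipchains forward rules that accept traffic in both directions without masquerading. The same script also carries Kyle's ipmasqadm port-range loop as a bounded function, for the masquerading case. Every interface name and address is a constructed placeholder; DRY_RUN=1 (the default) prints each command instead of executing it, so the script can be read and checked before it touches a live box.

```shell
#!/bin/sh
# Added example, not from the thread: a filter box with routable addresses
# relays traffic between the DSL link (eth1) and the firewall (eth0) by
# routing alone; no masquerading or port forwarding is needed.
# Every address below is a constructed placeholder.
# DRY_RUN=1 (the default) prints each command instead of executing it.

DSL_IF=eth1                   # outside world
INSIDE_IF=eth0                # link toward the firewall
DSL_ADDR=192.0.2.10           # constructed: this box's address on the DSL link
ISP_GW=192.0.2.1              # constructed: the ISP's next hop
FIREWALL=203.0.113.2          # constructed: firewall's outside address (transit link)
INSIDE_NET=198.51.100.0       # constructed: the routable block behind the firewall
INSIDE_MASK=255.255.255.0
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Routing-only relay: inbound packets for the site's block are handed to the
# firewall, outbound packets go to the ISP, and no address is rewritten.
relay_commands() {
    run sysctl -w net.ipv4.ip_forward=1
    run route add default gw "$ISP_GW" "$DSL_IF"
    run route add -net "$INSIDE_NET" netmask "$INSIDE_MASK" gw "$FIREWALL" "$INSIDE_IF"
    # In the ipchains forward chain, -i names the interface the packet leaves on.
    # Policy DENY, then accept only the site's block in each direction.
    run ipchains -P forward DENY
    run ipchains -A forward -i "$DSL_IF" -s "$INSIDE_NET/$INSIDE_MASK" -j ACCEPT
    run ipchains -A forward -i "$INSIDE_IF" -d "$INSIDE_NET/$INSIDE_MASK" -j ACCEPT
}

# The masquerading alternative from the thread as a bounded loop: forward a
# range of ports on this box's DSL address to the same ports on the firewall.
# Rejects ranges outside 1-65535 instead of looping forever.
portfw_commands() {
    proto=$1; first=$2; last=$3
    if [ "$first" -lt 1 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
        echo "port range must lie within 1-65535" >&2
        return 1
    fi
    port=$first
    while [ "$port" -le "$last" ]; do
        run ipmasqadm portfw -a -P "$proto" -L "$DSL_ADDR" "$port" -R "$FIREWALL" "$port"
        port=$((port + 1))
    done
}

relay_commands
```

Run it as-is to see the six commands the routing setup would issue, or `DRY_RUN=0` to apply them; `portfw_commands tcp 22 22` shows the single-port forward Kyle gave. The routing version is preferable when the block is routable: the firewall still sees the real source and destination addresses, so its own rules keep working unchanged.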
