
Re: Exposed Host



I just wanted to thank everyone that offered assistance. I upgraded to a
2.4 kernel and iptables and got it working with just one problem.

When I upgraded the kernel, I forgot that my old one had the NIC drivers
built in and the kernel-image I installed with apt-get would require that
modules be loaded on boot in order for the computer to boot with network
access. Since I was doing it remotely I had to drive 2 hours (round-trip)
just to add a line to /etc/modules but other than that there were no
problems.

Thanks again
Chad

On 2002.01.08 10:38 Chad Morgan wrote:
> On 2002.01.06 00:34 njacobs@yahoo.com wrote:
> > Hi Chad,
> > I'm not sure I've completely understood your question,
> > but I assume you want your firewall to do
> > masquerading for some of the machines on your LAN, 
> > and not for others.
> > 
> 
> I already have masquerading working fine. My current setup is like this
> 
>     Internet
>         |
>     eth0 = 1.2.3.4
>     eth0:1 = 1.2.3.5
>     Gateway
>     eth1 = 192.168.0.1
>         |
>     Internal Network
>     192.168.0.21
>     192.168.0.22
>     192.168.0.23
>     ...
> 
> Also, a couple of ports on 1.2.3.4 are already being forwarded to
> 192.168.0.21 using ipmasqadm portfw
> like ipmasqadm portfw -P tcp -L 1.2.3.4 80 -R 192.168.0.21 80
> 
> Now, what I would like to do is forward ALL traffic from 1.2.3.5 to
> 192.168.0.22 with something like
> ipmasqadm portfw -P tcp -L 1.2.3.5 * -R 192.168.0.22 * which doesn't work.
> I've looked into a few of the port forwarding tools in the IP Masquerading
> howto but they all seem to only allow forwarding of individual ports and
> not blanket forwarding of all ports.
> 
> Also, it isn't practical to connect to a hub on the public network and
> have it use a 1.2.3.* address directly.
> 
> Chad
> 
> 
> > The line in your firewall script that specifies
> > masquerading will be something like:
> > ipchains -A forward -s 192.168.1.0/24 -j MASQ
> > 
> > This tells your Linux kernel to masquerade all
> > your IP addresses in the range 192.168.1.xxx.
> > This is one of the IP address ranges that is
> > reserved for local use, i.e. not visible to
> > the world outside your LAN. If one of your
> > tenants has a public IP address it will not
> > be in this range and will therefore not be
> > masqueraded.
> > In other words, if your system is set up in a
> > normal way, you need do nothing to your
> > masquerading. You still need to add lines
> > to your script to forward packets from outside
> > to your tenant's IP address, of course. 
> > 
> > I hope this helps.
> > Nick
> > --- Chad Morgan <chad@chadmorgan.com> wrote:
> > > I have a box with a 2.2.17 kernel doing ip masquerading. I've figured out
> > > how to forward individual ports of the external address to individual
> > > ports on an internal address, but how can I forward all traffic on all
> > > ports from the external address to one of the internal addresses?
> > > 
> > > I know this isn't very secure, but I'm not very concerned about security
> > > because it isn't our responsibility in this case. We manage a small
> > > office building of executive suites and provide high speed internet for
> > > our tenants on the DSL line. One of our tenants would like a public
> > > address. In this case it is his responsibility to secure his system.
> > > Could there be a risk to some of the other tenants by a cracker getting
> > > access to their systems through the host that has all traffic forwarded
> > > to it? But, I guess if there was they don't really understand the
> > > difference between private and public ip addresses and should consider
> > > themselves exposed anyway and security is again their responsibility
> > > since we haven't made any guarantees about their security.
> > > 
> > > Anyway, if this is possible using ipmasqadm or if someone has a better
> > > idea, I'd appreciate some advice.
> > > 
> > > Thanks
> > > 
> > > Chad Morgan
> > > 
> > > 
> > > -- 
> > > To UNSUBSCRIBE, email to
> > > debian-firewall-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact
> > > listmaster@lists.debian.org
> > > 
> > 
> 
> 
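The forwarding Chad describes (everything sent to the alias 1.2.3.5 handed to 192.168.0.22, with the rest of the LAN still masqueraded behind 1.2.3.4), written for the 2.4 kernel and iptables he moved to. This is an added example and not code from the thread; the addresses and interface names are taken from his diagram, while the containment rule for the other tenants and the dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: 1:1 NAT of the secondary public address to one
# internal host with iptables on a 2.4 kernel. Addresses and interfaces come from Chad's
# diagram; the containment rule and the dry-run switch are assumptions of this example.
EXT_IF=eth0             # public side: 1.2.3.4 plus the alias eth0:1 = 1.2.3.5
INT_IF=eth1             # LAN side: 192.168.0.1
PUBLIC_IP=1.2.3.5       # the tenant's public address
TENANT_IP=192.168.0.22  # the exposed host that receives everything sent to 1.2.3.5
LAN=192.168.0.0/24      # the other tenants
IPT=${IPT:-iptables}    # set IPT="echo iptables" to print the rules instead of loading them

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

exposed_host_rules() {
    # Inbound: every packet arriving on eth0 for 1.2.3.5, any protocol, any port, is
    # rewritten to the tenant host (the "all ports" forward that ipmasqadm portfw could not do).
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -j DNAT --to-destination "$TENANT_IP"
    # Outbound: the tenant host leaves with its own public address instead of 1.2.3.4.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$TENANT_IP" -j SNAT --to-source "$PUBLIC_IP"
    # NAT only rewrites addresses; the FORWARD chain still decides what may pass.
    # Containment first so nothing later can shadow it: traffic the gateway routes from the
    # exposed host toward the other tenants is dropped.
    $IPT -A FORWARD -s "$TENANT_IP" -d "$LAN" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$TENANT_IP" -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$TENANT_IP" -j ACCEPT
}

lan_masquerade_rules() {
    # The rest of the LAN keeps ordinary masquerading behind 1.2.3.4 (the 2.4 replacement
    # for "ipchains -A forward -s ... -j MASQ"); replies are admitted by connection tracking.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# POSTROUTING is first-match: the tenant's SNAT must be loaded before the LAN-wide
# MASQUERADE, or the exposed host would go out as 1.2.3.4 like everyone else.
all_rules() {
    exposed_host_rules
    lan_masquerade_rules
}

# As root on the gateway:  enable_forwarding; all_rules
```

The gateway can only filter what is routed through it: the exposed host shares the 192.168.0.0/24 segment with the other tenants and reaches them directly without touching eth1, so the DROP rule does not protect them from it. Giving the exposed host its own interface or subnet is what makes that containment real.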
