|
02-04-2004, 10:45 AM
|
#1 (permalink) |
|
Poo-tee-weet?
Location: The Woodlands, TX
|
packet forwarding with linux
ok so ive got a system running redhat 9 its got 2 nics and i want to be able to have it forward packets to my normal windows box, but i also want to use the linux box for my dc hub and a webhost... I have a friend who can help me with the webhost and the dchub... but he doesnt know how to do the packet forwarding...
any help would be appreciated... and i dont want the linux box to act like a firewall
__________________
-=JStrider=- ~Clatto Verata Nicto |
|
|
02-04-2004, 11:15 AM
|
#2 (permalink) |
|
paranoid
Location: The Netherlands
|
Well packet forwarding in itself is a minimum firewall, as it usually shields the identity and type of machine(s) behind it.
My setup sounds like yours (only I don't use dcc or a httpserver). You should take a look at iptables. It is capable of what you ask and a lot more. I believe most distro's install it automatically. Iptables needs to be compiled into the kernel, so you might have some work there. Next, it needs a rule set which is probably very simple for your setup As an idea my firewall script (run at startup) is somewhat like this: Code:
#!/bin/sh # Turn on IP forwarding in the kernel echo "1" > /proc/sys/net/ipv4/ip_forward echo "************ STARTING ipTABLES config ***************" #create variables to contain network devices #private LAN: PRIVATE_IF=eth0 #Public Internet: PUBLIC_IF=ppp0 #LAN address space: PRIVATE_NET=10.0.0.0/16 #Flush and re-fill ip-tables ruleset: /sbin/iptables -F /sbin/iptables -F -t nat /sbin/iptables -P INPUT ACCEPT /sbin/iptables -P FORWARD DROP /sbin/iptables -P OUTPUT ACCEPT #some bastard I don't like was on this IP: /sbin/iptables --append PREROUTING -t nat -s 217.155.0.0/16 -j DROP #enable LAN-to-Internet traffic (masqueraded) /sbin/iptables -t filter -A FORWARD -i $PRIVATE_IF -o $PUBLIC_IF -s $PRIVATE_NET -d ! $PRIVATE_NET -j ACCEPT /sbin/iptables -t filter -A FORWARD -i $PUBLIC_IF -o $PRIVATE_IF -s ! $PRIVATE_NET -d $PRIVATE_NET -j ACCEPT /sbin/iptables -t nat -A POSTROUTING -o $PUBLIC_IF -d ! $PRIVATE_NET -s $PRIVATE_NET -j MASQUERADE echo "iptables enabled" ####### Outside-to-LAN access: ########## #Dungeon Siege /sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 6073 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:6073 /sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 2302 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:2302 /sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 2300 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:2300 /sbin/iptables -t nat -A PREROUTING -p udp --destination-port 6073 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:6073 /sbin/iptables -t nat -A PREROUTING -p udp --destination-port 2302 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:2302 /sbin/iptables -t nat -A PREROUTING -p udp --destination-port 2300 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:2300 The second section (I use mainly for games) allows outsiders to access your internal LAN by addressing the gateway on certain ports. I hope this helps. Disclaimer: The above rules don't originate from any howto's I've seen before and may or may not be completely 'right'. They do work fine however in my current setup. 2nd note: If you want all traffice except dc and http forwarded to your internal machine, you would probably replace the second section by more general rules. (hint: port-ranges are allowed if setup right in newer kernels)
__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. " - Murphy MacManus (Boondock Saints) Last edited by Silvy; 02-05-2004 at 01:51 AM.. |
|
|
|
02-04-2004, 03:51 PM
|
#3 (permalink) |
|
Poo-tee-weet?
Location: The Woodlands, TX
|
so if i use that how can i change it to let everything through?...
and where would i put that... and set it up to run at startup... im very n00b when it comes to linux so im gonna need like step by step instructions...
__________________
-=JStrider=- ~Clatto Verata Nicto |
|
|
|
02-05-2004, 01:48 AM
|
#4 (permalink) |
|
paranoid
Location: The Netherlands
|
First of all:
- I'm assuming you got RedHat successfully connected to the internet and your back-end PC, if not, set that up first. (post a new thread if you need help with that.) - The first step below can mess up your system pretty good, so be careful! - READ! When using my example script verify that you know what each line does, if unsure: ask! When compiling the kernel, read the associated help files! I may forget a step or make a mistake. Convince yourself that you know what is going to happen before you do it. - I am also assuming you're working from the command line and not within X. Red Hat has some GUI tools for firewalling/forwarding but I've never used them so I can't help you with that. I think they are pretty well documented however so you could give them a try. (if you do: disregard the rest of this post as it assumes you do all by hand.) - Some rules in the above post got commented, I will edit to remove the #'s. - Because the first step is tricky and perhaps not even necessary as RedHat may have done it for you, you could skip it, and get back to it if you can't get forwarding to work. Ok, here goes: Well first of all you will need to recompile the kernel most likely. I hope your friend can help you with that as it is a tricky process. There are some tutorials to be found on the web, but even then things can go pretty wrong. When recompiling the kernel you will need to select IP forwarding/masquerading(NAT) to be compiled in. Read through the subchoices to determine what specific functionality applies to you. Note: The options you need to select in the kernel configuration depends highly on your system and preferences. Make sure you compile everything your system needs into the kernel (hardware support, filesystem support etc) or your system will not boot! The first time you do this it will take a lot of time to read through all the options' help files so be prepared for that.(1-2 hours?) If you've got that covered (by recompiling/installing or if Red Hat has it pre-installed) You will need to create the script I posted above. Read through it carefully! (remember: lines starting with a hash (#) are comments) Make sure the PRIVATE_IF and PUBLIC_IF are defined correctly. If you use adsl/cable your PUBLIC_IF is likely ppp0 (check with ifconfig) Also change PRIVATE_NET to the address space you use for your LAN. ( I use 10.0.0.1 for my gateway, and 10.0.0.X for my LAN) Replace 10.0.0.0 with your general address space. the /16 allows for all IP's between 10.0.0.0 and 10.0.255.255 to be recognized as private IP's so you can probably leave the /16 (or better: /8) for your setup. You might want to remove the line: "#Some bastard".... and the line following. I just left it there as an example. I've yet to use multiple-port forwarding from Outside-To-LAN so I will need to look that up, but you will need something like this: Code:
/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port [0..79] -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3 /sbin/iptables -t nat -A PREROUTING -p tcp --destination-port [81..442] -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3 /sbin/iptables -t nat -A PREROUTING -p tcp --destination-port [444..65535] -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3 (You will notice that these three rules forward all ports to your windows machine except ports 80 (http) and 443 (https). This allows traffic to those ports te be handled by processes on the gateway. The rules need to be edited to allow the dchub to run on the gateway, but I don't know which ports that uses.) Note: Why do you want all traffic to be forwarded to your back-end? Why not let Red Hat block any odd windows vulnerabilities by blocking traffic? All traffic initiated from within your LAN is allowed to go outside, so you can browse/download anyway. Personally I would only forward outside-to-inside the necessary ports for gaming/file-sharing/IM's and such. That is why I put those "Dungeon Siege" lines in there, so outside gamers could connect to my server behind the firewall. If, however you don't want to be bothered by looking up all the necessary ports and defining rules for them, then something like the above rules should do the trick - save the script to disk (preferably to /etc/rc.d/init.d/my_fw_script) - execute as root: Code:
chmod +x /path/to/filename/name_of_script /path/to/filename/name_of_script (replace /path/to/filename/name_of_script with the path and name you saved the script as) Now you should have ip forwarding so you can access the internet from your back-end machine. If it works so far you can make it run at boot (as the last boot-step): execute as root: Code:
ln -s /path/to/filename/name_of_script /etc/rc.d/rc5.d/K99my_fw_script Note: IIRC the default runlevel for RedHat is 5. If not, change "rc5.d" to "rcX.d" replacing X with the correct runlevel. I hope I've covered everything, if not feel free to ask (or if someone wants to add, please do!)
__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. " - Murphy MacManus (Boondock Saints) |
|
|
|
02-07-2004, 02:50 PM
|
#5 (permalink) |
|
Poo-tee-weet?
Location: The Woodlands, TX
|
so yah couldnt even get the computers to talk to each other... and had to reinstall cause i couldnt remember the root password and whatnot....
then i got a dchub working... but i didnt really care for it... so iwanted to try to run the windows one under wine but couldnt get that to work... i think the comp is too old and crappy to run the gui... and im tired of fucking with it...
__________________
-=JStrider=- ~Clatto Verata Nicto |
|
|
|
02-07-2004, 03:08 PM
|
#6 (permalink) |
|
paranoid
Location: The Netherlands
|
What are the specs of that computer?
Linux can be tough to setup for non-desktop uses. Don't give up too soon however as there are many howto's and stuff to help you along. If you want to try again (especially the 'talk to eachother' part) feel free to post again!
__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. " - Murphy MacManus (Boondock Saints) |
|
|
|
02-07-2004, 03:20 PM
|
#7 (permalink) |
|
Human
Administrator
Location: Chicago
|
I got this working once 2 years ago. I entirely forget how though (although I don't *think* it was as hard as what seems to be described here.
Either way, I just wanted to point out that if you connect a Windows box to the internet through a Linux box that forwards the connection, you will likely have a lot of trouble with online gameplay and such. That's something I didn't know and didn't think of the time that I did this.
__________________
Le temps détruit tout "Musicians are the carriers and communicators of spirit in the most immediate sense." - Kurt Elling |
|
|
|
02-07-2004, 03:45 PM
|
#8 (permalink) | |
|
paranoid
Location: The Netherlands
|
Quote:
My setup allows all traffic that originates from my backend / LAN to pass right through, and all replies are automagically returned to my PC. But connections from outside are initially denied. If you run a game/ftp/web/dcc/kazaa/whatever server on your backend it will receive no traffic as the connections are attempted from outside. That is why I have the 'dungeon siege' section in my config (see my first post) which opens the ports dungeon siege servers use. So that allows me to run a dungeon siege server (which I no longer have, but that's beside the point) behind my firewall. So any server that uses static ports like most games, webservers and such are easily forwarded by expanding that section for the right ports. FTP is different in that it allocates dynamic ports. Some work has been done to allow ftp transfers through a firewall, but that does not seem to always work. I need to set my ftp-client to "passive mode" or it will fail. The same goes for MS netmeeting. In short you'll have no problems with: - Game clients (play on other servers) - Browsing / telnet You'll have small problems with: - Game servers (setting up your own behind a firewall) - web servers / dchub's - IM clients (ICQ, Trillian, MSN, etc) - most FTP clients You'll have large problems with: - Netmeeting - FTP clients that don't support "passive transfers" like old versions of Internet Explorer However, these problems are all prevented if you just forward 'everything' through the firewall like JStrider was planning to do.
__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. " - Murphy MacManus (Boondock Saints) |
|
|
|
|
02-07-2004, 04:16 PM
|
#11 (permalink) | |
|
paranoid
Location: The Netherlands
|
Quote:
__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. " - Murphy MacManus (Boondock Saints) |
|
|
|
| Tags |
| forwarding, linux, packet |
|
|
