Hi all,

Ever since moving to the 2.2 kernels and switching to ipchains, I have not been able to get redirection working right, and I'm hoping someone can spot what I am doing wrong...
I have a gateway computer called sith, and two computers sitting behind it named rankor and fig. The ppp0 line is [207.158.172.XXX], and my goal is to expose the cvs server running on rankor to the world through port forwarding. (rankor == 192.168.2.2)

sith's firewall rules script looks like this:

    #!/bin/sh
    export IPCHAINS=/sbin/ipchains

    if [ -x $IPCHAINS ]; then
        # Flush current ruleset and apply our default policies
        $IPCHAINS -F input
        $IPCHAINS -F output
        $IPCHAINS -F forward

        # We start out promiscuous... probably should fix this
        $IPCHAINS -P output ACCEPT
        $IPCHAINS -P input ACCEPT
        $IPCHAINS -P forward REJECT

        # Setup masquerade - all traffic from 192.168.2.0 gets masq-forwarded.
        $IPCHAINS -A forward -p all -s 192.168.2.0/24 -j MASQ

        # Stop those evil hackers from seeing telnet passwords
        $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 telnet -j REJECT

        # I don't use NFS, you can be damned well sure I don't use this!
        $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 portmapper -j REJECT
        $IPCHAINS -A input -p udp -d 207.158.172.XXX/32 portmapper -j REJECT
        $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 nntp -j REJECT

        # Punch port 2401 to Rankor's cvs pserver...
        # $IPCHAINS -A input -b -p tcp -s 207.158.172.XXX/32 2401 -d \
        #     192.168.2.2/32 2401 -j REDIRECT
        # $IPCHAINS -A input -b -p udp -s 207.158.172.XXX/32 2401 -d \
        #     192.168.2.2/32 2401 -j REDIRECT
        $IPCHAINS -A input -p tcp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT
        $IPCHAINS -A input -p udp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT
    fi

I've tried both the commented out version and the "live" redirects, and neither seems to work. When I run a program on sith's 2401 port, it actually gets the hit (so it is falling through to the default input rule). Here are the networking portions of my kernel (2.2.12) .config file, in case I missed something there...
    CONFIG_PACKET=y
    CONFIG_NETLINK=y
    CONFIG_RTNETLINK=y
    CONFIG_NETLINK_DEV=y
    CONFIG_FIREWALL=y
    CONFIG_FILTER=y
    CONFIG_UNIX=y
    CONFIG_INET=y
    CONFIG_IP_ADVANCED_ROUTER=y
    CONFIG_RTNETLINK=y
    CONFIG_NETLINK=y
    CONFIG_IP_MULTIPLE_TABLES=y
    CONFIG_IP_ROUTE_MULTIPATH=y
    CONFIG_IP_ROUTE_VERBOSE=y
    CONFIG_IP_ROUTE_NAT=y
    CONFIG_IP_FIREWALL=y
    CONFIG_IP_FIREWALL_NETLINK=y
    CONFIG_NETLINK_DEV=y
    CONFIG_IP_ALWAYS_DEFRAG=y
    CONFIG_IP_ROUTE_FWMARK=y
    CONFIG_IP_TRANSPARENT_PROXY=y
    CONFIG_IP_MASQUERADE=y
    CONFIG_IP_MASQUERADE_ICMP=y
    CONFIG_IP_MASQUERADE_MOD=y
    CONFIG_IP_MASQUERADE_IPAUTOFW=m
    CONFIG_IP_MASQUERADE_IPPORTFW=m
    CONFIG_IP_MASQUERADE_MFW=m
    CONFIG_IP_ROUTER=y
    CONFIG_NET_IPIP=m
    CONFIG_SYN_COOKIES=y
    CONFIG_SKB_LARGE=y
    CONFIG_IPV6=m
    CONFIG_IPX=m
    CONFIG_IPX_INTERN=y
    CONFIG_SPX=m
    CONFIG_ATALK=m

Thanks in advance for any help and/or pointers on firewalling better. I searched the archive before posting, but for some reason the cgi_bin script isn't working right and I can't access the articles which look like they are related... so apologies if this is just another boring rehash. =)

Thanks,
-Jonathan

-- 
[EMAIL PROTECTED]
GPG public key available from http://www.jamdata.net/~jjlupa/gpg.asc
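The following is an added example, not the poster's script or an answer from the list. It shows how port forwarding to an internal host was done on the 2.2 masquerading code: ipchains' REDIRECT target only diverts a packet to a local port on the firewall box itself (transparent proxying), which is exactly why a listener on sith's port 2401 sees the connections; forwarding to a different host goes through ipmasqadm portfw, backed by the ip_masq_portfw module that the posted .config builds (CONFIG_IP_MASQUERADE_IPPORTFW=m). The addresses are assumptions mirroring the post: EXT_IP is a placeholder for the real ppp0 address (207.158.172.XXX), and the cvs pserver is assumed to be 192.168.2.2:2401. With DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the original poster's script. Forwards EXT_IP:PORT to
# INT_HOST:PORT using the 2.2-kernel port-forwarding code (ipmasqadm portfw)
# instead of ipchains REDIRECT, which can only target the firewall host itself.
#
# Addresses below are assumptions that mirror the post; EXT_IP is a
# placeholder for the real ppp0 address.

EXT_IP="${EXT_IP:-207.158.172.1}"   # placeholder for 207.158.172.XXX
INT_HOST="${INT_HOST:-192.168.2.2}" # rankor, the cvs pserver host
PORT="${PORT:-2401}"                # cvs pserver port
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands only, 0 = apply as root

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# portfw_cmd PROTO: the ipmasqadm command mapping EXT_IP:PORT to
# INT_HOST:PORT for one protocol, returned as text.
portfw_cmd() {
    printf 'ipmasqadm portfw -a -P %s -L %s %s -R %s %s' \
        "$1" "$EXT_IP" "$PORT" "$INT_HOST" "$PORT"
}

# input_cmd PROTO: an explicit accept for the forwarded port on the input
# chain. Redundant while the input policy is ACCEPT, but it keeps the
# forward alive once that policy is tightened to REJECT.
# The input chain sees packets as they arrive on ppp0, i.e. with EXT_IP as
# destination; a rule matching "-d 192.168.2.2" there can never fire.
input_cmd() {
    printf 'ipchains -A input -p %s -d %s/32 %s -j ACCEPT' \
        "$1" "$EXT_IP" "$PORT"
}

# apply_forwarding: load the module, clear old port forwards, install the
# tcp and udp forwards, then list the table so the result can be checked.
# Replies from INT_HOST still leave through the existing
# "forward -s 192.168.2.0/24 -j MASQ" rule of the original script.
apply_forwarding() {
    run modprobe ip_masq_portfw
    run ipmasqadm portfw -f
    for proto in tcp udp; do
        # word-splitting the generated command text is safe: no spaces in args
        run $(input_cmd "$proto")
        run $(portfw_cmd "$proto")
    done
    run ipmasqadm portfw -l
}

# Usage: sh portfw.sh            (print the commands)
#        DRY_RUN=0 sh portfw.sh  (apply them, as root, after the ipchains script)
apply_forwarding
```

Run it after the ipchains script, not before: the script flushes the chains but not the portfw table, and the explicit input accepts must be appended after the REJECT rules so they are not shadowed if the policy changes later.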