On Tue, Mar 04, 2003 at 04:42:49PM -0800, Chuck Dutrow wrote:
>
> Anyone using port forwarding successfully with one real address at the router and
> int addresses for mail server, DNS server and RADIUS? Have a howto?
>
> Help me out I am in a bind, not sure what the simplest solution is.
>
> Chuck
Hi Chuck -

I use iptables running on an RH 7.2 system to do this. I have one 7.2 box acting as the router, and I pass specific services thru to other boxes on my LAN. All while all systems on my LAN have total access to the internet, but outside access is strongly controlled.

Here is an iptables script to do a basic version of this. Email and http service only. Simply repeat and apply the lines that forward the email and http service to your DNS and RADIUS services. It's very simple.

You might want to start with a default rule of "drop" for all the chains.

It's very simple, which makes it a good starting example. There are some very sophisticated and complex iptables scripts (some generated by firewalling tools) which are superb setups for iptables. This one may be a good learning tool.

Reading through it now I see that a lot of the understanding of how this all works requires some background reading on the iptables utility.

#########################################################################
modprobe ipt_MASQUERADE
iptables -F; iptables -t nat -F; iptables -t mangle -F;
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i eth0 -p TCP --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.6:80
iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth0 -j DNAT --to 192.168.0.8:25
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A INPUT -p UDP --sport 67 --dport 68 -j DROP
iptables -A INPUT -j LOG --log-prefix "New not syn:"
iptables -P INPUT DROP #only if the first two are successful
iptables -A FORWARD -i eth0 -o eth0 -j LOG --log-prefix "external try to route:"
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
#################################################################

Same script with some comments:

#########################################################################
# this script is for a vanilla RH 7.2

# Add the necessary kernel module(s) for iptables.
# modprobe will add the module if it isn't present.
modprobe ipt_MASQUERADE

# Flush out the current iptables filter table rules.
iptables -F; iptables -t nat -F; iptables -t mangle -F;

# In the NAT table. Append to the POSTROUTING chain, a rule that on output to interface eth0
# performs an action to ? map the source ip address of the outgoing
# packet to be the ip address of the interface it is going out on, eg -
# make it look like it originated on eth0. This allows multiple
# machines behind one IP address to all use the same IP address.
# Turn on NAT'ing
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Why is echoing a "1" to this file the only way to turn
# on ip forwarding ? Shouldn't there be a program you can
# invoke to turn it on ? No real objection I guess, but where is
# the man page for "echo 1 > /proc/sys/net/ipv4/ip_forward"
# turn on ip forwarding. (yes, this is an obscure control.)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Ok the basic setup is done - now the real work of the script:
# 1. accept email (port 25) and http (port 80) traffic.
# 2. route that traffic to their respective boxes http->fred
#    and email->tom.

# IN the filter table (the default) Append a rule to the INPUT chain that says
# accept incoming packets from interface eth0 which are coming into connect to port
# 25 for SMTP access.
iptables -A INPUT -i eth0 -p TCP --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --dport 80 -j ACCEPT

## Change destination addresses of web traffic to box "fred".
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.6:80

## Change destination addresses of email traffic to box "tom".
## (SMTP listens on port 25 on "tom", so the destination port must be 25 as well.)
iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth0 -j DNAT --to 192.168.0.8:25

# Well that was the real work - now tidy up the housework:
# 1. allow packets which are part of an existing connection to pass
# 2. allow all new connections but not from interface eth0.
# This means that LAN-originated connections are allowed, but anything
# coming in off the Internet (eth0 is the internet connection), is
# not allowed to create a new connection. This would put a stop to
# attempts to login or otherwise connect to any service from outside
# your LAN. If you want outsiders to be able to connect in and
# authenticate through your RADIUS service, you must reformulate this
# to explicitly allow that new connection or drop this part of the
# rules.

# IN the filter table (the default) Append a rule to the INPUT chain that says
# accept incoming packets which are part of an already established connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# IN the filter table (the default) Append a rule to the INPUT chain that says
# accept incoming packets that are starting new connections from any interface EXCEPT eth0.
# (older iptables releases wrote this negation as "-i ! eth0"; current ones want "! -i eth0")
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT

# Drop all UDP traffic on these ports (BOOT service requests coming in off the
# cable segment)
iptables -A INPUT -p UDP --sport 67 --dport 68 -j DROP

# Log all attempts to connect from the outside
iptables -A INPUT -j LOG --log-prefix "New not syn:"

iptables -P INPUT DROP #only if the first two are successful

iptables -A FORWARD -i eth0 -o eth0 -j LOG --log-prefix "external try to route:"
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
#################################################################

--
Jeff Kinz, Open-PC, Emergent Research, Hudson, MA. [EMAIL PROTECTED]
copyright 2003. Use is restricted. Any use is an acceptance of the offer at
http://www.kinz.org/policy.html.

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
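An added example, not Jeff's script, that extends his two forwards to the full set Chuck asked about (mail, web, DNS and RADIUS) and closes the FORWARD chain by default. One point worth knowing when reading Jeff's version: once PREROUTING has rewritten the destination, a forwarded packet is routed to the LAN host and traverses the FORWARD chain, never INPUT, so the two `INPUT --dport 25/80 ACCEPT` rules do not govern the forwarded traffic at all; the script works because FORWARD keeps its default ACCEPT policy. The script below sets FORWARD to DROP and accepts each published service explicitly, matched on the rewritten destination. It only prints the iptables commands so the ruleset can be reviewed before applying; the interface names, LAN prefix and the DNS/RADIUS host addresses are assumptions for illustration, while 192.168.0.6 and 192.168.0.8 are the web and mail hosts from the post.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate NAT + filter
# rules for a single-public-address router that forwards a few services
# to LAN hosts, with FORWARD defaulting to DROP.
# Assumptions: eth0 faces the Internet, eth1 the LAN, LAN is 192.168.0.0/24,
# and the DNS/RADIUS hosts are placeholder addresses.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# One forward per line: proto:public_port:lan_host:lan_port
# DNS needs 53 on both UDP and TCP; RADIUS uses UDP 1812 (auth) and
# 1813 (accounting).  Hosts .10 and .11 are made up for the example.
FORWARDS="
tcp:25:192.168.0.8:25
tcp:80:192.168.0.6:80
udp:53:192.168.0.10:53
tcp:53:192.168.0.10:53
udp:1812:192.168.0.11:1812
udp:1813:192.168.0.11:1813
"

# Emit one iptables command per line; nothing is executed here.
gen_rules() {
    echo "iptables -F; iptables -t nat -F; iptables -t mangle -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Hide the LAN behind the router's public address.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    # Traffic to the router itself: loopback, replies, LAN-originated.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -j LOG --log-prefix \"input dropped: \""
    # Traffic through the router: replies, LAN-to-Internet, and then one
    # DNAT + FORWARD ACCEPT pair per published service.  The ACCEPT lives
    # in FORWARD because a DNAT'd packet never reaches INPUT.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    for spec in $FORWARDS; do
        proto=${spec%%:*};  rest=${spec#*:}
        pport=${rest%%:*};  rest=${rest#*:}
        host=${rest%%:*};   lport=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $pport -j DNAT --to-destination $host:$lport"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $host --dport $lport -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -j LOG --log-prefix \"forward dropped: \""
}

# Sanity check before applying: the number of DNAT rules must equal the
# number of entries in FORWARDS.
count_forwards() {
    gen_rules | grep -c -- '-j DNAT'
}

# Apply the generated commands, stopping at the first failure.  Needs root.
apply_rules() {
    modprobe ipt_MASQUERADE 2>/dev/null || true
    echo 1 > /proc/sys/net/ipv4/ip_forward   # or: sysctl -w net.ipv4.ip_forward=1
    gen_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Run it with no arguments to review the rules, and with `apply` (as root) to load them. Because FORWARD defaults to DROP, adding a service means adding one line to FORWARDS; nothing else on the LAN becomes reachable from outside, and every refused attempt lands in the log with the "forward dropped:" prefix.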