
List:       linux-ipchains
Subject:    [Ipchains] RE: Port forwarding  from internal - to internal
From:       "Matt Hrynkow" <theguru1 () home ! com>
Date:       1999-06-30 12:41:20


So here is what I have done.  I have two NICs now on different rings,
167.169.1.x/24 and 167.16.143.x/24.

Can I do it with these?  They both have a physical path to each other other
than through the chains machine.

So here is a pic:

	mach 1 --------------- mach 2 --------------- mach 3
(167.16.1.219)	(167.16.1.30 - 167.16.143.12)	(167.16.88.11)

But the catch is that mach1 can get to mach3 without the chains machine.
There are simply some routers in between.

Why is it, if the packets are rewritten such that they look like they are
coming from the chains machine, that replies then go back to the client
instead, as Rolf said?

Where can I get REDIR?

---------------------------------------------------------------------

Subject: Re: Port forwarding from internal - to internal



>I need to know if its possible to forward ports to an _internal_ host
>from _internal_ clients.
>
>RH 5.2 - Kernel 2.2.9 - IPCHAINS 1.3.9 - IPMASQADM 0.4.2 - TR0 and TR1
>(or TR0 and TR0:1)
>
>I'm simply trying, with two token ring cards, to forward a port from
>one machine to another on the same ring.
>
>I'm having trouble MASQing packets across the same subnet (167.16.1.x/24).
>When I put the IPCHAINS line in I have no idea what interface it's going
>to.  If I put in the following in chains:
>
>	[root@linux01 /root]# ipchains -L
>	Chain input (policy ACCEPT):
>	Chain forward (policy DENY):
>	target     prot opt     source                destination           ports
>	MASQ       tcp  ------  167.16.1.0/24        anywhere              any ->   any
>	MASQ       tcp  ------  anywhere             167.16.1.0/24         any ->   any
>
>I want telnet sessions pointed at machine 2 to be forwarded to machine 3.
>
>Does ANYONE have any ideas?  I have also explored using virtual interfaces
>(aliases) with no success.
>
>Thanks for any help anyone can give.

It doesn't work with masquerading because the server on the internal network
sees the other internal IP, replies to it, but the client is expecting a reply
from the Linux gateway. The solution, as you tried, is double masquerading, but
that doesn't work as you tried it in ipchains because, when you send the SYN
packet to establish the connection, it is mangled already in the _input_
section of the IP code, not the forward section (in general, masquerading for
output from imaginary IPs to real ones is in the forward code while demasq is
in input). This mangling causes it to bypass the forward section entirely.

I've posted a kernel patch today to linux-kernel and masq lists which allows
a single masq entry to code for bidirectional masquerading, and that works
very well on our internal network here at Helix. As an added benefit, you
don't even need to add MASQ lines to ipchains if you don't have them already.

The other option is to use a userspace program such as redir. That works
too, although it may be slower?


_______________________________________________
Masq maillist  -  Masq@tiffany.indyramp.com
Admin requests can be handled at http://www.indyramp.com/masq-list/
or email to masq-request@indyramp.com

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/



----------------------------------------------
To unsubscribe to this list, write an email to
ipchains-request@rustcorp.com with a body of
'unsubscribe'.

www.rustcorp.com - web site
ftp.rustcorp.com - ftp site

Mail Archives:
http://www.starshadow.com/pipermail/ipchains
http://www.progressive-comp.com/Lists/?l=linux-ipchains&r=1&w=2#linux-ipchains
----------------------------------------------
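The failure described in the reply above (the server on the same ring answers the client directly, so the client's TCP stack sees a reply from the wrong address) and the fix of rewriting the source as well, modelled as an added example. This is not code from the thread or from ipchains; it uses the addresses from Matt's diagram (mach2 is taken to be 167.16.1.30), a constructed client port, a simplified "one ring, every host reaches every other host directly" delivery rule, and a toy forwarder with a hand-written translation table standing in for the kernel's masquerade code.

```python
"""Why destination-only port forwarding fails when client and server share a
ring, and why rewriting the source too (double masquerading) fixes it.

Added illustration, not code from the ipchains thread. Addresses come from the
thread's diagram; ports, the Forwarder class and the delivery rule are
constructed for this example."""
from dataclasses import dataclass, replace
from typing import Optional

CLIENT, GATEWAY, SERVER = "167.16.1.219", "167.16.1.30", "167.16.88.11"
TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # "SYN" (client -> server) or "SYN-ACK" (server's reply)


class Forwarder:
    """Toy port forwarder on the chains machine (mach2).

    snat=False: rewrite only the destination, as a plain port-forward does.
    snat=True:  also rewrite the source to the gateway's own address, so the
                server's reply is addressed to the gateway and can be
                translated back before it reaches the client.
    """

    def __init__(self, snat: bool):
        self.snat = snat
        self.next_port = 61000  # constructed masquerade port range
        # (translated src, sport) -> (orig src, sport, dst, dport)
        self.table = {}

    def forward(self, p: Packet) -> Packet:
        src, sport = p.src, p.sport
        if self.snat:
            src, sport = GATEWAY, self.next_port
            self.next_port += 1
        self.table[(src, sport)] = (p.src, p.sport, p.dst, p.dport)
        return replace(p, src=src, sport=sport, dst=SERVER, dport=TELNET)

    def untranslate(self, reply: Packet) -> Optional[Packet]:
        """Reverse the mapping for a reply that actually came back to us."""
        orig = self.table.get((reply.dst, reply.dport))
        if orig is None:
            return None  # no state for this flow: the reply never transited us
        o_src, o_sport, o_dst, o_dport = orig
        return replace(reply, src=o_dst, sport=o_dport, dst=o_src, dport=o_sport)


def route(p: Packet, fw: Forwarder) -> Optional[Packet]:
    """Delivery on one ring: every host reaches every other host directly,
    so only packets addressed to the gateway itself pass through the
    forwarder. Returns the packet as received by its final destination."""
    if p.dst == GATEWAY:
        return fw.forward(p) if p.flag == "SYN" else fw.untranslate(p)
    return p  # straight to p.dst, bypassing the chains machine entirely


def server_reply(p: Packet) -> Packet:
    """The telnet server answers whatever source address the SYN carried."""
    return Packet(src=p.dst, sport=p.dport, dst=p.src, dport=p.sport, flag="SYN-ACK")


def client_accepts(opened: Packet, reply: Packet) -> bool:
    """The client's TCP stack only matches a reply to the 4-tuple it opened:
    it expects the SYN-ACK from the gateway's address and port, not mach3's."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        opened.dst, opened.dport, opened.src, opened.sport)


def simulate(snat: bool) -> dict:
    """Run one telnet handshake through the forwarder and report what happened."""
    fw = Forwarder(snat)
    syn = Packet(CLIENT, 40000, GATEWAY, TELNET, "SYN")  # client -> mach2:23
    at_server = route(syn, fw)
    reply = server_reply(at_server)
    at_client = route(reply, fw)
    return {
        "server_saw_source": at_server.src,
        "reply_via_gateway": reply.dst == GATEWAY,
        "client_accepts": at_client is not None and client_accepts(syn, at_client),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("snat=%s -> %s" % (mode, simulate(mode)))
```

With `snat=False` the server sees 167.16.1.219 as the source, replies to it over the ring, and the client drops the SYN-ACK because it arrived from 167.16.88.11:23 rather than 167.16.1.30:23. With `snat=True` the reply is addressed to the gateway, gets untranslated, and the handshake completes. The practitioner's caveat is the flip side of that fix: the server (and its logs and any address-based access control on it) now sees every forwarded connection as coming from the gateway, not from the real client.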
