LinuxQuestions.org
Old 08-21-2002, 04:51 PM   #1
drtbmd
LQ Newbie
IP Forwarding inside my firewall


We have a large network with several vlans and thousands of workstations. One of our vlans has just our firewall and content filters. We need to redirect all of our outgoing http traffic to the content filters. Our cisco will redirect port 80 traffic to any box I choose. Our software vendor just phased out the Linux version of the software and we need to go to Windows. With linux we just redirected the port 80 traffic to port 8002 and the software filtered it. Now I want to put a Linux box in between to port forward the traffic from port 80 to port 8002 on the windows box.
This is what I've done so far:
RedHat 7.3 with 2 nics, ip_forward=1. One nic is in our inside vlan, the other is in the firewall/content filter vlan (still inside the firewall). I used the following commands:

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 172.30.5.88 --dport 80 -j DNAT --to 172.20.4.20:8002

iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 172.20.4.20 --dport 8002 -j ACCEPT

eth1 is my inside nic 172.30.5.88 (in our main subnet)
eth0 is in the firewall/filtering vlan 172.20.4.10

What am I doing wrong? Can I even do this? Is there an easier way?

Thanks,

Tom
 
Old 08-22-2002, 07:54 AM   #2
Griffon26
Member
The problem is that if a computer tries to contact a host with IP a.b.c.d on port 80, the reply will come back from 172.20.4.20.
It's not expecting replies from this host, so it won't work.

Don't know how to fix it though =]
 
Old 08-22-2002, 08:21 AM   #3
drtbmd
LQ Newbie
Hi,
Thanks for replying so quickly. If this can't work, can you please explain the difference between running redirect in ipchains on the same box (which is what we were doing and it worked) and using port forwarding to a different box with iptables? Anyone else have any ideas on how to get 6000 pc's proxied to a content filter without visiting each machine?

Thanks,

Tom
 
Old 08-22-2002, 10:41 AM   #4
Griffon26
Member
The thing is that normally it works like this:

user -> forwarder -> server

- user contacts forwarder for a service that is actually running on server
- DNAT replaces the destination 'forwarder' with the real destination IP 'server' and sends the packet on
- the reply is sent with source 'server' and destination 'user'
- the forwarder replaces source 'server' with its own IP and sends it on
- user thinks it's talking to forwarder and is expecting source address 'forwarder' in the reply packet, so it all works out

The only way I can see it work in your case is if:
- the cisco rewrites port 80 traffic for any destination to have destination 'forwarder'
- the cisco rewrites the source address of reply packets to match the original destination (if this isn't the case, you can stop reading)
- the forwarder has these lines:
Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 172.30.5.88 --dport 80 -j DNAT --to 172.20.4.20:8002
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 172.20.4.20 --dport 8002 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.30.5.88

 
Old 08-22-2002, 12:08 PM   #5
drtbmd
LQ Newbie
I tried the code and packets are getting forwarded. But, they are not getting filtered by the right box. Near as I can tell, the packets get forwarded from the .88 box eth1 right back out to eth0 and back to the cisco where they find another rule in the access-list to match and go their normal way (I added an access-list for 1 machine to try this whole thing out). I know the content filter works because I can proxy my browser to it.

Thanks again,

Tom
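Added example (not code from the thread): a small Python model of DNAT, SNAT and connection tracking on the forwarder, using the thread's addresses plus a constructed client (172.30.7.15) and a constructed external web server (203.0.113.10). It shows that a PREROUTING rule matching -d 172.30.5.88 never fires for HTTP the Cisco only routes through the box, since the destination is still the real web server, and that once the rule matches any port-80 destination and SNAT on eth0 forces the filter to answer through the forwarder, conntrack rewrites the reply back to the source address the client expects.

```python
FORWARDER_IN, FORWARDER_OUT = "172.30.5.88", "172.20.4.10"  # eth1 / eth0 of the Linux box
CONTENT_FILTER = ("172.20.4.20", 8002)                      # the Windows filter box
CLIENT = ("172.30.7.15", 40000)                             # constructed client address
WEBSERVER = ("203.0.113.10", 80)                            # constructed external web server


class Forwarder:
    """Toy model of PREROUTING DNAT, POSTROUTING SNAT and conntrack on the forwarder."""

    def __init__(self, dnat_match_dst=None, snat_on_eth0=False):
        self.dnat_match_dst = dnat_match_dst  # destination the DNAT rule requires, None = any
        self.snat_on_eth0 = snat_on_eth0      # rewrite source to eth0's IP towards the filter
        self.conntrack = {}                   # post-NAT 4-tuple -> original 4-tuple

    def from_client(self, src, sport, dst, dport):
        """Packet arriving on eth1; returns the 4-tuple that leaves eth0."""
        orig = (src, sport, dst, dport)
        if dport == 80 and self.dnat_match_dst in (None, dst):
            dst, dport = CONTENT_FILTER                # -j DNAT --to 172.20.4.20:8002
        # otherwise the packet is merely routed on, which is the symptom in post #5
        if self.snat_on_eth0:
            src = FORWARDER_OUT                        # -j SNAT --to-source 172.20.4.10
        self.conntrack[(src, sport, dst, dport)] = orig
        return src, sport, dst, dport

    def from_server(self, src, sport, dst, dport):
        """Reply arriving on eth0; conntrack undoes the NAT before it goes out eth1."""
        entry = self.conntrack.get((dst, dport, src, sport))
        if entry is None:
            return None   # reply did not come back through the forwarder: nothing to undo
        osrc, osport, odst, odport = entry
        return odst, odport, osrc, osport  # source is the web server the client asked for


def ops_rule_flow():
    """Post #1 rule: DNAT only when -d 172.30.5.88; routed HTTP keeps its real destination."""
    return Forwarder(dnat_match_dst=FORWARDER_IN).from_client(*CLIENT, *WEBSERVER)


def transparent_flow():
    """DNAT any port-80 destination plus SNAT on eth0 so the filter answers via the forwarder."""
    fw = Forwarder(dnat_match_dst=None, snat_on_eth0=True)
    out = fw.from_client(*CLIENT, *WEBSERVER)
    reply = fw.from_server(out[2], out[3], out[0], out[1])   # filter replies to eth0's IP
    return out, reply
```

Without the SNAT the filter would reply straight to the client via the Cisco, and the client would see a packet from 172.20.4.20:8002 that belongs to no connection it opened, which is the mismatch post #2 describes.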
 
Old 08-22-2002, 01:57 PM   #6
Griffon26
Member
I thought your setup was like this:

Code:
network with clients
    |
    |
    |
  cisco
    |
    |
    |
eth1(172.30.5.88)

 forwarder

eth0(172.20.4.???)
    |
    |
    |
eth?(172.20.4.200)

  server
Am I mistaken?

It would be best if you have sniffers on both the forwarder and the server so you can see what is arriving where.

A good sniffer for linux is Ethereal, but you can use tcpdump if you do not want to install any new software. For windows I usually use Iris, but it's commercial. I don't know of any free sniffers for Windows.

 
Old 08-22-2002, 02:53 PM   #7
drtbmd
LQ Newbie
You've got it pretty much correct. The subnet with eth0 and 172.20.4.20 and the firewall also attaches to the cisco as a separate vlan, fully routed. Our ATM to the internet also lives in the same cisco box (6509 with layer 3, ATM, 16 Gig-e ports (all vlans and all in production)). I really do appreciate all of your help. I'm not really getting what's going on here, but I'll see if I can get our guy with the sniffer to help me figure it out.

Thanks again,

Tom
 