LinuxQuestions.org
Old 11-29-2002, 07:52 PM   #1
Sonicsone
LQ Newbie
 
Registered: Nov 2002
Distribution: RedHat
Posts: 12

IPChains/IPMasqadm Port Forwarding


Hello,

I am having trouble with port forwarding and have been fighting it for a week. I am about ready to throw the box out the window...

I have an old 486 running as my firewall with kernel 2.2.16 (RH 6.2) with all appropriate modules (ipmasqadm, etc). I use IPChains for the firewall script. My firewall has two network cards, one external and one internal, pretty standard stuff. I have re-compiled the kernel with everything needed for masquerading/firewalling support.

I am trying to simply telnet to my firewall and have it forward to an internal linux box with RH 7.3 on it. This is just a test as I am trying to set up a game server, which needs certain ports forwarded to it.

Here is my test firewall script:

#!/bin/sh
# /etc/rc.d/rc.firewall
# Invoked from /etc/sysconfig/network-scripts/pump-done, or
# from /etc/dhcpc/dhcpcd-eth0.exe, or
# from /etc/sysconfig/network-scripts/ifdhcpc-done.

echo "Starting firewalling... "

# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1"

IPADDR="my.ip.address"
LOCALNET_1="192.168.2.0/24"

ANYWHERE="any/0"

DHCP_SERVER="any/0"
NAMESERVER_1="any/0"
NAMESERVER_2="any/0"

SMTP_SERVER="mail.example.com"
POP_SERVER="mail.example.com"
NEWS_SERVER="netnews.example.com"

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

# ----------------------------------------------------------------------------

# The IP address, $IPADDR, is defined by dhcpc

if [ -f /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE ]; then
. /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE
elif [ -f /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info ]; then
. /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info
elif [ -f /etc/dhcpc/pump.info ]; then
. /etc/dhcpc/pump.info
else
echo "rc.firewall: dhcp is not configured."
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT
exit 1
fi

DHCP_SERVER=$DHCPSIADDR

# ----------------------------------------------------------------------------

NFS_PORT="2049"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

# Remove all existing rules belonging to this filter
ipchains -F

# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

# set masquerade timeout to 10 hours for tcp connections
ipchains -M -S 36000 0 0


# ----------------------------------------------------------------------------

# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Enable Loose UDP
echo 1 > /proc/sys/net/ipv4/ip_masq_udp_dloose

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done

# These modules are necessary to masquerade their respective services.
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971
/sbin/modprobe ip_masq_irc

# ----------------------------------------------------------------------------
# LOOPBACK

# Unlimited traffic on the loopback interface.

ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.

# All internal machines have access to the firewall machine.

ipchains -A input -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT

# ----------------------------------------------------------------------------
# Masquerade internal traffic.

# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# ----------------------------------------------------------------------------

# TELNET server (23)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 23 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 23 \
--destination-port $UNPRIVPORTS -j ACCEPT


# TELNET client (23)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 23 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 23 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

ipmasqadm portfw -f
ipmasqadm portfw -a -P TCP -L $IPADDR 23 -R 192.168.2.2 23

echo "done"

exit 0

----------------------------------------------------------------------------------

It looks kind of funny because I just pasted it from notepad, but that is the gist of it. It is also simply a test script I am using to try and figure this out.

When I run the firewall script, I get the correct output from "ipmasqadm portfw -l", and everything looks great. But, when I try to telnet to my external machine, it just times out.

Can anybody tell me what the heck I am doing wrong (besides needing to switch to iptables)? I would very much appreciate any help you can offer....

Thanks,

Jim
 
Old 11-29-2002, 10:19 PM   #2
KevinJ
Member
 
Registered: Feb 2001
Location: Colorado Springs, CO
Distribution: Redhat v8.0 (soon to be Fedora? or maybe I will just go back to Slackware)
Posts: 857

well.. I am not a firewall expert... but one suggestion I might make... create a new firewall script that contains only the lines you need for IPMASQ and Port Forwarding telnet.

Once you get that working... add the port forwarding lines to your regular script. Keep It Simple, Stupid.

Here is what I do to forward port 5121:

#!/bin/sh

insmod ip_tables
echo " Enabling SNAT (MASQUERADE) on eth0 ... "
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo " Enabling IPFORWARDING ... "
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Enabling ports for NWN server ... "
iptables -t nat -A PREROUTING -p udp --dport 5121 -i eth0 -j DNAT --to 192.168.0.26

iptables -I FORWARD -i eth0 -o eth1 -p udp --dport 5121 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


This is not my full firewall script, just a test one that I used to get my NWN server online. After I got it working, I put those lines in my full script.

Good Luck,

K.
 
Old 11-30-2002, 11:58 AM   #3
Sonicsone
LQ Newbie
 
Registered: Nov 2002
Distribution: RedHat
Posts: 12

Original Poster
Quote:
Originally posted by KevinJ
well.. I am not a firewall expert... but one suggestion I might make... create a new firewall script that contains only the lines you need for IPMASQ and Port Forwarding telnet.

Once you get that working... add the port forwarding lines to your regular script. Keep It Simple, Stupid.

Thanks for the reply. I pretty much have done that with the script shown above... My regular firewall is about 10 times that length.

I think I have figured out that it is a problem with my ip_masq_portfw.o module. Even though I re-compiled my kernel, it doesn't seem to want to work. If I do an '/sbin/lsmod', it is not shown as installed. If I go to /lib/modules, the module is there, but when I try and install it 'insmod ip_masq_portfw.o', I get an error "couldn't find the kernel version the module was compiled for"....

I am about ready to re-build this box with a newer version. The problem is that I only have 1300 megs of hard-drive space on this old clunker...

Jim
 
Old 12-01-2002, 10:40 AM   #4
KevinJ
Member
 
Registered: Feb 2001
Location: Colorado Springs, CO
Distribution: Redhat v8.0 (soon to be Fedora? or maybe I will just go back to Slackware)
Posts: 857

It may be a typo ... but it should be "insmod ip_masq_portfw" without the ".o"

if the modules directory for the kernel version you are booted to has the module present, then its certainly compiled for that version. Have you checked the config file from your kernel compile to see if you included modular support for this?

Do you still have the default kernel on your system that you can boot to as a test?

-K.
 
Old 12-01-2002, 10:58 PM   #5
Sonicsone
LQ Newbie
 
Registered: Nov 2002
Distribution: RedHat
Posts: 12

Original Poster
Quote:
Originally posted by KevinJ
It may be a typo ... but it should be "insmod ip_masq_portfw" without the ".o"

if the modules directory for the kernel version you are booted to has the module present, then its certainly compiled for that version. Have you checked the config file from your kernel compile to see if you included modular support for this?

Do you still have the default kernel on your system that you can boot to as a test?

-K.
Well, I have re-compiled my kernel about six times now to no avail. I also realized that if I compile the kernel with "portfw" included in the kernel (not modular), it won't show up as a module. So, I don't think that is the problem either. I am completely stumped. My kernel is now updated to version 2.2.23 (newest for RH 6.2) and I completely re-built my firewall box from scratch.

I guess I am hoping a firewall expert will be able to tell me if my script is even right....

Thanks again,

Jim

Last edited by Sonicsone; 12-01-2002 at 11:08 PM.
 
Old 12-02-2002, 08:13 AM   #6
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Try:
insmod -f ip_masq_portfw.o (with the .o, insmod requires the actual filename, whereas modprobe gets that from depmod). This will attempt to force loading of the module without checking the kernel version, but if there are unresolved symbols, it won't work anyway.
man insmod
Check out your kernel setup, do you have CONFIG_MODVERSIONS set to "Y"? You should.
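The module questions raised in posts #3 to #6 (it is not in lsmod, was it built in rather than modular, is there a module file for the kernel that is actually running?) can be answered before reaching for insmod -f. The following pre-flight check is an added example, not code from the thread. The module directory, the /proc/modules file and the kernel config file are parameters so it can be run against test fixtures; CONFIG_IP_MASQUERADE_IPPORTFW is the 2.2-era option name as I recall it, which is an assumption you should verify against your own .config.

```shell
#!/bin/sh
# Added example (not from the thread): where is ip_masq_portfw, really?
# module_status NAME MODDIR PROC_MODULES KCONFIG CONFIG_SYMBOL
# Prints one of: loaded, builtin, available, missing
# Exit status is 0 unless the module is missing.
module_status() {
    name=$1 moddir=$2 procmod=$3 kconfig=$4 sym=$5

    # /proc/modules lists loaded modules one per line, name first, so this is
    # the same answer lsmod gives.
    if [ -r "$procmod" ] && grep -q "^$name " "$procmod"; then
        echo loaded
        return 0
    fi

    # CONFIG_FOO=y means the code was compiled into the kernel image; no module
    # will ever show up in lsmod and insmod has nothing to load.
    if [ -r "$kconfig" ] && grep -q "^$sym=y\$" "$kconfig"; then
        echo builtin
        return 0
    fi

    # A module file under the running kernel's tree: .o for 2.2/2.4, .ko or a
    # compressed .ko for 2.6 and later. Finding it here but still getting a
    # version error on insmod points at a mismatch between the module tree and
    # the kernel you booted, not at the firewall script.
    if find "$moddir" -name "$name.o" -o -name "$name.ko" -o -name "$name.ko.*" 2>/dev/null | grep -q .; then
        echo available
        return 0
    fi

    echo missing
    return 1
}

# Real-system usage: sh modcheck.sh ip_masq_portfw [CONFIG_SYMBOL]
# (CONFIG_IP_MASQUERADE_IPPORTFW is assumed to be the 2.2 option name.)
[ $# -ge 1 ] && module_status "$1" "/lib/modules/$(uname -r)" /proc/modules \
    "/boot/config-$(uname -r)" "${2:-CONFIG_IP_MASQUERADE_IPPORTFW}"
```

If the answer is "builtin", the lsmod check in post #3 was never going to show anything and the firewall rules are the right place to keep looking; if it is "available" but insmod still refuses the version, the tree under /lib/modules was built for a different kernel than the one in uname -r.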
 
Old 12-02-2002, 08:15 AM   #7
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Just a silly question, but have you checked to be sure your telnet service isn't turned off? I mean via (x)inetd.conf

Last edited by moses; 12-02-2002 at 08:17 AM.
 
Old 12-02-2002, 08:20 AM   #8
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Quote:
# TELNET server (23)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 23 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 23 \
--destination-port $UNPRIVPORTS -j ACCEPT


# TELNET client (23)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 23 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 23 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
This looks to me like you're only allowing telnets from outside your local net, is this what you intend?
 
Old 12-03-2002, 01:18 PM   #9
Sonicsone
LQ Newbie
 
Registered: Nov 2002
Distribution: RedHat
Posts: 12

Original Poster
Quote:
Originally posted by moses
This looks to me like you're only allowing telnets from outside your local net, is this what you intend?
Actually that script lets me in from the outside, and another section of the scripts allows unlimited traffic within my local network.

I actually got it working. I think I may have been okay all along......

I telnetted from work to home yesterday, and I ended up landing at the computer I forwarded to (not expecting that at all)..... I think that when I was testing from home, it wouldn't work because it was forwarding outside traffic only. So, I think I might have had it right the very first time I tried it... In my defense, I even vpn'd into work from home and tried a telnet while logged in at work, but that didn't seem to make a difference.

But, my kernel is now completely up to date, I can compile kernels like nobody's business, all the rust is shaken off, I know my firewall like the back of my hand and am now having fun with port forwarding. Now, to get my CounterStrike server up and running (it is running, just need to test and populate)....

Linux can be a very trying experience at times, but I love it when it all comes together...

Thanks for your replies,

Jim
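Two things in this thread belong together: KevinJ's iptables DNAT test script in post #2, and the lesson from post #9 that the ipmasqadm portfw forward only worked for connections arriving from outside, so testing from a LAN client timed out. The script below is an added example, mine and not from the thread, that writes the forward in iptables terms and adds the hairpin (NAT loopback) rules that make the same port work from the inside. The interface names (eth0/eth1), LAN (192.168.2.0/24), target (192.168.2.2) and port 23 are taken from the original script; the public address 203.0.113.10 is a placeholder from the TEST-NET-3 documentation range; all of them are overridable environment variables. One caveat: telnet is cleartext, so once the forward is proven, replace 23 with the game server's port rather than leaving telnet reachable from the Internet.

```shell
#!/bin/sh
# Added example (not from the thread): iptables port forward with hairpin NAT.
# Usage:  sh portfw.sh show    (print the rules that would be installed)
#         sh portfw.sh apply   (as root, install them)
EXT_IF=${EXT_IF:-eth0}            # outside interface
INT_IF=${INT_IF:-eth1}            # LAN interface
EXT_IP=${EXT_IP:-203.0.113.10}    # firewall's public address (placeholder)
LAN=${LAN:-192.168.2.0/24}
TARGET=${TARGET:-192.168.2.2}     # internal host that receives the forward
PORT=${PORT:-23}
PROTO=${PROTO:-tcp}

# Run iptables, or print the exact command when DRY_RUN=1 so the rule set can
# be reviewed (and tested) without root.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

portfw_rules() {
    # Outbound masquerade for the LAN, the job "ipchains -A forward ... -j MASQ" did.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE

    # 1. Connections arriving from outside get their destination rewritten.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p "$PROTO" --dport "$PORT" \
        -j DNAT --to-destination "$TARGET:$PORT"

    # 2. Hairpin, part one: a LAN client connecting to the public address gets
    #    the same rewrite. Without this rule the "test from home" times out.
    ipt -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -d "$EXT_IP" -p "$PROTO" --dport "$PORT" \
        -j DNAT --to-destination "$TARGET:$PORT"

    # 3. Hairpin, part two: source-NAT those DNAT'd LAN flows to the firewall's
    #    LAN address so the server answers via the firewall. Otherwise the reply
    #    arrives straight from 192.168.2.2 while the client is expecting
    #    203.0.113.10, and the client drops or resets the connection.
    ipt -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN" -d "$TARGET" -p "$PROTO" --dport "$PORT" \
        -m conntrack --ctstate DNAT -j MASQUERADE

    # 4. Filtering. FORWARD sees the rewritten destination, so one rule covers
    #    both the outside and the hairpin path; replies ride on conntrack state.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -d "$TARGET" -p "$PROTO" --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
    show)  DRY_RUN=1; portfw_rules ;;
    apply) sysctl -w net.ipv4.ip_forward=1 && portfw_rules ;;
esac
```

The POSTROUTING rule in step 3 is restricted with "--ctstate DNAT" so that only connections that were actually redirected get source-NAT'd; ordinary LAN traffic to the target host keeps its real source address in the server's logs. As with the ipchains version, the FORWARD policy is DROP and only the forwarded port plus LAN-originated traffic is let through, so adding a second game port means one more DNAT pair and one more FORWARD rule, not a wider hole.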
 