Subject: Re: Port forwarding techniques
From: Josh Thompson (joshXCORPS.NET)
Date: Wed Oct 25 2000 - 07:24:59 CDT


Seems you are already most of the way there.

If you have installed the ipmasqadm tools, then you have all that you need.

Try 'ipmasqadm portfw'.

If you wanted to allow an http request from the firewall (x.x.x.x external /
1.1.1.1 internal) to an internal apache web server (1.1.1.2) then you would
type 'ipmasqadm portfw -a -P tcp -L 1.1.1.1 80 -R 1.1.1.2 80' on the
firewall.

Hope this helps.

=====================
Josh Thompson
X-Corps Security
http://www.xcorps.net

-----Original Message-----
From: Focus on Linux Mailing List
[mailto:FOCUS-LINUXSECURITYFOCUS.COM] On Behalf Of Don Felgar
Sent: Tuesday, October 24, 2000 8:56 PM
To: FOCUS-LINUXSECURITYFOCUS.COM
Subject: Port forwarding techniques

Does anyone have a recommendation or any comments about how to forward ports
from a firewall to an internal machine?

If anyone's interested, here's what I've come up with so far. First I tried
ip_masq_mfw with ipmasqadm. For those unfamiliar with this, ip_masq_mfw is
a module that allows you to select and mark IP connections with an ipchains
rule, and then with a separate rule you can reroute these connections to
another host and/or port. I say connections because typically (as I
understand it) you mark just the SYN connection packet, and the rest of the
connection follows naturally, though I'm not sure how. This seems to work
fine, and can provide rudimentary load balancing. You can set two or
more handlers for connections with different priorities (e.g. 50% to one
server, 50% to another).

The other choice I know of is rinetd, which is simpler and I think lower
bandwidth.

Any advice appreciated.
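Added example, not code from either message in this thread: a small POSIX sh helper that validates addresses and ports and prints the ipchains/ipmasqadm commands for both approaches discussed above, the ipmasqadm portfw rule from the reply and the ipchains mark plus ip_masq_mfw load balancing from the original question. The 192.0.2.x and 10.0.0.x addresses are constructed sample values; the ACCEPT rules assume an input chain whose default policy denies; the ip_masq_portfw module name and the mfw flag forms (-I -m MARK -r ADDR PORT -p PREF) are from memory of the 2.2-era tools, not from the thread, and should be confirmed with 'ipmasqadm mfw -h' on the firewall itself.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds (and, with DRY_RUN=0 as
# root on a 2.2-series kernel, runs) the commands for the two approaches
# discussed: ipmasqadm portfw, and ipchains marking + ip_masq_mfw.
# The 192.0.2.x / 10.0.0.x addresses used below are constructed samples.

DRY_RUN="${DRY_RUN:-1}"

# Print each command so it can be reviewed; execute it only when DRY_RUN=0.
run() {
    echo "$*"
    [ "$DRY_RUN" = "0" ] && "$@"
    return 0
}

# Dotted-quad check: four decimal fields, each 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Port check: integer in 1..65535.
is_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Forward PROTO connections arriving at LIP:LPORT on the firewall to
# RIP:RPORT (the thread's example is tcp 1.1.1.1 80 -> 1.1.1.2 80).
portfw_add() {
    proto=$1 lip=$2 lport=$3 rip=$4 rport=$5
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    is_ipv4 "$lip" && is_ipv4 "$rip" || { echo "bad address" >&2; return 1; }
    is_port "$lport" && is_port "$rport" || { echo "bad port" >&2; return 1; }
    # Module name assumed from the 2.2 kernel tree, not stated in the thread.
    run modprobe ip_masq_portfw
    # With a default-deny input chain, open only the forwarded port: the
    # internal service becomes reachable from outside, nothing else should.
    run ipchains -A input -p "$proto" -d "$lip" "$lport" -j ACCEPT
    run ipmasqadm portfw -a -P "$proto" -L "$lip" "$lport" -R "$rip" "$rport"
}

# Mark only the SYN of new TCP connections to LIP:PORT (ipchains -y), then
# let ip_masq_mfw spread marked connections over two back ends by preference
# weight. The later packets of a connection are not marked; the kernel's
# masquerading table entry created for the SYN carries them to the same
# back end. mfw flag forms below are assumed from the manual; verify locally.
mfw_balance() {
    lip=$1 port=$2 mark=$3 rip1=$4 pref1=$5 rip2=$6 pref2=$7
    is_ipv4 "$lip" && is_ipv4 "$rip1" && is_ipv4 "$rip2" || { echo "bad address" >&2; return 1; }
    is_port "$port" || { echo "bad port" >&2; return 1; }
    run modprobe ip_masq_mfw
    run ipchains -A input -p tcp -y -d "$lip" "$port" -m "$mark" -j ACCEPT
    # Non-SYN packets of the same connections still need to be accepted.
    run ipchains -A input -p tcp -d "$lip" "$port" -j ACCEPT
    run ipmasqadm mfw -I -m "$mark" -r "$rip1" "$port" -p "$pref1"
    run ipmasqadm mfw -I -m "$mark" -r "$rip2" "$port" -p "$pref2"
}

# Dry-run demo with constructed addresses (prints the rules, applies nothing).
portfw_add tcp 192.0.2.1 80 10.0.0.2 80
mfw_balance 192.0.2.1 80 1 10.0.0.2 50 10.0.0.3 50
```

With the default DRY_RUN=1 the script only prints what it would run, which doubles as a review of exactly which internal host and port the firewall is about to expose; set DRY_RUN=0 and run it as root to apply the rules.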