I have never figured out how to convince IP Masquerading to not masquerade
some traffic.
The thought that just occurred to me would be to add another IP address to
the firewall's inside adapter, and then tell ipchains to only jump to
masquerading for the original address.
Then you would add port forwarding from the new address to the server
outside the firewall.
So, if you numbered things like this:
bender: 200.200.200.1
fry: eth0: 200.200.200.2
eth1: 192.168.1.1
homer: 192.168.1.10
you would need to do something like this on fry:
ifconfig eth1:1 192.168.1.2 up
# MASQ is a forward-chain target, so the exemption has to sit in the forward
# chain ahead of the MASQ rule (-I inserts it at the top); ipchains has no -a option
ipchains -I forward -s 192.168.1.2 -d 200.200.200.1 -j ACCEPT
# ipmasqadm portfw takes the protocol with -P (lowercase -p is the preference)
ipmasqadm portfw -a -P tcp -L 192.168.1.2 $tcp_port -R 200.200.200.1 $tcp_port
I haven't tested this configuration and can't be responsible if your server
sprouts demons or daffodils, etc...
But it is my best guess and sounds good. I think the separate IP address is
the key to keeping MASQ off that traffic.
If you try this, please let the list know if it works, as it could be
generally useful.
Paul Bort
Systems Engineer (and guesser)
TMW Systems, Inc.
-----Original Message-----
From: Tom Hudak [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 29, 2000 8:58 PM
To: [EMAIL PROTECTED]
Subject: Firewalls and other joyous things..
I've been working on this firewall setup for hours now and may be a bit off in
my logic.
Server A (bender), is located outside the firewall, Server B (fry), is the
firewall, and Server C (homer) is the backup tape server.
tcp port range is 11080-11084
udp port range is 850-854 (all of which are open)
fry masquerades the internal network out to the internet, while blocking
external traffic yada yada yada.
I have tried "ipmasqadm portfw" combinations like forwarding the tcp and udp
port ranges directly from bender to homer as well as using fry as an
intermediate, like forwarding bender to fry and then fry to homer with configs
like this:
ipmasqadm portfw -a -P tcp -L bender $tcp_ports -R homer $tcp_ports
^-- assume $tcp_ports is another line in the rc.firewall for each port.
and
ipmasqadm portfw -a -P tcp -L bender $tcp_ports -R fry $tcp_ports
ipmasqadm portfw -a -P tcp -L fry $tcp_ports -R homer $tcp_ports
which do not work. I have also tried setting up a chain called www-home w/ the
command:
ipchains -A www-home -p tcp --dport 11080:11084 -s bender -d homer -j ACCEPT
ipchains -A www-home -p udp --dport 850:854 -s bender -d homer -j ACCEPT
which ALSO does not work. I do not know if a return port forward for bender to
homer is required over port 10080 for amandad and cannot find much more
information regarding the situation of amanda through a firewall other than
what is mentioned on the faq-o-matic. I never fail to get this error,
ERROR: bender: [host fry.sistina.com: port 63309 not secure]
with the port changing every time between 61000 and approx. 65000, which I know
is reserved for masquerading. What exactly needs to be forwarded? What ports
need to be opened other than the ports I've reserved? What is causing fry to
masquerade amanda's packets back to the tape server instead of following the
specified ports and routes? Any answers or feedback would be much appreciated,
as this seems to be my final step in setting up this backup scheme.
Thanks ahead of time,
--
Thomas J. Hudak
Jr. Systems Administrator
Sistina Software Inc.
Phone: 612.379.3951 Fax: 612.379.3952