On Tue, Mar 23, 1999 at 08:48:41PM -0600, Steve Fuller wrote:
> I am using ipportfw on my machine and am forwarding a number of ports from 
> the outside to internal NT based hosts and am not having any particular 
> problems. This is working for web, email and Winframe/Terminal Server for me. 
> Some more information on your configuration would probably help.
> 
> -----Original Message-----
> From: Mike Schmitz [mailto:[EMAIL PROTECTED] Behalf Of Mike Schmitz
> Sent: Tuesday, March 23, 1999 8:31 PM
> To: [email protected]
> Subject: ipportfw & NT
> 
> 
> 
> I have ipportfw working now with a debian box behind the firewall, and
> can get to the web pages on it from outside.  I have an NT box that has 
> multiple IP's that works fine on the outside, but I have not been able
> to get the ports to forward to it when it is behind the firewall.  Is
> there something special I need to do for NT?


#! /bin/sh
# Network bring-up as posted (presumably for the firewall host): loopback,
# the external interface eth0 with thirteen alias addresses (eth0:0 to
# eth0:12), the internal interface eth1 (192.168.100.1/24), then the
# forwarding policy, a masquerade rule and kernel IP forwarding.
# <Removed> marks values the poster redacted; the script does not run as shown.
ifconfig lo 127.0.0.1
route add -net 127.0.0.0

# Primary external address parameters (all redacted by the poster).
IPADDR=<Removed>
NETMASK=<Removed>
NETWORK=<Removed>
BROADCAST=<Removed>
GATEWAY=<Removed>
ifconfig eth0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
route add -net ${NETWORK} 
# Add the default route only when GATEWAY is non-empty.
[ "${GATEWAY}" ] && route add default gw ${GATEWAY} metric 1

# Additional addresses bound to eth0 as aliases.
# NOTE(review): presumably these are the external addresses that the posted
# ipportfw rules listen on -- the values are redacted, so confirm.
ifconfig eth0:0 <Removed> netmask <Removed>
ifconfig eth0:1 <Removed> netmask <Removed>
ifconfig eth0:2 <Removed> netmask <Removed>
ifconfig eth0:3 <Removed> netmask <Removed>
ifconfig eth0:4 <Removed> netmask <Removed>
ifconfig eth0:5 <Removed> netmask <Removed>
ifconfig eth0:6 <Removed> netmask <Removed>
ifconfig eth0:7 <Removed> netmask <Removed>
ifconfig eth0:8 <Removed> netmask <Removed>
ifconfig eth0:9 <Removed> netmask <Removed>
ifconfig eth0:10 <Removed> netmask <Removed>
ifconfig eth0:11 <Removed> netmask <Removed>
ifconfig eth0:12 <Removed> netmask <Removed>

route add -net <Removed> netmask <Removed>

# Internal network: 192.168.100.0/24 on eth1, with this host as 192.168.100.1.
ifconfig eth1 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
route add -net 192.168.100.0 dev eth1
# Forwarding defaults to deny; the only forwarding rule appended masquerades
# traffic from 192.168.100.0/24 to any destination.
# No input (-I) or output (-O) rules are set anywhere in this script, so
# nothing here restricts traffic addressed to the host itself.
ipfwadm -F -p deny
ipfwadm -F -a m -S 192.168.100.0/24 -D 0.0.0.0/0
# Kernel IP forwarding is switched on last, after the deny policy and the
# masquerade rule are already in place.
echo 1 > /proc/sys/net/ipv4/ip_forward


#! /bin/sh
#
# This file was automatically customized by debmake on Thu, 29 Jan 1998 16:20:37 -0800
#
# Written by Miquel van Smoorenburg <[EMAIL PROTECTED]>.
# Modified for Debian GNU/Linux by Ian Murdock <[EMAIL PROTECTED]>.
# Modified for Debian by Christoph Lameter <[EMAIL PROTECTED]>

# Fixed search path for the commands this script runs.
# NOTE: the rule and clear commands further down invoke "ipportfw" by name,
# so they are resolved through this PATH rather than through $DAEMON.
PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/ipportfw
# The following value is extracted by debstd to figure out how to generate
# the postinst script. Edit the field to change the way the script is
# registered through update-rc.d (see the manpage for update-rc.d!)
FLAGS="defaults 50"

# Exit with success and do nothing when the ipportfw binary is not installed.
test -f $DAEMON || exit 0

# Adds the port-forward rules: for each redacted external address, TCP (-t)
# ports 80 and 21 are redirected (-R) to an internal host in the range
# 192.168.100.209 to 192.168.100.221.
# <removed> marks external addresses the poster redacted; the function does
# not run as shown. Rules are appended with -A and nothing here clears the
# table first.
# NOTE(review): only TCP port 21 (the FTP control port) is forwarded per
# host; whether FTP data connections work through these rules depends on
# configuration not shown here -- verify.
# NOTE(review): return traffic presumably has to route back through this
# host for a forward to work; the internal hosts' gateway settings are not
# shown -- confirm on the NT box.
portfwrules () {
        #REPLACE WITH YOUR RULES
        # Prints nothing; presumably a placeholder so the body is never empty.
        echo -n
        ipportfw -A -t <removed>/80 -R 192.168.100.209/80
        ipportfw -A -t <removed>/21 -R 192.168.100.209/21
        ipportfw -A -t <removed>/80 -R 192.168.100.210/80
        ipportfw -A -t <removed>/21 -R 192.168.100.210/21
        ipportfw -A -t <removed>/80 -R 192.168.100.211/80
        ipportfw -A -t <removed>/21 -R 192.168.100.211/21
        ipportfw -A -t <removed>/80 -R 192.168.100.212/80
        ipportfw -A -t <removed>/21 -R 192.168.100.212/21
        ipportfw -A -t <removed>/80 -R 192.168.100.213/80
        ipportfw -A -t <removed>/21 -R 192.168.100.213/21
        ipportfw -A -t <removed>/80 -R 192.168.100.214/80
        ipportfw -A -t <removed>/21 -R 192.168.100.214/21
        ipportfw -A -t <removed>/80 -R 192.168.100.215/80
        # NOTE(review): the only rule whose target port differs from the
        # listening port: external 21 is sent to port 23 on .215, while every
        # other host maps 21 to 21. Looks like a typo for /21; if left as is,
        # the external FTP port would reach the telnet port of .215 -- confirm.
        ipportfw -A -t <removed>/21 -R 192.168.100.215/23
        ipportfw -A -t <removed>/80 -R 192.168.100.216/80
        ipportfw -A -t <removed>/21 -R 192.168.100.216/21
        ipportfw -A -t <removed>/80 -R 192.168.100.217/80
        ipportfw -A -t <removed>/21 -R 192.168.100.217/21
        ipportfw -A -t <removed>/80 -R 192.168.100.218/80
        ipportfw -A -t <removed>/21 -R 192.168.100.218/21
        ipportfw -A -t <removed>/80 -R 192.168.100.219/80
        ipportfw -A -t <removed>/21 -R 192.168.100.219/21
        ipportfw -A -t <removed>/80 -R 192.168.100.220/80
        ipportfw -A -t <removed>/21 -R 192.168.100.220/21
        ipportfw -A -t <removed>/80 -R 192.168.100.221/80
        ipportfw -A -t <removed>/21 -R 192.168.100.221/21
}

# Dispatch on the init action passed as the first argument.
#   start                 load the port-forward rules
#   stop                  clear the port-forward table (ipportfw -C)
#   restart|force-reload  clear the table, then load the rules again
# Any other argument prints the usage line and exits with status 1.
if [ "$1" = "start" ]; then
        portfwrules
elif [ "$1" = "stop" ]; then
        ipportfw -C
elif [ "$1" = "restart" ] || [ "$1" = "force-reload" ]; then
        # Clear first so the reloaded rules are not appended on top of old ones.
        ipportfw -C
        portfwrules
else
        echo "Usage: /etc/init.d/ipportfw {start|stop|restart|force-reload}"
        exit 1
fi

# Every recognised action reports success regardless of the commands' status.
exit 0


Configuration on the other side (NT) I do not know.  I don't work with
that part.  I do know, though, that it works fine without the firewall,
and my firewall works fine, with the same ruleset, with a debian machine
behind it.

-- 
  Mike Schmitz     [EMAIL PROTECTED]    http://www.bend-or.com/~mschmitz
  Don't blame me - I voted libertarian!    http://www.lp.org/
  Use Debian Linux - the free Gnu/Linux    http://www.debian.org/
                                  -----------        
         "If encryption is outlawed, only outlaws will have encryption" 
