You can do this with RedHat 6.1, but you don't use ipchains.
First, you need to configure the kernel with "advanced routing"
support. The advanced routing code is included in the standard
source, but it isn't normally selected in the standard redhat
configurations. You'll need to install the kernel sources (if you
haven't already), turn on the "advanced routing" and "policy routing"
features and build/install a new kernel. If you haven't reconfigured
a kernel before,
http://www.redhat.com/mirrors/LDP/HOWTO/Kernel-HOWTO.html may help.

The utility that you use to configure the advanced routing is called
"ip". It's in the iproute package; the iproute package is included in
RedHat 6.1/6.2 releases (iproute-2.2.4-2.i386.rpm). iproute is not
normally installed; you'll probably have to install it.

Two ip commands are needed -- one to set up the inbound packet
forwarding/translation and one to set up the outbound translation.
The commands would look like:

    ip route add nat <external-IP-address> via <internal-IP-address>
    ip rule add prio 320 from <internal-IP-address> nat <external-IP-address>

You don't need to do anything to cause <external-IP-address> to be
advertised -- it will be put in the ARP table automatically by the ip
route command. You can still set up and use IP masquerading as normal
for other internal hosts. Note that the external-IP-address will
route only to the specific internal host and it must be different than
the "default" external address of the firewall (like you had in your
example addresses in your original message).

See /usr/doc/iproute-2.2.4 (after you've installed the iproute
package) for what documentation exists. ip-cref.ps in that directory
contains information about the "nat" options to "ip route" and "ip
rule".

> Date: Wed, 5 Jul 2000 15:10:52 -0500
> From: "Rodney Dunham" <[EMAIL PROTECTED]>
> Subject: RH linux 6.1, IPCHAINS woes
>
> I'm trying (unsuccessfully, I might add) to do a particular thing with
> IPCHAINS that I've seen done with commercial software, and I've run out of
> ideas. I need someone really good at IPCHAINS to get me headed in the right
> direction.
>
> I want my firewall to take packets for another IP besides its own, pass them
> through, translating them in the process so it appears a particular machine
> on the inside is actually on the outside. The internal machine won't know
> it is also addressable by the public address, and people outside won't know
> its real address is in a private network. The firewall needs to do all the
> work. All ports need to be so translated for this other IP. The firewall
> does standard NAT through its usual IP. Outside machines need to be able to
> initiate connections with this special internal machine, not just respond
> when it initiates them.
>
> Never mind the security aspect, at least at this stage, it's the translation
> and forwarding that I can't get to work. I can lock it down to specific
> services once the barebones connection works right.
>
> The commercial FW-1 at work does this, but that's a different OS with a
> different firewall setup and a commercial GUI. I can't duplicate what it's
> doing since it's such a different setup, or rather I'm not sure I understand
> what it's really doing.
(edited somewhat:)
> Firewall external interface address public.ip.address.114
> Internal host whose address is to be translated: 192.168.1.x
>
> Inside:          Firewall:                    Outside:
> 192.168.1.x      < converts transparently >   public.ip.address.113
> other hosts      < standard NAT >             public.ip.address.114
--
Wes Chalfant Peabody Systems [EMAIL PROTECTED]
(714) 639-8643 FAX (714)
639-2817
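The two "ip" commands from the reply above, as an added worked example that is not part of Wes's message: a small sh script that validates its arguments, refuses a public address equal to the firewall's own (the caveat in the reply), and by default only prints the commands (APPLY=1 runs them, which needs root on a kernel built as described). The addresses and the function names valid_ipv4, run, onetoone_nat and show_nat_state are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original message): the two iproute commands from
# the reply, wrapped in a script that checks its inputs. Addresses are samples.

# Succeed only if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case $1 in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _n=0
    _old_ifs=$IFS
    IFS=.
    for _o in $1; do
        _n=$((_n + 1))
        [ "$_o" -le 255 ] || { IFS=$_old_ifs; return 1; }
    done
    IFS=$_old_ifs
    [ "$_n" -eq 4 ]
}

# Echo a command, or execute it when APPLY=1 (root, advanced/policy routing
# kernel and the iproute package, as the reply describes).
run() {
    if [ "${APPLY:-0}" = 1 ]; then eval "$1"; else echo "$1"; fi
}

# Map public address $1 one-to-one onto internal host $2. $3 is the
# firewall's own external address; the reply notes $1 must differ from it.
onetoone_nat() {
    ext=$1 int=$2 fw=$3
    valid_ipv4 "$ext" && valid_ipv4 "$int" && valid_ipv4 "$fw" ||
        { echo "onetoone_nat: bad IPv4 address argument" >&2; return 1; }
    [ "$ext" != "$fw" ] ||
        { echo "onetoone_nat: $ext is the firewall's own address" >&2; return 1; }
    # Inbound: packets addressed to $ext are rewritten to $int and forwarded.
    run "ip route add nat $ext via $int"
    # Outbound: traffic from $int leaves with source $ext. prio 320 puts the
    # rule ahead of the default main-table rule (prio 32766).
    run "ip rule add prio 320 from $int nat $ext"
}

# After APPLY=1, show the nat route and the nat rule the kernel now holds.
show_nat_state() {
    ip route show table all | grep -w nat
    ip rule show | grep -w nat
}

# Dry run with sample addresses: .113 maps to one inside host, .114 stays the firewall's own.
onetoone_nat 203.0.113.113 192.168.1.10 203.0.113.114
```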