Richard Minutillo wrote:
I'm running an Eigerstein-based LRP with a (slightly) custom 2.2.19 kernel. I have several port forwarding rules set up and they all work well.

Personally, I'd do this with a VPN rather than port-forwarding. You could also use SSH to do the port-forwarding if you don't need a permanent connection (if you need the link up all the time, the overhead of setting up a VPN will pay for itself vs babysitting the ssh link, or writing a script to do it for you).
I know this is probably a bad idea, but I'd like to forward port 3306 to a specific MASQ'd internal address, but only from a specific remote client IP address.
I know I can set up the port forwarding in general using a line like this in ipfilter.conf:
$IPMASQADM portfw -a -P tcp -L [ext address] 3306 -R [int server addr] 3306
But that rule forwards everyone hunting for port 3306 to my internal server. I know that is not a good thing. So I suppose that the indirect way to restrict this particular rule to a specific remote client is to put in another rule which allows port 3306 but only from the given address, maybe something like this at the top of ipfilter.conf:
$IPCH -A $LIST -j ACCEPT -p tcp -s [client addr] -d [ext addr] 3306 -l $*
I'm wondering, however, if there's a better way to do this? Any suggestions or comments would be welcome.
If you want to stick with standard, unencrypted, unauthenticated traffic, I think you're headed the right direction with stacking IPChains rules and port-forwarding. Note that someone could still spoof an allowed source IP and send bogus traffic that would get through the firewall...while bi-directional communication would be tricky (maybe impossible, but I can think of a few tactics to try, so I wouldn't rule it out), specific OSes and services have been known to crash when receiving specific malformed packets, so you'd potentially be open to a DOS attack at the least...
Personally, I'd bone up on FreeS/WAN or ssh.
--
Charles Steinkuehler
[EMAIL PROTECTED]
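As an added example (not code from either poster), here is the rule ordering the thread arrives at, written as a small script that emits the commands so they can be reviewed before being applied: the client-specific ACCEPT must come before a catch-all DENY for 3306, and both must be in place before the portfw entry. The chain name `input`, the `/sbin` paths and all addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the ipchains/ipmasqadm
# commands that forward TCP 3306 to one MASQ'd host while accepting it from
# a single remote client only. Paths, chain name and addresses are assumed.
IPCH=${IPCH:-/sbin/ipchains}
IPMASQADM=${IPMASQADM:-/sbin/ipmasqadm}
LIST=${LIST:-input}     # chain the packet filter rules are appended to

# build_rules EXT_ADDR INT_SERVER CLIENT_ADDR
# Prints the commands in the order they must be applied.
build_rules() {
    ext=$1; srv=$2; client=$3; port=3306
    # 1. Only the allowed client may reach the external address on 3306.
    #    This is only a source-IP check; nothing here authenticates the
    #    client, which is why the reply suggests FreeS/WAN or ssh instead.
    echo "$IPCH -A $LIST -j ACCEPT -p tcp -s $client -d $ext $port"
    # 2. Everyone else hunting for 3306 is denied and logged (-l) so the
    #    attempts show up in syslog.
    echo "$IPCH -A $LIST -j DENY -p tcp -s 0.0.0.0/0 -d $ext $port -l"
    # 3. The actual port forward to the internal server.
    echo "$IPMASQADM portfw -a -P tcp -L $ext $port -R $srv $port"
}

# rule_pos EXT_ADDR INT_SERVER CLIENT_ADDR PATTERN
# 1-based position of the first emitted line containing PATTERN, 0 if none.
# Lets the ordering be checked without touching the live rule set.
rule_pos() {
    build_rules "$1" "$2" "$3" | awk -v pat="$4" \
        'index($0, pat) { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# Constructed sample addresses (documentation ranges), dry run only:
#   build_rules 203.0.113.10 192.168.1.5 198.51.100.7
# Apply for real with:  build_rules ... | sh
```

The same ordering applies if the lines are pasted into ipfilter.conf by hand; the DENY must sit below the ACCEPT and above any broader rule that would otherwise let the traffic through.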
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
