Re: [Leaf-devel] ipchains redirect

2001-09-25 Thread Scott C. Best

Charles:

Ah...I get it now, sure. Some vendors, I think LinkSys
is one, call this "DMZ mode" where everything not explicitly
directed somewhere is sent, by default, to a "DMZ host". Not
sure if that host is masq'd or proxy-arp'd though, in those
implementations.

I wonder, though, what this would do as a last
port-forward rule:

ipmasqadm autofw -A -r tcp 1 65535 -h $DMZ_HOST

Am not sure if autofw is parsed serially until
a match is found, like ipchains does things.

-Scott


On Tue, 25 Sep 2001, Charles Steinkuehler wrote:

> > > I haven't played with this much, but one of the things on the list of stuff
> > > to "play with one of these days" is using redirect to provide for an
> > > 'internal server' machine, similar to the way the low-end firewall boxes do.
> > > I *think* this would work properly for everything from game servers to VPN
> > > access, although security in such a situation isn't the greatest (although
> > > it's not too bad if combined with port-forwarded DMZ rules).
> >
> > Not sure I follow: would you use redir instead of
> > portfw rules? Or do you see it being used on the internal
> > interface's input chain?
>
> No, the redirects go on the external interface input rules.
>
> The basic idea is to mimic the functionality of the firewall 'bricks'
> available from Linksys, D-Link, Netgear, &c that provide for a single
> internal "server" IP.  Basically, any inbound packets that are not either
> destined for local services or existing masqueraded connections, get
> forwarded (redirected) to an internal system.  I *think* this can be used
> like a partial static-NAT, essentially splitting the single available IP
> between several systems.
>
> The fundamental difference between doing this with a redirect and using
> port-forwards is the flexibility of IPChains.  I think the redirect rule
> could send anything not dealt with by previous rules to a remote system
> (even non-TCP/UDP traffic), providing a 'catch-all' port-forwarding I don't
> think it's possible to implement with portfw.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
>



___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel



Re: [Leaf-devel] ipchains redirect

2001-09-25 Thread Charles Steinkuehler

> > I haven't played with this much, but one of the things on the list of stuff
> > to "play with one of these days" is using redirect to provide for an
> > 'internal server' machine, similar to the way the low-end firewall boxes do.
> > I *think* this would work properly for everything from game servers to VPN
> > access, although security in such a situation isn't the greatest (although
> > it's not too bad if combined with port-forwarded DMZ rules).
>
> Not sure I follow: would you use redir instead of
> portfw rules? Or do you see it being used on the internal
> interface's input chain?

No, the redirects go on the external interface input rules.

The basic idea is to mimic the functionality of the firewall 'bricks'
available from Linksys, D-Link, Netgear, &c that provide for a single
internal "server" IP.  Basically, any inbound packets that are not either
destined for local services or existing masqueraded connections, get
forwarded (redirected) to an internal system.  I *think* this can be used
like a partial static-NAT, essentially splitting the single available IP
between several systems.

The fundamental difference between doing this with a redirect and using
port-forwards is the flexibility of IPChains.  I think the redirect rule
could send anything not dealt with by previous rules to a remote system
(even non-TCP/UDP traffic), providing a 'catch-all' port-forwarding I don't
think it's possible to implement with portfw.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-devel] ipchains redirect

2001-09-24 Thread Scott C. Best

David:
Yeah, a transparent web-proxy or web-cache gets handled
pretty nicely by this. If the proxy could http forward you could
even redirect the packets to an external, remote proxy.
That'd be useful for apps which used a LEAF router to
gateway a wireless-LAN into wide-area access, where you want to
restrict user access, requiring them to "login" on a remote https
server before access is granted. So when a new DHCP lease is
granted, you tie-in a hook to insert a REDIRECT rule for that
IP-address. The proxy gets it, and passes it along.

Time to read-up on LEAF proxies...

-Scott


On Mon, 24 Sep 2001, David Douthitt wrote:

> "Scott C. Best" wrote:
>
> > Heyaz. Saw this on security-basics this AM. Never
> > saw it mentioned on LRP/LEAF before; anyone ever try it?
> > Alternatively, is "IP Transparent Proxy" enabled in any
> > LEAF kernels? Seems terribly powerful to me.
>
> I've done this before, I think; it can be nice, especially for things
> such as web cache.  However, for a router with no hard disk it isn't all
> that useful.
>
> The basic idea is that ALL web traffic going out is passed through the
> proxy itself; helps if you want to add a web cache but don't want any
> client reconfiguration to be needed.  It's also good for proxies such as
> JunkBuster or filtering proxies.
>
> > -- Forwarded message --
> >
> > Date: Wed, 19 Sep 2001 20:19:19 +0200 (CEST)
> > From: Bosko Radivojevic <[EMAIL PROTECTED]>
> > To: Daniel Chojecki <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: ipchains, ipmasqadm
> >
> > On Tue, 18 Sep 2001, Daniel Chojecki wrote:
> >
> > > Is it possible to redirect all traffic coming for 0.0/0 80 to local
> > > squid proxy using ipchains and ipmasqadm.
> >
> > Using ipchains - yes. I'm not sure for ipmasqadm (I've never used it)
> >
> > I'm using those lines for that. Of course, you have to enable 'IP
> > Transparent Proxy' in your kernel.
> >
> > ipchains -A input -p TCP -d YOUR_IP/32 www -j ACCEPT (in case you have
> > your own web server)
> > ipchains -A input -p TCP -d 0/0 www -j REDIRECT 8080
>








Re: [Leaf-devel] ipchains redirect

2001-09-24 Thread Charles Steinkuehler

I haven't played with this much, but one of the things on the list of stuff
to "play with one of these days" is using redirect to provide for an
'internal server' machine, similar to the way the low-end firewall boxes do.
I *think* this would work properly for everything from game servers to VPN
access, although security in such a situation isn't the greatest (although
it's not too bad if combined with port-forwarded DMZ rules).

Charles

> Heyaz. Saw this on security-basics this AM. Never
> saw it mentioned on LRP/LEAF before; anyone ever try it?
> Alternatively, is "IP Transparent Proxy" enabled in any
> LEAF kernels? Seems terribly powerful to me.
> TIA!
>
> -Scott
>
> -- Forwarded message --
>
> Date: Wed, 19 Sep 2001 20:19:19 +0200 (CEST)
> From: Bosko Radivojevic <[EMAIL PROTECTED]>
> To: Daniel Chojecki <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: ipchains, ipmasqadm
>
> On Tue, 18 Sep 2001, Daniel Chojecki wrote:
>
> > Is it possible to redirect all traffic coming for 0.0/0 80 to local
> > squid proxy using ipchains and ipmasqadm.
>
> Using ipchains - yes. I'm not sure for ipmasqadm (I've never used it)
>
> I'm using those lines for that. Of course, you have to enable 'IP
> Transparent Proxy' in your kernel.
>
> ipchains -A input -p TCP -d YOUR_IP/32 www -j ACCEPT (in case you have
> your own web server)
> ipchains -A input -p TCP -d 0/0 www -j REDIRECT 8080
>
> > Conf:
> > 2.2.19
> > ipchains
>
> It works for me: 2.2.18 & ipchains 1.3.9, 17-Mar-1999
>
> Greetings







Re: [Leaf-devel] ipchains redirect

2001-09-24 Thread David Douthitt

"Scott C. Best" wrote:

> Heyaz. Saw this on security-basics this AM. Never
> saw it mentioned on LRP/LEAF before; anyone ever try it?
> Alternatively, is "IP Transparent Proxy" enabled in any
> LEAF kernels? Seems terribly powerful to me.

I've done this before, I think; it can be nice, especially for things
such as web cache.  However, for a router with no hard disk it isn't all
that useful.

The basic idea is that ALL web traffic going out is passed through the
proxy itself; helps if you want to add a web cache but don't want any
client reconfiguration to be needed.  It's also good for proxies such as
JunkBuster or filtering proxies.

> -- Forwarded message --
> 
> Date: Wed, 19 Sep 2001 20:19:19 +0200 (CEST)
> From: Bosko Radivojevic <[EMAIL PROTECTED]>
> To: Daniel Chojecki <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: ipchains, ipmasqadm
> 
> On Tue, 18 Sep 2001, Daniel Chojecki wrote:
> 
> > Is it possible to redirect all traffic coming for 0.0/0 80 to local
> > squid proxy using ipchains and ipmasqadm.
> 
> Using ipchains - yes. I'm not sure for ipmasqadm (I've never used it)
> 
> I'm using those lines for that. Of course, you have to enable 'IP
> Transparent Proxy' in your kernel.
> 
> ipchains -A input -p TCP -d YOUR_IP/32 www -j ACCEPT (in case you have
> your own web server)
> ipchains -A input -p TCP -d 0/0 www -j REDIRECT 8080

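Bosko's two rules from the forwarded message, as an added example script that is not part of the thread or of LEAF: it adds a match on the internal interface and a dry-run ordering check, and INT_IF, YOUR_IP and PROXY_PORT are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the LEAF project: the transparent
# proxy rules as a reviewable script. INT_IF, YOUR_IP and PROXY_PORT are
# constructed placeholders; set them for the real router before use.
INT_IF=${INT_IF:-eth1}            # assumed: LAN-facing interface of the router
YOUR_IP=${YOUR_IP:-192.0.2.10}    # constructed: address of the router's own web server
PROXY_PORT=${PROXY_PORT:-8080}    # assumed: port the local squid listens on
IPCHAINS=${IPCHAINS:-ipchains}

# Echo instead of executing when DRY_RUN=1, so the rule set can be reviewed
# before it touches a live chain.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# The two rules from the thread, with one hardening change: matching on the
# internal interface (-i) keeps hosts on the outside from using the router as
# an open proxy. ipchains stops at the first matching rule, so the ACCEPT for
# the router's own web server must come before the catch-all REDIRECT.
transparent_proxy_rules() {
  run "$IPCHAINS" -A input -i "$INT_IF" -p tcp -d "$YOUR_IP/32" www -j ACCEPT
  run "$IPCHAINS" -A input -i "$INT_IF" -p tcp -d 0/0 www -j REDIRECT "$PROXY_PORT"
}

# Sanity check on a dry-run listing: succeed only if an ACCEPT rule appears
# before the first REDIRECT rule, which is what first-match evaluation needs.
check_rule_order() {
  accept_line=$(printf '%s\n' "$1" | grep -n -- '-j ACCEPT' | head -n 1 | cut -d: -f1)
  redirect_line=$(printf '%s\n' "$1" | grep -n -- '-j REDIRECT' | head -n 1 | cut -d: -f1)
  [ -n "$accept_line" ] && [ -n "$redirect_line" ] && [ "$accept_line" -lt "$redirect_line" ]
}

# "sh script.sh review" lists the rules and checks their order without
# running ipchains; "sh script.sh apply" loads them on the router.
case "${1:-}" in
  review)
    listing=$(DRY_RUN=1; transparent_proxy_rules)
    printf '%s\n' "$listing"
    check_rule_order "$listing" && echo "rule order OK" ;;
  apply)
    transparent_proxy_rules ;;
esac
```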