I have had several requests for the summary of NAT on Linux so I am posting
this to the list. Many thanks to Greg Haverkamp who was able to figure this
out in the first place and let me know.
David Lang
What I found that you can do if you have a finite list of connections you
are trying to make (I am connecting many web sites that are inside to the
outside) is as follows.
Using Linux kernel version 2.0.30 with FWTK 2
real ip address of f/w 200.200.200.1
addresses the web sites should appear as 200.200.200.2 to 200.200.200.200
real ip addresses of web sites 100.100.100.2 to 100.100.100.200 for 199 web
sites.
For each web site do the following:
Set up the alias:
ifconfig eth0:2 200.200.200.2
Set up an input firewall filter (I created a file rc.fw that I run after
rc.inet1):
ipfwadm -I -a accept -r 10002 -S 0/0 -D 200.200.200.2 80
ipfwadm -I -a accept -r 11002 -S 0/0 -D 200.200.200.2 443
Start up two copies of the plug-gw (from the TIS Firewall Toolkit):
/usr/local/etc/plug-gw -daemon 10002 plug-gw
/usr/local/etc/plug-gw -daemon 11002 plug-gw
The following two rules should appear in the /usr/local/etc/netperm-table:
plug-gw:port 10002 * -plug-to 100.100.100.2 -port 80
plug-gw:port 11002 * -plug-to 100.100.100.2 -port 443
What this does:
The ifconfig sets the alias so the firewall will listen to the port.
The input filters accept an incoming packet from anywhere addressed to
200.200.200.2 on port 80 and change it to arrive at port 10002. The plug-gw
then listens at port 10002 and plugs anything it hears to 100.100.100.2
port 80 (standard http port). The other set does the same for the https ssl
connection.
To do this you need to have experimental options turned on, normal firewall
and forwarding options turned on, and the EXPERIMENTAL IP_TRANSPARENT_PROXY
must be turned on for the -r option to work in ipfwadm.
This is a very ugly way to do this but it does work.
Let me know if you have any other questions.
David Lang
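As an added example that is not part of David Lang's post, the following POSIX shell script generates the per-site commands and netperm-table lines described above for one site or for the whole .2 to .200 range, so the 199-site setup can be reviewed as a file before anything is run. It assumes, as the .2 example suggests but the post does not state, that the alias number, the ipfwadm rule numbers and the redirect ports (10000+N, 11000+N) all follow the last octet N of the site's address.

```shell
#!/bin/sh
# Added example, not from the original post: print the per-site
# configuration described above. Assumption (not stated in the post):
# alias number, ipfwadm rule/redirect ports (10000+N, 11000+N) and both
# addresses follow the last octet N, as the N=2 example does.
# Nothing is executed; the output is meant to be reviewed, then run.
EXT_NET=200.200.200           # firewall-side addresses from the post
INT_NET=100.100.100           # real web-server addresses from the post
PLUG_GW=/usr/local/etc/plug-gw

# gen_site_config N: commands and netperm-table lines for site N (2..200).
gen_site_config() {
    n=$1
    # The post's range is .2 to .200; refuse anything outside it so a
    # typo cannot publish an alias or redirect that was not planned.
    if [ "$n" -lt 2 ] || [ "$n" -gt 200 ]; then
        echo "site index $n out of range 2-200" >&2
        return 1
    fi
    http_port=$((10000 + n))      # 10002 for site .2, as in the post
    https_port=$((11000 + n))     # 11002 for site .2, as in the post
    ext=$EXT_NET.$n
    int=$INT_NET.$n
    echo "# --- site $n: $ext -> $int ---"
    echo "ifconfig eth0:$n $ext"
    # Accept only packets for this alias on 80/443 and redirect each to
    # the local plug-gw port (needs IP_TRANSPARENT_PROXY for -r).
    echo "ipfwadm -I -a accept -r $http_port -S 0/0 -D $ext 80"
    echo "ipfwadm -I -a accept -r $https_port -S 0/0 -D $ext 443"
    echo "$PLUG_GW -daemon $http_port plug-gw"
    echo "$PLUG_GW -daemon $https_port plug-gw"
    echo "# netperm-table entries:"
    echo "plug-gw:port $http_port * -plug-to $int -port 80"
    echo "plug-gw:port $https_port * -plug-to $int -port 443"
}

# gen_all_sites: configuration for the whole .2 to .200 range. The port
# ranges 10002-10200 and 11002-11200 do not overlap, so no two sites
# share a redirect port.
gen_all_sites() {
    i=2
    while [ "$i" -le 200 ]; do
        gen_site_config "$i"
        i=$((i + 1))
    done
}

# Stand-alone run: site given as first argument, the post's site .2 by default.
gen_site_config "${1:-2}"
```

Redirecting `gen_all_sites` into a file gives a complete rc.fw-style script plus the netperm-table lines for all 199 sites, which can then be diffed against what is actually configured on the firewall.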