[svlug] IPCHAINS/UDP REDIRECT

Dan Martinez dfm at area.com
Wed Aug 29 02:06:01 PDT 2001

Previous message: [svlug] IPCHAINS/UDP REDIRECT
Next message: [svlug] Same as it ever was...
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Garry Jackson wrote:

> I am currently runing redhat 7.1 as my firewall/router and have a
> server on the internal network that needs to be seen from the
> internet. The server runs on a udp port. Does anyone know of a udp
> port redirector for linux.

Yes. Under the 2.2 kernel, you would accomplish this by using the
"ipmasqadm" command with the "portfw" subcommand. This would twiddle
the masquerading functionality in the kernel to provide Destination
NAT; it always struck me as something of a kludge.

The 2.4 kernel's packet-mangling code, netfilter, introduces a new
interface, iptables, which renders the earlier ipchains obsolete. This
new interface has quite a few things going for it. For one thing, its
configuration syntax is considerably cleaner. For another, it
introduces stateful packet inspection, which is a huge win. Properly
used, it will let you create firewall rulesets that are at once
simpler and safer than their ipchains-based counterparts.

The netfilter distribution also contains modules for backward
compatibility with ipchains -- and the even older ipfwadm, for that
matter. Red Hat chose to ship 7.1 configured with the ipchains
interface active by default. In theory, you should be able to download
and compile ipmasqadm, and use it to set up port forwarding. If it
works, it's probably the simplest solution.

I never tried it, however, as I decided to just take the plunge and
reconfigure my system to use iptables instead. It was well worth it.
If you choose to go this route, here's what I'd recommend you do:

1. Visit http://netfilter.samba.org/.

2. Download, build, and install iptables 1.2.2, which fixes a serious
   bug in the iptables connection-tracking code for FTP.

3. Read the "Linux 2.4 Packet Filtering HOWTO" and the "Linux 2.4 NAT
   HOWTO". (You'll find section 4 of the latter, "Quick Translation
   From 2.0 and 2.2 Kernels", of particular interest.

4. Devise a set of firewall rules suitable for your setup.

5. Disable the ipchains startup script.

6. Enable the iptables startup script, configuring it to load the
   rules you devised in step 4, or enable a iptables-based
   firewall-configuration script of your own devising.

If I'm being fuzzy regarding details, I'll have to plead the lateness
of the hour: bug me about it after I've slept, and I'll try to
clarify.

Dan

Previous message: [svlug] IPCHAINS/UDP REDIRECT
Next message: [svlug] Same as it ever was...
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the svlug mailing list