[svlug] IPCHAINS/UDP REDIRECT
dfm at area.com
Wed Aug 29 02:06:01 PDT 2001
Garry Jackson wrote:
> I am currently running redhat 7.1 as my firewall/router and have a
> server on the internal network that needs to be seen from the
> internet. The server runs on a udp port. Does anyone know of a udp
> port redirector for linux.
Yes. Under the 2.2 kernel, you would accomplish this by using the
"ipmasqadm" command with the "portfw" subcommand. This would twiddle
the masquerading functionality in the kernel to provide Destination
NAT; it always struck me as something of a kludge.
The 2.4 kernel's packet-mangling code, netfilter, introduces a new
interface, iptables, which renders the earlier ipchains obsolete. This
new interface has quite a few things going for it. For one thing, its
configuration syntax is considerably cleaner. For another, it
introduces stateful packet inspection, which is a huge win. Properly
used, it will let you create firewall rulesets that are at once
simpler and safer than their ipchains-based counterparts.
The netfilter distribution also contains modules for backward
compatibility with ipchains -- and the even older ipfwadm, for that
matter. Red Hat chose to ship 7.1 configured with the ipchains
interface active by default. In theory, you should be able to download
and compile ipmasqadm, and use it to set up port forwarding. If it
works, it's probably the simplest solution.
I never tried it, however, as I decided to just take the plunge and
reconfigure my system to use iptables instead. It was well worth it.
If you choose to go this route, here's what I'd recommend you do:
1. Visit http://netfilter.samba.org/.
2. Download, build, and install iptables 1.2.2, which fixes a serious
bug in the iptables connection-tracking code for FTP.
3. Read the "Linux 2.4 Packet Filtering HOWTO" and the "Linux 2.4 NAT
HOWTO". (You'll find section 4 of the latter, "Quick Translation
From 2.0 and 2.2 Kernels", of particular interest.)
4. Devise a set of firewall rules suitable for your setup.
5. Disable the ipchains startup script.
6. Enable the iptables startup script, configuring it to load the
rules you devised in step 4, or enable an iptables-based
firewall-configuration script of your own devising.
If I'm being fuzzy regarding details, I'll have to plead the lateness
of the hour: bug me about it after I've slept, and I'll try to
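As an added illustration of step 4 above (this is not part of the original post, nor from the netfilter project), here is the kind of iptables ruleset that replaces "ipmasqadm portfw" for a single UDP service: a DNAT rule in the nat table's PREROUTING chain plus stateful FORWARD rules so that only that one port is opened and replies are matched by connection tracking. The interface names, the internal server address 192.168.1.10 and the port 27015 are assumed placeholders; set IPT=echo to preview the generated rules without touching the kernel.

```shell
#!/bin/sh
# Added example (not from the original post): UDP port forwarding with
# iptables on a 2.4-era kernel, the netfilter equivalent of
# "ipmasqadm portfw". Interfaces, addresses and port are assumed
# placeholders; adjust them for your own network.
set -eu

IPT="${IPT:-iptables}"             # set IPT=echo to preview without applying
WAN_IF="${WAN_IF:-eth0}"           # interface facing the Internet (assumed)
LAN_IF="${LAN_IF:-eth1}"           # interface facing the internal LAN (assumed)
SERVER="${SERVER:-192.168.1.10}"   # internal UDP server (constructed address)
PORT="${PORT:-27015}"              # UDP port the server listens on (constructed)

# Emit the DNAT and FORWARD rules for one UDP port.
# Connection tracking matches the replies, so only the inbound NEW
# state needs an explicit hole; everything else stays at the FORWARD
# chain's default policy.
forward_udp_port() {
    port="$1"; server="$2"
    # Rewrite the destination of inbound packets before routing.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$port" \
        -j DNAT --to-destination "$server:$port"
    # Let the rewritten packets through to the internal host.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p udp -d "$server" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies: conntrack un-NATs them; allow only ESTABLISHED back out.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp -s "$server" --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Baseline: drop forwarded traffic unless a later rule allows it,
# and discard packets conntrack cannot classify.
base_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
}

# Apply the whole ruleset and turn on IP forwarding.
apply_rules() {
    base_policy
    forward_udp_port "$PORT" "$SERVER"
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only touch the kernel when explicitly asked, e.g.
#   APPLY_RULES=yes ./udp-forward.sh
if [ "${APPLY_RULES:-}" = "yes" ]; then
    apply_rules
fi
```

The FORWARD policy of DROP is what makes this safer than the old portfw approach: nothing reaches the internal network except the one UDP port, and even that only in the direction the rules name. If the service uses additional ports, call forward_udp_port once per port rather than widening the match.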