
Red Hat and Broken IPMasquerading

The-Pheon asks "OK. I've read the FAQs, scoured the Linux newsgroups searching for information about ipmasqadm, and I still can't get simple port forwarding to work on RedHat6. Any suggestions are greatly appreciated. The scenario: standard Red Hat 6.0, kernel 2.2.12, and ipchains-1.3.8. External is ip_aliased with a legal DNS address; internal is a single reserved address and network. IP masquerading is configured and working for internal -> external connections. This seems like it should be simple. To forward a simple telnet I use: /sbin/modprobe ip_masq_portfw; /usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 23 -R 192.168.1.12 23 The result: a telnet session to x.x.x.x (from a completely outside source) just hangs. Closer investigation shows that port forwarding is working -- sort of."

"I use the following:

/sbin/ipchains -P forward DENY

and then

/sbin/ipchains -A forward -s 192.168.32.0/24 -d 0.0.0.0/0 -j MASQ

IP forwarding is enabled in /proc/sys/net/ipv4/ip_forward

The kernel and modules have been rebuilt with all the relevant options set.

The netstat output of 192.168.1.12 shows a SYN_RECV connection from the remote address. Also, netstat -M on the masquerading Linux box shows a correct entry for the translation. Nevertheless, the conversation is never completed and the session just hangs. I've also tried adding several ipchains rules, in particular:

ipchains -I forward -p tcp -s 192.168.32.20/32 23 -j MASQ

-- with no luck.

Is this just a fluke in RedHat? Has anyone else ever successfully gotten ipmasqadm and portfw working with Red Hat? "

  • by J4 ( 449 )
    You do have the masquerading box set as the default gateway on the "masqueradee", right?
    What's the output of route -n?
  • When I set up my network, I decided to upgrade to the 2.2 kernel because the firewall code had been rewritten. Unfortunately, I found that this meant there was a short supply of documentation.

    I had the same experience as you. Masquerading worked great. But no matter what I did, I couldn't get port forwarding to work. I recompiled, recompiled, and recompiled... to no avail. I tried using portfw, but no luck. I eventually gave up, since it wasn't all that important to me anyway. There are a number of forwarding utils that other people have written, though. One such util is called redir... you should be able to find it on freshmeat.

    This site [tsmservices.com] was also very helpful for getting masquerading to work with misbehaving programs.

    Good luck!

  • Check that the default policies for your input and output firewalls are ACCEPT. This isn't a good thing to keep, but while establishing what the problem is it will eliminate one possibility.

    Check that your default route is to the network you want the masqueraded machines to have access to (or at least that there is a routing entry to such a network through the correct interface).

    Check your ipchains rules with /sbin/ipchains -L and verify they exist. I haven't looked to see what ipchains will do if you run it without kernel support. I presume it bombs out, but check this anyhow.

    I've run IP masquerading on Slackware 3.2.0, RedHat 5.2, 6.0 and 6.1 with no dramas, so it will likely be something small.
  • Read the posting, then make suggestions.


  • Is IP Forwarding on?

    The easiest way is probably /usr/sbin/netcfg: last folder tab, forwarding checkbox, then I think you need to restart networking.

    The hard way is to look inside /etc/sysconfig/network and make sure it has

    FORWARD_IPV4=yes

  • OK, this is not a direct answer to your problem, but looking at the bigger picture, you may be better off with a standalone firewall box between your private LAN and the outside world.

    The following solutions center on a single floppy drive Linux implementation on a 486 machine.

    I would take a look at ShareTheNet [sharethenet.com], which is a commercial package I have set up for clients, very stable and very fast (it is Linux on one floppy; costs $70).

    Also you can look at other free alternatives like Freesco and Ballantain [bizli.com].

    All of them have mailing lists and/or web forums for support.

    I am sure that there are many others, but these are the ones I tried. Ballantain had a problem with my modem, Freesco was very Alpha at the time, so I chose ShareTheNet (STN).

    --

  • Jeez, what a moron (me). I scoured your posting and only afterward did I see that your forwarding *is* on.

    However, here's another suggestion: from your "fake" 192.168. IP address, it occurs to me to mention that the Network Address Translation/masquerading needs to take place on the "internet" network adapter, not on the private network side.
  • You need to switch your ipchains rules: have deny in the middle and the forward above it; masq can be at the bottom, it doesn't really matter.
  • clearer version:

    From your "fake" 192.168. IP address, it occurs to me to mention that the Network Address Translation/masquerading needs to take place on the "internet" network adapter, not on the private network side.

    Notice that the other suggestors are including a "-i ethX" argument. You should have one too, referring to the "external internet" network adapter.

    Hey, any editors want to delete my previous and just use this one?

  • This is what I use in /etc/rc.d/init.d, called "firewall". Don't forget to chmod u+x it.

    I've got it set to come up right after "network" is brought up. This leaves a micro-smidgen of time where the network is unfirewalled, but lets me make sure I have my DHCP address set right. If you're all static, you can (and should) put it up before "network".

    Basically, it assumes your external is DHCP (as is the case with my cablemodem), and is eth0.

    Internal is set as eth1, 192.168.0.0/24. Change these as necessary.

    There are some example forwarders near the end of the script.

    BTW, any hints on strengthening this would be great!

    Enjoy!

    mindslip


    #!/bin/sh
    #
    #
    # FORTRESS
    # Masquerade and Firewall loading script
    #
    # Assumes eth0 is the external (DHCP, cablemodem) interface and
    # eth1 is the internal interface on 192.168.0.0/24.
    #
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
    export PATH
    #
    # Turn on IP Forwarding
    #
    echo "1" > /proc/sys/net/ipv4/ip_forward
    #
    # Turn on DHCP dynamic address support
    #
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    #
    # Find out our cablemodem's address
    #
    DHCPIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
    #
    # Bail out if eth0 has no address yet: every rule below that uses
    # $DHCPIP would otherwise be loaded with an empty argument.
    #
    if [ -z "$DHCPIP" ]; then
        echo "firewall: eth0 has no address, rules not loaded" >&2
        exit 1
    fi
    #
    # Load some generic masquerading modules
    #
    /sbin/depmod -a
    /sbin/modprobe ip_masq_portfw
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio
    /sbin/modprobe ip_masq_irc
    /sbin/modprobe ip_masq_mfw
    /sbin/modprobe ip_masq_user
    #
    #
    # Set the firewall rules
    #
    # Incoming: Flush and set default policy of "deny all"
    #
    ipmasqadm mfw -F
    ipchains -F input
    ipchains -P input DENY
    #
    # Internal network: Going anywhere is ok
    #
    ipchains -A input -j ACCEPT -i eth1 -s 192.168.0.0/24 -d 0.0.0.0/0
    #
    # Remote int., claiming to be a local machine, IP spoofs, etc: deny/log
    #
    ipchains -A input -j DENY -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0 -l
    #
    # Remote interface, any source, going to cablemodem's nic, permit
    #
    # NOTE: this accepts every inbound packet addressed to the external IP.
    # To tighten it, put per-port ACCEPT rules here and DENY the rest.
    # Ports forwarded with portfw below must still be ACCEPTed here: the
    # input chain sees the packet before the portfw rewrite happens.
    #
    ipchains -A input -j ACCEPT -i eth0 -s 0.0.0.0/0 -d $DHCPIP
    #
    # Loopback (127.0.0.1/localhost): permit
    #
    ipchains -A input -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
    #
    # Catch-all, denying everything else and logging
    #
    ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
    #
    #
    # Outgoing: flush and set default policy of "deny all"
    #
    ipchains -F output
    ipchains -P output DENY
    #
    # Internal network: anything local is ok
    #
    ipchains -A output -j ACCEPT -i eth1 -s 0.0.0.0/0 -d 192.168.0.0/24
    #
    # Outgoing to local net on cablemodem's nic, stuffed routing, etc, deny/log
    #
    ipchains -A output -j DENY -i eth0 -s 0.0.0.0/0 -d 192.168.0.0/24 -l
    #
    # Outgoing from local net on cablemodem's nic, stuffed masquerading, etc, deny/log
    #
    ipchains -A output -j DENY -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0 -l
    #
    # Anything else outgoing on cablemodem's nic is valid
    #
    ipchains -A output -j ACCEPT -i eth0 -s $DHCPIP -d 0.0.0.0/0
    #
    # Loopback/localhost outbound is valid
    #
    ipchains -A output -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
    #
    # Anything else is denied and logged
    #
    ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
    #
    #
    # Forwarding: Flush and set default policy of deny
    #
    ipchains -F forward
    ipchains -P forward DENY
    #
    # Masquerade from local net to anywhere. In the forward chain -i is
    # the interface the packet LEAVES on, so -i eth0 matches LAN traffic
    # going out through the cablemodem's nic.
    #
    ipchains -A forward -j MASQ -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0
    #
    #
    # Catch-all deny and log
    #
    ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
    #
    #
    # Specific application examples...
    #
    # Forward web stuff on 80 to another computer
    #
    #ipmasqadm portfw -a -P tcp -L $DHCPIP 80 -R 192.168.0.100 80
    #
    # Forward talk to another computer
    #
    ipmasqadm portfw -a -P udp -L $DHCPIP 517 -R 192.168.0.100 517
    ipmasqadm portfw -a -P udp -L $DHCPIP 518 -R 192.168.0.100 518
    #
    # Forward FTP to a machine
    #
    #ipmasqadm portfw -a -P tcp -L $DHCPIP 21 -R 192.168.0.100 21
    #
    # Forward Telnet to a machine
    #
    #ipmasqadm portfw -a -P tcp -L $DHCPIP 23 -R 192.168.0.100 26
    #
    #
  • I have figured out the problem and thought that some of you may have run into the same thing.

    What I was trying to do was forward connections from telnet (port 23) to another box inside my local network. I already had the masqing working, which most of the posts were about.

    The answer is!
    When you are doing port forwarding with ipmasqadm and portfw, it does not work from within your local network! Hence, when I was trying to test it, it did not work. When I realized that the forwarding would not work from within my own network, I started it back up and went across the hall. Sure enough, it was working!

    The moral of the story:

    If you are using ipmasqadm with the portfw module, you must test it from outside your network to make sure it is working, not from within. I hope this helps some people out.
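The question reports a server stuck in SYN_RECV while netstat -M shows a correct translation, and the poster's own follow-up above says the forward only works when tested from outside the LAN. The following is an added illustration, not code from any of the posts: it models the three hops of a portfw'd telnet SYN and the asymmetric return path that produces exactly those symptoms. Addresses are constructed: 198.51.100.1 stands in for the "x.x.x.x" external address, 203.0.113.5 is an outside client, 192.168.1.20 an inside client, and 192.168.1.0/24 is assumed from the server's 192.168.1.12; the portfw rule itself is the one from the question.

```python
"""Why 'ipmasqadm portfw' works from outside the LAN but hangs from inside it.

Added illustration for this thread, not code from the original posts.
Constructed addresses: 198.51.100.1 (external), 203.0.113.5 (outside
client), 192.168.1.20 (inside client); 192.168.1.0/24 assumed from the
server's 192.168.1.12.
"""
import ipaddress
from dataclasses import dataclass, field

EXT_IP = ipaddress.ip_address("198.51.100.1")   # masquerading box, external side (assumed)
LAN = ipaddress.ip_network("192.168.1.0/24")   # internal net (assumed)
SERVER = ipaddress.ip_address("192.168.1.12")  # telnet host behind the gateway
# ipmasqadm portfw -a -P tcp -L 198.51.100.1 23 -R 192.168.1.12 23
PORTFW = {(EXT_IP, 23): (SERVER, 23)}
PORTFW_REV = {v: k for k, v in PORTFW.items()}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str


@dataclass
class Gateway:
    """The masquerading box; masq_table is what 'netstat -M' lists."""
    masq_table: dict = field(default_factory=dict)

    def to_local_address(self, pkt):
        """Packet addressed to the external IP: portfw rewrites the destination."""
        target = PORTFW.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt
        self.masq_table[(pkt.src, pkt.sport)] = target
        return Packet(pkt.src, pkt.sport, target[0], target[1], pkt.flags)

    def from_lan(self, pkt):
        """Reply routed back through the gateway: restore the external address."""
        if self.masq_table.get((pkt.dst, pkt.dport)) == (pkt.src, pkt.sport):
            ext, eport = PORTFW_REV[(pkt.src, pkt.sport)]
            return Packet(ext, eport, pkt.dst, pkt.dport, pkt.flags)
        return pkt


def server_answers(pkt, gw):
    """The internal host sends SYN-ACK and routes it like any other packet:
    a destination on its own subnet is delivered directly (ARP, same wire),
    anything else goes to the default gateway.
    Returns (reply as the client receives it, whether it crossed the gateway)."""
    reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "SYN-ACK")
    if reply.dst in LAN:
        return reply, False          # gateway never sees it, no un-NAT happens
    return gw.from_lan(reply), True


def connect(client_ip, client_port=40000):
    """Simulate 'telnet 198.51.100.1' from client_ip; return the handshake outcome."""
    client = ipaddress.ip_address(client_ip)
    gw = Gateway()
    syn = Packet(client, client_port, EXT_IP, 23, "SYN")
    forwarded = gw.to_local_address(syn)          # DNAT happens for both clients
    reply, via_gateway = server_answers(forwarded, gw)
    # The client only has a socket for the 4-tuple it opened: itself <-> EXT_IP:23.
    matches = ((reply.src, reply.sport) == (EXT_IP, 23)
               and (reply.dst, reply.dport) == (client, client_port))
    return {
        "client_state": "ESTABLISHED" if matches else "HANG",
        "server_state": "ESTABLISHED" if matches else "SYN_RECV",
        "syn_ack_from": f"{reply.src}:{reply.sport}",
        "reply_via_gateway": via_gateway,
        "netstat_M_entry": (client, client_port) in gw.masq_table,
    }


if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.168.1.20"):
        print(ip, connect(ip))
```

Running it prints both outcomes. The masq entry exists in both cases, which is why netstat -M looked right in the question; the difference is that the server's SYN-ACK to a same-subnet client is delivered directly and never passes the gateway, so its source is never rewritten back to the external address and the client has no connection matching it. The server is left in SYN_RECV, the client hangs. Later iptables-based NAT can cover this "hairpin" case by also masquerading such connections on the internal interface so the server replies to the gateway; with 2.2 portfw, testing from outside, as the poster did, is the check.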
  • (Apologies to all if this information is repeated. I can't get /. to display the seven posts before mine.)

    I'm terrible at building the firewall rules myself. I understand perfectly what is going on--it's just that any script I make (from ipmasqadm to ipchains) won't work correctly. To compensate for this deficiency, I use the scripts at http://ipchains.nerdherd.org/. So far, I've recommended them to clients, implemented them at work and at home, and they've made me look really, really good.

    The masquerading script is so simple, yet easily configurable. The latest versions are self-configuring and are perfect for the SOHO network.

    Chris
  • Another very easy way to do this is to use redir. Search for it on freshmeat. It works great, whether you are inside or outside your network.
  • I have a RH 6 based firewall using port forwarding (forwarding port 80 for some stuff).

    I used:

    /sbin/ipchains -I forward -p tcp -s server_ip/32 80 -j MASQ

    /sbin/ipchains -P forward DENY

    /sbin/ipchains -A forward -s localnet/24 -j MASQ

    ipmasqadm portfw -a -P tcp -L external_ip 80 -R internal_ip 80

    replace server_ip, localnet, external_ip and internal_ip as appropriate. Also change 80 to whatever port you are using.

    You would obviously want some other rules to improve security, but that should get you started.

  • ...and possibly offtopic besides.

    I've been collecting documentation [freedom.org] on the Linux 2.2 networking features for a while now. What I've got is focused less on Masq/portfw than the neat new routing tricks, but I've got just about everything that's out there, I think.

    If there's docs out there I don't have, please tell me about 'em and I'll put 'em up. (email addy on the site).
