Firewall w/ Internal Server

Title: Port Forwarding
Date: December 13, 2000
Updated: December 13, 2000
Author: Larry A. Apolonio

Intro:
This document tries to explain how to set up a Linux firewall with port
forwarding.  It is assumed that you are running Red Hat 6.2; although that may
not be the case for you, this document should work for most distributions with
kernel 2.2.x.

I know there are many ways to skin a cat: you don't need Exchange, you could use
sendmail; why set up an IIS 4.0 box; there are a lot of ways to do this (proxy,
routing, etc.).  Please understand, I am trying to illustrate one way of doing
something.

Here is the scenario: you have signed up for a DSL line and managed to get an
ISP that allows servers and gives out static IPs.  They assign you the following
live static IP addresses:
111.22.33.0 to 111.22.33.7
Your subnet mask is 255.255.255.248
111.22.33.0 is your network IP, which can't be used
111.22.33.7 is your broadcast IP, which can't be used
111.22.33.6 is the IP your router is set up on
111.22.1.1 is the primary nameserver
111.22.1.2 is the secondary nameserver

Say you were able to register domain.com

Say you have set up a Windows NT network using TCP/IP.
You have 10 computers, and you are using the private address space
192.168.0.0 to 192.168.0.255, a class C network, to keep it simple.
The subnet mask is 255.255.255.0
192.168.0.0 is your network IP, which can't be used
192.168.0.255 is your broadcast IP, which can't be used
192.168.0.1 is your NT PDC (pdc.domain.com)
192.168.0.2 is your Exchange server (mail.domain.com)
192.168.0.3 is your web server (www.domain.com)
192.168.0.4 is a second web server (intranet.domain.com);
            this box will also be an FTP server.
192.168.0.254 will be your Linux firewall
We don't really care about the rest.

Here are the IP mappings:
111.22.33.1 -> 192.168.0.2 exchange server
111.22.33.1 -> 192.168.0.3 www.domain.com (main web site)
111.22.33.2 -> 192.168.0.4 intranet.domain.com (internal web site)
111.22.33.2 -> 192.168.0.4 ftp.domain.com (ftp server)
111.22.33.3 -> 192.168.0.254 linux firewall

(This portion is generalized; sorry, look out for another document that will
 go into more detail on how to set up the Linux box.)
First set up the Linux box with 2 NICs.
Assign one NIC, eth0, the IP address 111.22.33.3; this will be the
external interface.
Assign the other NIC, eth1, the IP address 192.168.0.254; this will be the
internal interface.

Download the IP forwarding tool (ipmasqadm) and install it.
The current file (as of this update) is:
ipmasqadm-0.4.2-4.i386.rpm

Install it:
rpm -iv ipmasqadm-0.4.2-4.i386.rpm
or (if there was a prior version):
rpm -Uv ipmasqadm-0.4.2-4.i386.rpm

On to the other stuff

# This line installs the dummy interface module
insmod dummy

# Next 2 lines assign the extra live IP addresses to dummy interfaces.
# (Per the mapping table above, 111.22.33.1 and 111.22.33.2 are forwarded
# addresses owned by the firewall and 111.22.33.3 is already on eth0, so the
# dummy interfaces get .1 and .2; the original listed .2 and .3, which would
# have duplicated eth0's address and left .1 unassigned.)
ifconfig dummy0 111.22.33.1 netmask 255.255.255.248 broadcast 111.22.33.7
ifconfig dummy1 111.22.33.2 netmask 255.255.255.248 broadcast 111.22.33.7

# Next line installs the port forwarding module
modprobe ip_masq_portfw

# ipchains firewall rules go here
echo 1 > /proc/sys/net/ipv4/ip_forward
/usr/sbin/ipchains -F
/usr/sbin/ipchains -P input ACCEPT
/usr/sbin/ipchains -P forward DENY
/usr/sbin/ipchains -P output ACCEPT
# Masquerade internal traffic that leaves through eth0
/usr/sbin/ipchains -A forward -i eth0 -j MASQ
# Order does matter: the first matching rule wins, so the ACCEPT rules for
# the forwarded services must come before the catch-all DENY rules below.
# These rules only allow the services you allow
/usr/sbin/ipchains -A input -i eth0 -p TCP -s 0/0 -d 111.22.33.1 25 -j ACCEPT
/usr/sbin/ipchains -A input -i eth0 -p TCP -s 0/0 -d 111.22.33.1 80 -j ACCEPT
/usr/sbin/ipchains -A input -i eth0 -p TCP -s 0/0 -d 111.22.33.2 80 -j ACCEPT
/usr/sbin/ipchains -A input -i eth0 -p TCP -s 0/0 -d 111.22.33.2 20 -j ACCEPT
/usr/sbin/ipchains -A input -i eth0 -p TCP -s 0/0 -d 111.22.33.2 21 -j ACCEPT
# The next two rules match only connections from source port 53 and are
# already covered by the two rules above them (kept from the original)
/usr/sbin/ipchains -A input -i eth0 -p TCP -s 0/0 53 -d 111.22.33.2 20 -j ACCEPT
/usr/sbin/ipchains -A input -i eth0 -p TCP -s 0/0 53 -d 111.22.33.2 21 -j ACCEPT
# These rules deny everything else to the dummy0 and dummy1 addresses.
# -i eth0 is correct: the packets arrive on eth0 even though the addresses
# are bound to the dummy interfaces.
/usr/sbin/ipchains -A input -i eth0 -s 0/0 -d 111.22.33.1 -j DENY
/usr/sbin/ipchains -A input -i eth0 -s 0/0 -d 111.22.33.2 -j DENY
# Rules for the eth0 IP address 111.22.33.3 are more complicated and are
# discussed in another document


# ipmasqadm port forwarding rules go here
# Flush any existing port forwarding entries first
/usr/sbin/ipmasqadm portfw -f

# 111.22.33.1 -> 192.168.0.2 exchange server SMTP mail
/usr/sbin/ipmasqadm portfw -a -P tcp -L 111.22.33.1 25 -R 192.168.0.2 25

# 111.22.33.1 -> 192.168.0.3 www.domain.com (main web site)
/usr/sbin/ipmasqadm portfw -a -P tcp -L 111.22.33.1 80 -R 192.168.0.3 80

# 111.22.33.2 -> 192.168.0.4 intranet.domain.com (internal web site)
/usr/sbin/ipmasqadm portfw -a -P tcp -L 111.22.33.2 80 -R 192.168.0.4 80

# 111.22.33.2 -> 192.168.0.4 ftp.domain.com (ftp server)
/usr/sbin/ipmasqadm portfw -a -P tcp -L 111.22.33.2 21 -R 192.168.0.4 21
/usr/sbin/ipmasqadm portfw -a -P tcp -L 111.22.33.2 20 -R 192.168.0.4 20
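An added example, not from the original document: a small Python model of the input chain and portfw table above (first matching rule wins, as in ipchains) that checks which outside packets reach which internal host and shows why "Order does matter". The addresses and ports are the page's own; the checking functions and the outside source address 203.0.113.9 are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Input-chain rules in the page's order:
# (interface, proto, source net, destination IP, destination port or None, target)
INPUT_CHAIN = [
    ("eth0", "tcp", "0.0.0.0/0", "111.22.33.1", 25, "ACCEPT"),
    ("eth0", "tcp", "0.0.0.0/0", "111.22.33.1", 80, "ACCEPT"),
    ("eth0", "tcp", "0.0.0.0/0", "111.22.33.2", 80, "ACCEPT"),
    ("eth0", "tcp", "0.0.0.0/0", "111.22.33.2", 20, "ACCEPT"),
    ("eth0", "tcp", "0.0.0.0/0", "111.22.33.2", 21, "ACCEPT"),
    ("eth0", "all", "0.0.0.0/0", "111.22.33.1", None, "DENY"),  # catch-all
    ("eth0", "all", "0.0.0.0/0", "111.22.33.2", None, "DENY"),  # catch-all
]
INPUT_POLICY = "ACCEPT"  # "ipchains -P input ACCEPT" on the page

# ipmasqadm portfw table: (public IP, port) -> (internal host, port)
PORTFW = {
    ("111.22.33.1", 25): ("192.168.0.2", 25),  # Exchange SMTP
    ("111.22.33.1", 80): ("192.168.0.3", 80),  # www.domain.com
    ("111.22.33.2", 80): ("192.168.0.4", 80),  # intranet.domain.com
    ("111.22.33.2", 21): ("192.168.0.4", 21),  # ftp control
    ("111.22.33.2", 20): ("192.168.0.4", 20),  # ftp data
}

def input_verdict(chain, iface, proto, src, dst, dport):
    """First matching rule wins, as in ipchains; no match -> chain policy."""
    for r_iface, r_proto, r_src, r_dst, r_port, target in chain:
        if r_iface != iface or r_proto not in ("all", proto):
            continue
        if ip_address(src) not in ip_network(r_src) or r_dst != dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return target
    return INPUT_POLICY

def route_packet(iface, proto, src, dst, dport, chain=INPUT_CHAIN):
    """Return (verdict, (host, port)) for a packet arriving from outside.
    The input chain sees the original public destination; only ACCEPTed
    packets reach portfw, which rewrites them to the internal host.  A
    public (IP, port) without a portfw entry stays addressed to the firewall."""
    verdict = input_verdict(chain, iface, proto, src, dst, dport)
    if verdict != "ACCEPT":
        return verdict, None
    return verdict, PORTFW.get((dst, dport), (dst, dport))

# Same rules with the two DENY rules moved to the top: every forwarded
# service is now blocked, which is what "Order does matter" warns about.
MISORDERED_CHAIN = INPUT_CHAIN[-2:] + INPUT_CHAIN[:-2]
```

Note that a packet to the firewall's own eth0 address (111.22.33.3) matches no rule and falls through to the ACCEPT policy, which is why the page defers rules for that address to another document.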

Final Note: If you want to run a web server or SMTP server (I don't recommend it)
            directly on the firewall, bind the service to the IP address you
            want it to run on.

Copyright 2000 Larry Apolonio.  If you have any questions or comments regarding this site, please contact lapolonio@minihowto.com
Last Updated 02/08/01