Linux IPCHAINS-HOWTO: I'm confused! Routing, masquerading, portforwarding, ipautofw...
3. I'm confused! Routing, masquerading, portforwarding,
ipautofw...
This HOWTO is about packet filtering. This means deciding whether a packet
should be allowed to pass or not. However, Linux being the hacker's playground
that it is, you probably want to do more than that.
One problem is that the same tool (``ipchains'') is used to control both
masquerading and transparent proxying, although these are notionally separate
from packet filtering (the current Linux implementation blurs these together
unnaturally, leaving the impression that they are closely related).
Masquerading and proxying are covered by separate HOWTOs, and the auto
forwarding and port forwarding features are controlled by separate tools, but
since so many people keep asking me about it, I'll include a set of common
scenarios and indicate when each one should be applied. The security merits of
each setup will not be discussed here.
3.1 Rusty's Three-Line Guide To Masquerading
This assumes that your external interface is called `ppp0'. Use
ifconfig to find out, and adjust to taste.
# ipchains -P forward DENY
# ipchains -A forward -i ppp0 -j MASQ
# echo 1 > /proc/sys/net/ipv4/ip_forward
3.2 Gratuitous Promotion: WatchGuard Rules
You can buy off-the-shelf firewalls. An excellent one is WatchGuard's
FireBox. It's excellent because I like it, it's secure, it's Linux-based, and
because they are funding the maintenance of ipchains as well as the new
firewalling code (aimed for 2.3). In short, WatchGuard are paying for me to eat
while I work for you. So please consider their stuff.
http://www.watchguard.com/
3.3 Common Firewall-like Setups
You run littlecorp.com. You have an internal network, and a single dialup
(PPP) connection to the Internet (firewall.littlecorp.com which is 1.2.3.4). You
run Ethernet on your local network, and your personal machine is called
"myhost".
This section will illustrate the different arrangement which are common. Read
carefully, because they are each subtly different.
Private Network: Traditional Proxies
In this scenario, packets from the private network never traverse the
Internet, and vice versa. The IP addresses of the private network should be
assigned from the RFC1597 Private Network Allocations (ie. 10.*.*.*, 172.16.*.*
or 192.168.*.*).
The only way things ever connect to the Internet is by connecting to the
firewall, which is the only machine on both networks which connects onwards. You
run a program (on the firewall) called a proxy to do this (there are proxies for
FTP, web access, telnet, RealAudio, Usenet News and other services). See the
Firewall HOWTO.
Any services you wish the Internet to access must be on the firewall. (But
see Limited
Internal Services below).
Example: Allowing web access from private network to the Internet.
The private network is assigned 192.168.1.* addresses, with myhost being
192.168.1.100, and the firewall's Ethernet interface being assigned
192.168.1.1.
A web proxy (eg. "squid") is installed and configured on the firewall, say
running on port 8080.
Netscape on the private network is configured to use the firewall port
8080 as a proxy.
DNS does not need to be configured on the private network.
DNS does need to be configured on the firewall.
No default route (aka gateway) needs to be configured on the private
network.
Netscape on myhost reads http://slashdot.org.
Netscape connects to the firewall port 8080, using port 1050 on myhost. It
asks for the web page of "http://slashdot.org".
The proxy looks up the name "slashdot.org", and gets 207.218.152.131. It
then opens a connection to that IP address (using port 1025 on the firewall's
external interface), and asks the web server (port 80) for the web page.
As it receives the web page from its connection to the web server, it
copies the data to the connection from Netscape.
Netscape renders the page.
ie. From slashdot.org's point of view, the connection is made from 1.2.3.4
(firewall's PPP interface) port 1025 to 207.218.152.131 (slashdot.org) port 80.
From myhost's point of view, the connection is made from 192.168.1.100 (myhost)
port 1050, to 192.168.1.1 (firewall's Ethernet interface) port 8080.
Private Network: Transparent Proxies
In this scenario, packets from the private network never traverse the
Internet, and vice versa. The IP addresses of the private network should be
assigned from the RFC1597 Private Network Allocations (ie. 10.*.*.*, 172.16.*.*
or 192.168.*.*).
The only way things ever connect to the Internet is by connecting to the
firewall, which is the only machine on both networks, which connects onwards.
You run a program (on the firewall) called a transparent proxy to do this; the
kernel sends outgoing packets to the transparent proxy instead of sending them
onwards (ie. it bastardizes routing).
Transparent proxying means that the clients don't need to know there is a
proxy involved.
Any services you wish the Internet to access must be on the firewall. (But
see Limited
Internal Services below).
Example: Allowing web access from private network to the Internet.
The private network is assigned 192.168.1.* addresses, with myhost being
192.168.1.100, and the firewall's Ethernet interface being assigned
192.168.1.1.
A transparent web proxy (I believe there are patches for squid to allow it
to operate in this manner, or try "transproxy") is installed and configured on
the firewall, say running on port 8080.
The kernel is told to redirect connections to port 80 to the proxy, using
ipchains.
Netscape on the private network is configured to connect directly.
DNS needs to be configured on the private network (ie. you need to run a
DNS server as a proxy on the firewall).
The default route (aka gateway) needs to be configured on the private
network, to send packets to the firewall.
Netscape on myhost reads http://slashdot.org.
Netscape looks up the name "slashdot.org", and gets 207.218.152.131. It
then opens a connection to that IP address, using local port 1050, and asks
the web server (port 80) for the web page.
As the packets from myhost (port 1050) to slashdot.org (port 80) pass
through the firewall, they are redirected to the waiting transparent proxy on
port 8080. The transparent proxy opens a connection (using local port 1025) to
207.218.152.131 port 80 (which is where the original packets were going).
As the proxy receives the web page from its connection to the web server,
it copies the data to the connection from Netscape.
Netscape renders the page.
ie. From slashdot.org's point of view, the connection is made from 1.2.3.4
(firewall's PPP interface) port 1025 to 207.218.152.131 (slashdot.org) port 80.
From myhost's point of view, the connection is made from 192.168.1.100 (myhost)
port 1050, to 207.218.152.131 (slashdot.org) port 80, but it's actually talking
to the transparent proxy.
Private Network: Masquerading
In this scenario, packets from the private network never traverse the
Internet without special treatment, and vice versa. The IP addresses of the
private network should be assigned from the RFC1597 Private Network Allocations
(ie. 10.*.*.*, 172.16.*.* or 192.168.*.*).
Instead of using a proxy, we use a special kernel facility called
"masquerading". Masquerading rewrites packets as they pass through the firewall,
so that they always seem to come from the firewall itself. It then rewrites the
responses so that they look like they are going to the original recipient.
Masquerading has separate modules to handle "tricky" protocols, such as FTP,
RealAudio, Quake, etc. For really hard-to-handle protocols, the "auto
forwarding" facility can handle some of them by automatically setting up port
forwarding for related sets of ports: look for ``ipportfw'' (2.0 kernels) or
``ipmasqadm'' (2.1 kernels).
Any services you wish the Internet to access must be on the firewall. (But
see Limited
Internal Services below).
Example: Allowing web access from private network to the Internet.
The private network is assigned 192.168.1.* addresses, with myhost being
192.168.1.100, and the firewall's Ethernet interface being assigned
192.168.1.1.
The firewall is set up to masquerade any packets coming from the private
network and going to port 80 on an Internet host.
Netscape is configured to connect directly.
DNS must be configured correctly on the private network.
The firewall should be the default route (aka gateway) for the private
network.
Netscape on myhost reads http://slashdot.org.
Netscape looks up the name "slashdot.org", and gets 207.218.152.131. It
then opens a connection to that IP address, using local port 1050, and asks
the web server (port 80) for the web page.
As the packets from myhost (port 1050) to slashdot.org (port 80) pass
through the firewall, they are rewritten to come from the PPP interface of the
firewall, port 65000. The firewall has a valid Internet address (1.2.3.4) so
reply packets from www.linuxhq.com get routed back OK.
As packets from slashdot.org (port 80) to firewall.littlecorp.com (port
65000) come in, they are rewritten to go to myhost, port 1050. This is the
real magic of masquerading: it remembers when it rewrites outgoing packets to
it can write them back as replies come in.
Netscape renders the page.
ie. From the slashdot.org's point of view, the connection is made from
1.2.3.4 (firewall's PPP interface) port 65000 to 207.218.152.131 (slashdot.org)
port 80. From the myhost's point of view, the connection is made from
192.168.1.100 (myhost) port 1050, to 207.218.152.131 (slashdot.org) port 80.
Public Network
In this scenario, your personal network is a part of the Internet: packets
can flow without change across both networks. The IP addresses of the internal
network must be assigned by applying for a block of IP addresses, so the rest of
the network will know how to get packets to you. This implies a permanent
connection.
In this role, packet filtering is used to restrict which packets can be
forwarded between your network and the rest of the Internet, eg. to restrict the
rest of the Internet to only accessing your internal web servers.
Example: Allowing web access from private network to the Internet.
Your internal network is assigned according to the IP address block you
have registered, (say 1.2.3.*).
The firewall is set up to allow all traffic.
Netscape is configured to connect directly.
DNS must be configured correctly on your network.
The firewall should be the default route (aka gateway) for the private
network.
Netscape on myhost reads http://slashdot.org.
Netscape looks up the name "slashdot.org", and gets 207.218.152.131. It
then opens a connection to that IP address, using local port 1050, and asks
the web server (port 80) for the web page.
Packets pass through your firewall, just as they pass through several
other routers between you and slashdot.org.
Netscape renders the page.
ie. There is only one connection: from 1.2.3.100 (myhost) port 1050, to
207.218.152.131 (slashdot.org) port 80.
Limited Internal Services
There are a few tricks you can pull to allow the Internet to access your
internal services, rather than running the services on the firewall. These will
work with either a proxy or masquerading based approach for external
connections.
The simplest approach is to run a "redirector", which is a poor-man's proxy
which waits for a connection on a given port, and then open a connection a fixed
internal host and port, and copies data between the two connections. An example
of this is the "redir" program. From the Internet point of view, the connection
is made to your firewall. From your internal server's point of view, the
connection is made from the internal interface of the firewall to the server.
Another approach (which requires a 2.0 kernel patched for ipportfw, or a 2.1
or later kernel) is to use port forwarding in the kernel. This does the same job
as "redir" in a different way: the kernel rewrites packets as they pass through,
changing their destination address and ports to point them at an internal host
and port. From the Internet's point of view, the connection is made to your
firewall. From your internal server's point of view, a direct connection is made
from the Internet host to the server.
http://www.ecst.csuchico.edu/~dranch/LINUX/index-LINUX.html#ipmasq
Soon I would expect it to be found under the auspices of the Linux
Documentation Project, at http://www.metalab.unc.edu/LDP
The official Masquerading home page is at
http://ipmasq.cjb.net/
Wyszukiwarka
Podobne podstrony:
Linux Online Linux IPCHAINS HOWTO I m confused! Routing, masquerading, portforwarding, ipautofwLinux IPCHAINS HOWTO Appendix Differences between ipchains and ipfwadmLinux IPCHAINS HOWTO MiscellaneousLinux Online Linux IPCHAINS HOWTO Packet Filtering BasicsLinux IPCHAINS HOWTOLinux Online Linux IPCHAINS HOWTO Appendix Differences between ipchains and ipfwadmLinux IPCHAINS HOWTO A Serious ExampleLinux IPCHAINS HOWTO Packet Filtering BasicsLinux IPCHAINS HOWTO Appendix Using the ipfwadm wrapper scriptLinux Online Linux IPCHAINS HOWTO Appendix Using the ipfwadm wrapper scriptLinux Online Linux IPCHAINS HOWTO IP Firewalling ChainsLinux Online Linux IPCHAINS HOWTO IntroductionLinux Online Linux IPCHAINS HOWTO Appendix ThanksLinux IPCHAINS HOWTO IntroductionLinux Online Linux IPCHAINS HOWTOLinux Online Linux IPCHAINS HOWTO Common ProblemsLinux IPCHAINS HOWTOLinux IPCHAINS HOWTO Common Problemswięcej podobnych podstron