Internet Servers behind firewall (passthrough)

Internet Servers behind firewall (passthrough)

[Yuta Kawamoto]

Hi, I am not a very netfilter savvy person. (beginner)
My problem is this:

I have 10 public(internet) IP addresses, each for a server.
These servers run a variety of OS-es, from RedHat Linux to MaxOSX
the only path for them to the internet, is a single network cable(a "red"
colored wire).
Right now, I have a RedHat Linux 9 machine connected to this red wire.
I have installed IPTABLES, but do not really know how to configure rules.

I would like this Linux "routing machine" to take all traffic to the 10
internet IP's
and pass them straight on to the servers connected on the other side of this
machine.


Internet(red wire) -> [eth0]Linux Routing PC[eth1] -> Switch/Hub -> 10
servers

I would need all ports on each of the machines,
as they would be serving all forms of traffic.

I have asked some friends who know more about Linux than I do, to no avail.
I would really appreciate any and all help in this matter.

Yuta Kawamoto

Re: Internet Servers behind firewall (passthrough)

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 1364 bytes --]

On Wed, 2004-02-11 at 03:29, Yuta Kawamoto wrote:
> Hi, I am not a very netfilter savvy person. (beginner)
> My problem is this:
> 
> I have 10 public(internet) IP addresses, each for a server.
> These servers run a variety of OS-es, from RedHat Linux to MaxOSX
> the only path for them to the internet, is a single network cable(a "red"
> colored wire).
> Right now, I have a RedHat Linux 9 machine connected to this red wire.
> I have installed IPTABLES, but do not really know how to configure rules.
> 
> I would like this Linux "routing machine" to take all traffic to the 10
> internet IP's
> and pass them straight on to the servers connected on the other side of this
> machine.
> 
You need to investigate DNAT.

> 
> Internet(red wire) -> [eth0]Linux Routing PC[eth1] -> Switch/Hub -> 10
> servers
> 
> I would need all ports on each of the machines,
> as they would be serving all forms of traffic.
> 
> I have asked some friends who know more about Linux than I do, to no avail.
> I would really appreciate any and all help in this matter.
> 
> Yuta Kawamoto
> 
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Internet Servers behind firewall (passthrough)

[Alexander Konovalenko]

[ ... ]
>> I have 10 public(internet) IP addresses, each for a server.
[ ... ]
>> I would like this Linux "routing machine" to take all traffic to the 10
>> internet IP's
>> and pass them straight on to the servers connected on the other side of this
>> machine.
>> 
>You need to investigate DNAT.

No, you don't.

DNAT is a form of Network Address Translation which would be necessary if you didn't have enough public IP addresses.

What you need is to set up your Red Hat machine (one that is directly connected to the internet) to be a router, that is, to forward IP packets it gets from both sides in the right direction.

You can read how IP routing works in the Linux Network Administrator's guide at http://www.tldp.org/LDP/nag2/x-087-2-issues.html.  Start from there and then search for any additional info on how to set up routing table for your router.  Notice that this issue is offtopic in this list, which is dedicated to packet _filtering_, NAT, etc.

You may want to set up some kind of firewalling at your router to protect your servers against different kinds of attacks or abuse.  _This_ is done using iptables.  Please consult appropriate documentation at http://www.netfilter.org/ and http://www.tldp.org/ first.

 -- alexkon

Windows Update through Mandrake firewall

[cbaker]

I am having trouble running Windows Update through a Mandrake 
Multi Network Firewall. I have already asked for help in several other 
forums.

I am able to browse other web sites just fine. The Windows Update site 
appears to fail up when I checks my PC for updates. Microsoft's site 
support site said that I should "disable the firewall."

What ports do I need to open? What rules do I need to have? Could 
this be a Squid issue (our web proxy server)?

Thanks,

Chris


========================================
Chris Baker -- technical specialist
614-839-2447x108
cbaker@bbbscentralohio.org
Big Brothers Big Sisters of Central Ohio
www.bbbscentralohio.org
Opinions expressed in this e-mail are solely my own.

Re: Windows Update through Mandrake firewall

[Antony Stone]

On Wednesday 11 February 2004 7:02 pm, cbaker@bbbscentralohio.org wrote:

> I am having trouble running Windows Update through a Mandrake
> Multi Network Firewall. I have already asked for help in several other
> forums.
>
> I am able to browse other web sites just fine. The Windows Update site
> appears to fail up when I checks my PC for updates. Microsoft's site
> support site said that I should "disable the firewall."

Hahahaha :)   Wonderful recommendations from Microsoft once again!!

> What ports do I need to open? What rules do I need to have? Could
> this be a Squid issue (our web proxy server)?

Possibly it's a Squid issue, however you should be able to tell that easily 
enough from your Squid logs - see what request comes in from the client, 
whether a response is obtained from the server, and what the status code is.

If in fact it's a netfilter problem, you can find out what ports are being 
blocked (and need to be opened for WinUpdate to work) by adding a LOG rule at 
the end of your FORWARD chain (just before the default DROP policy), and 
seeing what packets get caught (just before being discarded).   If you see 
too much to make sense of it, narrow down the logging rule by specifying the 
source address of the client making the request (this will need to bypass the 
Squid proxy, obviously, otherwise you'll just see the proxy's address, 
however I don't know whether your Squid is on the internal LAN or on a DMZ 
port of your Firewall).

Hope this helps to point you in the right direction,

Regards,

Antony.

-- 
This email is intended for the use of the individual addressee(s) named above 
and may contain information that is confidential, privileged or unsuitable 
for overly sensitive persons with low self-esteem, no sense of humour, or 
irrational religious beliefs.

If you have received this email in error, you are required to shred it 
immediately, add some nutmeg, three egg whites and a dessertspoonful of 
caster sugar.   Whisk until soft peaks form, then place in a warm oven for 40 
minutes.   Remove promptly and let stand for 2 hours before adding some 
decorative kiwi fruit and cream.   Then notify me immediately by return email 
and eat the original message.

                                                     Please reply to the list;
                                                           please don't CC me.

RE: Windows Update through Mandrake firewall

[Ray Anderson]

I have no problems updating several Windows machines behind a Mandrake
machine with iptables.  I do NOT have squid running, and only run the
standard iptables suite vs. the canned Mandrake firewall.

I do not believe this is an iptables issue, but perhaps something else
Mandrake has done with their firewall setup.  My rules are very simple, and
were obtained by following the tutorial from Oskar
(http://iptables-tutorial.frozentux.net/iptables-tutorial.html)  I go back
to this document often, and seem to glean something new from it each time.
(Thanks Oskar!)

You shouldn't have to have any ports open, but should use snat from the
internal machines to your external ip address, and dnat from the external ip
address to the related,established ports.  That should be it.

-=Ray
---------------------------------------
He who gets excited in fighting is sure to make mistakes.
Baron Manfred von Richthofen


> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org 
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of 
> cbaker@bbbscentralohio.org
> Sent: Wednesday, February 11, 2004 11:03 AM
> To: netfilter@lists.netfilter.org
> Subject: Windows Update through Mandrake firewall
> 
> 
> I am having trouble running Windows Update through a Mandrake 
> Multi Network Firewall. I have already asked for help in 
> several other 
> forums.
> 
> I am able to browse other web sites just fine. The Windows 
> Update site 
> appears to fail up when I checks my PC for updates. Microsoft's site 
> support site said that I should "disable the firewall."
> 
> What ports do I need to open? What rules do I need to have? Could 
> this be a Squid issue (our web proxy server)?
> 
> Thanks,
> 
> Chris
> 
> 
> ========================================
> Chris Baker -- technical specialist
> 614-839-2447x108
> cbaker@bbbscentralohio.org
> Big Brothers Big Sisters of Central Ohio
> www.bbbscentralohio.org
> Opinions expressed in this e-mail are solely my own.
> 
> 

SOLVED: Windows Update through Mandrake firewall

[Chris Baker]

It was a Squid problem. Squid had disabled several applications. Once I
enabled those web apps, Windows Update worked fine. Thanks for the
suggestion, even though this wasn't an IP tables issue.

Register your team online today!
BOWL FOR KIDS'SAKE 2004
Saturday, March 6, 2004
www.bfkscentralohio.org
You'll be "bowled over" when our brochure "strikes" your mailbox at the end
of January.sorry.we couldn't help ourselves! If you do not receive one,
please contact me!

==============================================================
Chris Baker -- technical specialist
614-839-2447x108 -- cbaker@bbbscentralohio.org
www.bbbscentralohio.org -- Big Brothers Big Sisters of Central Ohio
Opinions expressed in this e-mail are solely my own.

The document(s) accompanying or within this email transmission may contain
confidential information belonging to Big Brothers Big Sisters of Central
Ohio, which is legally privileged for the entity named above.  If you are
not the intended recipient, you are hereby cautioned that any disclosure,
copying, distribution, or the taking of any action in reliance on the
contents of this email information is strictly prohibited.  If you receive
this email in error, please notify us immediately by fax (614-839-5437) or
phone (614-839-2447) to advise of the error.

-----Original Message-----
From: Ray Anderson [mailto:rsa@prideindustries.com] 
Sent: Wednesday, February 11, 2004 2:56 PM
To: Chris Baker; netfilter@lists.netfilter.org
Subject: RE: Windows Update through Mandrake firewall

I have no problems updating several Windows machines behind a Mandrake
machine with iptables.  I do NOT have squid running, and only run the
standard iptables suite vs. the canned Mandrake firewall.

I do not believe this is an iptables issue, but perhaps something else
Mandrake has done with their firewall setup.  My rules are very simple, and
were obtained by following the tutorial from Oskar
(http://iptables-tutorial.frozentux.net/iptables-tutorial.html)  I go back
to this document often, and seem to glean something new from it each time.
(Thanks Oskar!)

You shouldn't have to have any ports open, but should use snat from the
internal machines to your external ip address, and dnat from the external ip
address to the related,established ports.  That should be it.

-=Ray
---------------------------------------
He who gets excited in fighting is sure to make mistakes.
Baron Manfred von Richthofen


> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org 
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of 
> cbaker@bbbscentralohio.org
> Sent: Wednesday, February 11, 2004 11:03 AM
> To: netfilter@lists.netfilter.org
> Subject: Windows Update through Mandrake firewall
> 
> 
> I am having trouble running Windows Update through a Mandrake 
> Multi Network Firewall. I have already asked for help in 
> several other 
> forums.
> 
> I am able to browse other web sites just fine. The Windows 
> Update site 
> appears to fail up when I checks my PC for updates. Microsoft's site 
> support site said that I should "disable the firewall."
> 
> What ports do I need to open? What rules do I need to have? Could 
> this be a Squid issue (our web proxy server)?
> 
> Thanks,
> 
> Chris
> 
> 
> ========================================
> Chris Baker -- technical specialist
> 614-839-2447x108
> cbaker@bbbscentralohio.org
> Big Brothers Big Sisters of Central Ohio
> www.bbbscentralohio.org
> Opinions expressed in this e-mail are solely my own.
> 
> 

RE: Internet Servers behind firewall (passthrough)

[bmcdowell]

Bridging comes to mind here as well:

bridge.sourceforge.net

ebtables.sourceforge.net


Bob
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Alexander
Konovalenko
Sent: Wednesday, February 11, 2004 11:24 AM
To: netfilter@lists.netfilter.org; sceotjp@ybb.ne.jp
Cc: raymondl@knowledgefactory.co.za
Subject: Re: Internet Servers behind firewall (passthrough)


[ ... ]
>> I have 10 public(internet) IP addresses, each for a server.
[ ... ]
>> I would like this Linux "routing machine" to take all traffic to the
10
>> internet IP's
>> and pass them straight on to the servers connected on the other side
of this
>> machine.
>> 
>You need to investigate DNAT.

No, you don't.

DNAT is a form of Network Address Translation which would be necessary
if you didn't have enough public IP addresses.

What you need is to set up your Red Hat machine (one that is directly
connected to the internet) to be a router, that is, to forward IP
packets it gets from both sides in the right direction.

You can read how IP routing works in the Linux Network Administrator's
guide at http://www.tldp.org/LDP/nag2/x-087-2-issues.html.  Start from
there and then search for any additional info on how to set up routing
table for your router.  Notice that this issue is offtopic in this list,
which is dedicated to packet _filtering_, NAT, etc.

You may want to set up some kind of firewalling at your router to
protect your servers against different kinds of attacks or abuse.
_This_ is done using iptables.  Please consult appropriate documentation
at http://www.netfilter.org/ and http://www.tldp.org/ first.

 -- alexkon