Solved

ipmasq - 2 machines, same ip

Posted on 1997-08-12
Last Modified: 2010-03-17
Greetings

I have a gateway machine (funky, Linux 2.0.30) with 3 ethernet cards. It has eth0 for the internal subnet which masquerades out to the world through eth1. I have another machine (dopey, Win95) connected through eth2 which needs to be the same IP as eth1. dopey needs to run some Windows authentication software and only needs to talk to the outside world.

I.e. I want to redirect a select few ports from funky to dopey so that dopey is the sole responder to those ports.

1) How shall I ifconfig and route my eth2?
2) How can I ipfwadm/ipautofw to achieve my goal?
3) Can I achieve my goal without patching my kernel?

Thanks for any help.
Question by: antonysuter
 
Accepted Solution by: sauron (earned 150 total points)

1/ You set eth2 up in the same way as you set up eth0. At this level things are the same. You will need routing from the Win95 box to the outside world. You may need to alter IP addresses - you should ensure that the machines connected to eth0 are on a different subnet to those on eth2, and the netmasks must be correctly configured.

2/ You use ipfwadm to set up a policy to accept/masquerade packets coming from dopey's IP address, going to outside addresses. So you'll need an accept without masquerade policy for stuff coming from subnet 1 (attached to eth0) destined for subnet 2 (attached to eth2) and vice versa. Then you need an accept with masquerade policy for stuff coming from each subnet going to anywhere.

IP masquerading will take care of all network connections that are initiated from behind funky, where the protocol in use expects to receive packets only on ports it has already sent packets from.

Should you wish to use a protocol/app that wishes to receive packets on ports other than those it initiates the connection from, you should use ipautofw to redirect a port range to the last masqueraded host to initiate a connection on a defined port. This will take care of pretty much anything that plain masquerading won't do. The catches are, you need to know the port range for the protocol/app in question, and the first connection on the 'control' port must be initiated from behind funky. ipautofw makes certain assumptions in order to do its job, so if two masqueraded hosts attempt to simultaneously use a service dealt with by ipautofw, you may have problems.

If you wish to allow connections to certain ports to be initiated externally, and still reach machines behind the firewall, you will need to use an ipfwadm policy to redirect packets coming from anywhere (0.0.0.0) on port whatever to a particular IP address on your local network (dopey's). Where you put this in the config file will be important - it should probably be one of the last rules set up - i.e. if nothing else fits, use this one. By doing this you will be transparently redirecting that port to a specific machine. Obviously, you limit the use other machines can make of this port by doing this, but this should not be a problem in most circumstances.

3/ IP masquerading and ipautofw both require kernel modifications, and though IP masquerading is now in the released kernels, I'm not aware of ipautofw having been officially added to the kernel source tree. I've also heard that you may need a patch or two to fix a couple of masquerading related bugs in 2.0.30. On the whole, I'd be surprised if you could do it without patching the kernel.
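The three behaviours the accepted answer describes (plain masquerading of inside-initiated connections, ipautofw's "the port range follows the last host that used the control port" rule with its two-hosts catch, and a fixed port redirect to dopey tried only when nothing else matches) are easier to reason about as a small state machine. The following is an added Python model written for this page; it is not kernel, ipfwadm or ipautofw code and it does not issue any rules. All addresses and ports are assumptions: 10.0.1.0/24 on eth0, 10.0.2.0/24 on eth2, dopey at 10.0.2.2, funky's eth1 at 192.0.2.1, a control port 7070 with data range 8000-8010 for the ipautofw case, and port 1234 as the port redirected to dopey. The 61000-65095 masquerade port range is the Linux 2.0 default.

```python
"""Toy model of a Linux 2.0 masquerading gateway as described in the answer
above: masquerading, ipautofw range forwarding and a fixed port redirect.
Constructed example; every address and port here is an assumption."""
from dataclasses import dataclass

GATEWAY_EXT = "192.0.2.1"        # funky's eth1 address (assumed, TEST-NET-1)
INSIDE = ("10.0.1.", "10.0.2.")  # subnets behind eth0 and eth2 (assumed)
DOPEY = "10.0.2.2"               # the Win95 box on eth2 (assumed)
MASQ_PORT_MIN, MASQ_PORT_MAX = 61000, 65095  # 2.0 default masquerade ports


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self, redirect, autofw):
        self.redirect = redirect   # dport -> inside host; the "dopey" rule, tried last
        self.autofw = autofw       # control dport -> (lo, hi) data range forwarded back
        self.masq = {}             # masquerade port -> (inside src, inside sport)
        self.owner = {}            # control dport -> last inside host that used it
        self.next_port = MASQ_PORT_MIN

    def is_inside(self, ip):
        return ip.startswith(INSIDE)

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source to the gateway's address/port."""
        if not self.is_inside(pkt.src):
            raise ValueError("outbound path only accepts packets from inside")
        if self.is_inside(pkt.dst):
            return pkt  # inside <-> inside: accept without masquerade
        for mport, conn in self.masq.items():
            if conn == (pkt.src, pkt.sport):
                break  # existing masqueraded connection, reuse its port
        else:
            if self.next_port > MASQ_PORT_MAX:
                raise RuntimeError("masquerade port range exhausted")
            mport, self.next_port = self.next_port, self.next_port + 1
            self.masq[mport] = (pkt.src, pkt.sport)
        if pkt.dport in self.autofw:
            self.owner[pkt.dport] = pkt.src  # ipautofw: remember who spoke last
        return Packet(GATEWAY_EXT, mport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> gateway: return the rewritten packet, or None if dropped."""
        if pkt.dport in self.masq:  # reply to a connection initiated from inside
            src, sport = self.masq[pkt.dport]
            return Packet(pkt.src, pkt.sport, src, sport)
        for ctl, (lo, hi) in self.autofw.items():  # ipautofw data-port range
            if lo <= pkt.dport <= hi and ctl in self.owner:
                return Packet(pkt.src, pkt.sport, self.owner[ctl], pkt.dport)
        if pkt.dport in self.redirect:  # "if nothing else fits, use this one"
            return Packet(pkt.src, pkt.sport, self.redirect[pkt.dport], pkt.dport)
        return None  # externally initiated, no rule matched: dropped


def demo():
    gw = Gateway(redirect={1234: DOPEY}, autofw={7070: (8000, 8010)})
    # 1. ordinary masqueraded connection from host A, and the reply to it
    out = gw.outbound(Packet("10.0.1.5", 1025, "203.0.113.9", 80))
    reply = gw.inbound(Packet("203.0.113.9", 80, GATEWAY_EXT, out.sport))
    # 2. ipautofw: A opens the control port, the data range is forwarded to A
    gw.outbound(Packet("10.0.1.5", 1026, "203.0.113.9", 7070))
    data_a = gw.inbound(Packet("203.0.113.9", 9000, GATEWAY_EXT, 8003))
    # 3. host B opens the same control port: the range now follows B (the catch)
    gw.outbound(Packet("10.0.1.6", 1030, "203.0.113.9", 7070))
    data_b = gw.inbound(Packet("203.0.113.9", 9000, GATEWAY_EXT, 8003))
    # 4. externally initiated connection to the redirected port lands on dopey
    to_dopey = gw.inbound(Packet("198.51.100.7", 40000, GATEWAY_EXT, 1234))
    # 5. anything else initiated from outside is dropped
    dropped = gw.inbound(Packet("198.51.100.7", 40001, GATEWAY_EXT, 22))
    return out, reply, data_a, data_b, to_dopey, dropped


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Step 3 is the two-hosts problem the answer warns about: once B has used the control port, packets that A's application is still expecting on 8000-8010 go to B. For the addresses assumed here, the accept-without-masquerade and accept-with-masquerade rules from point 2 would be of the shape `ipfwadm -F -a accept -S 10.0.1.0/24 -D 10.0.2.0/24` (and the reverse) and `ipfwadm -F -a masquerade -S 10.0.1.0/24 -D 0.0.0.0/0`, repeated for 10.0.2.0/24.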