Solved

ipmasq - 2 machines, same ip

Posted on 1997-08-12
Last Modified: 2010-03-17
Greetings

I have a gateway machine (funky, Linux 2.0.30) with 3 ethernet cards. It has eth0 for the internal subnet which masquerades out to the world through eth1. I have another machine (dopey, Win95) connected through eth2 which needs to be the same IP as eth1. dopey needs to run some Windows authentication software and only needs to talk to the outside world.

I.e. I want to redirect a select few ports from funky to dopey so that dopey is the sole responder to those ports.

1) How shall I ifconfig and route my eth2?
2) How can I ipfwadm/ipautofw to achieve my goal?
3) Can I achieve my goal without patching my kernel?

Thanks for any help.
Question by:antonysuter

Accepted Solution by sauron (earned 150 total points), ID: 1586010
1/ You set eth2 up in the same way as you set up eth0. At this level things are the same. You will need routing from the Win95 box to the outside world. You may need to alter IP addresses - you should ensure that the machines connected to eth0 are on a different subnet to those on eth2, and the netmasks must be correctly configured.

2/ You use ipfwadm to set up a policy to accept/masquerade packets coming from dopey's IP address, going to outside addresses. So you'll need an accept without masquerade policy for stuff coming from subnet 1 (attached to eth0) destined for subnet 2 (attached to eth2) and vice versa. Then you need an accept with masquerade policy for stuff coming from each subnet going to anywhere.

IP masquerading will take care of all network connections that are initiated from behind funky, where the protocol in use expects to receive packets only on ports it has already sent packets from.

Should you wish to use a protocol/app that wishes to receive packets on ports other than those it initiates the connection from, you should use ipautofw to redirect a port range to the last masqueraded host to initiate a connection on a defined port. This will take care of pretty much anything that plain masquerading won't do. The catches are, you need to know the port range for the protocol/app in question, and the first connection on the 'control' port must be initiated from behind funky. Ipautofw makes certain assumptions in order to do its job, so if two masqueraded hosts attempt to simultaneously use a service dealt with by ipautofw, you may have problems.

If you wish to allow connections to certain ports to be initiated externally, and still reach machines behind the firewall, you will need to use an ipfwadm policy to redirect packets coming from anywhere (0.0.0.0) on port whatever to a particular IP address on your local network (dopey's). Where you put this in the config file will be important - it should probably be one of the last rules set up - i.e. if nothing else fits, use this one. By doing this you will be transparently redirecting that port to a specific machine. Obviously, you limit the use other machines can make of this port by doing this, but this should not be a problem in most circumstances.

3/ IP masquerading and Ipautofw both require kernel modifications, and though IP masquerading is now in the released kernels, I'm not aware of IPautofw having been officially added to the kernel source tree. I've also heard that you may need a patch or two to fix a couple of masquerading related bugs in 2.0.30. On the whole, I'd be surprised if you could do it without patching the kernel.
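As an added example (not from the question or from sauron's answer), here is a shell script for the eth2 setup and the ipfwadm forwarding rules described in points 1 and 2, using constructed private addresses: 192.168.1.0/24 behind eth0, 192.168.2.0/24 on the eth2 link to dopey, and funky at 192.168.2.1 on eth2. It echoes the commands by default so it can be checked before being run on funky; the externally initiated port redirect from the answer's last paragraph is not included.

```shell
#!/bin/sh
# Added example for the layout in the question: funky forwards between eth0's
# subnet, eth2's subnet (dopey) and the outside world via eth1.
# All addresses below are constructed placeholders, not from the page.
INSIDE_NET=192.168.1.0/24            # hosts behind eth0
DOPEY_NET=192.168.2.0/24             # the eth2 link; must differ from eth0's subnet
FUNKY_ETH2=192.168.2.1               # funky's own address on eth2
FUNKY_ETH2_BCAST=192.168.2.255

# Dry run by default: commands are echoed. Run as  RUN= sh script.sh  on funky
# to execute them for real.
RUN=${RUN-echo}
cmd() { $RUN "$@"; }

# Point 1: eth2 is configured just like eth0, with its own subnet and an
# explicit network route (2.0 kernels do not add it automatically).
configure_eth2() {
    cmd ifconfig eth2 "$FUNKY_ETH2" netmask 255.255.255.0 broadcast "$FUNKY_ETH2_BCAST" up
    cmd route add -net 192.168.2.0 netmask 255.255.255.0 dev eth2
}

# Point 2: forwarding chain. Rules are checked in order and the first match
# wins, so the plain accept rules for subnet-to-subnet traffic come before the
# masquerade-to-anywhere rules; otherwise inter-subnet packets would match the
# 0.0.0.0/0 destination and be masqueraded as well.
forward_rules() {
    cmd ipfwadm -F -f                                   # flush old rules
    cmd ipfwadm -F -p deny                              # forward nothing else
    cmd ipfwadm -F -a accept -S "$INSIDE_NET" -D "$DOPEY_NET"
    cmd ipfwadm -F -a accept -S "$DOPEY_NET" -D "$INSIDE_NET"
    cmd ipfwadm -F -a masquerade -S "$INSIDE_NET" -D 0.0.0.0/0
    cmd ipfwadm -F -a masquerade -S "$DOPEY_NET" -D 0.0.0.0/0
}

configure_eth2
forward_rules
```

`ipfwadm -F -l` on funky lists the resulting forwarding chain in the order the rules were appended.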
