ipmasq - 2 machines, same ip

Greetings

I have a gateway machine (funky, Linux 2.0.30) with 3 ethernet cards. It has eth0 for the internal subnet which masquerades out to the world through eth1. I have another machine (dopey, Win95) connected through eth2 which needs to be the same IP as eth1. dopey needs to run some Windows authentication software and only needs to talk to the outside world.

I.e., I want to redirect a select few ports from funky to dopey so that dopey is the sole responder to those ports.

1) How shall I ifconfig and route my eth2?
2) How can I ipfwadm/ipautofw to achieve my goal?
3) Can I achieve my goal without patching my kernel?

Thanks for any help.
Asked by: antonysuter

1 Solution
sauron commented:
1/ You set eth2 up in the same way as you set up eth0. At this level things are the same. You will need routing from the Win95 box to the outside world. You may need to alter IP addresses - you should ensure that the machines connected to eth0 are on a different subnet to those on eth2, and the netmasks must be correctly configured.

2/ You use ipfwadm to set up a policy to accept/masquerade packets coming from dopey's IP address, going to outside addresses. So you'll need an accept without masquerade policy for stuff coming from subnet 1 (attached to eth0) destined for subnet 2 (attached to eth2) and vice versa. Then you need an accept with masquerade policy for stuff coming from each subnet going to anywhere.

IP masquerading will take care of all network connections that are initiated from behind funky, where the protocol in use expects to receive packets only on ports it has already sent packets from.

Should you wish to use a protocol/app that wishes to receive packets on ports other than those it initiates the connection from, you should use ipautofw to redirect a port range to the last masqueraded host to initiate a connection on a defined port. This will take care of pretty much anything that plain masquerading won't do. The catches are, you need to know the port range for the protocol/app in question, and the first connection on the 'control' port must be initiated from behind funky. Ipautofw makes certain assumptions in order to do its job, so if two masqueraded hosts attempt to simultaneously use a service dealt with by ipautofw, you may have problems.

If you wish to allow connections to certain ports to be initiated externally, and still reach machines behind the firewall, you will need to use an ipfwadm policy to redirect packets coming from anywhere (0.0.0.0) on port whatever to a particular IP address on your local network (dopey's). Where you put this in the config file will be important - it should probably be one of the last rules set up - i.e. if nothing else fits, use this one. By doing this you will be transparently redirecting that port to a specific machine. Obviously, you limit the use other machines can make of this port by doing this, but this should not be a problem in most circumstances.

3/ IP masquerading and Ipautofw both require kernel modifications, and though IP masquerading is now in the released kernels, I'm not aware of IPautofw having been officially added to the kernel source tree. I've also heard that you may need a patch or two to fix a couple of masquerading related bugs in 2.0.30. On the whole, I'd be surprised if you could do it without patching the kernel.
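The following script is an added example of points 1/ and 2/ of the answer above, written for this page; it is not code from either participant. It assumes an address plan that the thread never states (subnet 192.168.1.0/24 on eth0, a distinct subnet 192.168.2.0/24 on eth2 with funky at .1 and dopey at .2, eth1 as the outside interface); these values are constructed. It configures eth2 like eth0 with a covering route, then installs ipfwadm forwarding rules in the order the answer describes: a deny default policy, plain accept rules between the two internal subnets in both directions (listed first so inter-subnet traffic is never masqueraded), and masquerade rules for each subnet to anywhere via eth1, which is what makes dopey appear on the outside with eth1's address. The externally initiated port redirect from the end of the answer is not included, since the page does not give its rule form. Setting RUN=echo prints the commands instead of running them, which is a useful dry run on a 2.0-era box where a wrong rule locks you out.

```shell
#!/bin/sh
# Added example for the thread above: funky (Linux 2.0.x) with eth0 (subnet 1),
# eth1 (outside, masqueraded) and eth2 (subnet 2, dopey). Addresses are
# constructed assumptions, not values from the page.
INT_NET=192.168.1.0      # subnet 1, already configured on eth0
ETH2_NET=192.168.2.0     # subnet 2, must differ from subnet 1
ETH2_MASK=255.255.255.0
ETH2_ADDR=192.168.2.1    # funky's address on eth2
DOPEY=192.168.2.2        # dopey's private address; it masquerades out as eth1
EXT_IF=eth1

# RUN=echo turns every command into a dry-run print; empty means execute.
RUN="${RUN:-}"

# 1/ bring up eth2 the same way eth0 was brought up, with a route for its subnet
configure_eth2() {
  $RUN ifconfig eth2 "$ETH2_ADDR" netmask "$ETH2_MASK" up
  $RUN route add -net "$ETH2_NET" netmask "$ETH2_MASK" dev eth2
}

# 2/ forwarding rules: flush, deny by default, accept between the two internal
# subnets without masquerade, then masquerade each subnet to anywhere via eth1.
# Order matters: ipfwadm uses the first matching rule, so the plain accept rules
# must precede the masquerade rules or subnet-to-subnet traffic gets masqueraded.
configure_forwarding() {
  $RUN ipfwadm -F -f
  $RUN ipfwadm -F -p deny
  $RUN ipfwadm -F -a accept -S "$INT_NET/24" -D "$ETH2_NET/24"
  $RUN ipfwadm -F -a accept -S "$ETH2_NET/24" -D "$INT_NET/24"
  $RUN ipfwadm -F -a masquerade -W "$EXT_IF" -S "$INT_NET/24" -D 0.0.0.0/0
  $RUN ipfwadm -F -a masquerade -W "$EXT_IF" -S "$ETH2_NET/24" -D 0.0.0.0/0
}

# Only apply when explicitly asked: "sh thisfile.sh apply" (or RUN=echo for a dry run)
if [ "${1:-}" = "apply" ]; then
  configure_eth2
  configure_forwarding
  ipfwadm -F -l   # list the resulting forwarding chain to verify the order
fi
```

Run it first with `RUN=echo sh thisfile.sh apply` and compare the printed rules against the two subnets you actually use; only then apply for real. Because the default forwarding policy is deny, anything not covered by an accept or masquerade rule, including traffic from dopey to subnet 1 if you later decide it should not be reachable, is dropped rather than silently forwarded.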