ipmasq - 2 machines, same ip

Posted on 1997-08-12
Last Modified: 2010-03-17
Greetings

I have a gateway machine (funky, Linux 2.0.30) with 3 ethernet cards. It has eth0 for the internal subnet which masquerades out to the world through eth1. I have another machine (dopey, Win95) connected through eth2 which needs to be the same IP as eth1. dopey needs to run some Windows authentication software and only needs to talk to the outside world.

I.e. I want to redirect a select few ports from funky to dopey so that dopey is the sole responder to those ports.

1) How shall I ifconfig and route my eth2?
2) How can I ipfwadm/ipautofw to achieve my goal?
3) Can I achieve my goal without patching my kernel?

Thanks for any help.
Question by: antonysuter

Accepted Solution by: sauron (ID: 1586010)
1/ You set eth2 up in the same way as you set up eth0. At this level things are the same. You will need routing from the Win95 box to the outside world. You may need to alter IP addresses - you should ensure that the machines connected to eth0 are on a different subnet to those on eth2, and the netmasks must be correctly configured.

2/ You use ipfwadm to set up a policy to accept/masquerade packets coming from dopey's IP address, going to outside addresses. So you'll need an accept without masquerade policy for stuff coming from subnet 1 (attached to eth0) destined for subnet 2 (attached to eth2) and vice versa. Then you need an accept with masquerade policy for stuff coming from each subnet going to anywhere.

IP masquerading will take care of all network connections that are initiated from behind funky, where the protocol in use expects to receive packets only on ports it has already sent packets from.

Should you wish to use a protocol/app that wishes to receive packets on ports other than those it initiates the connection from, you should use ipautofw to redirect a port range to the last masqueraded host to initiate a connection on a defined port. This will take care of pretty much anything that plain masquerading won't do. The catches are, you need to know the port range for the protocol/app in question, and the first connection on the 'control' port must be initiated from behind funky. ipautofw makes certain assumptions in order to do its job, so if two masqueraded hosts attempt to simultaneously use a service dealt with by ipautofw, you may have problems.

If you wish to allow connections to certain ports to be initiated externally, and still reach machines behind the firewall, you will need to use an ipfwadm policy to redirect packets coming from anywhere (0.0.0.0) on port whatever to a particular IP address on your local network (dopey's). Where you put this in the config file will be important - it should probably be one of the last rules set up - i.e. if nothing else fits, use this one. By doing this you will be transparently redirecting that port to a specific machine. Obviously, you limit the use other machines can make of this port by doing this, but this should not be a problem in most circumstances.

3/ IP masquerading and ipautofw both require kernel modifications, and though IP masquerading is now in the released kernels, I'm not aware of ipautofw having been officially added to the kernel source tree. I've also heard that you may need a patch or two to fix a couple of masquerading related bugs in 2.0.30. On the whole, I'd be surprised if you could do it without patching the kernel.
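A worked version of points 1 and 2 of the answer above, added here as an example; it is not code from the original post or its answer. The interface names eth0/eth1/eth2 and the host name dopey come from the question. Every address, netmask and port number is an assumption chosen for illustration, and the ipautofw option syntax (-r range, -c control port, -u last host) is written from memory of the ipautofw usage text, so check it against the copy you install. The script prints the commands by default (DRY_RUN=1) so it can be read and checked on any machine; run it with DRY_RUN=0 on the gateway itself.

```shell
#!/bin/sh
# Added example for a three-interface Linux 2.0 gateway laid out like "funky".
# Assumed topology (hypothetical addresses):
#   eth0  192.168.1.1/24   subnet 1, the existing internal LAN
#   eth2  192.168.2.1/24   subnet 2, whose only host is dopey at 192.168.2.2
#   eth1  public side, address assigned by the ISP

IPFWADM=${IPFWADM:-ipfwadm}
IPAUTOFW=${IPAUTOFW:-ipautofw}
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands; DRY_RUN=0 executes them

NET1=192.168.1.0/24
NET2=192.168.2.0/24
EXT_IF=eth1

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Point 1: bring up eth2 the same way as eth0 but on its own subnet, and add
# the network route by hand (2.0 kernels do not create it for you).
configure_eth2() {
    run ifconfig eth2 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255 up
    run route add -net 192.168.2.0 netmask 255.255.255.0 dev eth2
}

# Forwarding between interfaces is off until this is set.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Point 2: -F is the forwarding chain. Default policy deny, then plain accept
# between the two subnets (no masquerading), then masquerade everything else
# that leaves either subnet through eth1.
build_forward_rules() {
    run "$IPFWADM" -F -f                          # flush old forwarding rules
    run "$IPFWADM" -F -p deny                     # anything not listed below is dropped
    run "$IPFWADM" -F -a accept -S "$NET1" -D "$NET2"
    run "$IPFWADM" -F -a accept -S "$NET2" -D "$NET1"
    run "$IPFWADM" -F -a masquerade -S "$NET1" -D 0.0.0.0/0 -W "$EXT_IF"
    run "$IPFWADM" -F -a masquerade -S "$NET2" -D 0.0.0.0/0 -W "$EXT_IF"
    run "$IPFWADM" -M -s 7200 10 160              # masq timeouts: tcp, tcp-fin, udp (seconds)
}

# The ipautofw case from the answer: a protocol whose control connection goes
# out on one port and expects replies on a range. Assumed syntax and
# hypothetical ports: forward tcp 7000-7010 back to whichever masqueraded
# host last connected out on tcp 7000 (-u).
build_autofw_rules() {
    run "$IPAUTOFW" -A -r tcp 7000 7010 -c tcp 7000 -u
}

apply_all() {
    configure_eth2
    enable_forwarding
    build_forward_rules
    build_autofw_rules
}

apply_all
```

Order matters for the inter-subnet accept rules: they are appended before the masquerade rules so that subnet 1 to subnet 2 traffic is matched and forwarded unchanged rather than being masqueraded as if it were leaving for the Internet. The deny default policy means a typo in the subnet addresses shows up as blocked traffic instead of silently leaking something out unmasqueraded.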
