ipmasq - 2 machines, same ip

Posted on 1997-08-12
Last Modified: 2010-03-17
Greetings

I have a gateway machine (funky, Linux 2.0.30) with 3 ethernet cards. It has eth0 for the internal subnet which masquerades out to the world through eth1. I have another machine (dopey, Win95) connected through eth2 which needs to be the same IP as eth1. dopey needs to run some Windows authentication software and only needs to talk to the outside world.

I.e. I want to redirect a select few ports from funky to dopey so that dopey is the sole responder to those ports.

1) How shall I ifconfig and route my eth2?
2) How can I ipfwadm/ipautofw to achieve my goal?
3) Can I achieve my goal without patching my kernel?

Thanks for any help.
Question by: antonysuter

Accepted Solution by: sauron
1/ You set eth2 up in the same way as you set up eth0. At this level things are the same. You will need routing from the Win95 box to the outside world. You may need to alter IP addresses - you should ensure that the machines connected to eth0 are on a different subnet to those on eth2, and the netmasks must be correctly configured.

2/ You use ipfwadm to set up a policy to accept/masquerade packets coming from dopey's IP address, going to outside addresses. So you'll need an accept without masquerade policy for stuff coming from subnet 1 (attached to eth0) destined for subnet 2 (attached to eth2) and vice versa. Then you need an accept with masquerade policy for stuff coming from each subnet going to anywhere.

IP masquerading will take care of all network connections that are initiated from behind funky, where the protocol in use expects to receive packets only on ports it has already sent packets from.

Should you wish to use a protocol/app that wishes to receive packets on ports other than those it initiates the connection from, you should use ipautofw to redirect a port range to the last masqueraded host to initiate a connection on a defined port. This will take care of pretty much anything that plain masquerading won't do. The catches are, you need to know the port range for the protocol/app in question, and the first connection on the 'control' port must be initiated from behind funky. ipautofw makes certain assumptions in order to do its job, so if two masqueraded hosts attempt to simultaneously use a service dealt with by ipautofw, you may have problems.

If you wish to allow connections to certain ports to be initiated externally, and still reach machines behind the firewall, you will need to use an ipfwadm policy to redirect packets coming from anywhere (0.0.0.0) on port whatever to a particular IP address on your local network (dopey's). Where you put this in the config file will be important - it should probably be one of the last rules set up - i.e. if nothing else fits, use this one. By doing this you will be transparently redirecting that port to a specific machine. Obviously, you limit the use other machines can make of this port by doing this, but this should not be a problem in most circumstances.

3/ IP masquerading and ipautofw both require kernel modifications, and though IP masquerading is now in the released kernels, I'm not aware of ipautofw having been officially added to the kernel source tree. I've also heard that you may need a patch or two to fix a couple of masquerading related bugs in 2.0.30. On the whole, I'd be surprised if you could do it without patching the kernel.
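The layout the accepted answer describes, written out as an added example; it is not part of the original question or answer. The addresses (RFC 1918 ranges for the two internal subnets, a documentation-range address for eth1), the netmask, the forwarded port 1234 and the ipautofw port numbers are all assumptions chosen for illustration. By default the script is a dry run that only prints the ifconfig, route and ipfwadm commands it would issue; set APPLY=1 to execute them on a Linux 2.0 gateway. One caveat a practitioner should know before relying on part 2 of the answer: ipfwadm's -r option redirects a port to a socket on the gateway itself (transparent proxying), so handing externally initiated connections on to dopey needs the separate ipportfw kernel patch and its userland tool, which the script shows as an assumed extra step with that tool's syntax, not the answer's.

```shell
#!/bin/sh
# Added example for the three-NIC gateway "funky" (Linux 2.0, ipfwadm).
# All addresses, the netmask, FWD_PORT and the ipautofw ports are assumptions.
# Without APPLY=1 the commands are only printed (dry run).

EXT_IF=eth1                  # outside world; the address dopey must appear as
EXT_IP=198.51.100.10         # funky's public address on eth1 (assumed)
LAN_NET=192.168.1.0/24       # hosts behind eth0 (assumed)
DMZ_NET=192.168.2.0/24       # hosts behind eth2 (assumed); must differ from LAN_NET
GW_DMZ_IP=192.168.2.1        # funky's own address on eth2 (assumed)
DOPEY_IP=192.168.2.2         # the Win95 box (assumed)
FWD_PORT=1234                # TCP port dopey must be the sole responder for (assumed)

# Execute the command when APPLY=1, otherwise print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# The answer's precondition: eth0 and eth2 must be on different subnets.
check_subnets() {
    if [ "$1" = "$2" ]; then
        echo "eth0 and eth2 must be on different subnets (both $1)" >&2
        return 1
    fi
    return 0
}

gateway_rules() {
    check_subnets "$LAN_NET" "$DMZ_NET" || return 1

    # 1) eth2 is brought up like eth0: its own address, netmask and connected route.
    run ifconfig eth2 "$GW_DMZ_IP" netmask 255.255.255.0 up
    run route add -net "${DMZ_NET%/*}" netmask 255.255.255.0 dev eth2

    # 2) Forwarding chain: flush, deny by default, then rules in order (first match wins).
    run ipfwadm -F -f
    run ipfwadm -F -p deny
    #    subnet <-> subnet is forwarded without masquerading
    run ipfwadm -F -a accept -S "$LAN_NET" -D "$DMZ_NET"
    run ipfwadm -F -a accept -S "$DMZ_NET" -D "$LAN_NET"
    #    everything else from either subnet leaves masqueraded behind eth1
    run ipfwadm -F -a masquerade -S "$LAN_NET" -D 0.0.0.0/0 -W "$EXT_IF"
    run ipfwadm -F -a masquerade -S "$DMZ_NET" -D 0.0.0.0/0 -W "$EXT_IF"

    #    protocols that receive on ports they never sent from: ipautofw opens a
    #    reply range for the last masqueraded host that used the control port
    #    (tcp 7070 / udp 6970-7170 is the usual RealAudio example, assumed here)
    run ipautofw -A -r udp 6970 7170 -c tcp 7070

    # 3) Externally initiated connections to FWD_PORT go on to dopey. ipfwadm -r
    #    only redirects to the gateway's own sockets, so this step assumes the
    #    ipportfw patch and tool are installed (syntax from that tool, not the post).
    run ipportfw -A -t"$EXT_IP/$FWD_PORT" -R "$DOPEY_IP/$FWD_PORT"
}

gateway_rules
```

Rule order is what makes the subnet-to-subnet traffic stay unmasqueraded: ipfwadm appends and evaluates in order, so the two accept rules sit before the catch-all masquerade rules, and the inbound forward is added last, which is the "if nothing else fits, use this one" placement the answer recommends. The dry run exists so the rule set can be read and diffed before it touches a production gateway.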