Problems using ipforwarding 1

UnknownPerson

Programmer
Dec 4, 2001
80
BR
I recently posted a similar message in the TCP/IP forum, but I really believe people there don't know the answer. The problem is this:

I have a Linux server which I use as a gateway for my home network (which has three clients, m1, m2 and m3). All the clients are Windows ME, and are set up to use a gateway which is my Linux server, which in turn has ip forwarding enabled.

Everything is ok if I use protocols which do _*NOT*_ need to transmit their IP off the line (for example, HTTP doesn't need to, but FTP needs to, ICQ needs to, and a lot of other protocols need to do that too). But when I try to use other protocols like FTP, it doesn't work.

I don't really know the cause of the problem, but I have a serious doubt on the PORT command (in FTP's case). As FTP sends a PORT, he must tell where to establish the connection, and since (i.e.) his IP is 192.168.1.3, he tells the remote computer (i.e. ftp.microsoft.com) that he needs to establish a data connection at 192.168.1.3... I don't know if Microsoft uses a 192.168.0.0 network, but that address is private and obviously the attempt will fail, destroying peace.

So, ** How would ipforwarding let me use protocols which send their IP on my clients without client modification? **
I want something TRANSPARENT, not to be configured host-by-host, and *I KNOW IT'S POSSIBLE (AT LEAST ON FTP)*.

I know of a cyber cafe where computers have no special configs in them and can smoothly use it, *USING Linux's IPFORWARDING!!*.

Please, if anyone has a clue, please let me know, I really need to know AND this would be an expert post.

Sincerely yours,

Hello there
I think you have one major problem with this set up. The reason is:
Unless you have been given multiple IP addresses for your machines from your ISP and put them on your windows machines, you will not be able to use IP_Forwarding because the IP address scheme you are using is already being used by somebody else, and therefore the routing set up across the Internet will not return the packets to your machine.
Therefore you will not be able to do anything.
There are two ways to solve this problem. The first would be to use some sort of IP Masquerading, whereby the packets you send to your Firewall from your windows machines are translated to the IP address of your Linux Server and out onto the Internet. Upon return they are translated back to your Windows machines and given back to them.
OR
and this is the easy solution. Use some Proxy Server on your Linux machine to take care of this for you. Squid is unbelievably easy to set up, I did it in about 5 minutes with some quick instructions off the net.
Remember you will need to change the Internet Options on your web browser to point to your Proxy Server, Linux Server.
I hope this is of some help
With regards
Ben
Hi,

The answer is undoubtedly IP masquerading.

With Linux, the IP masquerading is done with the firewalling code - i.e. using ipchains or possibly the newer iptables w.e.f. kernel 2.4.0. IP masquerading is just a form of source NAT (network address translation) where the Linux box dynamically substitutes its own public IP address for the origin LAN address within the IP packet before putting it on the wire and does the reverse when it gets an associated response.

Because of this outbound source-NAT and inbound destination-NAT, some protocols - like active FTP - don't work too well. Active FTP is one of the trickiest because it uses two simultaneous TCP connections - the control channel from the client to server TCP port 21 but also a data channel using port 20 back to the client. Because this latter connection is initiated by the server it may be firewalled out as an attempt to initiate an inbound connection (SYN bit set). iptables has an ip_nat_ftp module so it is possible to associate this second connection using iptables but it's more tricky with ipchains. Without this, when you add in the masquerade aspects it becomes doubly complicated - how does the Linux box know where to send an inbound FTP data channel connection that is not a 'reply' to something previously sent?

The simplest answer is to use passive FTP instead of active FTP. With passive, both channels are initiated from the client so there is a conventional connection to track and you don't need to permit inbound packets with the SYN bit on. Using passive FTP is something the client s/w controls - there is almost always a config option to use passive FTP and virtually all FTP servers will understand passive as well as the more traditional active FTP.

Other protocols can be a bit tricky too but in principle should work as long as the origin client ports are unique.

How do you do it ? In ipchains you can just do :

# echo 1 > /proc/sys/net/ipv4/ip_forward
# ipchains -P forward DENY
# ipchains -A forward -i eth1 -j MASQ

or with iptables....

# echo 1 > /proc/sys/net/ipv4/ip_forward
# /sbin/modprobe iptable_nat
# /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

(The above assume eth1 is the internet interface - change to the correct internet interface if different)

Then you just need to config the clients with (i) DNS server IP addresses (ii) default gateway of the Linux box.

That's it at a basic level. See also -->
Hope this helps
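The following is an added example, not code from this thread or from the ipchains/iptables projects. It models in Python what the MASQ / MASQUERADE rule above does inside the kernel (a translation table keyed on the gateway's public IP plus a fresh port, replies looked up and rewritten back, unsolicited inbound SYNs dropped) and what the ip_nat_ftp helper adds on top: rewriting the private address in the client's PORT command and recording an "expectation" so the server's data connection on port 20 can be let through. With the helper switched off you see the original poster's failure mode, and the passive-mode run shows why it needs no helper at all. The public address 203.0.113.7, the server 198.51.100.20 and every port number are constructed sample values.

```python
"""Toy model of Linux IP masquerading (source NAT) and the active-FTP problem.

Constructed example, not kernel code.  Addresses and ports are sample values.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"        # constructed: public address of the Linux gateway
SERVER_IP = "198.51.100.20"      # constructed: a remote FTP server


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False            # True on a connection attempt
    payload: str = ""            # application data, e.g. an FTP PORT command


def port_cmd(ip, port):
    """Build an RFC 959 PORT line: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def parse_port_cmd(line):
    """Inverse of port_cmd: return (ip, port) announced by the client."""
    nums = [int(n) for n in line[5:].split(",")]
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class Masquerader:
    """What `-j MASQ` / `-j MASQUERADE` does, with an optional ip_nat_ftp-style helper."""

    def __init__(self, public_ip, ftp_helper=True, first_port=61000):
        self.public_ip = public_ip
        self.ftp_helper = ftp_helper
        self.next_port = first_port
        self.table = {}   # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.expect = {}  # (remote_ip, public_port) -> (lan_ip, lan_port), set by the helper

    def _alloc_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt):
        """LAN -> Internet: substitute the public IP and a tracked source port."""
        for key, lan in self.table.items():
            if lan == (pkt.src_ip, pkt.src_port) and key[1:] == (pkt.dst_ip, pkt.dst_port):
                break                                   # already-tracked connection
        else:
            key = (self._alloc_port(), pkt.dst_ip, pkt.dst_port)
            self.table[key] = (pkt.src_ip, pkt.src_port)
        payload = pkt.payload
        if self.ftp_helper and pkt.dst_port == 21 and payload.startswith("PORT "):
            # The helper rewrites the private address/port in the PORT command and
            # remembers which LAN host the server's data connection must go to.
            lan_ip, lan_port = parse_port_cmd(payload)
            data_port = self._alloc_port()
            self.expect[(pkt.dst_ip, data_port)] = (lan_ip, lan_port)
            payload = port_cmd(self.public_ip, data_port)
        return Packet(self.public_ip, key[0], pkt.dst_ip, pkt.dst_port, pkt.syn, payload)

    def inbound(self, pkt):
        """Internet -> LAN: a reply, an expected FTP data connection, or dropped (None)."""
        if pkt.dst_ip != self.public_ip:
            return None                      # never reached the gateway at all
        lan = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is None and pkt.syn:
            lan = self.expect.pop((pkt.src_ip, pkt.dst_port), None)
            if lan is not None:              # promote the expectation to a tracked connection
                self.table[(pkt.dst_port, pkt.src_ip, pkt.src_port)] = lan
        if lan is None:
            return None                      # unsolicited inbound SYN: firewalled out
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1], pkt.syn, pkt.payload)


def active_ftp(ftp_helper):
    """Client m3 (192.168.1.3) opens the control channel and sends PORT; the server
    connects back for data.  Returns (PORT line the server saw, data SYN reached m3?)."""
    nat = Masquerader(PUBLIC_IP, ftp_helper)
    client, data_port = "192.168.1.3", 5000
    ctrl = nat.outbound(Packet(client, 1025, SERVER_IP, 21, syn=True))
    nat.inbound(Packet(SERVER_IP, 21, ctrl.src_ip, ctrl.src_port))        # server's reply
    seen = nat.outbound(Packet(client, 1025, SERVER_IP, 21, payload=port_cmd(client, data_port)))
    srv_ip, srv_port = parse_port_cmd(seen.payload)                       # what the server dials
    delivered = nat.inbound(Packet(SERVER_IP, 20, srv_ip, srv_port, syn=True))
    return seen.payload, delivered is not None and delivered.dst_ip == client


def passive_ftp():
    """Passive mode: the client opens the data connection too, so plain masquerading suffices."""
    nat = Masquerader(PUBLIC_IP, ftp_helper=False)
    client = "192.168.1.3"
    data = nat.outbound(Packet(client, 1026, SERVER_IP, 49152, syn=True))
    reply = nat.inbound(Packet(SERVER_IP, 49152, data.src_ip, data.src_port))
    return reply is not None and reply.dst_ip == client


if __name__ == "__main__":
    print("active, with helper:   ", active_ftp(True))
    print("active, without helper:", active_ftp(False))
    print("passive:               ", passive_ftp())
```

Running it shows the server receiving `PORT 192,168,1,3,...` when no helper is loaded (the data SYN goes to a private address and never arrives), the same command rewritten to the gateway's public address when the helper is on, and passive mode succeeding with nothing but the plain masquerade table. The real kernel keys its table on full 5-tuples and ages entries out; the model keeps only what is needed to show why active FTP fails and what the helper fixes.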