Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Installation/Configuration

  #11  
Old 27th August 2008, 07:53
chillifire (HowtoForge Supporter)

Even better solution ...

I can now offer a better solution that is based on a script from the Bastille guys as well (see code below). What I added was the MASQUERADE rule and the switch that ensures that port forwarding is actually activated on your Linux server (tested on Ubuntu/Debian; please check with your Linux distro that the same switch exists in the same location, or adjust the script accordingly in the line starting with "echo 1 > ..."). Other than being fully compliant with iptables and Bastille, the script offers the additional advantage that port forwarding is only opened for explicitly specified ports, as opposed to the entire tun+ interfaces as was done in my solution. Here goes:

Code:
mkdir /etc/Bastille/firewall.d
mkdir /etc/Bastille/firewall.d/pre-chain-split.d
touch /etc/Bastille/firewall.d/pre-chain-split.d/portforward.sh
chmod 755 /etc/Bastille/firewall.d/pre-chain-split.d/portforward.sh
Now copy all the following code into the file portforward.sh.
The magic happens in the lines under item 1. Adjust them to suit your port forwarding needs; the explanation in the script should be quite sufficient. This script should be able to handle port forwarding within your network, to connected VPN networks, and to external servers (the latter may require activating another line in the script under section 0 in some cases).

Code:
# portforward.sh
#
# designed for bastille-firewall
# Copyright (c) 2002 Peter Watkins
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# place in /etc/Bastille/firewall.d/pre-chain-split.d
# as portforward.sh (directory name and .sh suffix are critical)
#
###########################################################################
# 0) Addition to Peter Watkins' script by Hanno Scihupp, July 2008
#
# a) Switch on IP forwarding for your server
# Ensure forwarding is actually switched on - otherwise nothing works.
# Having it in this script ensures the setting survives a reboot.
# This works on Ubuntu/Debian. Check the filesystem and documentation of your
# favourite Linux distro that this switch exists and is valid.
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# b) Enable port forwarding to an address outside your external network
# (i.e. to a VPN network address or an external server)
# The line below enables forwarding to tunnel-connected servers
# (i.e. servers connected through a VPN network)
/sbin/iptables -A POSTROUTING --table nat -o tun+ -j MASQUERADE
# The line below enables forwarding to external servers
# /sbin/iptables -A POSTROUTING --table nat -o eth0 -j MASQUERADE
#########################################################################
#
# Settings:
#
# 1) IP_FORWARDS (all OSes/kernel versions)
#
# List your port forwarding info here. This should be a whitespace
# separated list. Each item in the list should be a hyphen-separated
# list including the following, in this order
# - interface name, e.g. "eth0" (blank for all)
# - destination address, e.g. "192.168.1.1" for the single
#   address 192.168.1.1, "0.0.0.0" for any address, etc.
#   (this address may contain a netmask, e.g. 192.168.1.1/24)
# - the destination port number, e.g. "80" for standard HTTP
# - the protocol type or number, e.g. "tcp"
# - the forwarding service address, e.g. "172.19.1.2"
# - the forwarding service port, e.g. "8000"
#
# Example:
#   IP_FORWARDS="eth0-0.0.0.0-80-tcp-172.19.1.2-8000"
#  This says we only have one forwarding rule to establish. Any TCP
#  traffic destined for any address bound to the "eth0" interface's port
#  80 will be forwarded to TCP port 8000 of 172.19.1.2. This is a typical
#  rule for a site that wants to run its Web server on an internal
#  machine, using a high port so the Web server can be started by a
#  non-root user. Whether the forwarding or running on a high port is
#  a *good* idea is a question we won't address here.
#
IP_FORWARDS="eth0-1.2.3.4-8004-tcp-10.8.0.4-8080 eth0-1.2.3.4-8005-tcp-10.8.0.5-8080"
#
#
# 2) IPFWADM (Linux 2.2/ipchains only)
#
#
# For 2.2-based kernels, where is ipfwadm?
IPFWADM="/sbin/ipfwadm"
#
# ${IPTABLES} and ${IPCHAINS} are set by bastille-firewall, which runs this file
if [ -z "${IPCHAINS}" -a -z "${IPTABLES}" ]; then
  echo "Error: only good for iptables or ipchains/ipfwadm" > /dev/stderr
elif [ -n "${IPCHAINS}" -a \( \! -x "${IPFWADM}" \) ]; then
  echo "Please install $IPFWADM for forwarding with 2.2/ipchains systems" >/dev/stderr
else
  if [ -n "${IPCHAINS}" -a \( -x "${IPFWADM}" \) ]; then
    # flush ipfwadm rules
    ${IPFWADM} portfw -f
  fi
  for fw_rule in ${IP_FORWARDS} ; do
    # ugly awk hack
    fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'`
    fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'`
    fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'`
    fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'`
    fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'`
    fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'`

    if [ -n "${fw_iface}" ]; then
      # we have an interface specified
      if [ -n "${IPTABLES}" ]; then
        ${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -i $fw_iface -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
        ${IPTABLES} -A FORWARD -p $fw_inproto -i $fw_iface -d $fw_outaddr --dport $fw_outport -j ACCEPT
        ### debug ###
        #echo "${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -i $fw_iface -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport"
        #echo "${IPTABLES} -A FORWARD -p $fw_inproto -i $fw_iface -d $fw_outaddr --dport $fw_outport -j ACCEPT"
        ### debug ###
      else
        ${IPFWADM} portfw -P $fw_inproto -L $fw_inaddr $fw_inport -R $fw_outaddr $fw_outport
      fi
    else
      # apply forward to all interfaces
      if [ -n "${IPTABLES}" ]; then
        ${IPTABLES} -t nat -A PREROUTING -p $fw_inproto  -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
        ${IPTABLES} -A FORWARD -p $fw_inproto  -d $fw_outaddr --dport $fw_outport -j ACCEPT
      else
        # same as ipfwadm rule above, actually
        ${IPFWADM} portfw -P $fw_inproto -L $fw_inaddr $fw_inport -R $fw_outaddr $fw_outport
      fi
    fi
  done
fi
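The portforward.sh loop above splits each IP_FORWARDS entry with awk and hands the pieces straight to iptables, so a mistyped octet or port silently becomes a live DNAT rule to the wrong host. The following is an added example, not code from the thread or from Bastille: it checks every entry of the same "iface-dstaddr-dstport-proto-fwdaddr-fwdport" format and prints the PREROUTING and FORWARD commands the script would run, without applying them. It assumes /sbin/iptables as the binary path, and all rule strings in it are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): check each IP_FORWARDS entry of the
# form iface-dstaddr-dstport-proto-fwdaddr-fwdport before it reaches iptables,
# and print the rules the portforward.sh loop would apply. Nothing is applied.
# Assumptions: /sbin/iptables as the default binary path; all rule strings
# below are constructed for the example.

IPTABLES=${IPTABLES:-/sbin/iptables}

# Accept a port number in 1..65535.
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] || return 1
  [ "$1" -le 65535 ] || return 1
  return 0
}

# Accept a dotted-quad IPv4 address; with $2 = cidr also allow a /0-32 prefix.
is_ipv4() {
  addr=$1 pfx=32
  case "$addr" in
    */*) [ "$2" = cidr ] || return 1
         pfx=${addr#*/}; addr=${addr%%/*} ;;
  esac
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  o1=${addr%%.*}; r=${addr#*.}
  o2=${r%%.*};    r=${r#*.}
  o3=${r%%.*};    o4=${r#*.}
  # Rebuilding the address catches too few octets; the loop catches too many.
  [ "$o1.$o2.$o3.$o4" = "$addr" ] || return 1
  for o in "$o1" "$o2" "$o3" "$o4"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Split a rule on hyphens into f_iface .. f_outport; exactly six fields.
split_rule() {
  f_iface=${1%%-*};   r=${1#*-}
  f_inaddr=${r%%-*};  r=${r#*-}
  f_inport=${r%%-*};  r=${r#*-}
  f_proto=${r%%-*};   r=${r#*-}
  f_outaddr=${r%%-*}; f_outport=${r#*-}
  case "$f_outport" in *-*) return 1 ;; esac   # seven or more fields
  # Rebuilding the rule catches entries with fewer than six fields.
  [ "$f_iface-$f_inaddr-$f_inport-$f_proto-$f_outaddr-$f_outport" = "$1" ] || return 1
  return 0
}

# Validate one rule and print its PREROUTING/FORWARD commands; 1 if rejected.
render_rule() {
  rule=$1
  split_rule "$rule" || { echo "bad rule syntax: '$rule'" >&2; return 1; }
  case "$f_iface" in
    *[!A-Za-z0-9_.+]*) echo "bad interface in '$rule'" >&2; return 1 ;;
  esac
  is_ipv4 "$f_inaddr" cidr || { echo "bad destination address in '$rule'" >&2; return 1; }
  is_port "$f_inport"      || { echo "bad destination port in '$rule'" >&2; return 1; }
  case "$f_proto" in
    tcp|udp) ;;
    *) echo "unsupported protocol '$f_proto' in '$rule'" >&2; return 1 ;;
  esac
  is_ipv4 "$f_outaddr"     || { echo "bad forwarding address in '$rule'" >&2; return 1; }
  is_port "$f_outport"     || { echo "bad forwarding port in '$rule'" >&2; return 1; }
  # A blank interface means "all interfaces", as in the original script.
  set -- -p "$f_proto"
  if [ -n "$f_iface" ]; then set -- "$@" -i "$f_iface"; fi
  echo "$IPTABLES -t nat -A PREROUTING $* -d $f_inaddr --dport $f_inport -j DNAT --to-destination $f_outaddr:$f_outport"
  echo "$IPTABLES -A FORWARD $* -d $f_outaddr --dport $f_outport -j ACCEPT"
}

# Render a whole whitespace-separated list; 1 if any entry was rejected.
render_all() {
  rc=0
  for entry in $1; do
    render_rule "$entry" || rc=1
  done
  return $rc
}

# The two rules from the post above (constructed example addresses).
IP_FORWARDS="eth0-1.2.3.4-8004-tcp-10.8.0.4-8080 eth0-1.2.3.4-8005-tcp-10.8.0.5-8080"
render_all "$IP_FORWARDS" || echo "fix the rejected entries before installing" >&2
```

Run it on your rule list before dropping the list into the Bastille script; the printed commands can be piped through sh to apply them by hand. The FORWARD line mirrors the script's own: it accepts only traffic to the DNAT'd address and port, so nothing else crosses the box. Keep in mind that the `-o eth0` MASQUERADE line, once uncommented, rewrites the source address of every packet leaving eth0, so a backend reached that way logs the firewall's address rather than the real client's.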
  #12  
Old 2nd June 2009, 02:08
just.another.alex (Junior Member)

Quite nice solutions you have there!

Hello!
Long time no hear from you!
Excuse me for too much silence regarding this post!
It all began with you asking for help in the forwarding matter, me trying to help, and in the end... you helped me!

So, regarding your first solution:
-you added the MASQUERADE rule for the outgoing packets, so they can find their way back! Correct! I forgot about this in my proposed solution (I guess I considered it enabled by default)

Regarding your second solution:
I didn't know about it! (I didn't use the Bastille firewall system). But it's beautiful!
THANKS for sharing it here!

Cheers!
  #13  
Old 2nd June 2009, 03:51
id10t (Senior Member)

Or to just do it on the fly...

ssh -L8080:$IP:443 username@ubuntuhost

Then open a browser, go to https://localhost:8080 and you should get it.

Replace $IP with the address of the ddwrt box you are connecting to.

You can do the same with the "tunneling" dialog in putty from a windows machine.