Source: http://www.ruwebit.net/article/15
Copyright 1999-2008 Maurice de Bijl

Port Forwarding HOWTO
By Maurice on 2000-11-28 (updated 2000-11-30)
What is port forwarding? With port forwarding you 'forward' a port on the masquerading box to a masqueraded machine (usually a machine that only reaches the Internet through a Linux box doing IP masquerading). Example use: you want to run an FTP server on a masqueraded machine. That only works if you forward the right port (here: 21, the FTP control port). Note that for FTP this alone is not enough: the data connections need an additional patch, as mentioned under CONFIG_IP_MASQUERADE_IPPORTFW below.

Normally you can just use the port-forwarding module of ipmasqadm on RH 6.x... but not once you have compiled your own kernel... And that is exactly what I had done :-(

Below are the recommended compile options, as found on the Internet.... Pay particular attention to CONFIG_IP_ADVANCED_ROUTER (it must be set to YES). I also built CONFIG_IP_MASQUERADE_IPPORTFW (and others) as a module...

So the kernel must be recompiled with these options:

* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL)
- YES: though not required for IP MASQ, this option allows the kernel to create the MASQ modules and enable the option for port forwarding

-- Non-MASQ options skipped --

* Enable loadable module support (CONFIG_MODULES)
- YES: allows you to load kernel IP MASQ modules

-- Non-MASQ options skipped --

* Networking support (CONFIG_NET)
- YES: Enables the network subsystem

-- Non-MASQ options skipped --

* Sysctl support (CONFIG_SYSCTL)
- YES: Enables the ability to enable or disable options such as forwarding, dynamic IPs, LooseUDP, etc.

-- Non-MASQ options skipped --

* Packet socket (CONFIG_PACKET)
- YES: Though this is OPTIONAL, this recommended feature will allow you to use TCPDUMP to debug any problems with IP MASQ

* Kernel/User netlink socket (CONFIG_NETLINK)
- YES: Though this is OPTIONAL, this feature will allow the logging of advanced firewall issues such as routing messages, etc

* Routing messages (CONFIG_RTNETLINK)
- NO: This option does not have anything to do with packet firewall logging

-- Non-MASQ options skipped --

* Network firewalls (CONFIG_FIREWALL)
- YES: Enables the kernel to be configured by the IPCHAINS firewall tool

* Socket Filtering (CONFIG_FILTER)
- OPTIONAL: Though this doesn't have anything to do with IPMASQ, if you plan on implementing a DHCP server on the internal network, you WILL need this option.

* Unix domain sockets (CONFIG_UNIX)
- YES: This enables the UNIX TCP/IP sockets mechanisms

* TCP/IP networking (CONFIG_INET)
- YES: Enables the TCP/IP protocol

-- Non-MASQ options skipped --

* IP: advanced router (CONFIG_IP_ADVANCED_ROUTER)
- YES: This will allow you to configure advanced MASQ options farther down

* IP: policy routing (CONFIG_IP_MULTIPLE_TABLES)
- NO: Not needed by MASQ, though users who need advanced features such as TCP/IP source address-based or TOS-enabled routing will need to enable this option.

* IP: equal cost multipath (CONFIG_IP_ROUTE_MULTIPATH)
- NO: Not needed for normal MASQ functionality

* IP: use TOS value as routing key (CONFIG_IP_ROUTE_TOS)
- NO: Not needed for normal MASQ functionality

* IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE)
- YES: This is useful if you use the routing code to drop IP spoofed packets (highly recommended) and you want to log them.

* IP: large routing tables (CONFIG_IP_ROUTE_LARGE_TABLES)
- NO: Not needed for normal MASQ functionality

* IP: kernel level autoconfiguration (CONFIG_IP_PNP)
- NO: Not needed for normal MASQ functionality

* IP: firewalling (CONFIG_IP_FIREWALL)
- YES: Enable the firewalling feature

* IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK)
- OPTIONAL: Though this is OPTIONAL, this feature will allow IPCHAINS to copy some packets to UserSpace tools for additional checks

* IP: transparent proxy support (CONFIG_IP_TRANSPARENT_PROXY)
- NO: Not needed for normal MASQ functionality

* IP: masquerading (CONFIG_IP_MASQUERADE)
- YES: Enable IP Masquerade to re-address specific internal to external TCP/IP packets

* IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP)
- YES: Enable support for masquerading ICMP ping packets (ICMP error codes will be MASQed regardless). This is an important feature for troubleshooting connections.

* IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD)
- YES: Though OPTIONAL, this enables the OPTION to later enable the TCP/IP Port forwarding system to allow external computers to directly connect to specified internal MASQed machines.

* IP: ipautofw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW)
- NO: IPautofw is a legacy method of port forwarding. It is mainly old code and has been found to have some issues. NOT recommended.

* IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW)
- YES: Enables IPPORTFW which allows external computers on the Internet to directly communicate with specified internal MASQed machines. This feature is typically used to access internal SMTP, TELNET, and WWW servers. FTP port forwarding will need an additional patch as described in the FAQ section of the MASQ HOWTO. Additional information on port forwarding is available in the Forwards section of the MASQ HOWTO.

* IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW)
- OPTIONAL: This is a new method of doing PORTFW. With this option, IPCHAINS can mark packets that need additional work done on them. Using a UserSpace tool, much like IPMASQADM or IPPORTFW, IPCHAINS would then automatically re-address the packets. Currently, this code is less tested than PORTFW but it looks promising. For now, the recommended method is to use IPMASQADM and IPPORTFW. If you have thoughts on MFW, please email me.

* IP: optimize as router not host (CONFIG_IP_ROUTER)
- YES: This optimizes the kernel for the network subsystem, though it isn't known if it makes a significant performance difference.

* IP: tunneling (CONFIG_NET_IPIP)
- NO: This OPTIONAL section is for IPIP tunnels through IP Masq. If you need tunneling/VPN functionality, it is recommended to use either GRE or IPSEC tunnels.

* IP: GRE tunnels over IP (CONFIG_NET_IPGRE)
- NO: This OPTIONAL selection is to enable PPTP and GRE tunnels through the IP MASQ box

-- Non-MASQ options skipped --

* IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES)
- YES: HIGHLY recommended for basic TCP/IP network security

-- Non-MASQ options skipped --

* IP: Allow large windows (not recommended if
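
The option list above ends with a recompiled kernel; the step after that is to confirm the kernel really has the options and then to set up the forward itself. The following shell script is an added example, not code from the original article and not part of ipmasqadm: it checks a kernel .config file for the options the list marks as required for masquerading plus port forwarding, and prints the ipchains/ipmasqadm commands for the FTP case from the introduction. The external address 203.0.113.5, the internal server 192.168.1.10, the internal network 192.168.1.0/24 and the sample .config are constructed for illustration; the ipmasqadm portfw syntax is that of the 2.2-kernel tool.

```shell
#!/bin/sh
# Added example, not part of the original article: verify a kernel .config
# against the option list above, then build the port-forwarding commands.
# Addresses, network and file names are assumptions for illustration.

# Subset of the options marked YES above that the masquerading + portfw path
# actually depends on (optional debugging ones such as CONFIG_PACKET are left
# out). Each must be =y or =m; CONFIG_IP_MASQUERADE_IPPORTFW is the one the
# ipmasqadm portfw module needs, and it is easy to forget on a custom kernel.
REQUIRED_OPTS="CONFIG_MODULES CONFIG_NET CONFIG_SYSCTL CONFIG_FIREWALL
CONFIG_INET CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_FIREWALL CONFIG_IP_MASQUERADE
CONFIG_IP_MASQUERADE_MOD CONFIG_IP_MASQUERADE_IPPORTFW CONFIG_SYN_COOKIES"

# check_masq_config FILE
# Reports every required option that is absent or "# ... is not set" in FILE
# (for example /boot/config-<version> on Red Hat, or /usr/src/linux/.config).
# Returns 0 when all are enabled as y or m, 1 otherwise.
check_masq_config() {
    cfg="$1"
    rc=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -qx "${opt}=[ym]" "$cfg"; then
            echo "disabled or missing: $opt"
            rc=1
        fi
    done
    return $rc
}

# portfw_commands EXT_IP INT_IP PORT INT_NET
# Prints the commands that forward TCP PORT arriving on EXT_IP (the
# masquerading box) to INT_IP (the masqueraded server) on a 2.2 kernel, with
# INT_NET masqueraded for outbound traffic. They are printed, not executed,
# so they can be reviewed before being piped to sh.
# Assumes the input chain accepts the port; add an ipchains input rule if its
# policy is DENY. For FTP, port 21 only covers the control connection; the
# option list above notes that FTP needs an additional patch.
portfw_commands() {
    ext="$1"; int="$2"; port="$3"; net="$4"
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_masq_portfw
ipchains -A forward -s $net -j MASQ
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $ext $port -R $int $port
ipmasqadm portfw -l
EOF
}

# Constructed sample config: like the author's custom kernel, with IPPORTFW
# left out, so the check reports it instead of letting ipmasqadm fail later.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_SYSCTL=y
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_MOD=y
# CONFIG_IP_MASQUERADE_IPPORTFW is not set
CONFIG_SYN_COOKIES=y
EOF

if check_masq_config "$SAMPLE_CFG"; then
    portfw_commands 203.0.113.5 192.168.1.10 21 192.168.1.0/24
else
    echo "recompile the kernel first; ipmasqadm portfw will not work" >&2
fi
rm -f "$SAMPLE_CFG"
```

On a real box, point check_masq_config at the config of the running kernel and only pipe the output of portfw_commands to sh once it passes; `ipmasqadm portfw -l` at the end shows the active forwards so the rule can be confirmed before testing from outside.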