<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Firewalling and packets accounting: Port redirection</TITLE>
<LINK HREF="firewall-5.html" REL=previous>
<LINK HREF="firewall.html#toc6" REL=contents>
</HEAD>
<BODY>
Next
<A HREF="firewall-5.html">Previous</A>
<A HREF="firewall.html#toc6">Contents</A>
<HR>
<H2><A NAME="s6">6. Port redirection</A></H2>
<P>Port redirection serves two purposes. You can intercept traffic going
out and feed it to a proxy. This "transparent" proxy may be used to hide the
internal network, do some caching, or do some filtering of the protocol (a
transparent POP-3 proxy could flag or delete email carrying certain attachments,
for one).
<P>Port redirection may also be used to give the outside world access to a
server on the internal network (behind the firewall).
<P>
<H2><A NAME="ss6.1">6.1 Transparent proxy</A>
</H2>
<P>In this case, you select the check-box "redirect to local port/host".
Then you enter the port on which the proxy server is listening on the firewall
itself; no host is entered, since the traffic stays on the firewall.
<P>The firewall rule generally defines the target port of the intercepted
traffic (in the "To" section). To run squid as a transparent proxy for the
192.168.1.0/24 network, for example, the rule looks like this:
<P>
<BLOCKQUOTE><CODE>
<PRE>
Protocol tcp
-----------From---------------
Host or Network 192.168.1.0
Netmask 255.255.255.0
Port range
Other ports
Interface eth0
-----------To-----------------
Host or Network 0.0.0.0
Netmask
Port range
Other ports 80
Interface Any
---------features-------------
[x] redirect to local port/host
redirect to port 3128
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H2><A NAME="ss6.2">6.2 Access to a local server</A>
</H2>
<P>
<P>In this case, requests come from anywhere (from the internet) and go
to one IP address on the firewall (potentially an IP alias). We may want
to "publish" a single port of the internal server, or many (even a port range).
Several ports are published by leaving the "redirect to port" field empty,
so that each accepted port is forwarded unchanged to the internal host;
the firewall rule then specifies which ports are accepted. Since the "From"
host is 0.0.0.0 (any source), every port listed in the rule becomes reachable
from the whole internet, so list only the ports the internal server must offer.
<P>The following example is making an internal web server available
on the internet.
<P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
Protocol tcp
-----------From---------------
Host or Network 0.0.0.0
Netmask
Port range
Other ports
Interface eth0
-----------To-----------------
Host or Network public_IP
Netmask
Port range
Other ports 80
Interface Any
---------features-------------
[x] redirect to local port/host
redirect to port 80
redirect to host 192.168.1.2
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>
<P>The following example publishes several services from the
internal server. The trick is to leave "redirect to port" empty
and to specify which ports are accepted in the firewall rule.
In this example, ssh, www and pop-3 are handled.
<P>
<BLOCKQUOTE><CODE>
<PRE>
Protocol tcp
-----------From---------------
Host or Network 0.0.0.0
Netmask
Port range
Other ports
Interface eth0
-----------To-----------------
Host or Network public_IP
Netmask
Port range
Other ports 22 80 pop-3
Interface Any
---------features-------------
[x] redirect to local port/host
redirect to port
redirect to host 192.168.1.2
</PRE>
</CODE></BLOCKQUOTE>
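<P>The three rules of sections 6.1 and 6.2 correspond to a small number of
kernel NAT rules. The script below is an added example, not part of the
linuxconf documentation and not what linuxconf itself emits: the page does not
say which kernel mechanism linuxconf programs, so the rules are written here
as iptables commands for a netfilter kernel (an assumption). The interface
names LAN_IF/WAN_IF (the page uses eth0 for both sides), the documentation
address 203.0.113.10 standing in for "public_IP", and the APPLY variable are
placeholders of this example; 192.168.1.0/24, 192.168.1.2, 3128 and the port
lists are the page's own values.

```shell
#!/bin/sh
# Added example (not part of the linuxconf documentation): the redirection
# rules from sections 6.1 and 6.2 expressed as iptables commands.
# Assumption: the firewall runs a netfilter kernel. The page does not say what
# linuxconf programs underneath, so these are modern equivalents, not its output.
# Placeholders: LAN_IF/WAN_IF (the page uses eth0 for both), PUBLIC_IP (the page
# writes "public_IP"; 203.0.113.10 is a documentation-only address), APPLY.

LAN_IF="eth1"              # interface facing 192.168.1.0/24 (placeholder)
WAN_IF="eth0"              # interface facing the internet (placeholder)
LAN_NET="192.168.1.0/24"   # "From" host/netmask of the transparent proxy rule
PUBLIC_IP="203.0.113.10"   # "To" host of the publishing rules (placeholder)
INNER_HOST="192.168.1.2"   # "redirect to host" from the page
PROXY_PORT="3128"          # "redirect to port" for squid from the page

# Section 6.1: LAN traffic to port 80 of any host is diverted to the proxy
# listening on the firewall itself. REDIRECT rewrites the destination to the
# address of the interface the packet arrived on, so no host is named.
# Connections the proxy opens itself leave through the OUTPUT chain, not
# PREROUTING, so they are not caught again by this rule.
transparent_proxy_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$LAN_NET" "$PROXY_PORT"
}

# Section 6.2: publish ports of the internal server on PUBLIC_IP.
#   $1  comma-separated ports accepted on PUBLIC_IP (e.g. "22,80,110")
#   $2  "redirect to port"; empty keeps each connection on the port it arrived
#       on, which is how the page publishes several services with one rule.
# DNAT in nat/PREROUTING rewrites the destination; a FORWARD rule then lets the
# rewritten packet through (the FORWARD policy is assumed to be DROP, as it
# should be on a firewall). The FORWARD rule matches the port as it is AFTER
# DNAT, which differs from the accepted port whenever a target port is given.
publish_rules() {
    ports="$1"
    target_port="$2"
    if [ -n "$target_port" ]; then
        dest="$INNER_HOST:$target_port"
        fwd_ports="$target_port"
    else
        dest="$INNER_HOST"        # no port: destination port is preserved
        fwd_ports="$ports"
    fi
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp -m multiport --dports %s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$PUBLIC_IP" "$ports" "$dest"
    printf 'iptables -A FORWARD -i %s -d %s -p tcp -m multiport --dports %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$INNER_HOST" "$fwd_ports"
}

# The complete rule set for the page's three examples. Forwarding must be
# enabled in the kernel, and replies to accepted connections must be allowed
# back through FORWARD, or the DNAT rules pass no traffic at all.
all_rules() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    transparent_proxy_rule
    publish_rules 80 80          # single web server port (second example)
    publish_rules 22,80,110 ""   # ssh, www, pop-3 (third example; 80 repeats)
}

# Print the commands by default; run them only when APPLY=1 (requires root).
if [ "${APPLY:-0}" = "1" ]; then
    all_rules | sh -e
else
    all_rules
fi
```

<P>Run it without arguments to review the generated commands, and with
APPLY=1 as root to install them. Note that the third example's empty
"redirect to port" maps to a DNAT target without a port, which is what keeps
ssh, www and pop-3 on their own ports on 192.168.1.2.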
<P>
<HR>
</BODY>
</HTML>