From Lawrence Tung on Sun, 04 Jul 1999
I have only one registered IP address (let say 220.127.116.11) and I have a server that run as a firewall and use IP masquerade to serve a couple of other workstations (by using private 192.168.x.x).
You're using IP masquerading to allow some of your client systems access to another network (presumably the Internet).
The phrase "serve a couple of other workstations" is confusing. You normally can't access a server on a private net through a masquerading router.
Now, I want to use net2phone to connect to my workstations but the workstation is using 192.168.x.x address. Is there a way (or any package) that can accept listen to the server machine for a particular port and forward the request to a particular port on the workstations.
listen to: 18.104.22.168:2000 forward to: 192.168.0.1:2000 listen to: 22.214.171.124:2001 forward to: 192.168.0.2:2000
I've tried to use ipfwadm but it doesn't work. Any idea? Or maybe I must have typed the ipfwadm command incorrectly.
I've never heard of net2phone.
I guess you were thinking about using ipfwadm's -r (relay) option. However you can't do it quite as you expected. What this allows you to do is to relay packets that match a given packet pattern to a socket on the localhost.
So you might be able to use a command like:
ipfwadm -I -a acc -r 12345 -D 126.96.36.199 2000
... with another command like 'redir' (Freshmeat URL: http://www.freshmeat.net/appindex/1999/03/14/921462694.html) like:
redir --lport=12345 --caddr=192.168.0.1 --cport=2000
The first command (issued on your Linux router/gateway --- the one doing the IP Masquerading) will accept traffic on port 2000 of your "real address" and redirect it to 12345 (any arbitrary port you've chosen). The other command (also executed on the same system as the first) will listen on localhost port 12345 and make a relay connection to 192.168.0.1 on port 2000. It will also automatically relay back any responses.
This is basically what programs like the TIS FWTK plug-gw (Firewall Toolkit, originally by TIS --- Trusted Information System Inc, now owned by NAI, Network Associates, Inc) and other proxy tools do.
Of course you don't actually need to use the ipfwadm command in your case. You could just use:
redir --lport=2000 --caddr=192.168.0.1 --cport=2000
redir --lport=2001 --caddr=192.168.0.2 --cport=2001
In fact there are several free utilities that do this. Another is simply called 'proxy' (Freshmeat URL: http://www.freshmeat.net/appindex/1999/04/21/924706079.html)
Of the two I just grabbed redir to write this answer (though I'd been planning on playing with this sort of thing for awhile anyway). I'm not particular found of redir's command line style, but it does support the TCP Wrappers library and it allows the option of being launched through inetd and to set it's TCP Wrappers name when its running standalone.
The 'proxy' command includes its own filtering parser (which doesn't seem to be as sophisticated as the TCP Wrappers package and surely hasn't been tested as extensively by as many netizens.
The cases where you might might want to do this ipfwadm redirection would be to "funnel" a bunch of different destination addresses to one process.
For example, you might want to force all of your local systems to transparent get redirected to a Squid web proxy any time they were access any port 80 on any address out on the Internet.
ipfwadm -I -a acc -r 3128 -D 0.0.0.0/0 80
... this will "catch" all traffic destined for port 80 of anywhere and redirect it to your router's port 3128. For a more detailed discussion of this sort of usage look at the SQUID FAQ: Transparent Caching/Proxying (section 17: http://squid.nlanr.net/Squid/FAQ/FAQ-17.html#ss17.2).
There are obviously other ways you could use this.
From Lawrence Tung on Thu, 22 Jul 1999
Thanks for your help. The "redir" works pretty good but I guess it only support TCP but not UDP. Do you know any pacakage that support UDP too?
Look for udprelay at:
- Metalab: Index of /pub/Linux/system/network/misc