linuxconf Howto/FAQ

Howto index

How to redirect a TCP port to a machine inside the firewall

We have a machine on the Internet, and potentially several machines inside the firewall on the Intranet. We may want to make some services on those machine available on the Internet, leaving the machine protected behind the firewall.

This is achieved by the redir utility. You can find a package for this utility at ftp://ftp.solucorp.qc.ca/pub/misc

By default, redir will redirect all TCP traffic hitting a port on the firewall machine. This might not be what you want. For example, you may have several web server hidden behind the firewall and you want to make several of them available on the net. You will do this by configuring some IP aliases, one for each internal server, and then using some firewall rules, you will redirect the traffic for each one separately to one redir configuration.

Here are the steps:

  • First you allocate one port for each server. These ports could be anywhere (10000,10001 for example).

  • Modify /etc/services like this

          redir1     tcp/10000
          redir2     tcp/10001
          .
          .
          

  • Modify /etc/inetd.conf like this

           redir1 stream tcp nowait root /usr/sbin/redir redir --inetd [--ftp] iserver1 iport
           redir2 stream tcp nowait root /usr/sbin/redir redir --inetd [--ftp] iserver2 iport
           .
           .
           

    Where iserver1 is the IP or name of the first internal server you want to reach and iport1 is the port number of the service. Note that redir1 and iport1 are unrelated.

    The --ftp option is used if the target service is ftp.

  • Let Linuxconf restart inetd

    At this point, you can point a telnet session to your firewall/gateway box like this, and you will reach your intra-net server. Try this just to prove you are going in the good direction.

          telnet gateway-box 10000
          

  • Now we add the firewalling rules

    The purpose of those rules is to associate one port and one IP number to the redirection process.

    You must enable the firewall module in Linuxconf. Then in the firewall defaults, you must enable the blocking firewall.

    Note that once you have done that, you will need to provide blocking to access the box: The box will be locked. Once you have a suitable firewall, you will need to add one blocking rule per redirection, like this:

          [X] This rules is active
          Rules policy (o) accept
          [x] redirect to local port
          redirection port: redir1
          from:
          Host or network: 0.0.0.0
          Netmask:
          Port range:
          Other ports:
          Interface: Any
          To:
          Host or Network: IP alias for first server
          Netmask:
          Port range:
          Other ports: port you want to access on first server
          Interface: Any
          

    Activate those rules and you will have access to you Intranet servers from the Internet.