[NCLUG] ipchains and firewalls

Michael Dwyer mdwyer at sixthdimension.com
Thu Jan 24 17:20:31 MST 2002


rosing at peakfive.com wrote:
> 
> Mike wrote:
> 
> >On the other hand, I would personally suggest that you lose this rule,
> >and instead use the -X flag on SSH to transmit your X sessions securely.
> 
> I can't ssh to the machine of interest.  I could probably ssh from
> that machine to my machine, assuming I know how to set it up. But then
> would I still need some entry in ipchains to allow ssh in?

Eh, I'm not entirely sure what you are trying to do.  It would probably
take a bar napkin, or at least some ascii art for me to figure out what
you are trying to do...

> >Most of the ones that I have seen (Linksys) will allow you to designate
> >a single DMZ machine, which incoming traffic is routed to.  IPChains
>
> If I understand the DMZ machine idea it means I have one machine
> that's open to the world for everything? I can't do that.

That would seem to be what it did.  The filtering rules may have been a
bit more robust, though.  I think the DMZ idea is just the easiest way
for a non-networking kind of user to get his work done... I think in
Beginner mode, you just designated a DMZ host.  In Advanced mode, you
can carefully specify where you wanted everything to go.
I'm afraid I can't give you a good answer, though.  I just quickly set
one up for a friend.  I use Linux boxes in my own networks.

> This got me thinking of another problem.  I only have one ip address
> but I want to set up a network using masquerading. I also want to
> start an X job on a machine outside the firewall and have it display on
> one machine inside the firewall. It's always the same machine. On
> the remote machine I set the display variable to the one ip address I
> have. Something needs to route the packets to the one machine where I
> want the display.  Can I do this with ipchains?  Can I do this with
> linksys?

Okay, so you have, say, a DSL line or something.  You plug some
firewall/masq/NAT box (F) into that one IP, and on the other side, you
keep all your other machines (B) safe.   In the meantime, you have
another box (A) somewhere on the public internet.  Maybe at work or
something.  You would like to start xeyes on machine A and have the eyes
show up on B.

A portfw rule similar to your original one would probably work.  You
would set the display to your firewall IP address, and your firewall
would translate that address over to your internal machine.

I *think* it would work; I just wouldn't do it. :)

216.17.1.2           12.1.2.3               192.168.1.5
A-----(internet)-----F--|<---(intranet)-----B
                     Rule: fwd X11 to 192.168.1.5

But what I would do is FROM B, SSH out to A using the X flag.  If A
allows X forwarding (/etc/ssh/sshd_config) then it will automatically
set the DISPLAY and if you consequently run xeyes, it will show up on
your local screen, and be encrypted from end to end to boot.  This also
doesn't require any additional firewall rules, aside from the existing
MASQ rules.

Another thing:  if you do use a Linux box for 'F', you can also look
into CIPE (Crypto IP Encapsulation).  When correctly configured, it
makes two remote networks directly routable, as if they were actually on
the same network.  It's pretty neat, once you get it all set up.
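The two options the reply contrasts, written out as an added example (this is not code from the original post or from anyone in the thread). It uses the addresses from the ASCII diagram, assumes the 2.2-era ipchains/ipmasqadm tooling the thread is about, takes "user" as a placeholder login on A, and checks a constructed stand-in for A's sshd_config rather than a real file. The rule builders only return command lines as text, so nothing here touches a live kernel.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code). Hosts from the diagram:
#   A = 216.17.1.2 (public box)   F = 12.1.2.3 (firewall/MASQ, public side)
#   B = 192.168.1.5 (internal machine where the X display should appear)

# Option 1 ("would probably work"): MASQ the intranet on F and add a portfw
# rule so inbound X11 (TCP 6000 = display :0) is rewritten to B. Under
# ipchains, port forwarding is done with ipmasqadm (assumed syntax of that
# era). This leaves B's X server reachable from the whole internet, in the
# clear, which is why the reply would not do it.
portfw_rules() {
    ext_ip=$1; int_host=$2; lan=$3
    printf 'ipchains -A forward -s %s -j MASQ\n' "$lan"
    printf 'ipmasqadm portfw -a -P tcp -L %s 6000 -R %s 6000\n' "$ext_ip" "$int_host"
}

# Option 2 (what the reply recommends): from B, ssh out to A with -X. sshd on A
# sets DISPLAY inside the session, xeyes shows up on B, the X traffic is
# encrypted end to end, and F needs no inbound rule because the connection
# starts on the inside and rides the existing MASQ path.
ssh_x_command() {
    user=$1; host=$2
    printf 'ssh -X %s@%s xeyes\n' "$user" "$host"
}

# The one server-side check on A: sshd_config must contain "X11Forwarding yes"
# (the keyword is case-insensitive; a commented-out line does not count).
# Returns 0 when the given file enables it, 1 otherwise.
x11_forwarding_enabled() {
    grep -Eiq '^[[:space:]]*X11Forwarding[[:space:]]+yes' "$1"
}

# Demonstration against a constructed sshd_config (a temp file, not a real one).
demo() {
    cfg=$(mktemp) || return 1
    printf '# X11Forwarding yes\nX11Forwarding no\n' > "$cfg"
    echo "--- portfw approach: rules that would go on F ---"
    portfw_rules 12.1.2.3 192.168.1.5 192.168.1.0/24
    echo "--- ssh -X approach: command typed on B ---"
    ssh_x_command user 216.17.1.2
    if x11_forwarding_enabled "$cfg"; then
        echo "sample sshd_config enables X11 forwarding"
    else
        echo "sample sshd_config does NOT enable X11 forwarding: -X will not set DISPLAY"
    fi
    rm -f "$cfg"
}

demo
```

The sample config deliberately has the directive commented out and then set to "no", the usual reason an `ssh -X` session comes up without a DISPLAY; the check only accepts an active `X11Forwarding yes` line.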