
Using IPMASQADM to establish services

In order to punch holes into your firewall to run services that are accessible from the outside you need the package called "Ipmasqadm". This package essentially gives you the ability to take a port from one IP and forward it to another IP, even though one of the IPs is inside the protected LAN.
REMEMBER! Any service you make available this way MUST be kept up-to-date to avoid outside intrusion. Any service that you open up to the outside is a potential target for hackers, etc.
There are two things that must be done to properly forward ports. You need to forward an outgoing port from the "protected" IP to the outside interface, and you need to forward an incoming port from the outside interface into the "protected" IP destination port. For example:

To forward a webserver port from port 80 on your router's outside interface to 192.168.0.12, where your real webserver lies, you would need to do this (this assumes that 1.2.3.4 is your outside interface IP):

ipmasqadm portfw -a -P tcp -L 192.168.0.12 80 -R 1.2.3.4 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 80 -R 192.168.0.12 80
The first command allows the protected IP address's port 80 to send data out through 1.2.3.4, and the second one takes port 80 of 1.2.3.4 and forwards it to your protected IP's port 80. Both commands are necessary because together they allow two-way traffic to pass between your protected LAN and the clients connecting to you from the public Internet.

To make these come up at boot time, and to save yourself the hassle of rewriting these rules each and every time your router gets a new IP address you can add them to the PMfirewall scripts replacing the outside interface address with the variable $OUTERIP like this:
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L 192.168.0.5 80 -R $OUTERIP 80
ipmasqadm portfw -a -P tcp -L $OUTERIP 80 -R 192.168.0.5 80

The first command should only be put in once. The -f tells ipmasqadm to flush/erase the port forwarding table (the portfw module takes lowercase option letters: -a to add, -d to delete, -f to flush, -l to list).

The -P <protocol> parameter tells ipmasqadm to forward the given port for the protocol specified. <protocol> can be either tcp or udp.

-L <IP address> <port> specifies the local IP/port to be forwarded.

-R <IP address> <port> specifies the remote IP/port to forward to.

The -L port and the -R port do not have to be the same; you can specify different ports as long as you are consistent. For example, you can have 192.168.0.? port 80 forwarded to $OUTERIP port 12345.
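The following script is an added example, not part of PMfirewall or the ipmasqadm package. It wraps the boot-time procedure above (flush the table, then re-add every forward using $OUTERIP) in a small POSIX sh helper that validates each entry before anything is run, and it also shows the case where the outside port differs from the inside port. The OUTERIP default, the FORWARDS list, the APPLY switch and the 192.168.0.x hosts are all constructed for the example; PMfirewall itself is assumed to export $OUTERIP for you.

```shell
#!/bin/sh
# Added example (not from PMfirewall or the ipmasqadm project): generate, and
# optionally apply, the ipmasqadm portfw rules for a list of services so the
# same script can be re-run at boot or whenever the router's outside IP changes.
#
# Assumptions, not from the page: OUTERIP is exported by the caller (PMfirewall
# sets it; a constructed default is used here if it is unset), FORWARDS is a
# constructed list of "proto outside_port inside_ip inside_port" lines, and
# APPLY=1 must be set explicitly before any command is actually executed.

OUTERIP=${OUTERIP:-1.2.3.4}   # constructed placeholder for the outside interface IP

# Accept only numeric ports in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ipmasqadm portfw only understands tcp and udp.
valid_proto() {
    case "$1" in
        tcp|udp) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the two portfw rules for one service (inside host -> outside IP, then
# outside IP -> inside host) exactly as the text above lays them out.
# Nothing is executed here; the rules are only written to stdout.
portfw_rules() {
    proto=$1 outerip=$2 outerport=$3 innerip=$4 innerport=$5
    valid_proto "$proto" || { echo "portfw_rules: bad protocol '$proto'" >&2; return 1; }
    valid_port "$outerport" || { echo "portfw_rules: bad outside port '$outerport'" >&2; return 1; }
    valid_port "$innerport" || { echo "portfw_rules: bad inside port '$innerport'" >&2; return 1; }
    printf 'ipmasqadm portfw -a -P %s -L %s %s -R %s %s\n' \
        "$proto" "$innerip" "$innerport" "$outerip" "$outerport"
    printf 'ipmasqadm portfw -a -P %s -L %s %s -R %s %s\n' \
        "$proto" "$outerip" "$outerport" "$innerip" "$innerport"
}

# Build the full rule set: one flush, then every forward in the list given as $1.
# Returns non-zero as soon as an entry is malformed, so a typo in the list
# is caught before the rules are handed to ipmasqadm.
build_ruleset() {
    printf 'ipmasqadm portfw -f\n'
    echo "$1" | while read -r proto oport iip iport; do
        [ -z "$proto" ] && continue
        portfw_rules "$proto" "$OUTERIP" "$oport" "$iip" "$iport" || exit 1
    done
}

# Constructed sample forwards: a web server on .5, and a UDP service on .7 that
# is reached on a different outside port (the -L and -R ports need not match).
FORWARDS='tcp 80 192.168.0.5 80
udp 12345 192.168.0.7 27960'

# Print the rules; execute them only when APPLY=1 (needs root and ipmasqadm).
run() {
    rules=$(build_ruleset "$FORWARDS") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$rules" | sh -e
    else
        echo "$rules"
    fi
}

run
```

Run it without APPLY to see the exact commands that would be issued; set APPLY=1 from the PMfirewall script once $OUTERIP is known. Because build_ruleset refuses the whole list when one entry is bad, the table is never left half-filled with a malformed forward.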

That's it for port forwarding. If you are going to implement this on a DHCP client computer you might want to take a look at the next section, 11: Assigning a Hybrid IP address using DHCP.