280 lines
10 KiB
HTML
280 lines
10 KiB
HTML
<!--startcut ======================================================= -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<html><head>
|
|
<META NAME="generator" CONTENT="lgazmail v1.1preB">
|
|
<TITLE>The Answer Guy 32:
|
|
IP Masquerading/Proxy?
|
|
</TITLE>
|
|
<!-- ORIGINAL SUBJECT:
|
|
IP Masquerading/Proxy?
|
|
JTD SUBTITLE:
|
|
|
|
-->
|
|
</head>
|
|
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
|
|
ALINK="#FF0000">
|
|
<H4>"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
<P> <hr> <P>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<H1 align="center"><A NAME="answer">
|
|
<img src="../gx/dennis/qbubble.gif" alt="" border="0" align="middle">
|
|
<a href="./index.html">The Answer Guy</a>
|
|
<img src="../gx/dennis/bbubble.gif" alt="" border="0" align="middle">
|
|
</A></H1>
|
|
<BR>
|
|
<H4 align="center">By James T. Dennis,
|
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a>
|
|
<BR>Starshine Technical Services, <A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
|
|
</H4>
|
|
<p><hr><p>
|
|
<!--endcut ========================================================= -->
|
|
<H3><img src="../gx/dennis/qbub.gif" alt="(?)"width="50" height="28"
|
|
align="left" border="0">IP Masquerading/Proxy? </H3>
|
|
<p><strong>From Peter Mastren on 20 Aug 1998 </strong></p>
|
|
<!-- begin body -->
|
|
|
|
<p><strong>James,
|
|
</strong></p>
|
|
<p><strong>I appreciate your in depth coverage of the IP Masquerading topic last
|
|
month.
|
|
</strong></p>
|
|
<p><strong>My own private network now is able to talk through my Linux box using
|
|
the techniques you described.
|
|
</strong></p>
|
|
|
|
<blockquote><img src="../gx/dennis/bbub.gif" height="28" width="50"
|
|
alt="(!)" border="0">Glad to help.</blockquote>
|
|
|
|
<strong><p>I, however, can't seem to find an answer to my next problem anywhere
|
|
in the literature. My Linux proxy is connected via ISDN to my
|
|
employers intranet which itself is behind a firewall and served by a
|
|
proxy server. From Linux, I can browse, telnet, ftp etc... using
|
|
SOCKSified clients, i.e. rtelnet, rftp. From any other machine in my
|
|
private network, I am only able to get as far as the companies
|
|
intranet, but not all the way to the internet.
|
|
</p></strong>
|
|
|
|
|
|
<blockquote><img src="../gx/dennis/bbub.gif" height="28" width="50"
|
|
alt="(!)" border="0"
|
|
>If your other machines were using SOCKSified clients they
|
|
would probably work as well. So the first suggestion would
|
|
be to find SOCKSified clients for your other systems.
|
|
</blockquote>
|
|
<blockquote>It is also possible to configure SOCKS (v5 at least) for
|
|
multi-hop traversal (so that one zone or subnet in an
|
|
organization, such as yours can use a SOCKS server to
|
|
relay traffic to another SOCKS server.
|
|
</blockquote>
|
|
|
|
|
|
|
|
<strong><p><img src="../gx/dennis/qbub.gif" height="28" width="50"
|
|
alt="(?)" border="0">How do I get modules,
|
|
<tt>ip_masq_ftp.o</tt>, <tt>ip_masq_raudio.o</tt> etc... to use
|
|
SOCKSified protocols? Basically, another level of indirection is
|
|
required to actually reach the internet. Can this be done?
|
|
</p></strong>
|
|
|
|
<blockquote><img src="../gx/dennis/bbub.gif" height="28" width="50"
|
|
alt="(!)" border="0"
|
|
>I supposed someone could "SOCKSify" the IP Masquerading
|
|
modules or use 'ipfwadm' to redirect all the appropriate
|
|
traffic to custom, SOCKSified, programs through the
|
|
transparent proxying features.
|
|
</blockquote>
|
|
<blockquote>One of the features of the Linux IPFW (kernel packet
|
|
filters) is a provision to redirect incoming TCP connections
|
|
into Unix domain sockets on the localhost, where a user
|
|
space program can be attached to them. This user space
|
|
program can either handle the request directly or
|
|
relay/proxy the connection through whatever interfaces and
|
|
protocols you'd want to build into it.
|
|
</blockquote>
|
|
<blockquote>I think the squid cache and the DeleGate proxy can each be
|
|
configured to support this.
|
|
</blockquote>
|
|
<blockquote>To find out a little bit more about this redirection feature
|
|
look for the "<tt>-r</tt>" switch on the '<tt>ipfwadm</tt>' man pages.
|
|
</blockquote>
|
|
<blockquote>Just off hand I don't see that the newer IP-chains code
|
|
(apparently intended to replace <tt>ipfwadm</tt> in future kernels)
|
|
offers any particular help for your situation. It does add
|
|
significant new features to Linux packet filtering and it
|
|
well worth the work that's going into it. However, I don't
|
|
see anything on it's web site:
|
|
</blockquote>
|
|
|
|
<blockquote><blockquote><code
|
|
><A HREF="http://www.adelaide.net.au/~rustcorp/ipfwchains/"
|
|
>http://www.adelaide.net.au/~rustcorp/ipfwchains/</A>
|
|
</code></blockquote></blockquote>
|
|
|
|
<blockquote>... that applies directly to your situation.
|
|
</blockquote>
|
|
<blockquote>Some other work in this field is at:
|
|
</blockquote>
|
|
<blockquote>
|
|
<dl><dt>The HOWTO for IPChains
|
|
<dd><A HREF="http://www.adelaide.net.au/~rustcorp/ipfwchains/HOWTO.html"
|
|
>http://www.adelaide.net.au/~rustcorp/ipfwchains/HOWTO.html</A>
|
|
</dl>
|
|
</blockquote>
|
|
|
|
<blockquote>As I said It looks like IPChains is going to be the default
|
|
kernel packet filtering code for the 2.2 kernels.
|
|
</blockquote>
|
|
|
|
<blockquote><dl><dt>The Home of Linux IP NAT
|
|
<dd><A HREF="http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html"
|
|
>http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html</A>
|
|
</dl>
|
|
</blockquote>
|
|
|
|
<blockquote>(NAT -- network address translation -- is more
|
|
generalized then IP masquerading. While IP masquerading
|
|
implements a specific many-to-one NAT, IP NAT allows
|
|
complex many-to-many translations. It might be able to
|
|
co-exist with IP masquerading and/or IP Chains).
|
|
</blockquote>
|
|
|
|
<blockquote><dl><dt>Darren Reed's IP Filter
|
|
<dd><A HREF="http://cheops.anu.edu.au/~avalon/"
|
|
>http://cheops.anu.edu.au/~avalon/</A>
|
|
</dl>
|
|
</blockquote>
|
|
|
|
<blockquote>This is the free filtering package used by
|
|
<A HREF="http://www.freebsd.org/">FreeBSD</A> and
|
|
its brethren and it is the most popular packet filtering
|
|
package for Solaris and a few other forms of Unix
|
|
(which don't include packet filtering in their standard
|
|
kernels).
|
|
</blockquote>
|
|
<blockquote>Reportedly this has been successfully run under Linux
|
|
as well.
|
|
</blockquote>
|
|
<blockquote>As we move beyond packet filtering we look into proxying
|
|
systems. We can look in at the home site of NEC SOCKS
|
|
at:
|
|
</blockquote>
|
|
|
|
<blockquote><blockquote><code
|
|
><A HREF="http://www.socks.nec.com">http://www.socks.nec.com</A>
|
|
</code></blockquote></blockquote>
|
|
|
|
<blockquote>(Just hit the "Download" link if you want the
|
|
package itself).
|
|
</blockquote>
|
|
<blockquote>On a whim I used their "Search" link and found 844 results
|
|
for "Linux" and 578 results for "Solaris" The numbers are
|
|
interesting though meaningless and I don't have time to
|
|
do an analysis to say whether the disparity is good or bad
|
|
for the Linux community.
|
|
</blockquote>
|
|
<blockquote>We can also look at Thede Lod's "Simple SOCKS Daemon" page
|
|
at:
|
|
</blockquote>
|
|
|
|
<blockquote><blockquote><code
|
|
><A HREF="http://www.leverage.com/users/tlod/ssockd/ssockd.html"
|
|
>http://www.leverage.com/users/tlod/ssockd/ssockd.html</A>
|
|
</code></blockquote></blockquote>
|
|
|
|
<blockquote>
|
|
This seems to be a simplified replacement/alternative
|
|
to the stock SOCKS v4.x server.
|
|
</blockquote>
|
|
<blockquote>It seem that this as only been tested under FreeBSD
|
|
--- so it might require some coding to port it to
|
|
Linux.
|
|
</blockquote>
|
|
|
|
|
|
<strong><p><img src="../gx/dennis/bbub.gif" height="28" width="50"
|
|
alt="(!)" border="0"
|
|
<blockquote>Thanks for time and keep up the good work. Your efforts are
|
|
appreciated.
|
|
</p></strong>
|
|
<strong><p>Peter F. Mastren
|
|
</p></strong>
|
|
<!-- end body -->
|
|
|
|
<!--startcut ======================================================= -->
|
|
<P> <hr> <P>
|
|
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
|
|
>Copyright ©</a> 1998, James T. Dennis <BR>
|
|
Published in <I>Linux Gazette</I> Issue 32 September 1998</H5>
|
|
<P> <hr> <P>
|
|
|
|
<!--::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<table width="98%"><tr valign="center" align="center">
|
|
<td rowspan="3"><A HREF="./lg_answer32.html"><IMG
|
|
SRC="../gx/dennis/answernew.gif"
|
|
ALT="[ Answer Guy Index ]"></A></td>
|
|
<td><A HREF="tag_phreak.html">phreak</A>
|
|
<td><A HREF="tag_abandon.html">abandon</A>
|
|
<td><A HREF="tag_javaterm.html">javaterm</A>
|
|
<td><A HREF="tag_BBS.html">BBS</A>
|
|
<td><A HREF="tag_flaws.html">flaws</A>
|
|
<td><A HREF="tag_doslinux.html">doslinux</A>
|
|
<td><A HREF="tag_resume.html">resume</A>
|
|
|
|
</tr><tr valign="center" align="center">
|
|
<td><A HREF="tag_softwindows.html">softwindows</A>
|
|
<td><A HREF="tag_convert.html">convert</A>
|
|
<td><A HREF="tag_apache.html">apache</A>
|
|
<td><A HREF="tag_emulate.html">emulate</A>
|
|
<td><A HREF="tag_database.html">database</A>
|
|
<td><A HREF="tag_distrib.html">distrib</A>
|
|
<td><A HREF="tag_proxy.html">proxy</A>
|
|
|
|
</tr><tr valign="center" align="center">
|
|
<td><A HREF="tag_disable.html">disable</A>
|
|
<td><A HREF="tag_DVI.html">DVI</A>
|
|
<td><A HREF="tag_superblock.html">superblock</A>
|
|
<td><A HREF="tag_serial.html">serial</A>
|
|
<td><A HREF="tag_permission.html">permission</A>
|
|
<td><A HREF="tag_detach.html">detach</A>
|
|
<td><A HREF="tag_cdr.html">cdr</A>
|
|
|
|
</tr><tr valign="center" align="center">
|
|
<td><A HREF="tag_rs422.html">rs422</A>
|
|
<td><A HREF="tag_modem.html">modem</A>
|
|
<td><A HREF="tag_notfound.html">notfound</A>
|
|
<td><A HREF="tag_tuning.html">tuning</A>
|
|
<td><A HREF="tag_libc5.html">libc5</A>
|
|
<td><A HREF="tag_startup.html">startup</A>
|
|
<td><A HREF="tag_clock.html">clock</A>
|
|
<td><A HREF="tag_ping.html">ping</A>
|
|
|
|
</tr><tr valign="center" align="center">
|
|
<td><A HREF="tag_accounts.html">accounts</A>
|
|
<td><A HREF="tag_lilo.html">lilo</A>
|
|
<td><A HREF="tag_NDS.html">NDS</A>
|
|
<td><A HREF="tag_95slow.html">95slow</A>
|
|
<td><A HREF="tag_nonlinux.html">nonlinux</A>
|
|
<td><A HREF="tag_progenv.html">progenv</A>
|
|
<td><A HREF="tag_cluster.html">cluster</A>
|
|
<td><A HREF="tag_ftpd.html">ftpd</A>
|
|
|
|
</tr></table>
|
|
<P> <hr> <P>
|
|
<!--::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<A HREF="./index.html"><IMG SRC="../gx/indexnew.gif"
|
|
ALT="[ Table Of Contents ]"></A>
|
|
<A HREF="../index.html"><IMG SRC="../gx/homenew.gif"
|
|
ALT="[ Front Page ]"></A>
|
|
<A HREF="lg_bytes32.html"><IMG SRC="../gx/back2.gif"
|
|
ALT="[ Previous Section ]"></A>
|
|
<A HREF="./stemen.html"><IMG SRC="../gx/fwd.gif"
|
|
ALT="[ Next Section ]"></A>
|
|
<!--::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
</body>
|
|
</html>
|
|
<!--endcut ========================================================= -->
|
|
|
|
|