430 lines
16 KiB
HTML
430 lines
16 KiB
HTML
<!--startcut ======================================================= -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<html>
|
|
<head>
|
|
<META NAME="generator" CONTENT="lgazmail v1.1I.e">
|
|
<TITLE>The Answer Guy 38: Drop-in Replacement for "WinGate"</TITLE>
|
|
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
|
|
LINK="#3366FF" VLINK="#A000A0">
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
|
|
<P> <hr> <P>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<center>
|
|
<H1><A NAME="answer">
|
|
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
|
|
border="0" align="middle">
|
|
<font color="#B03060">The Answer Guy</font>
|
|
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
|
|
border="0" align="middle">
|
|
</A></H1>
|
|
<BR>
|
|
<H4>By James T. Dennis,
|
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
|
|
Starshine Technical Services,
|
|
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
|
|
</H4>
|
|
</center>
|
|
|
|
<p><hr><p>
|
|
<!-- endcut ======================================================= -->
|
|
<!-- begin 24 -->
|
|
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
|
|
height="50" width="60" alt="(?) " border="0"
|
|
>Drop-in Replacement for "WinGate"</H3>
|
|
|
|
|
|
<p><strong>From Paul A Pick on Mon, 22 Feb 1999
|
|
</strong></p>
|
|
<!-- ::
|
|
Drop-in Replacement for "WinGate"
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
:: -->
|
|
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
Hiya,
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
I have a win95/redhat5.2 dual boot system, which I use as a proxy
|
|
server for one win95 client machine (as my system has the net
|
|
connection).
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
Under win95, I use wingate for my proxy software... so my client's
|
|
system is setup expecting things to be wingate-like on my
|
|
system. The problem comes with the recent addition of redhat5.2. I
|
|
want my linux box to be a transparent plug-in replacement for the
|
|
win95/wingate config but I haven't really found the proxy software
|
|
to do this.
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
So... my question is: are you aware of proxy software for linux
|
|
which can behave like wingate? So far, I've seen squid (monstrous
|
|
overkill) for ftp/http and then I have to add 'portfwd' (?) to map
|
|
dns/pop and then there was another app for socks (req'd for
|
|
telnet). All of this makes me want to run wingate via wine (which
|
|
I will try soon, actually). [ Of course, I could just buy another
|
|
system to do ipmasq/ipchains...
|
|
<IMG SRC="../../gx/dennis/smily.gif" ALT=":-)"
|
|
height="24" width="20" align="middle"> ]
|
|
Anyway... have I missed an obvious solution?
|
|
<IMG SRC="../../gx/dennis/smily.gif" ALT=":-)"
|
|
height="24" width="20" align="middle"> Thanks, - Paul
|
|
</STRONG></P>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
I don't know what sort of proxying WinGate does. So
|
|
I can't address the issue of a transparent, drop-in
|
|
replacement for it.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Squid may be "monstrous overkill" for your situation.
|
|
However, it will probably provide the key features you
|
|
need and it doesn't take appreciably more memory, CPU,
|
|
or (non-cache) disk space than any other proxying system.
|
|
<A HREF="http://www.apache.org/">Apache</A> can also be
|
|
configured to act as a caching proxy web server.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
You could get the SOCKS RPMs from any
|
|
<A HREF="http://www.redhat.com/">Red Hat</A> "contrib"
|
|
site/mirror. WinGate probably implements the SOCKS
|
|
protocols (which govern how client software traverses
|
|
a proxy; how it relays it's service requests through the
|
|
proxy). There are also a couple of other SOCKS
|
|
compatible proxy server packages for Linux including
|
|
DeleGate, and Dante (find them both on Freshmeat
|
|
at <A HREF="http://www.freshmeat.net"
|
|
>http://www.freshmeat.net</A>).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
You don't have to add ipportfw or autofw (or tcprelay or
|
|
udprelay, or any of its cousins). These are all small
|
|
utilities that can listen on a given TCP/UDP port and
|
|
relay traffic to another system. They are more
|
|
useful to virtual host <EM>servers</EM> on a private net.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Consider the following scenario:
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><pre>
|
|
/^^^^^^^^^^^\ ______
|
|
| Internet | ---| fw |------ (Internet LAN)
|
|
\___________/ ~~+~~~ 192.168.1.*
|
|
|
|
|
+--- (servers)
|
|
192.168.2.*
|
|
</pre></blockquote>
|
|
<BLOCKQUOTE>
|
|
In this simple diagram we show a gateway/router/firewall
|
|
(running Linux). It has three interfaces. One leads to the
|
|
Internet. Let's think of that as ppp0 though it doesn't
|
|
matter what sort of IP interface we use. Another leads to
|
|
our internal LAN (let's call it eth0) and the other leads
|
|
to a small segment with one or more <EM>different types</EM> of
|
|
servers.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
We use <tt>192.168.1.*</tt> addresses (one of the RFC1918 "reserved
|
|
net" address blocks) on the internal LAN. We use another
|
|
RFC1918 on the other (we can use any of the <tt>192.168.x.*</tt>
|
|
addresses and we can subnet them in whatever fashion we like).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
But wait! We can't run an Internet server on an RFC1918
|
|
address! No router on the Internet will have valid routes
|
|
to any of those addresses. True enough.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
However, we do have <EM>one</EM> valid, real Internet address
|
|
(direct routable IP address or DRIP). We might not want
|
|
to run a web server, DNS server, mail relay or other service
|
|
on our router (due to security, administrative, or capacity
|
|
considerations). So we put ipportfw to relay connections
|
|
to our router's web, DNS, or SMTP ports to one or more
|
|
machines on the bastion segment. This makes '<tt>fw</tt>' (our
|
|
firewall/router) "appear" to be a multi-service host
|
|
--- though it is only running a simple set of
|
|
port forwarders. (Actually you really wouldn't <EM>need</EM> to
|
|
have a third segment --- you could port forward or relay
|
|
into hosts on your internal LAN. However, I wouldn't
|
|
recommend that --- since any attacker that subverts one
|
|
of those servers through the relayed connection can then
|
|
attack <EM>all</EM> of your other systems --- rather than
|
|
being isolated to one segment).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Note: I've never actually done this. However, that's what
|
|
the IP, TCP, and UDP port forwarding utilities seem to be
|
|
for.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
However, this doesn't seem to meet your needs. You want
|
|
to support the clients on your LAN in their access to
|
|
public services out on the net. You don't seem to have
|
|
any need to provide services ("virtual" or "relayed" or
|
|
whatever) to the 'net.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
So, you can use proxying. You can run a caching web
|
|
server proxy (like Squid and/or Apache or even the old
|
|
CERN web server). You can also run a caching name server
|
|
on your gateway system. This is handy since your
|
|
gateway (<tt>fw</tt>) has routes to your internal LAN and to the
|
|
net. So it can reply to DNS request by your internal
|
|
clients and make them of the outside world.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
You can also use IP masquerading (using the ipfwadm command
|
|
for your 2.0.x kernels and the newer, snazzier, ipchains
|
|
command for 2.2). This is basically an alternative to
|
|
proxying. You can think if IP masquerading (a particular
|
|
form of "Network Address Translation" or NAT) as a
|
|
"transparent, transport layer proxying" method. If you
|
|
have a proxy server in place, and all of your client
|
|
software supports the proxy (through the SOCKS protocol)
|
|
then you don't need NAT/IP masquerading.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
It's possible to use them together (so your SOCKSified
|
|
clients talk to the proxying servers on your system, and
|
|
anything else still goes through the NAT system. It's
|
|
possible to do this with just one router --- and it's
|
|
even useful for some cases. For example, using some
|
|
services is difficult and someone unreliable through a
|
|
masquerading router.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Protocols like FTP pass IP addresses <EM>in band</EM> (as part of
|
|
the data/payload of the control connection --- to be used to
|
|
establish a series of data connection from the server back
|
|
to the client). This is trivial for programs to support at
|
|
an applications layer and very difficult to do at the
|
|
transport layer (from "under the hood"). It's like
|
|
cartography --- making a map by walking around in the forest
|
|
takes a lot of work --- doing it from a higher level is much
|
|
handier.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
So, try one of the SOCKS compatible server packages.
|
|
If that gives you any trouble try a command like:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><BLOCKQUOTE><CODE>
|
|
ipfwadm -F -a acc -m -S 192.168.0.0/16
|
|
</CODE></BLOCKQUOTE></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
... one your fw system. This will add (<tt>-a</tt>) a rule
|
|
to the forwarding (<tt>-F</tt>) table in the kernel to accept
|
|
(acc) for masquerading (<tt>-m</tt>) any packages with a source
|
|
address (<tt>-S</tt>) from any of the <tt>192.168.x.*</tt> ranges (to
|
|
anywhere).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The reason we don't have to be explicit about destinations
|
|
and interfaces is because the determination of which packets
|
|
are presented to the which packet filtering tables is done
|
|
by the kernel's routing table. Teh filtering tables decide
|
|
which ones to drop, accept, reject and "re-write"
|
|
(masquerade). So that's all given.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
If we add the following two rules:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><BlockQuote><code>
|
|
ipfwadm -F -a acc -m -S 172.16.0.0/12
|
|
<br>ipfwadm -F -a acc -m -S 10.0.0.0/8
|
|
</code></BlockQuote></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
we've configured our system to gleefully masquerade IP
|
|
packets from ANY RFC1918 address --- so you can use any
|
|
of them for any of your intenal LANs, segments, etc.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
I personally doubt that WinGate will work properly
|
|
under <A HREF="http://www.winehq.com/">WINE</A> ---
|
|
and it seems very unlikely that it would
|
|
give decent performance or stability.
|
|
</BLOCKQUOTE>
|
|
<!-- sig -->
|
|
|
|
<!-- end 24 -->
|
|
|
|
<hr width="40%">
|
|
|
|
<!-- begin 27 -->
|
|
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
|
|
height="50" width="60" alt="(?) " border="0"
|
|
>Drop-in Replacement for "WinGate"</H3>
|
|
|
|
|
|
<p><strong>From Paul A Pick on Tue, 23 Feb 1999
|
|
</strong></p>
|
|
<!-- ::
|
|
Drop-in Replacement for "WinGate"
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
:: -->
|
|
<P><STRONG><FONT COLOR="#000099"><EM>
|
|
<BR>>[M]y question is: are you aware of proxy software for linux
|
|
<BR>>which can behave like wingate?
|
|
</EM></FONT></STRONG></P>
|
|
<P><STRONG><FONT COLOR="#000066"><EM>
|
|
There are also a couple of other SOCKS
|
|
compatible proxy server packages for Linux including
|
|
DeleGate, and Dante (find them both on Freshmeat
|
|
at <A HREF="http://www.freshmeat.net"
|
|
>http://www.freshmeat.net</A>).
|
|
</EM></FONT></STRONG></P>
|
|
<P><STRONG>
|
|
There ya go. I had never heard of freshmeat... (sorry guys)
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
I just downloaded delegate and it looks to be <em>exactly</em> what I
|
|
was looking for... it seems to be available only as source
|
|
(for linux) but compiled no problem at all. I'll try configuring
|
|
it in the next coupla days.
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
Interestingly, delegate (according to the documentation, at least)
|
|
runs under windows as well. This means that I could chuck wingate
|
|
(if I wanted to) and have a very consistent interface to my client.
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
[ illustration of ipportfw snipped ]
|
|
</STRONG></P>
|
|
<P><STRONG><FONT COLOR="#000066"><EM>
|
|
Note: I've never actually done this. However, that's what
|
|
the IP, TCP, and UDP port forwarding utilities seem to be
|
|
for.
|
|
</EM></FONT></STRONG></P>
|
|
<P><STRONG>
|
|
Yes, but I was trying to twist them to my own ends anyway.
|
|
</STRONG></P>
|
|
<P><STRONG><FONT COLOR="#000066"><EM>
|
|
You can also use IP masquerading (using the ipfwadm command
|
|
for your 2.0.x kernels and the newer, snazzier, ipchains
|
|
command for 2.2).
|
|
</EM></FONT></STRONG></P>
|
|
<P><STRONG>
|
|
Alas, my win95 interface and my linux interface must be consistent.
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
I don't want to think about the client system's net access should I
|
|
decide to play half-life, for instance.
|
|
</STRONG></P>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
In both cases the clients can point to your server/gateway
|
|
as their default route. It just shouldn't be a problem.
|
|
</BLOCKQUOTE>
|
|
<P><STRONG><FONT COLOR="#000066"><EM><IMG
|
|
SRC="../../gx/dennis/qbub.gif" ALT="(?)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0" >
|
|
I personally doubt that WinGate will work properly
|
|
under <A HREF="http://www.winehq.com/">WINE</A>
|
|
--- and it seems very unlikely that it would
|
|
give decent performance or stability.
|
|
</EM></FONT></STRONG></P>
|
|
<P><STRONG>
|
|
I gave it a shot and it didn't fire up at all. It encountered a
|
|
fatal error in 'kernel32' or some such. I wasn't too interested
|
|
in performance (my load average is generally 0.00) but stability
|
|
would be an issue. A 'moot' issue, as it turns out.
|
|
<IMG SRC="../../gx/dennis/smily.gif" ALT=":)"
|
|
height="24" width="20" align="middle">
|
|
</STRONG></P>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
Presumably WinGate is Win32s (or such). WINE only
|
|
has very limited and preliminary support for Win32s.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
I expect that the moment that WINE has reverse
|
|
engineered reasonable support for the Win32s APIs
|
|
we'll see a new Win32X out of Redmond and a suite
|
|
of compilers that generate the new code by default
|
|
--- to minimize the compatibility and interoperation.
|
|
</BLOCKQUOTE>
|
|
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
Thanks for the info. Would you like to know how the delegate
|
|
configurations go?
|
|
</STRONG></P>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
Sure. You could submit an article or review to
|
|
the Linux Gazette.
|
|
</BLOCKQUOTE>
|
|
<!-- sig -->
|
|
|
|
<!-- end 27 -->
|
|
|
|
<!--startcut ======================================================= -->
|
|
<P> <hr> <P>
|
|
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
|
|
>Copyright ©</a> 1999, James T. Dennis
|
|
<BR>Published in <I>The Linux Gazette</I> Issue 38 March 1999</H5>
|
|
<P> <hr> <P>
|
|
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<TABLE WIDTH="96%"><TR VALIGN="center" ALIGN="center">
|
|
<TD ROWSPAN="3" COLSPAN="4" WIDTH="24%"><A HREF="../lg_answer38.html"
|
|
><IMG SRC="../../gx/dennis/answernew.gif"
|
|
ALT="[ Answer Guy Index ]"></A></td>
|
|
<TD WIDTH="6%"><A HREF="1.html">1</A></TD>
|
|
<TD WIDTH="6%"><A HREF="2.html">2</A></TD>
|
|
<TD WIDTH="6%"><A HREF="3.html">3</A></TD>
|
|
<TD WIDTH="6%"><A HREF="4.html">4</A></TD>
|
|
<TD WIDTH="6%"><A HREF="5.html">5</A></TD>
|
|
<TD WIDTH="6%"><A HREF="6.html">6</A></TD>
|
|
<TD WIDTH="6%"><A HREF="7.html">7</A></TD>
|
|
<TD WIDTH="6%"><A HREF="8.html">8</A></TD>
|
|
<TD WIDTH="6%"><A HREF="9.html">9</A></TD>
|
|
<TD WIDTH="6%"><A HREF="10.html">10</A></TD>
|
|
<TD WIDTH="6%"><A HREF="11.html">11</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD><A HREF="12.html">12</A></TD>
|
|
<TD> </TD>
|
|
<TD><A HREF="14.html">14</A></TD>
|
|
<TD> </TD>
|
|
<TD><A HREF="16.html">16</A></TD>
|
|
<TD><A HREF="17.html">17</A></TD>
|
|
<TD><A HREF="18.html">18</A></TD>
|
|
<TD><A HREF="19.html">19</A></TD>
|
|
<TD> </TD>
|
|
<TD><A HREF="21.html">21</A></TD>
|
|
<TD><A HREF="22.html">22</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD><A HREF="23.html">23</A></TD>
|
|
<TD><A HREF="24.html">24</A></TD>
|
|
<TD> </TD>
|
|
<TD><A HREF="26.html">26</A></TD>
|
|
<TD> </TD>
|
|
<TD><A HREF="28.html">28</A></TD>
|
|
<TD><A HREF="29.html">29</A></TD>
|
|
<TD><A HREF="30.html">30</A></TD>
|
|
<TD><A HREF="31.html">31</A></TD>
|
|
<TD><A HREF="32.html">32</A></TD>
|
|
<TD> </TD>
|
|
</TR></TABLE>
|
|
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<P> <hr> <P>
|
|
<!-- begin lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<A HREF="../index.html"
|
|
><IMG SRC="../../gx/indexnew.gif" ALT="[ Table Of Contents ]"></A>
|
|
<A HREF="../../index.html"
|
|
><IMG SRC="../../gx/homenew.gif" ALT="[ Front Page ]"></A>
|
|
<A HREF="../lg_bytes38.html"
|
|
><IMG SRC="../../gx/back2.gif" ALT="[ Previous Section ]"></A>
|
|
<A HREF="../lg_tips38.html"
|
|
><IMG SRC="../../gx/fwd.gif" ALT="[ Next Section ]"></A>
|
|
<!-- end lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
</BODY></HTML>
|
|
<!--endcut ========================================================= -->
|