LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue38/tag/24.html

430 lines
16 KiB
HTML
Raw Permalink Blame History

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.1I.e">
<TITLE>The Answer Guy 38: Drop-in Replacement for "WinGate"</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
border="0" align="middle">
<font color="#B03060">The Answer Guy</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
border="0" align="middle">
</A></H1>
<BR>
<H4>By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
Starshine Technical Services,
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H4>
</center>
<p><hr><p>
<!-- endcut ======================================================= -->
<!-- begin 24 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
height="50" width="60" alt="(?) " border="0"
>Drop-in Replacement for "WinGate"</H3>
<p><strong>From Paul A Pick on Mon, 22 Feb 1999
</strong></p>
<!-- ::
Drop-in Replacement for "WinGate"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:: -->
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Hiya,
</STRONG></P>
<P><STRONG>
I have a win95/redhat5.2 dual boot system, which I use as a proxy
server for one win95 client machine (as my system has the net
connection).
</STRONG></P>
<P><STRONG>
Under win95, I use wingate for my proxy software... so my client's
system is setup expecting things to be wingate-like on my
system. The problem comes with the recent addition of redhat5.2. I
want my linux box to be a transparent plug-in replacement for the
win95/wingate config but I haven't really found the proxy software
to do this.
</STRONG></P>
<P><STRONG>
So... my question is: are you aware of proxy software for linux
which can behave like wingate? So far, I've seen squid (monstrous
overkill) for ftp/http and then I have to add 'portfwd' (?) to map
dns/pop and then there was another app for socks (req'd for
telnet). All of this makes me want to run wingate via wine (which
I will try soon, actually). [ Of course, I could just buy another
system to do ipmasq/ipchains...
<IMG SRC="../../gx/dennis/smily.gif" ALT=":-)"
height="24" width="20" align="middle"> ]
Anyway... have I missed an obvious solution?
<IMG SRC="../../gx/dennis/smily.gif" ALT=":-)"
height="24" width="20" align="middle"> Thanks, - Paul
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
I don't know what sort of proxying WinGate does. So
I can't address the issue of a transparent, drop-in
replacement for it.
</BLOCKQUOTE>
<BLOCKQUOTE>
Squid may be "monstrous overkill" for your situation.
However, it will probably provide the key features you
need and it doesn't take appreciably more memory, CPU,
or (non-cache) disk space than any other proxying system.
<A HREF="http://www.apache.org/">Apache</A> can also be
configured to act as a caching proxy web server.
</BLOCKQUOTE>
<BLOCKQUOTE>
You could get the SOCKS RPMs from any
<A HREF="http://www.redhat.com/">Red Hat</A> "contrib"
site/mirror. WinGate probably implements the SOCKS
protocols (which govern how client software traverses
a proxy; how it relays it's service requests through the
proxy). There are also a couple of other SOCKS
compatible proxy server packages for Linux including
DeleGate, and Dante (find them both on Freshmeat
at <A HREF="http://www.freshmeat.net"
>http://www.freshmeat.net</A>).
</BLOCKQUOTE>
<BLOCKQUOTE>
You don't have to add ipportfw or autofw (or tcprelay or
udprelay, or any of its cousins). These are all small
utilities that can listen on a given TCP/UDP port and
relay traffic to another system. They are more
useful to virtual host <EM>servers</EM> on a private net.
</BLOCKQUOTE>
<BLOCKQUOTE>
Consider the following scenario:
</BLOCKQUOTE>
<blockquote><pre>
/^^^^^^^^^^^\ ______
| Internet | ---| fw |------ (Internet LAN)
\___________/ ~~+~~~ 192.168.1.*
|
+--- (servers)
192.168.2.*
</pre></blockquote>
<BLOCKQUOTE>
In this simple diagram we show a gateway/router/firewall
(running Linux). It has three interfaces. One leads to the
Internet. Let's think of that as ppp0 though it doesn't
matter what sort of IP interface we use. Another leads to
our internal LAN (let's call it eth0) and the other leads
to a small segment with one or more <EM>different types</EM> of
servers.
</BLOCKQUOTE>
<BLOCKQUOTE>
We use <tt>192.168.1.*</tt> addresses (one of the RFC1918 "reserved
net" address blocks) on the internal LAN. We use another
RFC1918 on the other (we can use any of the <tt>192.168.x.*</tt>
addresses and we can subnet them in whatever fashion we like).
</BLOCKQUOTE>
<BLOCKQUOTE>
But wait! We can't run an Internet server on an RFC1918
address! No router on the Internet will have valid routes
to any of those addresses. True enough.
</BLOCKQUOTE>
<BLOCKQUOTE>
However, we do have <EM>one</EM> valid, real Internet address
(direct routable IP address or DRIP). We might not want
to run a web server, DNS server, mail relay or other service
on our router (due to security, administrative, or capacity
considerations). So we put ipportfw to relay connections
to our router's web, DNS, or SMTP ports to one or more
machines on the bastion segment. This makes '<tt>fw</tt>' (our
firewall/router) "appear" to be a multi-service host
--- though it is only running a simple set of
port forwarders. (Actually you really wouldn't <EM>need</EM> to
have a third segment --- you could port forward or relay
into hosts on your internal LAN. However, I wouldn't
recommend that --- since any attacker that subverts one
of those servers through the relayed connection can then
attack <EM>all</EM> of your other systems --- rather than
being isolated to one segment).
</BLOCKQUOTE>
<BLOCKQUOTE>
Note: I've never actually done this. However, that's what
the IP, TCP, and UDP port forwarding utilities seem to be
for.
</BLOCKQUOTE>
<BLOCKQUOTE>
However, this doesn't seem to meet your needs. You want
to support the clients on your LAN in their access to
public services out on the net. You don't seem to have
any need to provide services ("virtual" or "relayed" or
whatever) to the 'net.
</BLOCKQUOTE>
<BLOCKQUOTE>
So, you can use proxying. You can run a caching web
server proxy (like Squid and/or Apache or even the old
CERN web server). You can also run a caching name server
on your gateway system. This is handy since your
gateway (<tt>fw</tt>) has routes to your internal LAN and to the
net. So it can reply to DNS request by your internal
clients and make them of the outside world.
</BLOCKQUOTE>
<BLOCKQUOTE>
You can also use IP masquerading (using the ipfwadm command
for your 2.0.x kernels and the newer, snazzier, ipchains
command for 2.2). This is basically an alternative to
proxying. You can think if IP masquerading (a particular
form of "Network Address Translation" or NAT) as a
"transparent, transport layer proxying" method. If you
have a proxy server in place, and all of your client
software supports the proxy (through the SOCKS protocol)
then you don't need NAT/IP masquerading.
</BLOCKQUOTE>
<BLOCKQUOTE>
It's possible to use them together (so your SOCKSified
clients talk to the proxying servers on your system, and
anything else still goes through the NAT system. It's
possible to do this with just one router --- and it's
even useful for some cases. For example, using some
services is difficult and someone unreliable through a
masquerading router.
</BLOCKQUOTE>
<BLOCKQUOTE>
Protocols like FTP pass IP addresses <EM>in band</EM> (as part of
the data/payload of the control connection --- to be used to
establish a series of data connection from the server back
to the client). This is trivial for programs to support at
an applications layer and very difficult to do at the
transport layer (from "under the hood"). It's like
cartography --- making a map by walking around in the forest
takes a lot of work --- doing it from a higher level is much
handier.
</BLOCKQUOTE>
<BLOCKQUOTE>
So, try one of the SOCKS compatible server packages.
If that gives you any trouble try a command like:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><CODE>
ipfwadm -F -a acc -m -S 192.168.0.0/16
</CODE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... one your fw system. This will add (<tt>-a</tt>) a rule
to the forwarding (<tt>-F</tt>) table in the kernel to accept
(acc) for masquerading (<tt>-m</tt>) any packages with a source
address (<tt>-S</tt>) from any of the <tt>192.168.x.*</tt> ranges (to
anywhere).
</BLOCKQUOTE>
<BLOCKQUOTE>
The reason we don't have to be explicit about destinations
and interfaces is because the determination of which packets
are presented to the which packet filtering tables is done
by the kernel's routing table. Teh filtering tables decide
which ones to drop, accept, reject and "re-write"
(masquerade). So that's all given.
</BLOCKQUOTE>
<BLOCKQUOTE>
If we add the following two rules:
</BLOCKQUOTE>
<BLOCKQUOTE><BlockQuote><code>
ipfwadm -F -a acc -m -S 172.16.0.0/12
<br>ipfwadm -F -a acc -m -S 10.0.0.0/8
</code></BlockQuote></BLOCKQUOTE>
<BLOCKQUOTE>
we've configured our system to gleefully masquerade IP
packets from ANY RFC1918 address --- so you can use any
of them for any of your intenal LANs, segments, etc.
</BLOCKQUOTE>
<BLOCKQUOTE>
I personally doubt that WinGate will work properly
under <A HREF="http://www.winehq.com/">WINE</A> ---
and it seems very unlikely that it would
give decent performance or stability.
</BLOCKQUOTE>
<!-- sig -->
<!-- end 24 -->
<hr width="40%">
<!-- begin 27 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
height="50" width="60" alt="(?) " border="0"
>Drop-in Replacement for "WinGate"</H3>
<p><strong>From Paul A Pick on Tue, 23 Feb 1999
</strong></p>
<!-- ::
Drop-in Replacement for "WinGate"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:: -->
<P><STRONG><FONT COLOR="#000099"><EM>
<BR>&gt;[M]y question is: are you aware of proxy software for linux
<BR>&gt;which can behave like wingate?
</EM></FONT></STRONG></P>
<P><STRONG><FONT COLOR="#000066"><EM>
There are also a couple of other SOCKS
compatible proxy server packages for Linux including
DeleGate, and Dante (find them both on Freshmeat
at <A HREF="http://www.freshmeat.net"
>http://www.freshmeat.net</A>).
</EM></FONT></STRONG></P>
<P><STRONG>
There ya go. I had never heard of freshmeat... (sorry guys)
</STRONG></P>
<P><STRONG>
I just downloaded delegate and it looks to be <em>exactly</em> what I
was looking for... it seems to be available only as source
(for linux) but compiled no problem at all. I'll try configuring
it in the next coupla days.
</STRONG></P>
<P><STRONG>
Interestingly, delegate (according to the documentation, at least)
runs under windows as well. This means that I could chuck wingate
(if I wanted to) and have a very consistent interface to my client.
</STRONG></P>
<P><STRONG>
[ illustration of ipportfw snipped ]
</STRONG></P>
<P><STRONG><FONT COLOR="#000066"><EM>
Note: I've never actually done this. However, that's what
the IP, TCP, and UDP port forwarding utilities seem to be
for.
</EM></FONT></STRONG></P>
<P><STRONG>
Yes, but I was trying to twist them to my own ends anyway.
</STRONG></P>
<P><STRONG><FONT COLOR="#000066"><EM>
You can also use IP masquerading (using the ipfwadm command
for your 2.0.x kernels and the newer, snazzier, ipchains
command for 2.2).
</EM></FONT></STRONG></P>
<P><STRONG>
Alas, my win95 interface and my linux interface must be consistent.
</STRONG></P>
<P><STRONG>
I don't want to think about the client system's net access should I
decide to play half-life, for instance.
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
In both cases the clients can point to your server/gateway
as their default route. It just shouldn't be a problem.
</BLOCKQUOTE>
<P><STRONG><FONT COLOR="#000066"><EM><IMG
SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0" >
I personally doubt that WinGate will work properly
under <A HREF="http://www.winehq.com/">WINE</A>
--- and it seems very unlikely that it would
give decent performance or stability.
</EM></FONT></STRONG></P>
<P><STRONG>
I gave it a shot and it didn't fire up at all. It encountered a
fatal error in 'kernel32' or some such. I wasn't too interested
in performance (my load average is generally 0.00) but stability
would be an issue. A 'moot' issue, as it turns out.
<IMG SRC="../../gx/dennis/smily.gif" ALT=":)"
height="24" width="20" align="middle">
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Presumably WinGate is Win32s (or such). WINE only
has very limited and preliminary support for Win32s.
</BLOCKQUOTE>
<BLOCKQUOTE>
I expect that the moment that WINE has reverse
engineered reasonable support for the Win32s APIs
we'll see a new Win32X out of Redmond and a suite
of compilers that generate the new code by default
--- to minimize the compatibility and interoperation.
</BLOCKQUOTE>
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Thanks for the info. Would you like to know how the delegate
configurations go?
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Sure. You could submit an article or review to
the Linux Gazette.
</BLOCKQUOTE>
<!-- sig -->
<!-- end 27 -->
<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright &copy;</a> 1999, James T. Dennis
<BR>Published in <I>The Linux Gazette</I> Issue 38 March 1999</H5>
<P> <hr> <P>
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
<TABLE WIDTH="96%"><TR VALIGN="center" ALIGN="center">
<TD ROWSPAN="3" COLSPAN="4" WIDTH="24%"><A HREF="../lg_answer38.html"
><IMG SRC="../../gx/dennis/answernew.gif"
ALT="[ Answer Guy Index ]"></A></td>
<TD WIDTH="6%"><A HREF="1.html">1</A></TD>
<TD WIDTH="6%"><A HREF="2.html">2</A></TD>
<TD WIDTH="6%"><A HREF="3.html">3</A></TD>
<TD WIDTH="6%"><A HREF="4.html">4</A></TD>
<TD WIDTH="6%"><A HREF="5.html">5</A></TD>
<TD WIDTH="6%"><A HREF="6.html">6</A></TD>
<TD WIDTH="6%"><A HREF="7.html">7</A></TD>
<TD WIDTH="6%"><A HREF="8.html">8</A></TD>
<TD WIDTH="6%"><A HREF="9.html">9</A></TD>
<TD WIDTH="6%"><A HREF="10.html">10</A></TD>
<TD WIDTH="6%"><A HREF="11.html">11</A></TD>
</TR><TR VALIGN="center" ALIGN="center">
<TD><A HREF="12.html">12</A></TD>
<TD>&nbsp;</TD>
<TD><A HREF="14.html">14</A></TD>
<TD>&nbsp;</TD>
<TD><A HREF="16.html">16</A></TD>
<TD><A HREF="17.html">17</A></TD>
<TD><A HREF="18.html">18</A></TD>
<TD><A HREF="19.html">19</A></TD>
<TD>&nbsp;</TD>
<TD><A HREF="21.html">21</A></TD>
<TD><A HREF="22.html">22</A></TD>
</TR><TR VALIGN="center" ALIGN="center">
<TD><A HREF="23.html">23</A></TD>
<TD><A HREF="24.html">24</A></TD>
<TD>&nbsp;</TD>
<TD><A HREF="26.html">26</A></TD>
<TD>&nbsp;</TD>
<TD><A HREF="28.html">28</A></TD>
<TD><A HREF="29.html">29</A></TD>
<TD><A HREF="30.html">30</A></TD>
<TD><A HREF="31.html">31</A></TD>
<TD><A HREF="32.html">32</A></TD>
<TD>&nbsp;</TD>
</TR></TABLE>
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
<P> <hr> <P>
<!-- begin lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<A HREF="../index.html"
><IMG SRC="../../gx/indexnew.gif" ALT="[ Table Of Contents ]"></A>
<A HREF="../../index.html"
><IMG SRC="../../gx/homenew.gif" ALT="[ Front Page ]"></A>
<A HREF="../lg_bytes38.html"
><IMG SRC="../../gx/back2.gif" ALT="[ Previous Section ]"></A>
<A HREF="../lg_tips38.html"
><IMG SRC="../../gx/fwd.gif" ALT="[ Next Section ]"></A>
<!-- end lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->
Reference in New Issue View Git Blame Copy Permalink