If you have a WWW server, a POP3 server, etc... (say 192.168.0.2) running behind your MASQing Linux box, you can have the MASQ box forward ALL port 80, port 110, etc connections sent to 192.168.0.2 automatically!
With the stock kernel, you CANNOT port forward FTP traffic or many non-NAT-friendly Internet games properly to an internal MASQed host. To do this, you need to apply kernel patches, compile up a new IP_MASQ_FTP kernel module, etc. Though these specific topics are not covered in TrinityOS, they ARE fully covered in the new IP-MASQ-HOWTO that I have written. This new HOWTO is available on the IP MASQ WWW site, and the URL for this site is in Section 5.
NOTE #2: Many people use IPAUTOFW for this function and it does work. But, I have to warn you, I have seen and PROVEN that IPAUTOFW can cause both performance and reliability issues even when compiled IN! Just don't use IPAUTOFW. Use IPPORTFW.
If you are running a 2.2.x kernel, you will need to use the new tool called IPMASQADM. Please see the IP-MASQ-HOWTO found in Section 5 for FULL details.
IPPORTFW for 2.0.x kernels allows direct connections from the Internet to one of your internal privately addressed servers. Linux 2.2.x kernels have this functionality built in.
- First, you might be concerned about the security of PORTFWing, but this is what Steven (the author of IPPORTFW) had to say about that:
"Port Forwarding is only called within masquerading functions so it fits inside the same ipfwadm rules. Masquerading is an extension to IP forwarding. Therefore, ipportfw only sees a packet if it fits both the input and masquerading ipfwadm rule sets."
From this and my IPFWADM rule set in Section 10, you will see that the packet has to pass through your IPFWADM rule sets before being forwarded. Excellent!
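To make Steven's point concrete, here is an added example (written for this edit; it is not TrinityOS's own rc.firewall and not code from the IPPORTFW author): a small sh script that reads an rc.firewall-style rule file and lists every IPPORTFW forward whose external port has no "ipfwadm -I -a accept" rule, because such a forward never sees a packet and is silently dead. The ipfwadm and ipportfw option syntax in the constructed sample file is assumed from the IP-MASQ-HOWTO; check it against the IPPORTFW usage page you saved. The external address 203.0.113.10, interface eth0 and internal host 192.168.0.2 are made-up values.

```shell
#!/bin/sh
# Added example, not part of TrinityOS: check that every IPPORTFW forward in an
# rc.firewall-style script is reachable, i.e. that its external port also has
# an "ipfwadm -I -a accept" rule, because ipportfw only sees packets that have
# already passed the ipfwadm input rule set.
# Assumed syntax: ipportfw -A -t<extip>/<port> -R <host>/<port>
#                 ipfwadm -I -a accept ... -D <extip> <port>

# write_sample_rules FILE: a constructed rc.firewall fragment used as input.
# The SMTP forward (port 25) deliberately has no matching input accept rule.
write_sample_rules() {
    cat > "$1" <<'EOF'
extif=eth0
extip=203.0.113.10
# deny everything inbound by default, then open only the forwarded services
/sbin/ipfwadm -I -p deny
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S 0.0.0.0/0 -D $extip 80
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S 0.0.0.0/0 -D $extip 110
# masquerade the internal LAN
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
# forward WWW, POP3 and SMTP to the internal server
/usr/local/sbin/ipportfw -C
/usr/local/sbin/ipportfw -A -t$extip/80 -R 192.168.0.2/80
/usr/local/sbin/ipportfw -A -t$extip/110 -R 192.168.0.2/110
/usr/local/sbin/ipportfw -A -t$extip/25 -R 192.168.0.2/25
EOF
}

# audit_forwards FILE: print each external port that has an "ipportfw -A"
# forward but no "ipfwadm -I -a accept" rule for that port, one per line.
audit_forwards() {
    awk '
        # forward rule: the external port is the part after "/" in the -t argument
        /ipportfw[[:space:]]+-A/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^-t/) { n = split($i, a, "/"); fwd[a[n]] = 1 }
        }
        # input accept rule: the port is the second word after -D
        /ipfwadm[[:space:]]+-I[[:space:]]+-a[[:space:]]+accept/ {
            for (i = 1; i <= NF; i++)
                if ($i == "-D") ok[$(i + 2)] = 1
        }
        END { for (p in fwd) if (!(p in ok)) print p }
    ' "$1" | sort -n
}

# usage against a real script:  audit_forwards /etc/rc.d/rc.firewall
# demo on the constructed sample:  sh thisscript.sh --demo   (prints 25)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_rules "$tmp"; audit_forwards "$tmp"; rm -f "$tmp"
fi
```

The script only reads the rule file; it never calls ipfwadm or ipportfw itself, so it can be run on any machine where you keep a copy of the firewall script.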
- Anyway, download BOTH of these from the URL in Section 5:
  - the ipportfw.c source file
  - the kernel patch files for 2.0.36
Put this code into the /usr/src directory. I also recommend that you go to Steven's WWW page and copy the "usage" page into a text file on the Linux box for future use (there isn't a man page for IPPORTFW).
- Ok, FTP the latest stable kernel (URL in Section 5) to /usr/src/
Update: It should be noted that there is some controversy about putting the Linux kernel sources in /usr/src. Please see http://kt.linuxcare.com/kernel-traffic/kt20000814_80.epl#4 for full details. So, though Linus recommends NOT using /usr/src/linux for new kernels, many programs, patches, etc. assume that the newest kernel sources are in there. Personally, I haven't had any issue with putting the sources in /usr/src/linux, but I now use /usr/src/kernel/linux instead.
- Uncompress it ( tar -xzvf linux-2.0.36.tar.gz )
- For usability, rename the newly created "linux" directory to the proper kernel version and then just create a symbolic link to re-create the "linux" directory. e.g.
mv linux linux-2.0.36
ln -s linux-2.0.36 linux
- Copy the IPPORTFW patch into the Linux directory
cp /usr/src/subs-patch-1.37.gz /usr/src/kernel/linux
- Now, you need to patch the kernel for IPPORTFW to become a compilable option:
cd /usr/src/kernel/linux
zcat subs-patch-1.3x.gz | patch -p1
- That's it for the kernel for now. Now, compile the IPPORTFW program
cd /usr/src
gcc ipportfw.c -o ipportfw
- Finally, install it
mv ipportfw /usr/local/sbin
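The unpack, rename, symlink and patch steps above, collected into one sh function as an added example (written for this edit; it is not a TrinityOS script and not part of the IPPORTFW distribution). It adds the checks you would want when doing this by hand: it refuses to clobber an existing linux-VERSION tree, replaces only an old "linux" symlink (never a real directory), and dry-runs the patch before applying it so a patch that does not fit the tree never leaves it half-applied. It assumes GNU tar and GNU patch (for --dry-run); the source root, tarball, version and patch file are all parameters, and the paths in the usage comment are just the ones the text uses.

```shell
#!/bin/sh
# Added example (not TrinityOS's own script): unpack a kernel tarball, name
# the tree after its version, point the "linux" symlink at it and apply the
# gzipped IPPORTFW patch with -p1, dry-running the patch first.
# Assumes GNU tar and GNU patch.

# prepare_kernel_tree SRCROOT TARBALL VERSION PATCHGZ
#   SRCROOT  directory holding the sources, e.g. /usr/src/kernel
#   TARBALL  absolute path to linux-VERSION.tar.gz (unpacks to a "linux" dir)
#   VERSION  e.g. 2.0.36
#   PATCHGZ  absolute path to the gzipped IPPORTFW patch (subs-patch-1.3x.gz)
# Returns non-zero, without touching an existing tree, on any problem.
prepare_kernel_tree() {
    (
        set -e
        srcroot=$1 tarball=$2 version=$3 patchgz=$4
        mkdir -p "$srcroot"
        cd "$srcroot"
        if [ -e "linux-$version" ]; then
            echo "linux-$version already exists, not touching it" >&2
            exit 1
        fi
        # an old "linux" symlink from a previous kernel is fine to replace,
        # a real "linux" directory is not (tar would unpack on top of it)
        if [ -L linux ]; then rm linux; fi
        if [ -e linux ]; then
            echo "a real linux directory is in the way, rename it first" >&2
            exit 1
        fi
        tar -xzf "$tarball"              # creates ./linux
        mv linux "linux-$version"        # real version in the directory name
        ln -s "linux-$version" linux     # and "linux" is just a symlink to it
        cp "$patchgz" "linux-$version"/
        cd "linux-$version"
        pf=$(basename "$patchgz")
        # dry run first: a partial apply would leave a half-patched tree
        if ! zcat "$pf" | patch -p1 -s --dry-run; then
            echo "$pf does not apply cleanly to $version, tree left unpatched" >&2
            exit 1
        fi
        zcat "$pf" | patch -p1 -s
    )
}

# usage (the same steps the text does by hand):
#   prepare_kernel_tree /usr/src/kernel /usr/src/linux-2.0.36.tar.gz 2.0.36 /usr/src/subs-patch-1.37.gz
```

After it returns successfully, /usr/src/kernel/linux is a symlink to the patched linux-2.0.36 tree and you can carry on with the kernel configuration; the patch file is left inside the tree, as in the manual steps.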
- If you have additional questions, please see the IP-MASQ-HOWTO found in Section 5 for FULL details.