PORTFW Redirection of Internal requests:
It should be mention that this IPMASQ HOWTO currently does *NOT* provide any explination or examples on how to use the REDIR tool. If you need help setting it up for 2.2.x kernels, send me an email. For those who want to understand why PORTFW cannot redirect traffic for both external and internal interfaces (what the REDIR tool fixes), here is an email from Juanjo that better explains it.
From Juanjo Ciarlante
--
>If I use:
>
> ipmasqadm portfw -a -P tcp -L 1.2.3.4 80 -R 192.168.2.3 80
>
>Everything works great from the outside but internal requests for the same
>1.2.3.4 address fail. Are there chains that will allow a machine on localnet
>192.168.2.0 to accesss www.periapt.com without using a proxy?
Actually not.
I usually setup a ipmasqadm rule for outside, *AND* a port
redirector for inside. This works because ipmasqadm hooks before
redir will get the eventual outside connection, _but_ leaves things
ok if not (stated by APPROPIATE rules).
The actual "conceptual" problem comes from the TRUE client (peer) IP
goal (thanks to masq) being in the same net as target server.
The failing scenario for "local masq" is :
client: 192.168.2.100
masq: 192.168.2.1
serv: 192.168.2.10
1)client->server packet
a) client: 192.168.2.100:1025 -> 192.168.2.1:80 [SYN]
b) (masq): 192.168.2.100:1025 -> 192.168.2.10:80 [SYN]
(and keep 192.168.2.1:61000 192.168.2.100:1025 related)
c) serv: gets masqed packet (1b)
2)server->client packet
a) serv: 192.168.2.10:80 -> 192.168.2.100:1025 [SYN,ACK]
b) client: 192.168.2.100:1025 -> 192.168.2.10:80 [RST]
Now take a moment to compare (1a) with (2a).
You see, the server replied DIRECTLY to client bypassing masq (not
letting masq to UNDO the packet hacking) because it is in SAME net, so
the client resets the connection.
hope I helped.
Warm regards
Juanjo
