andrewbarr Apprentice
Joined: 09 Jul 2004 Posts: 172 Location: Madison County, Ohio
Posted: Mon Oct 25, 2004 12:29 am Post subject: Equivalent of "application gateway" on router
I recently set up a home router/access point/firewall using a Linux box, and now I need to open a port for use with file sharing applications. On the cable/DSL routers I've had before, there was a function called "application gateway" that allowed you to specify a public port and an internal trigger port. I'm not really sure how it worked but my guess is that it detected an internal PC opening up the trigger port and then forwarded the public port there. Is there any way to do this with iptables or other software? I would like to avoid specifying IP addresses in forwarding rules (which is how you do it in the Gentoo Home Router Howto) because there are multiple PCs that will need this port.
edit: clarify subject line.
_________________
"The song I've written for you is so schmultzy it'll make 'Moon River' sound like a farting orangutan." - Homer Simpson
sf_alpha Tux's lil' helper
Joined: 19 Sep 2002 Posts: 136 Location: Bangkok, TH
andrewbarr Apprentice
Joined: 09 Jul 2004 Posts: 172 Location: Madison County, Ohio
Posted: Mon Oct 25, 2004 2:27 pm
Thanks for the link... looks like something I could use. However, it's unclear to me how to write rules to do what I want. I can see from the Layer 7 HOWTO how to mark packets using iptables rules, but I don't know how to then forward the marked packets to the appropriate computer. Preferably the "appropriate computer" could be determined based on who has port X open, where port X is the port configured to be used in the P2P software.
Lajasha Veteran
Joined: 17 Mar 2004 Posts: 1040 Location: Vibe Central
Posted: Mon Oct 25, 2004 2:31 pm
Are you just looking to forward ports? If that is the case then take a look into iptables, as it will allow you to do just that.
_________________
Come and play in my land
andrewbarr Apprentice
Joined: 09 Jul 2004 Posts: 172 Location: Madison County, Ohio
Posted: Mon Oct 25, 2004 3:12 pm
Yes! The problem is I want to forward ports without specifying an IP address, because I want whoever is running the P2P application to get the forwarded port, irrespective of LAN IP address. I'm not sure if it was possible with my old router to run more than one P2P app at a time (on different computers), so I don't want to even try to set up simultaneous access. If it was possible with my craptacular cable/DSL router, I'm certain it's possible with a Linux box. I've just got to figure out what the Linux analog of this "application gateway" feature is.
sf_alpha Tux's lil' helper
Joined: 19 Sep 2002 Posts: 136 Location: Bangkok, TH
Posted: Mon Oct 25, 2004 3:14 pm
Do NAT.
man iptables and look for DNAT, or google to find examples.
Some services don't need Layer 7 (I mean they use a well-known port).
You can match the port and do NAT for IP and port directly. You need to know the port number and whether it's TCP or UDP.
Example: port 3564 to 192.168.55.7
Code:
# DNAT inbound TCP 3564 to 192.168.55.7; "! -s" is the current negation syntax (old iptables wrote "-s !")
iptables -t nat -A PREROUTING -p tcp --dport 3564 ! -s 192.168.55.7 -j DNAT --to-destination 192.168.55.7:3564

Don't forget to set net.ipv4.ip_forward = 1
You may need to use Layer 7 if you want to match and set rules for more than ports, e.g. HTTP URLs.
_________________
Gentoo Mirrors in Thailand (and AP)
http://gentoo.in.th
Lajasha Veteran
Joined: 17 Mar 2004 Posts: 1040 Location: Vibe Central
Posted: Mon Oct 25, 2004 3:46 pm
So you want to forward a port to a changing IP? That is a new one for me and unfortunately I don't have an answer, but would love to hear it if it exists.
andrewbarr Apprentice
Joined: 09 Jul 2004 Posts: 172 Location: Madison County, Ohio
Posted: Mon Oct 25, 2004 5:17 pm
I guess if I only knew what my router was doing I would have an easier time finding a Linux equivalent. Let me be more specific about the situation I have and maybe that'll help:
I want any one of the client computers on my network (which are a mix of Linux (mine) and Windows (everyone else)) to have the ability to get on a P2P network at a given time. Not necessarily simultaneously, because I'm not sure that was possible under the old system. All P2P clients on this network have been configured to use port 6346. The problem I run into is that with DNAT, it is forwarded to a specific IP address, and if someone else wants to use P2P, they're out of luck unless I change the DNAT rule to their internal IP address. It will work, but download performance will be inhibited unless port 6346 is open to outside clients (which is not a Good Thing I know, but necessary at least while the application is running). I use mlDonkey and the Windows clients use Shareaza.
If you haven't picked up from my previous statements, there is not a P2P application running all the time on this network. Only when someone wants to download something, then it is immediately closed or the daemon stopped in the case of mlDonkey.
Hope this clarifies my situation.
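What the thread is circling around is what consumer routers call "port triggering": the fixed DNAT rule sf_alpha posted, but re-pointed at whichever LAN host is currently using the trigger port. The following is an added example, not code from any of the posts above, showing one way to do that on a stock iptables router without Layer 7: read the kernel's connection table, pick the LAN host that has live outbound connections to 6346, and add or move the DNAT plus FORWARD rules accordingly. The WAN interface (eth0), LAN range (192.168.1.0/24), the existence of an ESTABLISHED,RELATED rule in FORWARD, and the conntrack sample at the bottom are all assumptions constructed for the example; only port 6346/tcp comes from the thread.

```python
#!/usr/bin/env python3
"""Minimal "port trigger" controller for a Linux/iptables router.

Added example, not code from the thread. Each pass reads the conntrack table,
finds the LAN host with live outbound connections to the trigger port, and
moves the inbound DNAT for the public port to it, deleting the forward when
nobody is active. Assumed (not from the posts): WAN interface eth0, LAN
192.168.1.0/24, and an existing FORWARD rule accepting ESTABLISHED,RELATED.
"""
import ipaddress
import re
import subprocess
from collections import Counter, namedtuple

WAN_IF = "eth0"                                   # assumed
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed
PROTO = "tcp"
TRIGGER_PORT = 6346   # outbound dport that marks a host as the active P2P host
PUBLIC_PORT = 6346    # inbound port handed to that host

Flow = namedtuple("Flow", "proto state src dst sport dport")

# /proc/net/nf_conntrack layout; only the original-direction tuple is needed.
_CT_RE = re.compile(
    r"^ipv4\s+\d+\s+(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_0-9]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)")

# TCP states in which the host is finished and should give the forward up.
DEAD_STATES = {"FIN_WAIT", "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE"}


def parse_conntrack(text):
    """Original-direction tuple of every entry that matches the layout."""
    flows = []
    for line in text.splitlines():
        m = _CT_RE.match(line)
        if m:
            flows.append(Flow(m["proto"], m["state"], m["src"], m["dst"],
                              int(m["sport"]), int(m["dport"])))
    return flows


def trigger_candidates(flows, lan=LAN_NET, proto=PROTO, port=TRIGGER_PORT):
    """LAN hosts with live outbound flows to the trigger port, busiest first."""
    counts = Counter()
    for f in flows:
        if f.proto != proto or f.dport != port or f.state in DEAD_STATES:
            continue
        if ipaddress.ip_address(f.src) in lan and ipaddress.ip_address(f.dst) not in lan:
            counts[f.src] += 1
    # most flows first; ties broken by address so repeated passes agree
    return [h for h, _ in sorted(counts.items(),
                                 key=lambda kv: (-kv[1], ipaddress.ip_address(kv[0])))]


def forward_rules(target, action):
    """iptables argv lists that add ('-A') or delete ('-D') the forward for target."""
    return [
        ["iptables", "-t", "nat", action, "PREROUTING", "-i", WAN_IF, "-p", PROTO,
         "--dport", str(PUBLIC_PORT), "-j", "DNAT",
         "--to-destination", f"{target}:{PUBLIC_PORT}"],
        # only NEW is opened here; the ESTABLISHED,RELATED rule is assumed to exist
        ["iptables", action, "FORWARD", "-i", WAN_IF, "-p", PROTO, "-d", target,
         "--dport", str(PUBLIC_PORT), "-m", "conntrack", "--ctstate", "NEW",
         "-j", "ACCEPT"],
    ]


def reconcile(conntrack_text, current_target):
    """Return (new_target, commands) that move the forward off current_target.

    new_target is None when no LAN host is on the trigger port; the old
    forward is then deleted so the public port is not left open to nobody.
    """
    cands = trigger_candidates(parse_conntrack(conntrack_text))
    new_target = cands[0] if cands else None
    if new_target == current_target:
        return new_target, []
    cmds = []
    if current_target:
        cmds += forward_rules(current_target, "-D")
    if new_target:
        cmds += forward_rules(new_target, "-A")
    return new_target, cmds


def apply_rules(commands, dry_run=True):
    """Run the commands as root, or (dry run) just return them as shell lines."""
    if not dry_run:
        for c in commands:
            subprocess.run(c, check=True)
    return [" ".join(c) for c in commands]


# Constructed sample, not captured data: .20 has two live Gnutella peers,
# .33 has one closing peer plus ordinary web and DNS traffic.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.9 sport=40112 dport=6346 src=203.0.113.9 dst=198.51.100.7 sport=6346 dport=40112 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.10 sport=40113 dport=6346 src=203.0.113.10 dst=198.51.100.7 sport=6346 dport=40113 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.1.33 dst=203.0.113.11 sport=51123 dport=6346 src=203.0.113.11 dst=198.51.100.7 sport=6346 dport=51123 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.33 dst=203.0.113.80 sport=51124 dport=80 src=203.0.113.80 dst=198.51.100.7 sport=80 dport=51124 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.33 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.33 sport=53 dport=5353 mark=0 use=1
"""

if __name__ == "__main__":
    # A daemon would loop over /proc/net/nf_conntrack every few seconds,
    # carry `target` between passes and call apply_rules(cmds, dry_run=False).
    target, cmds = reconcile(SAMPLE_CONNTRACK, current_target=None)
    print("forward target:", target)
    print("\n".join(apply_rules(cmds)))
```

Two caveats before running something like this for real. First, it is a trust decision about the LAN, not a security control: any host, or any program on a host, that opens an outbound connection to 6346 captures the public port, and a busier host takes it from a quieter one, which is exactly the "one client at a time" behaviour the old router had. Second, deleting with `-D` only works if the controller remembers what it added; a daemon should keep the last target on disk or put its rules in a dedicated chain it can flush, and you can confirm the current state with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v`.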