Networking Forums

Newbie question. Please advise

 
 
Rob "the nut"
07-17-2004, 08:27 AM

Hi,

At work, the boss decided to try out a Linux firewall. Before I start,
I would like to tell you that I have some basic Linux installs under my
belt. I set up pmfirewall under Mandrake 7.2 a few years ago.


Having said that, I have two questions I need clarification on, please.


Can I port forward a port to multiple internal IP addresses in a
network? Similar to port 80, for instance: if you set up a basic Linux
firewall with NAT enabled, it opens port 80 and forwards all packets to
internal IP addresses. I am trying to open a specific port used by
the popular small VNC, TightVNC. There will be several PCs running
Windows behind a Linux firewall. However, I need to let them all have
access to the same port. In other words, the port will have to be
open to all internal clients and be ready to accept an incoming
connection.


But what if.....

What if, let's say (please bear with me),

you have 1 internal IP address and 3 internal clients. Let's call them
192.168.1.1 / 192.168.1.2 / 192.168.1.3

External IP >>>>>> 192.168.0.1
            >>>>>> 192.168.0.2
            >>>>>> 192.168.0.3

They all listen on the same port.

Should I be able to port forward the same port to all the others in the
internal network, and if the server is running on any of the above IPs,
it should respond?

The final question.

Can I set up an iptables rule to allow the port I need to have open to be
accessible for a certain amount of time, let's say from 9:00 to 12:00 pm?


Please, any info is greatly appreciated. Currently I am downloading
Mandrake and will be doing a basic install + downloading firewall
software.

Thanks, guys.

 
Randy Sparks
07-17-2004, 09:28 AM
> Can I port forward a port to multiple internal IP addresses in a
> network? Similar to port 80, for instance: if you set up a basic Linux
> firewall with NAT enabled, it opens port 80 and forwards all packets to
> internal IP addresses.


This is possible, but it can only forward to one address. Here's why: your
firewall machine will be the public face of your network. It will have a
single IP address given to you by your Internet Service Provider, and all
your internal network's Net traffic will seem to have come from this single
IP address. The machines on your local network will have 192.* addresses,
which are simply local machine addresses. They won't be seen by the
Internet.

So let's say you want to access TightVNC from outside. You'll have to type
the address of the FIREWALL into TightVNC's connection dialogue (or command
line prompt). Your firewall will have to be configured to pass all the data
that arrives on the TightVNC port number through to one machine on the 192.*
network. Why just one machine? Because it's nonsensical to send it to all
of them. So how can you specify WHICH internal network machine the data
should go to?

You're going to have to use port forwarding. This will mean that when you
attempt to connect with TightVNC on your machine at home, you're going to
have to tell it NOT to use its standard port and to use a different arbitrary
port, which you'll have already set up on the firewall. When the firewall
receives data on the arbitrary port, it will forward it through to a different
machine on the internal network. You'll need to set up a different port
forward for each machine for which you want external TightVNC access.

In other words, it'll be like this (let's say the Net address given to you
by your ISP is 123.123.123.123, and let's choose 9400 as our arbitrary port
number):

123.123.123.123:9400 >>forward to>> 192.168.1.1
123.123.123.123:9401 >>forward to>> 192.168.1.2
123.123.123.123:9402 >>forward to>> 192.168.1.3

and so on.

> Can I set up an iptables rule to allow the port I need to have open to be
> accessible for a certain amount of time, let's say from 9:00 to 12:00 pm?


Yes. I strongly advise you to look at BBIagent, a Linux-based floppy
firewall and gateway which appears to do everything you want and is easy to
use.

Randy



 
Rob "the nut"
07-17-2004, 02:43 PM

Thanks for the info!! It's so informative!!

 
Raqueeb Hassan
07-17-2004, 05:27 PM
> Can I set up an iptables rule to allow the port I need to have open to be
> accessible for a certain amount of time, let's say from 9:00 to 12:00 pm?


You can do that in several ways. You can write two firewall scripts,
e.g. rc.firewall1 for closed ports and rc.firewall2 for open ports, and
add them to crontab to execute at specific times. Don't forget to add
flush rules at the beginning of those firewall scripts.

Raqueeb Hassan
Kinshasa (DRC)
 
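The two answers above, Randy's one-external-port-per-PC forwarding table and Raqueeb's cron-driven open/close scripts, combined into a single iptables script as an added example. This is not code from the thread or from any tool named in it (pmfirewall, BBIagent). The external address 123.123.123.123 and the ports 9400-9402 come from Randy's post; the interface names eth0/eth1, the VNC port 5900, the admin source network 203.0.113.0/24 and the script path in the cron lines are assumptions. Raqueeb's two scripts are collapsed into one script with an open/close argument, and a DRY_RUN switch prints the rules instead of loading them so the rule set can be reviewed on any machine.

```shell
#!/bin/sh
# vnc-fw.sh -- added example, not code from the thread.
# open : outbound NAT + distinct external port -> distinct internal VNC host
# close: outbound NAT only, no inbound VNC
# Flushes first on every run, so "close" really removes what "open" added.

WAN_IF=eth0                     # assumed external interface
LAN_IF=eth1                     # assumed internal interface
WAN_IP=123.123.123.123          # ISP address from Randy's example
VNC_PORT=5900                   # assumed: TightVNC display :0
ADMIN_NET=203.0.113.0/24        # assumed: network the remote admins connect from

# external port -> internal PC, one per line (Randy's 9400/9401/9402 table)
FORWARDS="
9400 192.168.1.1
9401 192.168.1.2
9402 192.168.1.3
"

# DRY_RUN=1 prints each iptables command instead of running it, so the rule
# set can be reviewed (or tested) on a machine without root or iptables.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Start from a clean slate (Raqueeb's "flush rules at the beginning").
flush() {
    run -t nat -F PREROUTING
    run -t nat -F POSTROUTING
    run -F FORWARD
    run -P FORWARD DROP
}

# Rules present in both modes: outbound NAT and reply traffic.
base_rules() {
    run -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# One DNAT plus one FORWARD accept per PC. Both are limited to ADMIN_NET:
# RFB (the protocol VNC speaks) has no transport encryption, so the ports
# must not face the whole Internet. The FORWARD rule matches the
# post-DNAT destination, since PREROUTING has already rewritten it.
vnc_forward_rules() {
    echo "$FORWARDS" | while read -r ext_port host; do
        [ -z "$ext_port" ] && continue
        run -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp \
            -s "$ADMIN_NET" --dport "$ext_port" \
            -j DNAT --to-destination "$host:$VNC_PORT"
        run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp \
            -s "$ADMIN_NET" -d "$host" --dport "$VNC_PORT" \
            -m state --state NEW -j ACCEPT
    done
}

apply() {
    case "$1" in
        open)  flush; base_rules; vnc_forward_rules ;;
        close) flush; base_rules ;;
        *)     echo "usage: $0 open|close" >&2; return 2 ;;
    esac
}

# root's crontab, Monday to Friday (the path is an assumption):
#   0 9  * * 1-5 /usr/local/sbin/vnc-fw.sh open
#   0 12 * * 1-5 /usr/local/sbin/vnc-fw.sh close
if [ $# -gt 0 ]; then
    apply "$1"
fi
```

Review the generated rules first with `DRY_RUN=1 ./vnc-fw.sh open`, then install the two cron lines in root's crontab. The source restriction to ADMIN_NET is the part not to skip: a VNC port that is open to every address on the Internet for three hours a day is still a password-guessing target, and the session itself is not encrypted. Newer iptables also ships a `time` match (`-m time --timestart 09:00 --timestop 12:00`) that can replace the cron pair with a single rule; the thread does not mention it, and the cron approach works on any iptables version.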
 
 
 