SourceFiles.org - Use the Source, Luke

mmtcpfwd v0.5
Copyright (C) 2001 Matthew Mondor

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

INSTALLATION

To compile and install it, make sure that the CFLAGS environment variable is set, modify the Makefile so that $SCRIPTDIR points to the proper boot scripts directory, and do:

make clean
make

To uninstall:

make uninstall

This software comes with absolutely no warranty; use it at your own risk. It is also beta software, still in the beta-testing stage.

USAGE

This is a TCP port forwarder utility, useful to run on a firewall to redirect services to internal LAN boxes. It permits limiting connections, for each port, by the following rules: the maximum number of IPs, and the maximum number of connections per IP. It also permits setting how many times an IP with too many connections can be refused before that IP is DENYed using an ipchains command.

There are two types of configuration entries in /etc/mmtcpfwd.conf: one which requires 4 columns and the other 8. The 4-column form is used to start a fake service on a port, such that any connection to it DENYs the IP immediately (note that maximum connections per IP must be set to 0):

# Port Resolve Max/IP MaxIPs
138 1 0 32

This would bind port 138 and listen for connections on it, and DENY any IP connecting to it. Hostnames would be resolved when logged. A maximum of 32 IPs could be processed at once.

The 8-column form is used as:

# Port  Resolve Max/IP MaxIPs MaxRej ToHost      ToPort Transp msTmout
80      0       2      32     1      192.168.1.2 80     1      60000

This would forward HTTP connections arriving at the firewall box to the HTTP server running on the 192.168.1.2 LAN box. It would allow 32 IPs to connect simultaneously, and a maximum of two simultaneous connections per IP. If an IP attempts to connect a third time, that connection would immediately be closed; the fourth time (MaxRej=1) the IP would be DENYed and no longer be able to send any packets to us. If a connection has no activity for 60 seconds it would be closed (msTmout). Hostnames would not be resolved when logged. The internal HTTP LAN server would see the connections arriving with the real clients' IPs instead of from the firewall box (Transp=1). Read on below about transproxy support.

It logs everything to /var/log/auth.log. mmtcpfwd automatically reads its config file from /etc/mmtcpfwd.conf; an alternate configuration file may be supplied on the command line. This "superserver" must be started as root; it then changes its group and user to the wanted uid/gid, as supplied in the configuration file. It starts a root thread with which the non-root threads can communicate through an internal pipe. That root thread can only DENY IPs when asked to by the other threads. It starts one daemon per port it listens to.
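To make the two entry forms and the refusal counting concrete, here is an added example in Python (written for this page, not mmtcpfwd's own code): it parses the two configuration lines shown above and replays the admission decisions described for port 80. Rule, parse_conf and admit are this example's own names; the header shown for the 8-column form actually carries nine whitespace-separated fields, so the parser accepts nine, while the MaxIPs cap and the idle timeout are parsed but not simulated, and DENY is returned as a decision rather than running ipchains.

```python
from dataclasses import dataclass, field
# Constructed sample of /etc/mmtcpfwd.conf: the two entries shown in USAGE.
SAMPLE_CONF = """\
# Port Resolve Max/IP MaxIPs
138 1 0 32
# Port  Resolve Max/IP MaxIPs MaxRej ToHost      ToPort Transp msTmout
80      0       2      32     1      192.168.1.2 80     1      60000
"""
@dataclass
class Rule:
    port: int
    resolve: bool          # resolve hostnames when logging
    max_per_ip: int        # 0 = fake service: any connection DENYs the client
    max_ips: int           # parsed but not enforced by this simulation
    max_rej: int = 0       # refusals tolerated beyond Max/IP before the IP is DENYed
    to_host: str = ""      # forwarding target (forwarding form only)
    to_port: int = 0
    transp: bool = False   # keep the real client IP (transproxy)
    ms_timeout: int = 0    # idle timeout in ms, not simulated here
    active: dict = field(default_factory=dict)   # ip -> open connections (simulation state)
    refused: dict = field(default_factory=dict)  # ip -> refusals so far (simulation state)

def parse_conf(text):
    """Parse config text into Rule objects; '#' starts a comment, blank lines are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        cols = line.split("#", 1)[0].split()
        if not cols:
            continue
        if len(cols) == 4:                       # fake-service form
            port, resolve, mpi, mips = map(int, cols)
            if mpi != 0:
                raise ValueError(f"line {lineno}: 4-column entry needs Max/IP = 0")
            rules.append(Rule(port, bool(resolve), mpi, mips))
        elif len(cols) == 9:                     # forwarding form: the USAGE header has nine fields
            port, resolve, mpi, mips, mrej = map(int, cols[:5])
            rules.append(Rule(port, bool(resolve), mpi, mips, mrej, cols[5],
                              int(cols[6]), bool(int(cols[7])), int(cols[8])))
        else:
            raise ValueError(f"line {lineno}: expected 4 or 9 fields, got {len(cols)}")
    return rules
def admit(rule, ip):
    """Decision for a new connection from ip: FORWARD, CLOSE (refuse) or DENY (ipchains)."""
    if rule.max_per_ip == 0:
        return "DENY"                            # fake service: connecting at all is enough
    if rule.active.get(ip, 0) < rule.max_per_ip:
        rule.active[ip] = rule.active.get(ip, 0) + 1
        return "FORWARD"                         # within Max/IP: relay to ToHost:ToPort
    rule.refused[ip] = rule.refused.get(ip, 0) + 1
    return "DENY" if rule.refused[ip] > rule.max_rej else "CLOSE"
```

With the port 80 entry, four successive connections from one client yield FORWARD, FORWARD, CLOSE, DENY, matching the sequence described above.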

SETTING UP

After installation, modify the /etc/mmtcpfwd.conf file to suit your needs. The script to start/restart it is called mmtcpfwd.sh; place it in your /etc/init.d or /etc/rc.d/init.d/ directory, and add the appropriate symlink in the proper runlevel directory, /etc/rc*.d or /etc/rc.d/rc*.d, to start it (use the runlevel command to find the default one and replace * with it).

eg:
cd /etc/rc2.d
ln -s ../init.d/mmtcpfwd.sh S99mmtcpfwd

TRANSPROXY SUPPORT

The "Transp" column permits forwarding connections while keeping the original clients' IPs. This only works if connections are coming from the outside network (eg: the internet, outside the firewall) and are connecting to the firewall port. IP transparent proxying support MUST be compiled into the kernel for this to work (see the kernel's network options). Useful for NAT setups. Transproxy support was added in the second beta devel version of mmtcpfwd (v0.3b). It hasn't been extensively tested yet. (See CHANGELOG)

CONTACT - BUGREPORTS

Bugfixes/comments: mmondor@linuxguru.net Matthew Mondor

Copyright 2006 Sourcefiles.org All rights reserved.