Glass Panes That Separate

transparent barriers to communication


Author: nosilver4u

  • review

    A couple of my cousins posted their Christmas letters on their blogs, so I figured I’d follow suit, sort of. I actually put together a little photo collage that we sent out this year, but in case you didn’t get one (sorry), here it is:

    Christmas Collage 2009

    For more details, you can of course read back through my blog posts for the year. The side project I started, God Impact, is going quite well also. I’ve only missed one day (except for yesterday, when I forgot to hit the publish button).

    We’ve also had a lot of exciting things happening at our church, and there’s a little info over at www.glendiveag.org.

  • work

    Seems a lot of my posts lately have been about stuff I’ve been doing at work. This one is going to follow in that tradition, even if it is Christmas. Maybe I’ll write something about Christmas later too…

    At any rate, my assistant (not a secretary) left last week for greener (maybe bluer is proper here) pastures at Miles Community College. We’ll miss him dearly (I already do, it gets lonely on the IT Island). As such, we’re hiring. If you’re looking for a job working with computers, maybe this will be a Christmas present for you. If you’re interested, go to DCC employment opportunities and send in the required application materials.

  • static, but not

    If you ever wondered if an interface with a DHCP-obtained address can also have static aliases assigned to it, stop wondering. It can. That said, some (probably most) firewall distributions don’t allow setting aliases if your external IP is obtained via DHCP. I’m looking at you, IPCop (UPDATE: no longer developed). I thought maybe my ISP was the only one that did this to provide static IP addresses to its customers, but AT&T also does it, as I’m sure others do too, since I’ve seen a few posts on how to set up such a beast for firewall purposes. Because my beloved IPCop wasn’t up to the task, I ended up using a vanilla install of Ubuntu Server, and I used webmin to set up the firewall using iptables. I detailed that process in the post Wall.

  • direction

    In case you’ve ever wondered how to figure out which type of port your traffic is using (source/destination) for the purposes of setting up iptables (with or without webmin), here’s a little help.

    The truth of the matter is that it varies depending on the type of traffic, but you typically want to set the port as a destination port when you’re doing something like port forwarding. Here’s an example of what’s going on for HTTP traffic: a client computer doesn’t start its connection on port 80; it chooses a random, high-numbered port to open the connection on its side, so the source port could be 10843. The connection is going to port 80 on the server, since that’s what the server is listening on (unless you’re using a non-standard HTTP port), so 80 is your destination port.

    This isn’t true for all types of traffic though, which confused me a bit this last week when setting up my firewall from scratch on an Ubuntu server. For something like NTP, the client actually starts its request on port 123 (source), and ends up at 123 on the NTP server (destination). So for NTP, you could theoretically set a firewall rule that used 123 as the source port instead of the destination port, and it would work, but doing so for port 80 for HTTP traffic will not.

    Regarding the NTP port, I believe this is also why you can’t run the ntpdate command (a one-time synchronization) when the NTP service is running: both the client and server use the same port on both ends of the communication.
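    As an added illustration (not part of the original post), this Python script opens a TCP connection over loopback and reports the port on each side, then models the NTP situation where two programs want the same fixed port on one machine. The listening ports are OS-chosen stand-ins for 80 and 123 (constructed, so the script runs without privileges); nothing here is the post’s own code.

```python
"""Why a forwarding rule keys on the destination port, shown with real sockets."""
import errno
import socket


def http_style_ports():
    """Connect a loopback TCP client to a listening socket and return
    (client_source_port, client_destination_port, server_listen_port).

    Constructed stand-in for HTTP: the listener takes whatever free port the
    OS hands out instead of 80, so this runs without privileges.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    listen_port = srv.getsockname()[1]

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", listen_port))
    conn, _peer = srv.accept()
    src_port = cli.getsockname()[1]  # picked by the kernel from the ephemeral range
    dst_port = cli.getpeername()[1]  # the port the server listens on
    for s in (conn, cli, srv):
        s.close()
    return src_port, dst_port, listen_port


def ntp_style_port_clash():
    """Model the NTP case, where client and server both use a fixed port.

    Bind one UDP socket the way a running ntpd holds 123 (constructed: an
    OS-chosen port stands in for 123), then try to bind a second socket to
    the same port the way a one-off client would. Returns (port, clashed).
    """
    daemon = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    daemon.bind(("127.0.0.1", 0))
    port = daemon.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.bind(("127.0.0.1", port))
        clashed = False
    except OSError as exc:
        clashed = exc.errno == errno.EADDRINUSE
    finally:
        client.close()
        daemon.close()
    return port, clashed


if __name__ == "__main__":
    src, dst, listen = http_style_ports()
    print(f"HTTP-style: client {src} -> server {dst} (listening on {listen})")
    port, clashed = ntp_style_port_clash()
    print(f"NTP-style: second bind to {port} failed: {clashed}")
```

    The client’s source port comes from the kernel’s ephemeral range and changes on every connection, which is why a rule that matched the HTTP source port would never see a client’s request while one matching the destination port always does. The EADDRINUSE in the second function is the same class of failure a one-off client hits when a daemon already holds the shared port.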

  • forwarding

    This is about using webmin to administer a firewall/router on Ubuntu Server 9.10. If you’ve already done everything in Wall, then there are two parts to forwarding any port to a machine behind your router. We are operating under the assumption that eth1 is your external interface, and eth0 is your internal one.

    First, you need to make a rule under the ‘filter’ IPtable in the INPUT section to allow the traffic in, since it isn’t established or related to any current connections.

    The rule should look something like this if you only have one IP address attached to your router’s external interface (see Static, but Not for a little more information on using IP aliases on your external interface):

    Accept if protocol is TCP and input interface is eth1 and destination port is 80

    Then go to the ‘nat’ IPtable, and add a corresponding rule that will look like this in the PREROUTING section:

    Destination NAT if protocol is TCP and input interface is eth1 and destination port is 80

    If you have multiple IP addresses on your external interface, simply add a condition for destination address that contains your external IP (in both the ‘filter’ rule, and the ‘nat’ rule). Destination NAT (or DNAT) rules are a little tricky (at least for me they were), so here’s a bit more guidance on that:

    Action to take = Destination NAT

    Under IPs and ports for DNAT, set IP range to the internal/private address of the machine that should receive the traffic you are forwarding (leave the ‘to’ field blank)

    Destination address = the external IP address being forwarded

    Incoming interface = your external interface (eth1 for me)

    Network protocol in our example was TCP

    Destination TCP or UDP port = 80

    If you have all those set, you can create the rule, and Apply Configuration. Repeat, and rinse. If the whole destination/source port thing confuses you, see Direction.
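    To see what the two webmin rules amount to on the command line, here is an added Python helper (not from the post, and not webmin’s own code) that renders them as iptables commands for a dry run. The interface names follow the post (eth1 external, eth0 internal); the addresses 203.0.113.10 and 192.168.1.10 are constructed. Passing an external address adds the destination-address condition the post describes for an aliased external interface (see Static, but Not). It also emits a FORWARD rule the post’s steps don’t list: once DNAT has rewritten the destination, the packet is routed on to the internal host through FORWARD rather than delivered locally, so a FORWARD chain with a DROP policy needs to accept it too.

```python
"""Render the post's two webmin forwarding rules as iptables commands (dry run)."""
import ipaddress
import shlex
from typing import List, Optional

EXT_IF = "eth1"  # external interface, as in the post
INT_IF = "eth0"  # internal interface, as in the post


def port_forward_rules(proto: str, port: int, internal_ip: str,
                       ext_ip: Optional[str] = None,
                       ext_if: str = EXT_IF, int_if: str = INT_IF) -> List[List[str]]:
    """Return iptables argv lists mirroring the webmin rules.

    ext_ip is the aliased external address to match when the external
    interface carries several IPs (the post's 'destination address'
    condition); leave it None for a single-address interface.
    """
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("--dport is only valid with -p tcp or -p udp")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    ipaddress.IPv4Address(internal_ip)  # fail early on a mistyped address
    if ext_ip is not None:
        ipaddress.IPv4Address(ext_ip)

    # Conditions shared by the filter and nat rules: interface, protocol,
    # optional external address, destination port.
    match = ["-i", ext_if, "-p", proto]
    if ext_ip is not None:
        match += ["-d", ext_ip]
    match += ["--dport", str(port)]

    return [
        # 1. filter/INPUT, as in the post: accept the new (not yet
        #    established or related) connection.
        ["iptables", "-t", "filter", "-A", "INPUT", *match, "-j", "ACCEPT"],
        # 2. nat/PREROUTING, as in the post: DNAT to the internal host
        #    (webmin's 'IP range' with the 'to' field left blank).
        ["iptables", "-t", "nat", "-A", "PREROUTING", *match,
         "-j", "DNAT", "--to-destination", internal_ip],
        # 3. Not among the post's steps: after DNAT the destination is the
        #    internal host, so the packet is routed through FORWARD. Needed
        #    when the FORWARD chain's policy is DROP.
        ["iptables", "-t", "filter", "-A", "FORWARD", "-i", ext_if, "-o", int_if,
         "-p", proto, "-d", internal_ip, "--dport", str(port), "-j", "ACCEPT"],
    ]


def render(rules: List[List[str]]) -> str:
    """One shell-quoted command per line, ready to review before running as root."""
    return "\n".join(shlex.join(rule) for rule in rules)


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.10 as an alias on eth1, 192.168.1.10 behind it.
    print(render(port_forward_rules("tcp", 80, "192.168.1.10", ext_ip="203.0.113.10")))
```

    The helper only prints; review the output and run it as root yourself, and switch the protocol to udp for services like NTP. Because `--dport` is a tcp/udp match, the function refuses other protocols rather than producing a rule iptables would reject.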