NEED
I have been looking for a way to forward selected ports from my ClearOS box to some servers on the LAN. The port forwarding features in ClearOS are pretty powerful, and best of all they use iptables, which is high performance and runs at kernel level.
However, there is one catch: they require the destination machine to use the ClearOS box as its gateway. This isn't possible in all setups, especially where there are multiple gateways on the network and you want to build forwards from more than one of them.
SOLUTION
After exploring a lot, I came to socat (www.dest-unreach.org/socat/) and, after getting it to work, it's been blazing along in my setup with a small footprint and huge performance.
rinetd vs. socat
I was using rinetd for quite some time, but rinetd suffers from two problems:
1. No support for IPv6 or UDP
2. No multiprocessing support
socat has both covered, and:
1. Runs in user space, so it can drop to an unprivileged user once the port is bound (the su=nobody option below) and may be a bit more secure
2. But it lacks a pre-written daemon script, so you have to write one (shown below)
Mechanism
1. Download the latest socat RPM from any RPM repository. Since you will not get a build for ClearOS, get the latest one built for EL5 that matches your machine architecture (i386/i586/i686/x86_64).
2. Check the package signature (rpm -K socat-*.rpm) and install the RPM.
3. Create the file /etc/socat.conf with something like the following. Every name listed in AUTOSTART must be the suffix of a SOCAT_<name> variable, because the init script below looks up exactly that variable for each name:
| Code: |
# Names in AUTOSTART must match the suffix of a SOCAT_<name> variable below
AUTOSTART="server1_http server1_https server2_http server2_nc"
SOCAT_server1_http="TCP4-LISTEN:80,bind=<Ext1IP>,su=nobody,fork,reuseaddr TCP4:<S1destIP>:80"
SOCAT_server1_https="TCP4-LISTEN:443,bind=<Ext1IP>,su=nobody,fork,reuseaddr TCP4:<S1destIP>:443"
SOCAT_server2_http="TCP4-LISTEN:80,bind=<Ext2IP>,su=nobody,fork,reuseaddr TCP4:<S2destIP>:80"
SOCAT_server2_nc="UDP4-LISTEN:4500,bind=<Ext2IP>,su=nobody,fork,reuseaddr UDP4:<S2destIP>:4500"
|
Needless to say, you can write anything socat accepts as an address pair. The example is for a ClearOS box with two external interfaces forwarding to two different internal servers; roll your own for your needs. Two options are worth keeping in every entry: bind=<ExtIP> ties each listener to one external address so it is not also offered on the LAN side, and su=nobody drops socat's privileges after the privileged port has been bound. Also note one difference from iptables DNAT: because socat terminates the connection on the gateway and opens a new one, the internal server sees every connection as coming from the ClearOS box's own internal address rather than from the real client, so its logs and any IP-based access controls must account for that.
4. Create /etc/rc.d/init.d/socat with the following code:
| Code: |
#!/bin/bash
#
# /etc/rc.d/init.d/socat
#
# Based on the document "How to forward port in user space using socat" at http://www.howforge.com/
#
# chkconfig: 2345 90 10
# description: socat - Multipurpose relay (SOcket CAT)
# processname: socat
# config: /etc/socat.conf

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

DESC="Socat daemon"
PROGNAME=/usr/bin/socat
SOCAT_CONF=/etc/socat.conf
# -d -d: log fatal, error, warning and notice messages; -lf: write them to a file
SOCAT_ARGS="-d -d -lf /var/log/socat.log"

# Read config file
[ ! -f $SOCAT_CONF ] || . $SOCAT_CONF

# Program should be executable
[ -x $PROGNAME ] || exit 0

start() {
    echo -n "Starting $DESC: "
    # If nothing to start, get out
    if [ "$AUTOSTART" = "none" ] || [ -z "$AUTOSTART" ] ; then
        echo "Autostart disabled."
        return 0
    fi
    RETVAL=0
    # Start one socat process for each name in AUTOSTART; the name must
    # match a variable SOCAT_<name> in the config file.
    for FORWARD in $AUTOSTART ; do
        eval "ARGS=\$SOCAT_$FORWARD"
        if [ -z "$ARGS" ] ; then
            echo -n "SOCAT_$FORWARD not defined, skipping; "
            RETVAL=1
            continue
        fi
        # socat does not daemonize itself, so put it in the background.
        # Its own messages go to the log file named in SOCAT_ARGS.
        $PROGNAME $SOCAT_ARGS $ARGS < /dev/null > /dev/null 2>&1 &
        PID=$!
        sleep 1
        # A bad address spec (e.g. port already in use, unknown bind address)
        # makes socat exit at once, so verify the process is still alive.
        if kill -0 $PID 2>/dev/null ; then
            echo -n "$FORWARD "
        else
            echo -n "$FORWARD FAILED (see /var/log/socat.log) "
            RETVAL=1
        fi
    done
    [ $RETVAL -eq 0 ] && success || failure
    echo
    return $RETVAL
}

stop() {
    echo -n "Shutting down $DESC: "
    # killproc matches by program name, so this also stops the forked
    # per-connection children (and any other socat running on the box).
    killproc -d 10 $PROGNAME
    RETVAL=$?
    echo
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status $PROGNAME
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;
esac
exit $?
|
5. Make the init script executable
| Code: |
chmod +x /etc/rc.d/init.d/socat
|
6. Using the Firewall app in the webconfig UI, open the required incoming ports on the external interface(s); if you block outgoing packets, also open the outgoing ports towards the internal servers, since the socat process on the gateway is what connects to them.
7. Register socat with chkconfig so it starts at boot
| Code: |
chkconfig --add socat
|
8. Create the file /etc/logrotate.d/socat with the following. socat opens the log file once at startup, so the service is restarted after rotation; this drops any connections in flight at that moment (rotation frequency is inherited from /etc/logrotate.conf). If that is unacceptable, use copytruncate instead of the postrotate restart and accept that a few log lines may be lost during the copy.
| Code: |
/var/log/socat.log {
    missingok
    notifempty
    delaycompress
    # socat keeps the old file open, so restart it to switch to the new one
    postrotate
        /sbin/service socat restart 2> /dev/null > /dev/null || true
    endscript
}
|
9. Start the socat service
| Code: |
service socat start
|
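The most common way this setup fails silently is a mismatch between the names in AUTOSTART and the SOCAT_<name> variables, or a listener that is missing fork or bind=. The following checker is an added example, not part of the original post or of socat itself: it sources a config file of the layout above in a subshell and reports those mistakes before you restart the service. The sample configs it builds are constructed for the demonstration, with placeholder addresses from the documentation ranges (192.0.2.x, 10.0.0.x) rather than real hosts.

```shell
#!/bin/bash
# check_socat_conf FILE
#   Sanity-check a /etc/socat.conf in the layout used by the init script
#   before (re)starting the service. Reports, one per line:
#     - a name in AUTOSTART with no matching SOCAT_<name> variable
#     - a forward that is not exactly "<listen address> <destination address>"
#     - a listen side without -LISTEN, without fork, or without bind=
#   Returns 0 when the file is clean, 1 otherwise.
check_socat_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # make a bare filename relative so '.' does not search PATH for it
    case "$conf" in */*) ;; *) conf=./$conf ;; esac
    # source in a subshell so the caller's variables are untouched
    (
        AUTOSTART=
        . "$conf"
        rc=0
        if [ -z "$AUTOSTART" ] || [ "$AUTOSTART" = "none" ]; then
            echo "AUTOSTART is empty or 'none': the init script would start nothing"
            exit 1
        fi
        for name in $AUTOSTART; do
            eval "spec=\$SOCAT_$name"
            if [ -z "$spec" ]; then
                echo "AUTOSTART lists '$name' but SOCAT_$name is not set"
                rc=1
                continue
            fi
            # split the value into its two socat addresses
            set -- $spec
            if [ $# -ne 2 ]; then
                echo "SOCAT_$name: expected a listen and a destination address, got $# word(s)"
                rc=1
                continue
            fi
            listen=$1
            case "$listen" in
                *-LISTEN:*) ;;
                *) echo "SOCAT_$name: first address '$listen' is not a *-LISTEN address"; rc=1 ;;
            esac
            case "$listen" in
                *,fork,*|*,fork) ;;
                *) echo "SOCAT_$name: no 'fork', so only the first client would be served"; rc=1 ;;
            esac
            case "$listen" in
                *,bind=*) ;;
                *) echo "SOCAT_$name: no 'bind=', listener would accept on every interface"; rc=1 ;;
            esac
        done
        exit $rc
    )
}

# Constructed sample: consistent names, every AUTOSTART entry has a variable.
# Addresses are placeholders from the documentation ranges, not real hosts.
good_conf() {
    cat <<'EOF'
AUTOSTART="server1_http server2_nc"
SOCAT_server1_http="TCP4-LISTEN:80,bind=192.0.2.1,su=nobody,fork,reuseaddr TCP4:10.0.0.10:80"
SOCAT_server2_nc="UDP4-LISTEN:4500,bind=192.0.2.2,su=nobody,fork,reuseaddr UDP4:10.0.0.20:4500"
EOF
}

# Constructed sample with two mistakes: AUTOSTART names "server1" although the
# variable is SOCAT_server1_http, and the second forward lacks fork.
bad_conf() {
    cat <<'EOF'
AUTOSTART="server1 server2_http"
SOCAT_server1_http="TCP4-LISTEN:80,bind=192.0.2.1,su=nobody,fork,reuseaddr TCP4:10.0.0.10:80"
SOCAT_server2_http="TCP4-LISTEN:80,bind=192.0.2.2,su=nobody,reuseaddr TCP4:10.0.0.20:80"
EOF
}

# run_demo writes both samples to a temporary file and checks each in turn.
run_demo() {
    tmp=$(mktemp) || return 1
    good_conf > "$tmp"
    check_socat_conf "$tmp" && echo "good sample: OK"
    bad_conf > "$tmp"
    check_socat_conf "$tmp" || echo "bad sample: rejected as expected"
    rm -f "$tmp"
}

run_demo
```

On the real box, run it as `check_socat_conf /etc/socat.conf && service socat restart` so a broken entry is caught before the running listeners are torn down. The checker only inspects the file's shape; whether the bind address exists on the machine or the port is free is still reported by socat in /var/log/socat.log at start time.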
Of course, this is to help those who are facing the same situation. And please try it at your own risk in a testbed before going to production.