Chapter 8. TCP Wrappers and xinetd
8.3.1.4. Binding and Port Redirection
The service configuration files for xinetd also support binding the service to an IP address and redirecting incoming requests for that service to another IP address, hostname, or port.
Binding is controlled with the bind option in the service configuration files and links the service to one IP address on the system. When used, the bind option only allows requests addressed to that IP address to reach the service. Each service can be bound to a different network interface based on your needs. This is particularly useful for systems with multiple network adapters or multiple IP addresses. For instance, you can configure telnet to listen only on the interface connected to a private network and not on the interface connected to the Internet.
The redirect option accepts an IP address or hostname followed by a port number. It tells the service to redirect any requests for this service to the specified host and port number. This feature can be used to point to another port number on the same system, redirect the request to a different IP address on the same machine, shift the request to a totally different system and port number, or any combination of these options. In this way, a user connecting to a certain service on a system may be rerouted to another system with no disruption.
The xinetd daemon is able to accomplish this redirection by spawning a process that stays alive for the duration of the connection between the requesting client machine and the host actually providing the service, transferring data between the two systems.
The real strength of the bind and redirect options can be seen when they are used together. By binding a service to a particular IP address on a system and then redirecting requests for this service to a second machine that only the first machine can see, you can use an internal system to provide services for a totally different network. Alternatively, these options can be used to limit the exposure of a particular service on a multi-homed machine to a known IP address, as well as redirect any requests for that service to another machine specially configured for that purpose.
For example, consider a system that is used as a firewall with this setting for its telnet service:
service telnet
{
    socket_type     = stream
    wait            = no
    server          = /usr/sbin/in.telnetd
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    # Accept connections only on the external (Internet-facing) address.
    bind            = 123.123.123.123
    # Hand each accepted connection to the internal host: one hostname/IP
    # followed by one port (telnet on 10.0.1.13).
    redirect        = 10.0.1.13 23
}
The bind and redirect options in this file ensure that the telnet service on the machine is bound to the external IP address (123.123.123.123), the one facing the Internet. In addition, any requests for the telnet service sent to 123.123.123.123 are redirected via a second network adapter to an internal IP address (10.0.1.13) that only the firewall and internal systems can access. The firewall then relays the communication between the two systems, and the connecting system believes it is connected to 123.123.123.123 when it is actually connected to a different machine.
This feature is particularly useful for users with broadband connections and only one fixed IP address. When using Network Address Translation (NAT), the systems behind the gateway machine, which use internal-only IP addresses, are not reachable from outside the gateway system. However, when certain services controlled by xinetd are configured with the bind and redirect options, the gateway machine can act as a type of proxy between outside systems and a particular internal machine configured to provide the service. In addition, the various xinetd access control and logging options remain available for additional protection, such as limiting the number of simultaneous connections for the redirected service.
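As an added example (not code from the Red Hat guide or from xinetd itself), the following Python script parses xinetd service blocks like the one above and checks that bind and redirect are used as this section describes: a redirect value must be exactly one host followed by one port, a bind value is a single IP address, and a redirect without bind accepts connections on every local address rather than only the intended one. The service definitions it reads are a constructed sample, not a real /etc/xinetd.d file.

```python
import re

# Constructed sample: a correct telnet block and an ftp block with two mistakes.
SAMPLE = """
service telnet
{
    socket_type     = stream
    wait            = no
    server          = /usr/sbin/in.telnetd
    log_on_success  += DURATION USERID
    bind            = 123.123.123.123
    redirect        = 10.0.1.13 23
}
service ftp
{
    socket_type = stream
    wait        = no
    redirect    = 10.0.1.13 21 23   # two ports, and no bind
}
"""

def parse_xinetd(text):
    """Return {service: {attribute: [tokens]}} for every service block."""
    services = {}
    for name, body in re.findall(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()          # drop comments
            m = re.match(r"(\w+)\s*(\+=|-=|=)\s*(.*)", line)
            if not m:
                continue
            key, op, value = m.groups()
            tokens = value.split()
            if op == "+=":                                 # append to list-valued attribute
                attrs[key] = attrs.get(key, []) + tokens
            elif op == "-=":                               # remove from list-valued attribute
                attrs[key] = [t for t in attrs.get(key, []) if t not in tokens]
            else:
                attrs[key] = tokens
        services[name] = attrs
    return services

def audit(services):
    """Flag bind/redirect settings that would not behave as intended."""
    findings = []
    for name, attrs in services.items():
        redirect = attrs.get("redirect")
        if redirect is not None:
            if len(redirect) != 2 or not redirect[1].isdigit() or not 0 < int(redirect[1]) < 65536:
                findings.append((name, "redirect must be exactly 'host port'"))
            if "bind" not in attrs:
                findings.append((name, "redirect without bind listens on every local address"))
        if "bind" in attrs and len(attrs["bind"]) != 1:
            findings.append((name, "bind takes a single IP address"))
    return findings
```

Running audit(parse_xinetd(SAMPLE)) reports nothing for telnet and two findings for ftp; point the parser at the contents of /etc/xinetd.conf and each file under /etc/xinetd.d to review a live system.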