Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual page 691
43.5.4.3.3. Binding and Redirection Options
The service configuration files for xinetd support binding the service to an IP address and redirecting
incoming requests for that service to another IP address, hostname, or port.
Binding is controlled with the bind option in the service-specific configuration files and links the
service to one IP address on the system. When it is configured, only requests sent to that IP
address are allowed to reach the service. You can use this method to bind different services to
different network interfaces based on requirements.
This is particularly useful for systems with multiple network adapters or with multiple IP addresses.
On such a system, insecure services (for example, Telnet) can be configured to listen only on the
interface connected to a private network and not on the interface connected to the Internet.
The redirect option accepts an IP address or hostname followed by a port number. It configures
the service to redirect any requests for this service to the specified host and port number. This feature
can be used to point to another port number on the same system, redirect the request to a different IP
address on the same machine, shift the request to a totally different system and port number, or any
combination of these options. A user connecting to a certain service on a system may therefore be
rerouted to another system without disruption.
The xinetd daemon is able to accomplish this redirection by spawning a process that stays alive for
the duration of the connection between the requesting client machine and the host actually providing
the service, transferring data between the two systems.
The advantages of the bind and redirect options are most clearly evident when they are used
together. By binding a service to a particular IP address on a system and then redirecting requests for
this service to a second machine that only the first machine can see, an internal system can be used
to provide services for a totally different network. Alternatively, these options can be used to limit the
exposure of a particular service on a multi-homed machine to a known IP address, as well as redirect
any requests for that service to another machine especially configured for that purpose.
For example, consider a system that is used as a firewall with this setting for its Telnet service:
service telnet
{
    socket_type     = stream
    wait            = no
    server          = /usr/kerberos/sbin/telnetd
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    bind            = 123.123.123.123
    redirect        = 10.0.1.13 23
}
The bind and redirect options in this file ensure that the Telnet service on the machine is bound to
the external IP address (123.123.123.123), the one facing the Internet. In addition, any requests for
Telnet service sent to 123.123.123.123 are redirected via a second network adapter to an internal
IP address (10.0.1.13) that only the firewall and internal systems can access. The firewall then
sends the communication between the two systems, and the connecting system thinks it is connected
to 123.123.123.123 when it is actually connected to a different machine.
This feature is particularly useful for users with broadband connections and only one fixed IP address.
When using Network Address Translation (NAT), the systems behind the gateway machine, which
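To audit which addresses xinetd services actually listen on and where they forward connections, the following added example (not part of the Red Hat manual) parses service stanzas in the format shown above, honouring both = and += assignments. The sample input is constructed: it repeats the Telnet stanza from this section and adds a finger stanza with no bind option, which xinetd would otherwise listen on from every interface.

```python
"""Audit xinetd service files for bind/redirect exposure (added example)."""
import re
# Constructed sample: the Telnet stanza from the page plus a finger stanza
# with no bind option (xinetd then listens on every interface).
SAMPLE = """
service telnet
{
    socket_type     = stream
    wait            = no
    server          = /usr/kerberos/sbin/telnetd
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    bind            = 123.123.123.123
    redirect        = 10.0.1.13 23
}
service finger
{
    server          = /usr/sbin/in.fingerd
}
"""
STANZA = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR = re.compile(r"^\s*(\w+)\s*(\+=|=)\s*(.*?)\s*$", re.M)

def parse_xinetd(text):
    """Return {service: {attribute: [values]}}; '=' sets, '+=' appends."""
    services = {}
    for name, body in STANZA.findall(text):
        attrs = {}
        for key, op, value in ATTR.findall(body):
            if op == "=":
                attrs[key] = value.split()
            else:
                attrs.setdefault(key, []).extend(value.split())
        services[name] = attrs
    return services

def exposure_report(text):
    """Map each service to its listening address and redirect target."""
    report = {}
    for name, attrs in parse_xinetd(text).items():
        # 'interface' is xinetd's synonym for 'bind'; no bind means all addresses
        bind = (attrs.get("bind") or attrs.get("interface") or ["0.0.0.0"])[0]
        redirect = attrs.get("redirect")
        report[name] = {
            "bind": bind,
            "redirect": f"{redirect[0]}:{redirect[1]}" if redirect else None,
            "all_interfaces": bind == "0.0.0.0",
        }
    return report
```

Run it over the files in /etc/xinetd.d to spot services that are exposed on every address or that silently forward traffic to another host.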
xinetd Configuration Files
665