Red Hat LINUX 7.2 Reference Manual page 154

to access the service. This is particularly useful for systems with multiple network adapters and using
multiple IP addresses, such as machines being used as firewalls, with one network adapter facing the
Internet and the other connected to an internal network. Attackers attempting to connect for a specific
service, such as Telnet or FTP, via the Internet connection may be blocked from connecting to the
service while internal users may connect to the service via the NIC connected to the internal network.
The redirect option, which accepts an IP address or hostname followed by a port number, tells the
service to redirect any requests for this service to the specified location. This feature can be used to
point to another port number on the same system, redirect the request to a different IP address on the
same machine, shift the request to a totally different system and port number, or any combination of
these options. In this way, a user connecting to a certain service on a system may be rerouted to another
system with no disruption.
The xinetd daemon is able to accomplish this redirection by spawning a process that stays alive for
the duration of the connection between the requesting client machine and the host actually providing
the service, transferring data between the two systems.
The real strength of the bind and redirect options can be seen when they are used together. By
binding a service to a particular IP address on a system and then redirecting requests for this service
to a second machine that only the first machine can see, you can use an internal system to provide
services for a totally different network. Alternatively, these options can be used to limit the exposure
of a particular service on a multihomed machine to a known IP address, as well as redirect any requests
for that service to another machine specially configured for that purpose.
For example, consider a system that is used as a firewall with this setting for its FTP service:
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    server_args     = -l -a
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    bind            = 123.123.123.123
    redirect        = 10.0.1.13 21
}
The bind and redirect options in this file will ensure that the FTP service on the machine is bound
to the external IP address (123.123.123.123), the one facing the Internet. In addition, any requests for
FTP service sent to 123.123.123.123 will be redirected via a second network adapter to an internal IP
address (10.0.1.13) that only the firewall and internal systems can access. The firewall will then send
the communication between the two systems, and the connecting system will think it is connected to
123.123.123.123 while it is actually connected to a different machine.
Chapter 9: TCP Wrappers and xinetd
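A defender reviewing an xinetd configuration wants to know which services redirect, where they redirect to, and whether a redirecting service is bound to a single address or left listening on every interface. The following script is an added example and is not part of the Red Hat manual or of xinetd itself; the function names parse_xinetd and audit_redirects are hypothetical, and the configuration text it parses is constructed here (the page's FTP stanza plus a deliberately weaker telnet stanza for contrast). It handles only the subset of xinetd syntax shown on the page (service blocks with =, += and -= attributes), not defaults blocks or include directives.

```python
"""Audit xinetd service stanzas for the bind/redirect pattern.

Added example, not from the Red Hat manual. Only the syntax subset shown on
the page is parsed: 'service NAME { key = value ... }' with '=', '+=' and '-='.
"""
import ipaddress
import re

# Constructed sample input: the firewall FTP stanza from the manual, followed
# by a telnet stanza (made up here) that redirects without binding.
SAMPLE_CONFIG = """
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    server_args     = -l -a
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    bind            = 123.123.123.123
    redirect        = 10.0.1.13 21
}

service telnet
{
    socket_type     = stream
    wait            = no
    user            = root
    redirect        = 203.0.113.7 23
}
"""

# The manual's internal target (10.0.1.13) is RFC 1918 space; a redirect
# target outside these ranges means the host relays traffic somewhere public.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_SERVICE_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
_ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_xinetd(text):
    """Return {service_name: {attribute: [value, ...]}} for each service block."""
    services = {}
    for m in _SERVICE_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        attrs = {}
        for line in body.splitlines():
            am = _ATTR_RE.match(line)
            if not am:  # blank line or something outside the handled subset
                continue
            key, op, value = am.groups()
            values = value.split()
            if op == "=":
                attrs[key] = values
            elif op == "+=":
                attrs.setdefault(key, []).extend(values)
            else:  # '-=' removes the listed values from the attribute
                attrs[key] = [v for v in attrs.get(key, []) if v not in values]
        services[name] = attrs
    return services


def audit_redirects(services):
    """Return (service, finding) tuples for every redirecting service that
    is either unbound or points at a non-RFC1918 target."""
    findings = []
    for name, attrs in services.items():
        redirect = attrs.get("redirect")
        if not redirect:
            continue
        host = redirect[0]
        port = redirect[1] if len(redirect) > 1 else "?"
        # Without bind, xinetd listens on every interface, including the one
        # facing the Internet, and relays whatever arrives there.
        if "bind" not in attrs:
            findings.append((name, "redirect without bind: listens on all interfaces"))
        try:
            target = ipaddress.ip_address(host)
        except ValueError:
            findings.append((name, f"redirect target {host} is a hostname; resolve it before auditing"))
            continue
        if not any(target in net for net in RFC1918):
            findings.append((name, f"redirect target {host}:{port} is not an RFC 1918 address"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_redirects(parse_xinetd(SAMPLE_CONFIG)):
        print(f"{service}: {finding}")
```

Run against the sample, the FTP stanza produces no findings (bound to one address, redirecting to 10.0.1.13), while the telnet stanza is reported twice: once for listening on all interfaces and once for relaying to a non-private target. To audit a real host, read /etc/xinetd.d/* and /etc/xinetd.conf into the text passed to parse_xinetd.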