1.\" Copyright (c) 1997, 1998, 1999, Thomas Boutell and Boutell.Com, Inc. 2.\" This software is released for free use under the terms of 3.\" the GNU Public License, version 2 or higher. 4.\" 5.Dd February 18, 1999 6.Dt RINETD 8 7.Os LINUX 8.Sh NAME 9.Nm rinetd 10.Nd internet 11.Dq redirection server 12.Sh SYNOPSIS 13.Nm /usr/local/sbin/rinetd 14.Sh VERSION 15Version 0.62, 04/14/2003. 16.Sh DESCRIPTION 17.Nm rinetd 18redirects TCP connections from one IP address and port to another. rinetd 19is a single-process server which handles any number of connections to 20the address/port pairs specified in the file /usr/local/etc/rinetd.conf. 21Since rinetd runs as a single process using nonblocking I/O, it is 22able to redirect a large number of connections without a severe 23impact on the machine. This makes it practical to run TCP services 24on machines inside an IP masquerading firewall. rinetd does not 25redirect FTP, because FTP requires more than one socket. 26.Pp 27rinetd is typically launched at boot time, using the following syntax: 28.Pp 29/usr/local/sbin/rinetd 30.Pp 31The configuration file is found in the file /usr/local/etc/rinetd.conf, unless 32another file is specified using the -c command line option. 33.Sh FORWARDING RULES 34Most entries in the configuration file are forwarding rules. The 35format of a forwarding rule is as follows: 36.Pp 37bindaddress bindport connectaddress connectport 38.Pp 39For example: 40.Pp 41206.125.69.81 80 10.1.1.2 80 42.Pp 43Would redirect all connections to port 80 of the "real" IP address 44206.125.69.81, which could be a virtual interface, through 45rinetd to port 80 of the address 10.1.1.2, which would typically 46be a machine on the inside of a firewall which has no 47direct routing to the outside world. 48.Pp 49Although responding on individual interfaces rather than on all 50interfaces is one of rinetd's primary features, sometimes it is 51preferable to respond on all IP addresses that belong to the server. 52In this situation, the special IP address 0.0.0.0 53can be used. For example: 54.Pp 550.0.0.0 23 10.1.1.2 23 56.Pp 57Would redirect all connections to port 23, for all IP addresses 58assigned to the server. This is the default behavior for most 59other programs. 60.Pp 61Service names can be specified instead of port numbers. On most systems, 62service names are defined in the file /etc/services. 63.Pp 64Both IP addresses and hostnames are accepted for 65bindaddress and connectaddress. 66.Pp 67.Sh ALLOW AND DENY RULES 68Configuration files can also contain allow and deny rules. 69.Pp 70Allow rules which appear before the first forwarding rule are 71applied globally: if at least one global allow rule exists, 72and the address of a new connection does not 73satisfy at least one of the global allow rules, that connection 74is immediately rejected, regardless of any other rules. 75.Pp 76Allow rules which appear after a specific forwarding rule apply 77to that forwarding rule only. If at least one allow rule 78exists for a particular forwarding rule, and the address of a new 79connection does not satisfy at least one of the allow rules 80for that forwarding rule, that connection is immediately 81rejected, regardless of any other rules. 82.Pp 83Deny rules which appear before the first forwarding rule are 84applied globally: if the address of a new connection satisfies 85any of the global allow rules, that connection 86is immediately rejected, regardless of any other rules. 87.Pp 88Deny rules which appear after a specific forwarding rule apply 89to that forwarding rule only. If the address of a new 90connection satisfies any of the deny rules for that forwarding rule, 91that connection is immediately rejected, regardless of any other rules. 92.Pp 93The format of an allow rule is as follows: 94.Pp 95allow pattern 96.Pp 97Patterns can contain the following characters: 0, 1, 2, 3, 4, 5, 986, 7, 8, 9, . (period), ?, and *. The ? wildcard matches any one 99character. The * wildcard matches any number of characters, including 100zero. 101.Pp 102For example: 103.Pp 104allow 206.125.69.* 105.Pp 106This allow rule matches all IP addresses in the 206.125.69 class C domain. 107.Pp 108Host names are NOT permitted in allow and deny rules. The performance 109cost of looking up IP addresses to find their corresponding names 110is prohibitive. Since rinetd is a single process server, all other 111connections would be forced to pause during the address lookup. 112.Pp 113.Sh LOGGING 114rinetd is able to produce a log file in either of two formats: 115tab-delimited and web server-style "common log format." 116.Pp 117By default, rinetd does not produce a log file. To activate logging, add 118the following line to the configuration file: 119.Pp 120logfile log-file-location 121.Pp 122Example: logfile /var/log/rinetd.log 123.Pp 124By default, rinetd logs in a simple tab-delimited format containing 125the following information: 126.Pp 127Date and time 128.Pp 129Client address 130.Pp 131Listening host 132.Pp 133Listening port 134.Pp 135Forwarded-to host 136.Pp 137Forwarded-to port 138.Pp 139Bytes received from client 140.Pp 141Bytes sent to client 142.Pp 143Result message 144.Pp 145To activate web server-style "common log format" logging, 146add the following line to the configuration file: 147.Pp 148logcommon 149.Sh COMMAND LINE OPTIONS 150The -c command line option is used to specify an alternate 151configuration file. 152.Pp 153The -h command line option produces a short help message. 154.Pp 155The -v command line option displays the version number. 156.Sh REINITIALIZING RINETD 157The kill -1 signal (SIGHUP) can be used to cause rinetd 158to reload its configuration file without interrupting existing 159connections. 160Under Linux\(tm the process id is saved in the file \fI/var/run/rinetd.pid\fR 161to facilitate the kill -HUP. An alternate 162filename can be provided by using the <code>pidlogfile</code> 163configuration file option. 164 165.Sh LIMITATIONS 166rinetd redirects TCP connections only. There is 167no support for UDP. rinetd only redirects protocols which 168use a single TCP socket. This rules out FTP. 169.Sh BUGS 170The server redirected to is not able to identify the host the 171client really came from. This cannot be corrected; however, 172the log produced by rinetd provides a way to obtain this 173information. Under Unix, Sockets would theoretically lose data when closed 174with SO_LINGER turned off, but in Linux this is not the case (kernel 175source comments support this belief on my part). On non-Linux Unix platforms, 176alternate code which uses a different trick to work around blocking close() 177is provided, but this code is untested. The logging is inadequate. 178The duration of each connection should be logged. 179.Sh LICENSE 180Copyright (c) 1997, 1998, 1999, Thomas Boutell and Boutell.Com, Inc. 181This software is released for free use under the terms of 182the GNU Public License, version 2 or higher. NO WARRANTY 183IS EXPRESSED OR IMPLIED. USE THIS SOFTWARE AT YOUR OWN RISK. 184.Sh CONTACT INFORMATION 185See http://www.boutell.com/rinetd/ for the latest release. 186Thomas Boutell can be reached by email: boutell@boutell.com 187.Sh THANKS 188Thanks are due to Bill Davidsen, Libor Pechachek, Sascha Ziemann, the 189Apache Group, and many others who have contributed advice 190and/or source code to this and other free software projects. 191