* open port to specific ip address
From: Lohan Spies @ 2003-11-10 9:58 UTC (permalink / raw)
To: netfilter, netfilter-admin
Hi All,
I need to know how I will open a specific port to an external IP mapping!
I need to specify an internal_ip:port on my internal network, and then if
someone connects to internal_ip:port it must redirect them to
external_ip with no cgi scripting and no authentication support!
How will I do this?
Thanks,
Lohan Spies
Systems Administrator CSA / DBA / MCP
IQ Business Group <http://www.iqgroup.net/>
Tel: +27 12 521 7309
Fax: +27 12 541 3441
Cell: +27 83 258 2698
l.spies@petzetakis-africa.co.za
CONFIDENTIALITY CAUTION: If you have received this communication in error, please note that it is intended for the addressee only, is private and confidential and dissemination or copying prohibited. Please notify us immediately by e-mail and return the original message. We cannot assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference. Thank you
* open port to specific ip address
From: Lohan Spies @ 2003-11-10 10:55 UTC (permalink / raw)
To: netfilter
Hi All,
I need to know how I will open a specific port to an external IP mapping!
I need to specify an internal_ip:port on my internal network, and then if
someone connects to internal_ip:port it must redirect them to
external_ip with no cgi scripting and no authentication support!
How will I do this?
Thanks,
Lohan Spies
* Re: open port to specific ip address
From: Antony Stone @ 2003-11-10 11:22 UTC (permalink / raw)
To: netfilter
On Monday 10 November 2003 10:55 am, Lohan Spies wrote:
> Hi All,
>
> I need to know how I will open a specific port to an external IP mapping!
>
> I need to specify an internal_ip:port on my internal network, and then if
> someone connects to internal_ip:port it must redirect them to
> external_ip with no cgi scripting and no authentication support!
>
> How will I do this?
ip addr add dev eth1 internal_ip
iptables -A PREROUTING -t nat -d internal_ip -p tcp --dport port -j DNAT --to external_ip
iptables -A FORWARD -d external_ip -p tcp --dport port -j ACCEPT
I'm assuming TCP here since you didn't specify - if you need UDP instead
simply replace in both lines. Also I've assumed eth1 is your internal
interface - change if needed.
Antony.
--
It's a natural impulse to shape the random events we live through into
coherent narrative, otherwise our lives would feel like experimental theatre
or abstract painting, which would be a complete bloody nightmare.
- Pete McCarthy, The Road to McCarthy
Please reply to the list;
please don't CC me.
* RE: open port to specific ip address
From: Lohan Spies @ 2003-11-10 12:01 UTC (permalink / raw)
To: 'Antony Stone'; +Cc: netfilter
Antony,
I tried this but it is not working! It is TCP.
I want to map (internal) 10.10.10.41 port 15000 to (external)
196.2.147.208 port 80.
And then if anything from ip 196.2.147.208 port 80 comes back it must be
forwarded to 10.10.10.41 port 15000.
And then if I do this mapping will all cgi-scripting and authentication
be disabled?
Thanks,
Lohan
* Re: open port to specific ip address
From: Antony Stone @ 2003-11-10 12:15 UTC (permalink / raw)
To: netfilter
On Monday 10 November 2003 12:01 pm, Lohan Spies wrote:
> Antony,
>
> I tried this but it is not working! It is TCP.
>
> I want to map (internal) 10.10.10.41 port 15000 to (external)
> 196.2.147.208 port 80.
Oh, sorry - you didn't say you wanted to change the port number as well as
the address.
In that case change the DNAT rule to:
iptables -A PREROUTING -t nat -d 10.10.10.41 -p tcp --dport 15000 -j DNAT --to 196.2.147.208:80
> And then if anything from ip 196.2.147.208 port 80 comes back it must be
> forwarded to 10.10.10.41 port 15000.
That will be automatically handled by your connection tracking rules.
> And then if I do this mapping will all cgi-scripting and authentication
> be disabled?
Netfilter has no effect on layer 7 protocols (content). The result will be
exactly the same as if you had connected to 196.2.147.208 port 80, except you
can now get to it on 10.10.10.41 port 15000 as well.
Antony.
--
"I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.
It is NOT portable, and it probably never will support anything other than
AT-harddisks, as that's all I have :-(."
- Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991
Please reply to the list;
please don't CC me.
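The mapping from Antony's two replies, assembled into one script as an added example (this is not code from the thread): it adds the alias address on the internal interface, the DNAT rule for 10.10.10.41:15000 -> 196.2.147.208:80, FORWARD rules that match the post-DNAT address and port, and a POSTROUTING masquerade so that the external host's replies come back to the firewall, where connection tracking reverses both translations. The interface names eth1 (internal) and eth0 (external) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Maps 10.10.10.41:15000 (an alias on
# the firewall's internal interface) to 196.2.147.208:80 for internal
# clients. Interface names are assumptions; adjust them for your firewall.
INT_IF=eth1
EXT_IF=eth0
ALIAS_IP=10.10.10.41
ALIAS_PORT=15000
TARGET_IP=196.2.147.208
TARGET_PORT=80

# Print the commands one per line so they can be reviewed before applying.
# - PREROUTING is restricted to the internal interface, so only internal
#   clients can reach the mapping.
# - FORWARD matches the rewritten destination (196.2.147.208:80), because
#   DNAT has already happened by the time the packet reaches FORWARD.
# - MASQUERADE is needed because the internal client keeps its private
#   source address; without SNAT the external host could not reply.
nat_rules() {
  cat <<EOF
ip addr add $ALIAS_IP/32 dev $INT_IF
iptables -t nat -A PREROUTING -i $INT_IF -d $ALIAS_IP -p tcp --dport $ALIAS_PORT -j DNAT --to-destination $TARGET_IP:$TARGET_PORT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -d $TARGET_IP -p tcp --dport $TARGET_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -s $TARGET_IP -p tcp --sport $TARGET_PORT -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -d $TARGET_IP -p tcp --dport $TARGET_PORT -j MASQUERADE
EOF
}

# Apply the commands (requires root); stop at the first failure.
apply_rules() {
  nat_rules | while read -r cmd; do
    $cmd || exit 1
  done
}

case "${1:-show}" in
  apply) apply_rules ;;
  *) nat_rules ;;
esac
```

Run it without arguments to print the rules, or with `apply` as root to install them; the return traffic from 196.2.147.208:80 needs no extra rule, as Antony says, because conntrack undoes the DNAT and the masquerade on the way back.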
* RE: open port to specific ip address
From: Chris Brenton @ 2003-11-10 13:08 UTC (permalink / raw)
To: Lohan Spies; +Cc: 'Antony Stone', netfilter
On Mon, 2003-11-10 at 07:01, Lohan Spies wrote:
> Antony,
>
> I tried this but it is not working!
I'm not so sure you can actually get this to work.
> It is TCP
>
> I want to map (internal) 10.10.10.41 port 15000 to (external)
> 196.2.147.208 port 80.
> And then if anything from ip 196.2.147.208 port 80 comes back it must be
> forwarded to 10.10.10.41 port 15000.
This second half of the equation is the problem.
The traffic comes in from the Internet to your internal IP. You then
rewrite the destination IP to go back to some other host on the
Internet. The host on the Internet then replies with a SYN/ACK to the
source IP address, which is the original host on the Internet.
Now, unless your internal network lies in the direct path of these two
external systems, the SYN/ACK is going to be sent directly to this
original external host. So this host is going to see a SYN/ACK packet
from some host it never sent a SYN packet to. This of course means the
SYN/ACK will be discarded with a RST.
Would it not be easier to simply change DNS to point to the external
host?
HTH,
C
* Re: open port to specific ip address
From: Antony Stone @ 2003-11-10 13:26 UTC (permalink / raw)
To: netfilter
On Monday 10 November 2003 1:08 pm, Chris Brenton wrote:
> On Mon, 2003-11-10 at 07:01, Lohan Spies wrote:
> > Antony,
> >
> > I tried this but it is not working!
>
> I'm not so sure you can actually get this to work.
>
> > It is TCP
> >
> > I want to map (internal) 10.10.10.41 port 15000 to (external)
> > 196.2.147.208 port 80.
> > And then if anything from ip 196.2.147.208 port 80 comes back it must be
> > forwarded to 10.10.10.41 port 15000.
>
> This second half of the equation is the problem.
>
> The traffic comes in from the Internet to your internal IP.
Come in from the Internet? No, that wouldn't work. You can't route a
packet to 10.10.10.41 across the Internet.
I assumed (maybe wrongly?) that because Lohan specified an internal IP
address, the access was required from the internal network.
> You then
> rewrite the destination IP to go back to some other host on the
> Internet. The host on the Internet then replies with a SYN/ACK to the
> source IP address, which is the original host on the Internet.
Well, so long as the SYN packet arrived in the first place, yes.
I hope this is not an accurate model of what Lohan is trying to do :)
Antony.
--
All matter in the Universe can be placed into one of two categories:
1. things which need to be fixed
2. things which will need to be fixed once you've had a few minutes to play
with them
Please reply to the list;
please don't CC me.
* Re: open port to specific ip address
From: Chris Brenton @ 2003-11-10 14:57 UTC (permalink / raw)
To: netfilter
On Mon, 2003-11-10 at 08:26, Antony Stone wrote:
>
> I assumed (maybe wrongly?) that because Lohan specified an internal IP
> address, the access was required from the internal network.
Obviously Lohan needs to be the one to clarify, but I think you're right.
Going back through the thread, it looks like the access is internal to
internal, with forwarding to an external.
Of course this is still going to give him trouble if 10.10.10.41 is part
of the local subnet. Systems are going to ARP for this IP, not send the
traffic to their default gateway. You might be able to use publish ARP
on the internal interface of the firewall, but that assumes a flat
subnet and starts to get real messy.
Thanks for the clarification,
C
* Re: open port to specific ip address
From: Antony Stone @ 2003-11-10 15:44 UTC (permalink / raw)
To: netfilter
On Monday 10 November 2003 2:57 pm, Chris Brenton wrote:
> On Mon, 2003-11-10 at 08:26, Antony Stone wrote:
> > I assumed (maybe wrongly?) that because Lohan specified an internal IP
> > address, the access was required from the internal network.
>
> Obviously Lohan needs to be the one to clarify, but I think you're right.
> Going back through the thread, it looks like the access is internal to
> internal, with forwarding to an external.
>
> Of course this is still going to give him trouble if 10.10.10.41 is part
> of the local subnet. Systems are going to ARP for this IP, not send the
> traffic to their default gateway.
That's why I included:
ip addr add dev eth1 internal_ip
as part of the original solution I proposed.
> You might be able to use publish ARP on the internal interface of the
> firewall, but that assumes a flat subnet and starts to get real messy.
Huh? What do you mean by a 'flat subnet'? Either the address is on a
local subnet, in which case arp sorts things out with the above ip addr
command, or else it's on the other side of a router, in which case there's no
problem because it gets forwarded anyway.
What's messy about this solution?
Antony.
--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)
Please reply to the list;
please don't CC me.
* RE: open port to specific ip address
From: Lohan Spies @ 2003-11-11 7:41 UTC (permalink / raw)
To: netfilter
Yes, this is exactly what I need. Internal to internal - nat external!
I don't know why the company wants this because if I use my linux squid
proxy address for this everything is fine!
Will speak to the requestor and let you know! Thanks for all the help so
far!