* Ip handling
From: mick @ 2003-06-18 16:53 UTC (permalink / raw)
To: netfilter
I have a dilemma and I'm not sure how to handle it.
I run a login server on port 5999 that does authentication based on IP
address. So when someone with a dynamic internet connection tries to
log in with a different IP than the registered one, the login server
rejects them.
I am not good enough with iptables to know if it is possible or not, but
is there some way to make it so all connections to that port (5999)
appear to come from my local network, 192.168.0?
The other method I thought about was running my authentication/login
server on another machine behind the firewall, but I think I would have
to make all packets coming from the internet to that port appear to
come from the local network prior to forwarding them to the other
server. I am unsure how to accomplish either of these.
The authentication server is a binary that is not Linux/Unix native, so
at this time I cannot recode it and remove the IP matching function.
Any help with this problem is greatly appreciated.
Mick
Does anyone know of a way to make, say, all connections from the outside
going to my outside IP address appear to be coming from my local LAN of
192.168.0.1?
* RE: Ip handling
From: Paul Albert @ 2003-06-18 17:09 UTC (permalink / raw)
To: mick, netfilter
It looks like you would like to do source NAT on the incoming packets.
There is a good tutorial online:
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html
Paul
* RE: Ip handling
From: Daniel Chemko @ 2003-06-18 17:37 UTC (permalink / raw)
To: mick, netfilter
If you can connect from your local machine to your program, can you add:
iptables -t nat -A PREROUTING -j DNAT -d <external_ip> -p tcp --dport
5999 --to-destination <firewall_internal_ip>
iptables -t nat -A POSTROUTING -j SNAT -d <firewall_internal_ip> -p tcp --dport
5999 --to-source <firewall_internal_ip>
Although, I am not 100% sure that the firewall will reach prerouting if
it is internally redirected to lo...
Barring that, you may need to set up a raw proxy process that just
forwards the packets from port abc to 5999. In that case, you would have
a program listening on a predefined port; let's assume the port is 5998
for this example.
To wire iptables to the proxy program:
iptables -t nat -A PREROUTING -j DNAT -d <external_ip> -p tcp --dport
5999 --to-destination <external_ip>:5998
myproxyprogram --lhost <external_ip> --lport 5998 --dhost <external_ip>
--dport 5999
Of course this and all strategies will blow up if this authentication
daemon sends IP/port numbers as a check on the integrity of the
connection... I hate those programs!!!
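The raw proxy process Daniel describes, as an added example in Python that is not code from the thread or from any poster: it listens on one port, opens its own connection to the login daemon on another, and relays bytes both ways, so the daemon only ever sees the proxy's address as the peer (loopback here; the firewall's internal address in Mick's setup). Because that hides the real client from the daemon, the proxy records the original client address itself before relaying. The ports, the stand-in daemon and the addresses are constructed for the demonstration.

```python
import socket
import threading
from contextlib import suppress


def _serve(host, port, handler):
    """Bind a listener (port 0 = ephemeral), run handler(conn, addr) for each
    accepted connection in its own thread, and return the bound port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((host, port))
    lsock.listen(16)

    def accept_loop():
        with suppress(OSError):  # ends when the listener is closed
            while True:
                conn, addr = lsock.accept()
                threading.Thread(target=handler, args=(conn, addr), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def start_proxy(lhost, lport, dhost, dport, audit_log):
    """Listen on lhost:lport and splice each client onto a fresh connection
    to the daemon at dhost:dport. The daemon only sees the proxy's address,
    so the real client address is written to audit_log before relaying."""
    def relay(client, addr):
        upstream = socket.create_connection((dhost, dport))
        audit_log.append((addr[0], addr[1], upstream.getsockname()[0]))
        pumps = [threading.Thread(target=_pump, args=pair, daemon=True)
                 for pair in ((client, upstream), (upstream, client))]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        client.close()
        upstream.close()
    return _serve(lhost, lport, relay)


def start_fake_daemon(host, seen_peers):
    """Constructed stand-in for the IP-checking login daemon: records the peer
    address it would check and echoes the request back prefixed with OK."""
    def handle(conn, addr):
        seen_peers.append(addr[0])
        conn.sendall(b"OK " + conn.recv(4096))
        conn.close()
    return _serve(host, 0, handle)


def demo(host="127.0.0.1"):
    """Run daemon and proxy on loopback and push one login line through."""
    seen_peers, audit_log = [], []
    dport = start_fake_daemon(host, seen_peers)
    pport = start_proxy(host, 0, host, dport, audit_log)
    with socket.create_connection((host, pport)) as c:
        c.sendall(b"LOGIN mick\n")
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    return reply, seen_peers, audit_log
```

demo() returns the daemon's reply, the peer address the daemon saw, and the proxy's audit entries (client IP, client port, proxy source IP); in Mick's setup the audit log is the only place the real client address survives.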
* Re: Ip handling
From: Pascal Italiaander @ 2003-06-18 23:51 UTC (permalink / raw)
To: netfilter
You wrote:
> Does anyone know of a way to make, say, all connections from the outside
> going to my outside IP address appear to be coming from my local LAN of
> 192.168.0.1?
Did you know that this is spoofing?
So you want to allow spoofing? Bad idea.
To approach your problem, I would rather match on MAC address.
example:
iptables -I INPUT -p all -m mac --mac-source 10:20:30:40:05:06 -m \
state state NEW -j ACCEPT
iptables -I OUTPUT -p all -m state ESTABLISHED,RELATED -j ACCEPT
have fun
Pascal
* Re: Ip handling
From: Pascal Italiaander @ 2003-06-19 0:01 UTC (permalink / raw)
To: netfilter
On Thursday 19 June 2003 01:51, Pascal Italiaander wrote:
> You wrote:
> > Does anyone know of a way to make, say, all connections from the outside
> > going to my outside IP address appear to be coming from my local LAN of
> > 192.168.0.1?
>
> Did you know that this is spoofing?
>
> So you want to allow spoofing? Bad idea.
>
> To approach your problem, I would rather match on MAC address.
>
> example:
>
> iptables -I INPUT -p all -m mac --mac-source 10:20:30:40:05:06 -m \
> state state NEW -j ACCEPT
> iptables -I OUTPUT -p all -m state ESTABLISHED,RELATED -j ACCEPT
>
> have fun
>
> Pascal
small errors were in it, fixed:
iptables -I INPUT -p all -m mac --mac-source 10:20:30:40:05:06 -m \
state --state NEW -j ACCEPT
iptables -I OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
Pascal
* Re: Ip handling
From: Ramin Dousti @ 2003-06-19 3:31 UTC (permalink / raw)
To: netfilter
> Does anyone know of a way to make, say, all connections from the outside
> going to my outside IP address appear to be coming from my local LAN of
> 192.168.0.1?
Just out of curiosity: what is the application of such a setup?
Ramin
* Re: Ip handling
From: Ramin Dousti @ 2003-06-19 4:02 UTC (permalink / raw)
To: Pascal Italiaander; +Cc: netfilter
On Thu, Jun 19, 2003 at 02:01:21AM +0200, Pascal Italiaander wrote:
> small errors were in it, fixed:
>
> iptables -I INPUT -p all -m mac --mac-source 10:20:30:40:05:06 -m \
> state --state NEW -j ACCEPT
> iptables -I OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
Just a performance note. Since a high percentage of the packets are
ESTABLISHED,RELATED it is recommended to have this rule at the
beginning of the rule set prior to any other rule and also "-p all"
is redundant...
Ramin
> Pascal
* Re: Ip handling
From: Pascal Italiaander @ 2003-06-19 8:00 UTC (permalink / raw)
To: netfilter
On Thursday 19 June 2003 05:31, Ramin Dousti wrote:
> > Does anyone know of a way to make, say, all connections from the outside
> > going to my outside IP address appear to be coming from my local LAN of
> > 192.168.0.1?
>
> Just out of curiosity: what is the application of such a setup?
>
> Ramin
No official application exists.
I will not explain to you how to set up a spoofed connection; that's out of order.
This mailing list is meant to keep "hackers" out of the door, not how to gain
access to others.
But if you want to know more about these issues, look for the subject
"exploits".
Pascal
* Re: Ip handling
From: Pascal Italiaander @ 2003-06-19 8:08 UTC (permalink / raw)
To: netfilter
On Thursday 19 June 2003 06:02, Ramin Dousti wrote:
> On Thu, Jun 19, 2003 at 02:01:21AM +0200, Pascal Italiaander wrote:
> > small errors were in it, fixed:
> >
> > iptables -I INPUT -p all -m mac --mac-source 10:20:30:40:05:06 -m \
> > state --state NEW -j ACCEPT
> > iptables -I OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Just a performance note. Since a high percentage of the packets are
> ESTABLISHED,RELATED it is recommended to have this rule at the
> beginning of the rule set prior to any other rule and also "-p all"
> is redundant...
>
> Ramin
>
> > Pascal
Huhum..., did you notice the -I (insert) rule?
The -I rule means that the rule is placed at the beginning of the chain. :-)
Pascal
* Re: Ip handling
From: Pascal Italiaander @ 2003-06-19 8:18 UTC (permalink / raw)
To: netfilter
On Thursday 19 June 2003 05:31, Ramin Dousti wrote:
> > Does anyone know of a way to make, say, all connections from the outside
> > going to my outside IP address appear to be coming from my local LAN of
> > 192.168.0.1?
>
> Just out of curiosity: what is the application of such a setup?
>
> Ramin
Find it out yourself; it's not even appropriate to ask such a thing.
Since this is a netfilter mailing list, not a hackers' chat page.
But nice try.
Pascal
* Re: Ip handling
From: Julian Gomez @ 2003-06-19 13:02 UTC (permalink / raw)
To: netfilter
On Thu, Jun 19, 2003 at 10:18:02AM +0200, Pascal Italiaander spoke thusly:
>On Thursday 19 June 2003 05:31, Ramin Dousti wrote:
>> > Does anyone know of a way to make, say, all connections from the outside
>> > going to my outside IP address appear to be coming from my local LAN of
>> > 192.168.0.1?
>>
>> Just out of curiosity: what is the application of such a setup?
>>
>> Ramin
>
>Find it out yourself; it's not even appropriate to ask such a thing.
>
>Since this is a netfilter mailing list, not a hackers' chat page.
>
>But nice try.
I've seen Ramin post to this list for a long time already, though he's been
quiet for the past 6-8 months at least, I think :-) So, if by the above you
are sorta implying he's some sort of script kiddie, you've probably got the
wrong person targeted.
A number of times, knowing the problem in full can lead to better ways of
handling the problem, with better tools - rather than a kludged solution.
Oh,.. before I forget, a number of his posts have been nothing short of
extremely informative -- so the hostile behaviour is not really required.
--
USG && George Bush : Rot in hell.
* Re: Ip handling
From: Ramin Dousti @ 2003-06-19 13:30 UTC (permalink / raw)
To: Pascal Italiaander; +Cc: netfilter
On Thu, Jun 19, 2003 at 10:08:54AM +0200, Pascal Italiaander wrote:
> On Thursday 19 June 2003 06:02, Ramin Dousti wrote:
> > On Thu, Jun 19, 2003 at 02:01:21AM +0200, Pascal Italiaander wrote:
> > > small errors were in it, fixed:
> > >
> > > iptables -I INPUT -p all -m mac --mac-source 10:20:30:40:05:06 -m \
> > > state --state NEW -j ACCEPT
> > > iptables -I OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > Just a performance note. Since a high percentage of the packets are
> > ESTABLISHED,RELATED it is recommended to have this rule at the
> > beginning of the rule set prior to any other rule and also "-p all"
> > is redundant...
> >
> > Ramin
> >
> > > Pascal
>
>
> Huhum..., did you notice the -I (insert) rule?
>
> The -I rule means that the rule is placed at the beginning of the chain. :-)
Yes, sorry. I'm used to -A... which gives you a chronological order of
the rule setup. With -I you have to read the rules in the reverse order ;-)
Ramin
* Re: Ip handling
On Thu, Jun 19, 2003 at 10:00:20AM +0200, Pascal Italiaander wrote:
> On Thursday 19 June 2003 05:31, Ramin Dousti wrote:
> > > Does anyone know of a way to make, say, all connections from the outside
> > > going to my outside IP address appear to be coming from my local LAN of
> > > 192.168.0.1?
> >
> > Just out of curiosity: what is the application of such a setup?
> >
> > Ramin
>
> No official application exists.
>
> I will not explain to you how to set up a spoofed connection; that's out of order.
> This mailing list is meant to keep "hackers" out of the door, not how to gain
> access to others.
Well, the best way of securing a network is to know exactly how it
can be made insecure...
Ramin
>
> But if you want to know more about these issues look for the subject
> "exploits".
>
> Pascal
* Re: Ip handling
From: Ramin Dousti @ 2003-06-19 13:59 UTC (permalink / raw)
To: netfilter
Thanks, Julian, for the compliment.
Now back to Mr arrogant: what the original poster was asking was
how to "spoof" back to his own network, which sounded illogical;
hence my question. Although, George Vieira sent a very nice
application for this in a private email to me. Now, as a general
rule, you either know the answer to a question (even a wrong one
will be tolerated) or just shut up.
Ramin
On Thu, Jun 19, 2003 at 09:02:21PM +0800, Julian Gomez wrote:
> >> > Does anyone know of a way to make, say, all connections from the outside
> >> > going to my outside IP address appear to be coming from my local LAN of
> >> > 192.168.0.1?
> >>
> >> Just out of curiosity: what is the application of such a setup?
> >>
> >> Ramin
> >
> >Find it out yourself; it's not even appropriate to ask such a thing.
> >
> >Since this is a netfilter mailing list, not a hackers' chat page.
> >
> >But nice try.
>
> I've seen Ramin post to this list for a long time already, though he's been
> quiet for the past 6-8 months at least, I think :-) So, if by the above you
> are sorta implying he's some sort of script kiddie, you've probably got the
> wrong person targeted.
>
> A number of times, knowing the problem in full can lead to better ways of
> handling the problem, with better tools - rather than a kludged solution.
>
> Oh,.. before I forget, a number of his posts have been nothing short of
> extremely informative -- so the hostile behaviour is not really required.
> --
> USG && George Bush : Rot in hell.
* Re: Ip handling
From: Pascal Italiaander @ 2003-06-19 17:16 UTC (permalink / raw)
To: netfilter
On Thursday 19 June 2003 15:59, Ramin Dousti wrote:
> Thanks, Julian, for the compliment.
>
> Now back to Mr arrogant: what the original poster was asking was
> how to "spoof" back to his own network, which sounded illogical;
> hence my question. Although, George Vieira sent a very nice
> application for this in a private email to me. Now, as a general
> rule, you either know the answer to a question (even a wrong one
> will be tolerated) or just shut up.
>
> Ramin
Mr arrogant? Because I feel this question is way off topic? It is.
If it wasn't, why did you receive a private mail, and not one through the
netfilter list? That software is not a Netfilter topic, so a "Spoofing HowTo" is
also not a Netfilter topic.
AND:
1) The Linux kernel is protected against it (spoofing) by default.
2) iptables can block spoofing as well.
3) It works great.
There are several options to stop spoofing that are functioning great, so
what more do you need to know?
The exploits I was talking about have nothing to do with iptables
directly.
All we need to know is what spoofing is about (not how it is done), for
iptables to make rules against spoofing.
> On Thu, Jun 19, 2003 at 09:02:21PM +0800, Julian Gomez wrote:
> > >> > Does anyone know of a way to make, say, all connections from the
> > >> > outside going to my outside IP address appear to be coming from my
> > >> > local LAN of 192.168.0.1?
> > >>
> > >> Just out of curiosity: what is the application of such a setup?
> > >>
> > >> Ramin
> > >
> > >Find it out yourself; it's not even appropriate to ask such a thing.
> > >
> > >Since this is a netfilter mailing list, not a hackers' chat page.
> > >
> > >But nice try.
> >
> > I've seen Ramin post to this list for a long time already, though he's been
> > quiet for the past 6-8 months at least, I think :-) So, if by the above
> > you are sorta implying he's some sort of script kiddie, you've probably
> > got the wrong person targeted.
> >
> > A number of times, knowing the problem in full can lead to better ways of
> > handling the problem, with better tools - rather than a kludged solution.
> > Oh,.. before I forget, a number of his posts have been nothing short of
> > extremely informative -- so the hostile behaviour is not really required.
Julian,
No offence, Julian, but by viewing someone's e-mail you can tell if someone is
not a script kiddie?
Wow, how do you do that? Teach me. :-)
> > USG && George Bush : Rot in hell.
Pascal
* Re: Ip handling
From: Arnt Karlsen @ 2003-06-19 23:06 UTC (permalink / raw)
To: netfilter
On Thu, 19 Jun 2003 19:16:28 +0200,
Pascal Italiaander <pc-secure@home.nl> wrote in message
<200306191916.29001.pc-secure@home.nl>:
> On Thursday 19 June 2003 15:59, Ramin Dousti wrote:
> > Thanks, Julian, for the compliment.
>
> All we need to know is what spoofing is about ( not how it is done),
> for iptables to make rules against spoofing.
..the how is useful when testing your (clients' etc.) boxes; myself, I
portscanned my ISP's poptop server this afternoon, yes, I was asked to,
and yes, I charge for such wee stunts.
> Julian,
>
> No offence, Julian, but by viewing someone's e-mail you can tell if
> someone is not a script kiddie?
> Wow, how do you do that? Teach me. :-)
..http://www.catb.org/~esr/faqs/hacker-howto.html
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.