* more about martians
From: udo @ 2004-04-20 17:05 UTC (permalink / raw)
To: netfilter; +Cc: netfilter-devel
Hello,
As a follow up on my post about portforwarding to
127.0.0.1 and the 'martian destination 127.0.0.1'
message I can tell I found the probable cause in
/usr/src/linux/net/ipv4/route.c.
A patch here could filter out the martian messages if
a packet is related to sshd (in my case).
Does anyone know if such a patch/solution exists
already?
Maybe there's a better way?
Please post.
Kind regards,
Udo
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: more about martians
From: Antony Stone @ 2004-04-20 17:18 UTC (permalink / raw)
To: netfilter
On Tuesday 20 April 2004 6:05 pm, udo wrote:
> Hello,
>
> As a follow up on my post about portforwarding to 127.0.0.1 and the 'martian
> destination 127.0.0.1' message I can tell I found the probable cause in
> /usr/src/linux/net/ipv4/route.c.
> A patch here could filter out the martian messages if a packet is related to
> sshd (in my case).
>
> Does anyone know if such a patch/solution exists already?
> Maybe there's a better way?
I think so, yes - connect to a real IP address, not the loopback address, when
you're connecting from another machine?
Regards,
Antony
--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.
Please reply to the list;
please don't CC me.
* Re: more about martians
From: David Cannings @ 2004-04-20 17:43 UTC (permalink / raw)
To: netfilter
On Tuesday 20 April 2004 18:18, Antony Stone wrote:
> On Tuesday 20 April 2004 6:05 pm, udo wrote:
> > Does anyone know if such a patch/solution exists already?
> > Maybe there's a better way?
> I think so, yes - connect to a real IP address, not the loopback
> address, when you're connecting from another machine?
I agree. Regarding my previous posts, they are merely a test from my
inquisitive point of view and I do not recommend patching of the kernel
to accomplish things that aren't the correct way to do something.
David
* Re: more about martians
From: Henrik Nordstrom @ 2004-04-22 0:41 UTC (permalink / raw)
To: udo; +Cc: netfilter, netfilter-devel
On Tue, 20 Apr 2004, udo wrote:
> Hello,
>
> As a follow up on my post about portforwarding to
> 127.0.0.1 and the 'martian destination 127.0.0.1'
> message I can tell I found the probable cause in
> /usr/src/linux/net/ipv4/route.c.
Why do you want to forward to 127.0.0.1? Why not a global IP?
The loopback addresses (127.X/8) are handled very special.
Regards
Henrik
* Re: more about martians
From: udo @ 2004-04-22 3:32 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: netfilter, netfilter-devel
Hello,
--- Henrik Nordstrom <hno@marasystems.com> wrote:
> On Tue, 20 Apr 2004, udo wrote:
>
> > As a follow up on my post about portforwarding to
> > 127.0.0.1 and the 'martian destination 127.0.0.1'
> > message I can tell I found the probable cause in
> > /usr/src/linux/net/ipv4/route.c.
>
> Why do you want to forward to 127.0.0.1? Why not a
> global IP?
I only want to offer ssh to the outside world (lan and
wan) on port 22 while still being able to run sshd at
non-root privs.
Say port 2222 for non-root reasons but port 2222 must
not interfere and best not be visible to the outside
world.
> The loopback addresses (127.X/8) are handled very
> special.
I found out.
Why?
It's just another interface.
I would like to use the lo interface because it is
hidden for the outside world, so a sshd at 2222
listening there is no problem.
Kind regards,
Udo
* Re: more about martians
From: Henrik Nordstrom @ 2004-04-22 7:54 UTC (permalink / raw)
To: udo; +Cc: netfilter, netfilter-devel
On Wed, 21 Apr 2004, udo wrote:
> I only want to offer ssh to the outside world (lan and
> wan) on port 22 while still being able to run sshd at
> non-root privs.
> Say port 2222 for non-root reasons but port 2222 must
> not interfere and best not be visible to the outside
> world.
Then set up a private IP alias (on the lo interface if you like, does not
matter), firewall all access to that IP just in case and NAT the SSH
sessions to this IP, not 127.X.
Or simply run SSH on port 2222, nat to this port and firewall any direct
access to port 2222 with a "-j REJECT --reject-with tcp-reset" to make it
look like port 2222 is not used.
> > The loopback addresses (127.X/8) are handled very
> > special.
>
> I found out.
> Why?
Because it is considered a security violation if these are accessed from
outside the box.
> It's just another interface.
lo is just another interface, and you can give any IP addresses to it.
127.X is not just another IP. It is the loopback IP address range defined
by IP as not reachable outside the box. And when you ask iptables to NAT
sessions to this IP you make the TCP/IP stack very upset thinking that
someone is trying to abuse your server. As iptables runs outside of the
TCP/IP stack it looks to your TCP/IP stack as if the sending station did
attempt to send packets addressed to 127.0.0.1.
It is not lo that is hidden from the outside world, it is the 127.X IP
addresses.
Regards
Henrik
* Re: more about martians
From: Cedric Blancher @ 2004-04-22 8:35 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: udo, netfilter, netfilter-devel
On Thu 22/04/2004 at 09:54, Henrik Nordstrom wrote:
> Or simply run SSH on port 2222, nat to this port and firewall any direct
> access to port 2222 with a "-j REJECT --reject-with tcp-reset" to make it
> look like port 2222 is not used.
And REDIRECT ?
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: more about martians
From: Henrik Nordstrom @ 2004-04-22 8:51 UTC (permalink / raw)
To: Cedric Blancher; +Cc: udo, netfilter, netfilter-devel
On Thu, 22 Apr 2004, Cedric Blancher wrote:
> On Thu 22/04/2004 at 09:54, Henrik Nordstrom wrote:
> > Or simply run SSH on port 2222, nat to this port and firewall any direct
> > access to port 2222 with a "-j REJECT --reject-with tcp-reset" to make it
> > look like port 2222 is not used.
>
> And REDIRECT ?
Or DNAT. Any of the destination nat methods is fine.
Regards
Henrik
* Re: more about martians
From: Dick St.Peters @ 2004-04-22 14:42 UTC (permalink / raw)
To: udo; +Cc: netfilter
> I only want to offer ssh to the outside world (lan and
> wan) on port 22 while still being able to run sshd at
> non-root privs.
> Say port 2222 for non-root reasons but port 2222 must
> not interfere and best not be visible to the outside
> world.
You could use a loopback alias with some unused private IP,
say something like
ifconfig lo:0 192.168.15.1 netmask 255.255.255.255
That entire address, not just one port, is invisible to the
outside world (unless you deliberately tell them about it).
--
Dick St.Peters, stpeters@NetHeaven.com
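The two arrangements Henrik proposes (a private alias on lo with DNAT to it, or sshd on 2222 with 22 redirected and direct 2222 access answered by a TCP reset), with Dick's loopback alias filling in the first one, written out as iptables rules. This is an added example for this page, not code from anyone in the thread. It assumes the external interface is eth0, that sshd is already listening on port 2222 (on 0.0.0.0 or on the alias address) as a non-root user, that the alias address is Dick's 192.168.15.1, and it uses `ip addr add` in place of his `ifconfig lo:0`; with DRY_RUN=1 (the default) it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: external interface
# eth0, sshd already bound to port 2222 as a non-root user, alias
# address 192.168.15.1/32 (Dick's example). DRY_RUN=1 (default) only
# prints the commands, so the rule set can be reviewed without iptables.
: "${DRY_RUN:=1}"
EXT_IF=eth0
SSHD_PORT=2222
ALIAS_IP=192.168.15.1

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# What produced the 'martian destination 127.0.0.1' messages: DNAT to a
# 127/8 address. The stack treats a packet from another host that is
# addressed to 127.X as a violation and logs it, whatever iptables did.
#   iptables -t nat -A PREROUTING -p tcp --dport 22 \
#       -j DNAT --to-destination 127.0.0.1:2222      # do not do this

# Option 1 (Henrik, Dick): a private alias on lo, NAT port 22 to it, and
# drop every other packet from outside that is addressed to the alias.
option_lo_alias() {
    run ip addr add "$ALIAS_IP/32" dev lo
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 22 \
        -j DNAT --to-destination "$ALIAS_IP:$SSHD_PORT"
    # conntrack marks sessions that went through a DNAT rule with the
    # DNAT ctstate; only those reach sshd, direct attempts are dropped.
    run iptables -A INPUT -i "$EXT_IF" -d "$ALIAS_IP" -p tcp \
        --dport "$SSHD_PORT" -m conntrack --ctstate DNAT -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -d "$ALIAS_IP" -j DROP
}

# Option 2 (Henrik): keep the host's own address, redirect 22 -> 2222, and
# answer direct connections to 2222 with a TCP reset so it looks closed.
option_port_redirect() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 22 \
        -j REDIRECT --to-ports "$SSHD_PORT"
    run iptables -A INPUT -i "$EXT_IF" -p tcp --dport "$SSHD_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -p tcp --dport "$SSHD_PORT" \
        -j REJECT --reject-with tcp-reset
}

# Pick one on a real box; both are printed here in dry-run mode.
option_lo_alias
echo "# ---"
option_port_redirect
```

Run with DRY_RUN=0 as root to apply the rules; the ACCEPT rules must stay ahead of the DROP/REJECT rules for the NATed sessions to get through.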