Re: Is DIVERT w/o forwarding feasible?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Anders Fugmann <afu@fugmann.dhs.org>
To: Yury Bokhoncovich <byg@center-f1.ru>, netfilter@lists.netfilter.org
Subject: Re: Is DIVERT w/o forwarding feasible?
Date: Wed, 11 Sep 2002 10:16:15 +0200	[thread overview]
Message-ID: <3D7EFBCF.70406@fugmann.dhs.org> (raw)
In-Reply-To: Pine.LNX.4.33.0209091917581.31845-100000@panda.center-f1.ru

Yury Bokhoncovich wrote:
> Hello!
> 
> I need an advice for this topic: is diverting without forwarding feasible?
> At present time we've managed to work SSL-tunnels via our MAN-provider
> for a few several protocols by well-known method "connect this app to
> border gateway, it takes care all the rest" and with (essentially!)
> forwarding disabled in the kernel at all. But this method fails to meet
> challenge of deploying fully-functional VPN with transparent packet
> crossing over the MAN. In principle situation can be easily resolved if
> there's a way to divert packets to an program on the border gateway
> without need to enable forwarding in the kernel.
Err, please explain why you do not want forwarding enabled. If this is 
because you want to control who accesses the internal network, and are 
afraid of ipspoofing, then VPN is the way to go.

You say that you have ssh-tunnels to the systems.
ssh supports a socks mode. This means that when the client ssh'es to the 
firewall, ssh can be set to act as a local socks server, tunneling all 
packets to the server, making them seem like they originate from the 
server itself. This works just like a VPN, and there is no need to setup 
alot of different tunneling rules. On the client a sock-client should be 
setup. As of today OpenSSH only supports SocksV4, which does not support 
udp packets. There are some simple patches on the net to enable socksV5, 
which does support udp packets to socks.

While talking of VPN's. Have you considered ipsec or other VPN systems?

> 
>  I.e. can I change this:
> "if the kernel does not have forwarding enabled, or it doesn't know how to
> forward the packet, the packet is dropped"
> (sorry ,quote from HOWTO) to something like
> "if the kernel does not have forwarding enabled AND NO SPECIAL DIVERT
> RULES SPECIFIED, or it doesn't know how to forward the packet, the packet
> is dropped" ?
Technically yes. But you would have to spend alot of time coding, and 
understading networking traffic. In essence what you want it to create a 
VPN module for netfilter to be installed on the server and some client 
program to encapsulate packets and send them to the server, which seems 
to me as re-inventing the wheel. (When there are Ferraris out there for 
free, why build your own skoda?)

Regards
Anders Fugmann

-- 
Author of FIAIF
Fiaif Is An Intelligent/Iptables Firewall
http://fiaif.fugmann.dhs.org

next prev parent reply	other threads:[~2002-09-11  8:16 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-09-09 12:40 Is DIVERT w/o forwarding feasible? Yury Bokhoncovich
2002-09-11  8:16 ` Anders Fugmann [this message]
2002-09-11 13:39   ` Yury Bokhoncovich
2002-09-11 14:08     ` Anders Fugmann
2002-09-11 15:37     ` Antony Stone
2002-09-12  4:21       ` Yury Bokhoncovich
2002-09-11 23:50   ` using iptables to filter nimda. code red virus Joe de Vera Jr.
2002-09-13  9:57     ` Martijn Klingens
2002-09-13 10:21     ` Antony Stone
2002-09-11 23:52   ` Filtering Nimda, Code Red and Code Red II Joe de Vera Jr.
2002-09-11  9:21     ` Anders Fugmann
2002-09-11 10:42       ` Maciej Soltysiak
2002-09-11 12:48         ` Antony Stone
2002-09-11 13:59           ` Ramin Alidousti
2002-09-11 14:08             ` Roy Sigurd Karlsbakk
2002-09-11 14:40               ` Ramin Alidousti
2002-09-11 14:50                 ` Antony Stone
2002-09-11 14:13             ` Antony Stone
2002-09-11 11:10       ` Martijn Klingens
2002-09-11  9:58     ` Fabrice MARIE
2002-09-11 12:00     ` Antony Stone
2002-09-12  6:38     ` Torge Szczepanek
2002-09-13  8:28       ` Jozsef Kadlecsik
2003-04-24 11:56   ` Is DIVERT w/o forwarding feasible? Yury Bokhoncovich
  -- strict thread matches above, loose matches on Subject: below --
2002-09-10  1:34 Yury Bokhoncovich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3D7EFBCF.70406@fugmann.dhs.org \
    --to=afu@fugmann.dhs.org \
    --cc=byg@center-f1.ru \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.