* Altering a packet's port

From: Nicolas Ross @ 2005-03-21 20:43 UTC
To: netfilter

Hi all !

I have a quite "standard" setup as follows:

192.168.7.x/24 -> iptables/router SNAT --to-source a.b.c.d -> internet

What I want to do is that if a packet originates from the local net (192.168.7.x) on tcp port 22, the final destination of the packet would still be the same host, but on port 8022...

Like this:

Normal:

192.168.7.1 ssh to f.g.h.i on port 22

the connection is:

192.168.7.1:sport -> f.g.h.i:8022

Is it possible?

I've tried with REDIRECT, but it affects the destination of the packet, but I don't want that...

Thanks,

Nicolas
* Re: Altering a packet's port

From: Sertys @ 2005-03-21 22:00 UTC
To: Netfilter list

On Mon, 21 Mar 2005 15:43:44 -0500, Nicolas Ross <rossnick-lists@cybercat.ca> wrote:
> Hi all !
>
> I have a quite "standard" setup as follows:
>
> 192.168.7.x/24 -> iptables/router SNAT --to-source a.b.c.d -> internet
>
> What I want to do is that if a packet originates from the local net
> (192.168.7.x) on tcp port 22, the final destination of the packet
> would still be the same host, but on port 8022...
>
> Like this:
>
> Normal:
>
> 192.168.7.1 ssh to f.g.h.i on port 22
>
> the connection is:
>
> 192.168.7.1:sport -> f.g.h.i:8022
>
> Is it possible?
>
> I've tried with REDIRECT, but it affects the destination of the packet,
> but I don't want that...
>
> Thanks,
>
> Nicolas

Redirect works on local hooks. Just DNAT it, dude.

iptables -t nat -A PREROUTING -p tcp -s 192.168.x.x --dport 22 -j DNAT --to-destination f.g.h.i:8022

It's crucial to define dport, not sport, cause your sport is not 22, it's a client port > 1024 and random.

--
www.supportivo.org
I can't stop myself checking for pigs in the outlets.
Everybody thinks i'm a punk, cause of the hairstyle(220V).
end
* Re: Altering a packet's port

From: Nicolas Ross @ 2005-03-22 1:27 UTC
To: Netfilter list

I saw that in the man page, but I need to do this for ALL hosts to specific subnets, and many hosts. So I'll have to define one rule for EACH host I need a redirect (something like 50 to 75)?

Nicolas

----- Original Message -----
From: "Sertys" <sertys@supportivo.org>
To: "Netfilter list" <netfilter@lists.netfilter.org>
Sent: Monday, March 21, 2005 5:00 PM
Subject: Re: Altering a packet's port

On Mon, 21 Mar 2005 15:43:44 -0500, Nicolas Ross <rossnick-lists@cybercat.ca> wrote:
> What I want to do is that if a packet originates from the local net
> (192.168.7.x) on tcp port 22, the final destination of the packet
> would still be the same host, but on port 8022...
> (...)

Redirect works on local hooks. Just DNAT it, dude.

iptables -t nat -A PREROUTING -p tcp -s 192.168.x.x --dport 22 -j DNAT --to-destination f.g.h.i:8022

It's crucial to define dport, not sport, cause your sport is not 22, it's a client port > 1024 and random.
* Re: Altering a packet's port

From: Jason Opperisano @ 2005-03-22 11:29 UTC
To: netfilter

On Mon, 2005-03-21 at 20:27, Nicolas Ross wrote:
> I saw that in the man page, but I need to do this for ALL hosts to specific
> subnets, and many hosts. So I'll have to define one rule for EACH host I
> need a redirect (something like 50 to 75)?

for loop?

-j

--
"How much is your penny candy?
Surprisingly expensive."
--The Simpsons
* Re: Altering a packet's port

From: Nicolas Ross @ 2005-03-22 14:42 UTC
To: netfilter

What I'm trying to do isn't working...

In my nat table I have:

-A PREROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp \
   --dport 22 -j DNAT --to-destination e.f.g.h:8022

So that when a host on the local subnet opens a ssh connection to e.f.g.h, the destination port is changed to 8022.

The connection starts; on e.f.g.h, I see a tcp connection (with netstat), at SYN_SENT state.

On the router, in /proc/net/ip_conntrack, I see:

tcp 6 97 SYN_SENT src=192.168.7.191 dst=e.f.g.h sport=2983 dport=8022 [UNREPLIED] src=e.f.g.h dst=192.168.7.191 sport=8022 dport=2983 use=1

and the ssh connection never establishes.

On my desktop, if I establish a ssh connection on port 8022, it works ok.

What am I missing?

Nicolas

----- Original Message -----
From: "Jason Opperisano" <opie@817west.com>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, March 22, 2005 6:29 AM
Subject: Re: Altering a packet's port

> On Mon, 2005-03-21 at 20:27, Nicolas Ross wrote:
>> I saw that in the man page, but I need to do this for ALL hosts to
>> specific subnets, and many hosts. So I'll have to define one rule for
>> EACH host I need a redirect (something like 50 to 75)?
>
> for loop?
>
> -j
* Re: Altering a packet's port

From: R. DuFresne @ 2005-03-22 14:59 UTC
To: Nicolas Ross; Cc: netfilter

do you have sshd listening on port 8022 on e.f.g.h?

Thanks,

Ron DuFresne

On Tue, 22 Mar 2005, Nicolas Ross wrote:
> What I'm trying to do isn't working...
>
> In my nat table I have:
>
> -A PREROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp \
>    --dport 22 -j DNAT --to-destination e.f.g.h:8022
>
> So that when a host on the local subnet opens a ssh connection to e.f.g.h,
> the destination port is changed to 8022.
>
> The connection starts; on e.f.g.h, I see a tcp connection (with netstat),
> at SYN_SENT state.
>
> On the router, in /proc/net/ip_conntrack, I see:
>
> tcp 6 97 SYN_SENT src=192.168.7.191 dst=e.f.g.h sport=2983 dport=8022
> [UNREPLIED] src=e.f.g.h dst=192.168.7.191 sport=8022 dport=2983 use=1
>
> and the ssh connection never establishes.
>
> On my desktop, if I establish a ssh connection on port 8022, it works ok.
>
> What am I missing?
>
> Nicolas
> (...)

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

...Love is the ultimate outlaw. It just won't adhere to rules. The most any of us can do is sign on as its accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question. The words "make" and "stay" become inappropriate. My love for you has no strings attached. I love you for free...
-Tom Robbins <Still Life With Woodpecker>
* Re: Altering a packet's port

From: R. DuFresne @ 2005-03-22 15:12 UTC
To: Nicolas Ross; Cc: netfilter

if sshd is there listening on port 8022, do you have rules set up for the packets that are returned as well?

Thanks,

Ron DuFresne

On Tue, 22 Mar 2005, R. DuFresne wrote:
> do you have sshd listening on port 8022 on e.f.g.h?
>
> Thanks,
>
> Ron DuFresne
>
> On Tue, 22 Mar 2005, Nicolas Ross wrote:
>> What I'm trying to do isn't working...
>>
>> In my nat table I have:
>>
>> -A PREROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp \
>>    --dport 22 -j DNAT --to-destination e.f.g.h:8022
>>
>> So that when a host on the local subnet opens a ssh connection to e.f.g.h,
>> the destination port is changed to 8022.
>>
>> The connection starts; on e.f.g.h, I see a tcp connection (with netstat),
>> at SYN_SENT state.
>>
>> On the router, in /proc/net/ip_conntrack, I see:
>>
>> tcp 6 97 SYN_SENT src=192.168.7.191 dst=e.f.g.h sport=2983 dport=8022
>> [UNREPLIED] src=e.f.g.h dst=192.168.7.191 sport=8022 dport=2983 use=1
>>
>> and the ssh connection never establishes.
>> (...)

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
* Re: Altering a packet's port

From: Nicolas Ross @ 2005-03-22 15:15 UTC
To: R. DuFresne; Cc: netfilter

Yes, I have 2 sshd, on both ports 22 and 8022.

As a return rule, I tried:

-A POSTROUTING -d 192.168.7.0/24 -s e.f.g.h -p tcp --sport 8022 -j SNAT --to-source e.f.g.h:22

but that rule doesn't have any hits.

----- Original Message -----
From: "R. DuFresne" <dufresne@sysinfo.com>
To: "Nicolas Ross" <rossnick-lists@cybercat.ca>
Cc: <netfilter@lists.netfilter.org>
Sent: Tuesday, March 22, 2005 10:12 AM
Subject: Re: Altering a packet's port

> if sshd is there listening on port 8022, do you have rules set up for the
> packets that are returned as well?
>
> Thanks,
>
> Ron DuFresne
>
> On Tue, 22 Mar 2005, R. DuFresne wrote:
>> do you have sshd listening on port 8022 on e.f.g.h?
>>
>> Thanks,
>>
>> Ron DuFresne
>>
>> On Tue, 22 Mar 2005, Nicolas Ross wrote:
>>> What I'm trying to do isn't working...
>>>
>>> In my nat table I have:
>>>
>>> -A PREROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp \
>>>    --dport 22 -j DNAT --to-destination e.f.g.h:8022
* Re: Altering a packet's port

From: Toby @ 2005-03-22 18:18 UTC
To: netfilter

Nicolas Ross wrote:
> In my nat table I have:
>
> -A PREROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp --dport 22 \
>    -j DNAT --to-destination e.f.g.h:8022

The source address for the ssh connection is still 192.168.7.x so the return packets from the ssh daemon don't need to go through the router and thus don't get nat'ed back. You need to double-nat, ie. add a second rule:

# POSTROUTING only accepts source-rewriting targets such as SNAT
-A POSTROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp --dport 8022 \
   -j SNAT --to-source $ROUTER_IP_LAN

$ROUTER_IP_LAN is the address of the router on the 192.168.7.0/24 net.

Toby
* Re: Altering a packet's port

From: Toby @ 2005-03-22 18:29 UTC
To: netfilter

Nicolas Ross wrote:
> In my nat table I have:
>
> -A PREROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp --dport 22 \
>    -j DNAT --to-destination e.f.g.h:8022

Wait, maybe I missed something.

Are you sure e.f.g.h and e.f.g.h:8022 are the same IP address in the rule above? Also is e.f.g.h in the 192.168.7.0/24 network? Is e.f.g.h the router itself?

Toby
* Re: Altering a packet's port

From: Nicolas Ross @ 2005-03-22 18:49 UTC
To: Toby, netfilter

> Nicolas Ross wrote:
>> In my nat table I have:
>>
>> -A PREROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp --dport 22 \
>>    -j DNAT --to-destination e.f.g.h:8022
>
> Wait, maybe I missed something.
>
> Are you sure e.f.g.h and e.f.g.h:8022 are the same IP address in the
> rule above? Also is e.f.g.h in the 192.168.7.0/24 network?
> Is e.f.g.h the router itself?

I'll just recap a little, for my own benefit, and for all of you also...

I have a local office subnet (192.168.7.x), which is behind a netfilter linux firewall/router:

192.168.7.x/24 -> iptables/router SNAT --to-source a.b.c.d -> internet

e.f.g.h in my quoted example above isn't related at all with the router (which is a.b.c.d on the internet).

The goal of all this is to use regular, port 22, sshd on all my servers (i.e. outside of my local office subnet), and enforce more secure login policies in sshd config. For my "trusted" local office subnet, I have less secure login policies in my sshd config on port 8022. But I want users in my local net to ssh out on port 22, and transparently redirect them to port 8022...

Nicolas
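The rule set the thread converges on (Sertys's PREROUTING DNAT keyed on --dport, Jason's "for loop" over the 50 to 75 servers, and a POSTROUTING SNAT so replies come back through the router), as an added example that is not part of any message in the thread. The function names, the placeholder addresses and the server list are assumptions; SNAT_SOURCE stands for whichever router address the server's replies must return to (a.b.c.d from Nicolas's setup for servers on the internet, Toby's $ROUTER_IP_LAN for a server on a directly attached segment). The script only prints the iptables commands, so it runs without iptables and the output can be reviewed before it is piped to sh on the router.

```bash
#!/bin/sh
# Added example, not from the thread: generate the nat rules discussed above
# for a list of servers. Only prints iptables commands; nothing is applied.
# All names, addresses and ports below are constructed placeholders.

LAN="192.168.7.0/24"         # trusted office subnet from the thread
SNAT_SOURCE="a.b.c.d"        # assumption: router address the replies return to
                             # (public address for internet servers, or the
                             # router's LAN address, Toby's $ROUTER_IP_LAN,
                             # for a server on a directly attached segment)
SERVERS="e.f.g.h i.j.k.l"    # placeholder server list, one address per word
FROM_PORT=22                 # port the clients type
TO_PORT=8022                 # port the "trusted LAN" sshd listens on

# Two rules per server. Both match on --dport, never --sport: the client's
# source port is an ephemeral random port, as pointed out in the thread.
#   1. PREROUTING DNAT rewrites LAN -> server:22 into LAN -> server:8022.
#   2. POSTROUTING SNAT forces the reply path through the router, so that
#      conntrack can undo the DNAT on the returning packets. The nat table
#      only sees the first packet of a connection, which is why a separate
#      "return" rule like the one tried in the thread never gets any hits.
rules_for_host() {
  host=$1
  printf 'iptables -t nat -A PREROUTING -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$LAN" "$host" "$FROM_PORT" "$host" "$TO_PORT"
  printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
    "$LAN" "$host" "$TO_PORT" "$SNAT_SOURCE"
}

# Emit the rules for every server in $SERVERS (the "for loop").
gen_rules() {
  for h in $SERVERS; do
    rules_for_host "$h"
  done
}

# Number of rules that would be installed: two per server.
count_rules() {
  gen_rules | wc -l | tr -d ' '
}

# Sanity check before applying: no rule may match on --sport (the pitfall
# named in the thread) and every rule must carry a DNAT or SNAT target.
# Returns 0 when the generated rule set passes.
check_rules() {
  gen_rules | grep -q -- '--sport' && return 1
  gen_rules | grep -v -q -e 'DNAT' -e 'SNAT' && return 1
  return 0
}

# Usage on the router (as root): review first, then apply.
#   sh gen_ssh_nat.sh          -> prints the rules
#   sh gen_ssh_nat.sh | sh     -> installs them
gen_rules
```

Each server gets its own pair of rules because the DNAT target carries the server's own address; a single wildcard rule cannot "keep the same host" as the original question asked. After applying, a connection that works shows a conntrack entry whose reply tuple points at the router's SNAT address rather than at the client, and no longer sits in [UNREPLIED].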