Linux Netfilter discussions
* HostWatch-like program for Netfilter ???
@ 2002-06-06  4:32 Matt Walkowiak
  2002-06-06 14:37 ` Marcus Zoller
  2002-06-06 19:10 ` Forward rule can't specify destination address? skmail
  0 siblings, 2 replies; 7+ messages in thread
From: Matt Walkowiak @ 2002-06-06  4:32 UTC (permalink / raw)
  To: netfilter


I was wondering if something exists that can do what I want for netfilter.

In the WatchGuard land, there is a very neat program called HostWatch.  It has two columns: One for Outside and one for Inside.  Then, it draws a line from one column to the other for each connection.  It also refreshes itself about once every second.

Let's say you have a web server on the inside of your firewall, and 10 people are currently hitting it.  HostWatch would show 10 lines (each from a separate IP addy, resolved if it can find it) drawn to the one ip addy of the web server.

The nice thing about HostWatch is you can see exactly what is happening now.

Now, I generally don't run any kind of X-windows system on my Linux boxes, so it would be nice to get a "text based" version of what I'm looking for, however, if a nice program existed that needed X to run, I'd seriously consider installing X windows.

Anyway, thanks in advance for your responses!

Matt Walkowiak



* Re: HostWatch-like program for Netfilter ???
  2002-06-06  4:32 HostWatch-like program for Netfilter ??? Matt Walkowiak
@ 2002-06-06 14:37 ` Marcus Zoller
  2002-06-06 19:10 ` Forward rule can't specify destination address? skmail
  1 sibling, 0 replies; 7+ messages in thread
From: Marcus Zoller @ 2002-06-06 14:37 UTC (permalink / raw)
  To: Matt Walkowiak; +Cc: netfilter

On Thu, 2002-06-06 at 06.32, Matt Walkowiak wrote:
> The nice thing about HostWatch is you can see exactly what is happening now.

Take a look at IPtraf:

http://cebu.mozcom.com/riker/iptraf/

--marcus



* Forward rule can't specify destination address?
  2002-06-06  4:32 HostWatch-like program for Netfilter ??? Matt Walkowiak
  2002-06-06 14:37 ` Marcus Zoller
@ 2002-06-06 19:10 ` skmail
  2002-06-06 20:18   ` Antony Stone
  1 sibling, 1 reply; 7+ messages in thread
From: skmail @ 2002-06-06 19:10 UTC (permalink / raw)
  To: netfilter


Hi all-

I have a linux box with 1 network card connected to the internet with 7
internet IP's, and 1 network card with an internal IP.  I'm trying to forward
a port from one of the internet ip's aliased to it across the firewall to
internal.  Here's the forward rule that I use:

$IPTB -A FORWARD -d 1.2.3.4 -p tcp --dport 3389 -j ACCEPT


When I connect to the specified IP address it doesn't work.  If I take the
destination IP out it works fine.  Any ideas as to why it won't work with
the destination IP?


Thanks!




* Re: Forward rule can't specify destination address?
  2002-06-06 19:10 ` Forward rule can't specify destination address? skmail
@ 2002-06-06 20:18   ` Antony Stone
  2002-06-06 20:36     ` skmail
  0 siblings, 1 reply; 7+ messages in thread
From: Antony Stone @ 2002-06-06 20:18 UTC (permalink / raw)
  To: netfilter

On Thursday 06 June 2002 8:10 pm, skmail@mcewen.wcnet.org wrote:

> Hi all-
>
> I have a linux box with 1 network card connected the internet with 7
> internet IP's, and 1 network card and internal ip.  I'm trying to forward
> a port from one of the internet ip's aliased to it across the firewall to
> internal.  Here's the forward rule that I use:
>
> $IPTB -A FORWARD -d 1.2.3.4 -p tcp --dport 3389 -j ACCEPT
>
> When I connect to the specified IP address it doesn't work.  If I take the
> destination IP out it works fine.  Any ideas as to why it won't work with
> the destination IP?

Presumably you are doing DNAT at the same time.   Is 1.2.3.4 the original 
destination address before translation, or the real destination address of 
the translated packet ?

PREROUTING happens before FORWARDing.


Antony.



* Re: Forward rule can't specify destination address?
  2002-06-06 20:18   ` Antony Stone
@ 2002-06-06 20:36     ` skmail
  2002-06-06 20:42       ` Antony Stone
  0 siblings, 1 reply; 7+ messages in thread
From: skmail @ 2002-06-06 20:36 UTC (permalink / raw)
  To: netfilter

I'm NAT'ing it also.  Should have put these in my first email I guess.

$IPTB -A FORWARD -d 1.2.3.4 -p tcp --dport 3389 -j ACCEPT


$IPTB -t nat -A PREROUTING -d 1.2.3.4  -p tcp --dport 3389 -j DNAT 
--to 192.168.0.1

$IPTB -t nat -A POSTROUTING -s 192.168.0.1 -d ! 192.168.0.0/24 -j SNAT 
--to 1.2.3.4


Prerouting before forwarding?  So I need to specify 192.168.0.1 as the 
destination in the forward rule?






* Re: Forward rule can't specify destination address?
  2002-06-06 20:36     ` skmail
@ 2002-06-06 20:42       ` Antony Stone
  2002-06-06 21:00         ` skmail
  0 siblings, 1 reply; 7+ messages in thread
From: Antony Stone @ 2002-06-06 20:42 UTC (permalink / raw)
  To: netfilter

On Thursday 06 June 2002 9:36 pm, skmail@mcewen.wcnet.org wrote:

> I'm NAT'ing it also.  Should have put these in my first email I guess.
>
> $IPTB -A FORWARD -d 1.2.3.4 -p tcp --dport 3389 -j ACCEPT
>
> $IPTB -t nat -A PREROUTING -d 1.2.3.4  -p tcp --dport 3389 -j DNAT
> --to 192.168.0.1

Okay, so 1.2.3.4 is your original address, and 192.168.0.1 is what you have 
after it's been translated...

> $IPTB -t nat -A POSTROUTING -s 192.168.0.1 -d ! 192.168.0.0/24 -j SNAT
> --to 1.2.3.4

Just out of interest, why do you specify this as well ?   Does the internal 
server sometimes initiate connections as well ?

You don't need to have this rule if the internal machine only ever *receives* 
connections from the outside (eg a web server).   The reverse translation 
gets done automatically for you by netfilter.

> Prerouting before forwarding?  So I need to specify 192.168.0.1 as the
> destination in the forward rule?

Yes :-)


Antony.


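A worked model of the hook order Antony describes, added here as an example; it is not code from the thread or from the netfilter project. It plays skmail's three rules, and the corrected FORWARD rule, through nat/PREROUTING, filter/FORWARD and nat/POSTROUTING in the order the kernel runs them, with a conntrack table that reverses the DNAT on the reply without any SNAT rule. The packet and rule representation, the DROP policy, the ESTABLISHED and outbound FORWARD rules in the fixed ruleset, and the client and remote addresses (203.0.113.7 and 198.51.100.9, documentation ranges) are assumptions.

```python
"""Model of the order in which netfilter hooks see a forwarded packet.

Added example, not code from the thread or from netfilter itself. Addresses and
the three rules are skmail's; the hook order is netfilter's; everything else
(packet/rule representation, DROP policy, the ESTABLISHED and outbound rules in
the fixed ruleset, the client and remote addresses) is an assumption.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def matches(rule, pkt, state):
    """A rule matches when every selector it carries matches the packet."""
    if "src" in rule and ip_address(pkt.src) not in ip_network(rule["src"]):
        return False
    if "dst" in rule and ip_address(pkt.dst) not in ip_network(rule["dst"]):
        return False
    if "not_dst" in rule and ip_address(pkt.dst) in ip_network(rule["not_dst"]):
        return False
    if "dport" in rule and pkt.dport != rule["dport"]:
        return False
    return "state" not in rule or state in rule["state"]


class Netfilter:
    """Hooks a forwarded packet crosses, in the order the kernel runs them."""

    def __init__(self, prerouting, forward, postrouting):
        self.prerouting = prerouting    # nat table: DNAT targets
        self.forward = forward          # filter table: ACCEPT/DROP, policy DROP
        self.postrouting = postrouting  # nat table: SNAT targets
        self.conntrack = {}             # original tuple -> tuple after NAT

    def handle(self, pkt):
        """Return (verdict, packet as it would leave the box)."""
        t = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        for orig, nat in self.conntrack.items():
            if t == orig:                              # ESTABLISHED, original direction
                pkt, state = Packet(*nat), "ESTABLISHED"
                break
            if t == (nat[1], nat[0], nat[3], nat[2]):  # reply: conntrack undoes the NAT
                pkt, state = Packet(orig[1], orig[0], orig[3], orig[2]), "ESTABLISHED"
                break
        else:
            state = "NEW"   # only the first packet of a connection consults the nat table
            for r in self.prerouting:
                if matches(r, pkt, state):
                    pkt = replace(pkt, dst=r["dnat"])
                    break
        verdict = "DROP"    # FORWARD sees the packet *after* DNAT
        for r in self.forward:
            if matches(r, pkt, state):
                verdict = r["target"]
                break
        if verdict != "ACCEPT":
            return verdict, pkt
        if state == "NEW":
            for r in self.postrouting:
                if matches(r, pkt, state):
                    pkt = replace(pkt, src=r["snat"])
                    break
            self.conntrack[t] = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        return verdict, pkt


# skmail's rules. BROKEN_FORWARD matches the pre-DNAT address and so never fires.
DNAT_RULE = {"dst": "1.2.3.4", "dport": 3389, "dnat": "192.168.0.1"}
SNAT_RULE = {"src": "192.168.0.1", "not_dst": "192.168.0.0/24", "snat": "1.2.3.4"}
BROKEN_FORWARD = {"dst": "1.2.3.4", "dport": 3389, "target": "ACCEPT"}
FIXED_FORWARD = {"dst": "192.168.0.1", "dport": 3389, "target": "ACCEPT"}

CLIENT = "203.0.113.7"   # constructed outside client address
SYN = Packet(CLIENT, "1.2.3.4", 40001, 3389)


def broken_inbound():
    """skmail's ruleset: the SYN is DNATed first, then FORWARD never matches it."""
    return Netfilter([DNAT_RULE], [BROKEN_FORWARD], [SNAT_RULE]).handle(SYN)


def fixed(with_snat):
    # ESTABLISHED and outbound rules are assumed stand-ins for the rest of the script.
    forward = [{"state": ("ESTABLISHED",), "target": "ACCEPT"}, FIXED_FORWARD,
               {"src": "192.168.0.0/24", "target": "ACCEPT"}]
    return Netfilter([DNAT_RULE], forward, [SNAT_RULE] if with_snat else [])


def fixed_inbound_and_reply():
    """Antony's fix with no SNAT rule loaded: the reply still leaves from 1.2.3.4."""
    nf = fixed(with_snat=False)
    v1, fwd = nf.handle(SYN)
    reply = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)  # server answers what it got
    v2, back = nf.handle(reply)
    return (v1, fwd), (v2, back)


def fixed_outbound():
    """Where the SNAT rule is needed: a connection the inside host opens itself."""
    return fixed(with_snat=True).handle(Packet("192.168.0.1", "198.51.100.9", 50000, 443))
```

Compare broken_inbound() with fixed_inbound_and_reply(): by the time FORWARD looks at the SYN it has already been rewritten to 192.168.0.1, so `-d 1.2.3.4` can only match in PREROUTING; and the reply comes back with source 1.2.3.4 although no SNAT rule is loaded, because the nat table is consulted only for the first packet of a connection and conntrack reverses that mapping for everything that follows. fixed_outbound() shows the one case skmail's SNAT rule does cover: connections the inside host opens itself. The model keys conntrack on addresses and ports only; real conntrack also keys on protocol.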

* Re: Forward rule can't specify destination address?
  2002-06-06 20:42       ` Antony Stone
@ 2002-06-06 21:00         ` skmail
  0 siblings, 0 replies; 7+ messages in thread
From: skmail @ 2002-06-06 21:00 UTC (permalink / raw)
  To: Antony Stone; +Cc: netfilter

Hmm... that sheds some light on stuff.  I think I'll have to rewrite my 
firewall rules now.  :)

I specified the SNAT also because connections are initiated to the
internet from it, and they must come from a specific internet IP address.  
It's doing this for several machines on an internal network. They only 
have a handful of addresses assigned to them.  Each address is assigned 
specifically to a user, and a general one for the firewall.  Each user has 
to come from a unique tracked IP to login to a remote system.  Don't ask 
why, that's the way they set it up on their end. 

I didn't know that the return would be done automatically though, so I'm 
glad you cleared that up.  I do have rules for that also in other places 
in my firewall script that don't need to be there.



