Linux Netfilter discussions
* DNAT possible with the string module?
@ 2002-11-04 15:40 Udo Rader
  2002-11-04 19:57 ` Antony Stone
  0 siblings, 1 reply; 14+ messages in thread
From: Udo Rader @ 2002-11-04 15:40 UTC (permalink / raw)
  To: netfilter

hi,

I would like to do the following thing:

2 daemons listening on different ports (let's say 1234 and 2345).

The firewall then ideally takes all connects from clients to port 1234,
looks for a "magic string" (using -m string) in the packets and based
upon the (non)existence of the string finally decides which daemon to
forward the connect to.

... is there a chance for this to work?
... or any other ways to achieve this?

thanks for your work!!!

udo



* Re: DNAT possible with the string module?
  2002-11-04 15:40 DNAT possible with the string module? Udo Rader
@ 2002-11-04 19:57 ` Antony Stone
  2002-11-05 19:51   ` IPTable Help ! Louie
  2002-11-06 17:34   ` DNAT possible with the string module? Udo Rader
  0 siblings, 2 replies; 14+ messages in thread
From: Antony Stone @ 2002-11-04 19:57 UTC (permalink / raw)
  To: netfilter

On Monday 04 November 2002 3:40 pm, Udo Rader wrote:

> hi,
>
> I would like to do the following thing:
>
> 2 daemons listening on different ports (let's say 1234 and 2345).
>
> The firewall then ideally takes all connects from clients to port 1234,
> looks for a "magic string" (using -m string) in the packets and based
> upon the (non)existence of the string finally decides which daemon to
> forward the connect to.
>
> ... is there a chance for this to work?

I think the answer is no, it cannot work (assuming you are talking about TCP 
ports and not UDP ports).

The reason is as follows:

Before a client can send the magic string you are looking for, it needs to 
have completed the TCP handshake of SYN - SYN/ACK - ACK, because it's only 
after that's done that any data gets transferred between the systems.

Obviously the SYN and the SYN/ACK are to and from a specific port number on 
the listening server, so by the time you get to see the magic string, the 
choice of port number to connect to has already been made.

Antony.

-- 

If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.



* IPTable Help !
  2002-11-04 19:57 ` Antony Stone
@ 2002-11-05 19:51   ` Louie
  2002-11-05 20:52     ` Ben Russo
  2002-11-06  4:53     ` hare ram
  2002-11-06 17:34   ` DNAT possible with the string module? Udo Rader
  1 sibling, 2 replies; 14+ messages in thread
From: Louie @ 2002-11-05 19:51 UTC (permalink / raw)
  To: Antony Stone, netfilter

Hello all!

Hope that everyone had a good weekend. I
was wondering, does anyone know a site
that has simple explanations of iptables,
like "Iptables for dummies"?

Thank you,

Louie





* Re: IPTable Help !
  2002-11-05 19:51   ` IPTable Help ! Louie
@ 2002-11-05 20:52     ` Ben Russo
  2002-11-06  4:53     ` hare ram
  1 sibling, 0 replies; 14+ messages in thread
From: Ben Russo @ 2002-11-05 20:52 UTC (permalink / raw)
  To: Louie; +Cc: Antony Stone, netfilter

On Tue, 2002-11-05 at 14:51, Louie wrote:
> Hello all!
> 
> Hope that everyone had a good weekend. I
> was wondering, does anyone know a site
> that has simple explanations of iptables,
> like "Iptables for dummies"?
> 
Come on Louie, did you do a search for the iptables howto?

A great reference site for many UNIX-like things (with a strong Linux
slant) is: http://www.tldp.org

There are Iptables howtos there.







* Re: IPTable Help !
  2002-11-05 19:51   ` IPTable Help ! Louie
  2002-11-05 20:52     ` Ben Russo
@ 2002-11-06  4:53     ` hare ram
  2002-11-06  8:37       ` mourik jan c heupink
  1 sibling, 1 reply; 14+ messages in thread
From: hare ram @ 2002-11-06  4:53 UTC (permalink / raw)
  To: Louie, Antony Stone, netfilter

go to Linuxgurz

hare




* Re: IPTable Help !
  2002-11-06  4:53     ` hare ram
@ 2002-11-06  8:37       ` mourik jan c heupink
  0 siblings, 0 replies; 14+ messages in thread
From: mourik jan c heupink @ 2002-11-06  8:37 UTC (permalink / raw)
  To: hare ram; +Cc: Louie, Antony Stone, netfilter@lists.netfilter.org

Looking for "Iptables for dummies"?
                          ^^^^^^^
Go to linuxgurus...
           ^^^^^
lol :)

On Wed, 2002-11-06 at 05:53, hare ram wrote:
> go to Linuxgurz
> 
> hare





* Re: DNAT possible with the string module?
  2002-11-04 19:57 ` Antony Stone
  2002-11-05 19:51   ` IPTable Help ! Louie
@ 2002-11-06 17:34   ` Udo Rader
  2002-11-06 19:05     ` DNAT - TCP_MISS/503 Eugenio
  2002-11-06 20:21     ` DNAT possible with the string module? Antony Stone
  1 sibling, 2 replies; 14+ messages in thread
From: Udo Rader @ 2002-11-06 17:34 UTC (permalink / raw)
  To: netfilter

On Mon, 04 Nov 2002 21:36:10 +0000, Antony Stone wrote:

> On Monday 04 November 2002 3:40 pm, Udo Rader wrote:
> 
>> hi,
>>
>> I would like to do the following thing:
>>
>> 2 daemons listening on different ports (let's say 1234 and 2345).
>>
>> The firewall then ideally takes all connects from clients to port 1234,
>> looks for a "magic string" (using -m string) in the packets and based
>> upon the (non)existence of the string finally decides which daemon to
>> forward the connect to.
>>
>> ... is there a chance for this to work?
> 
> I think the answer is no, it cannot work (assuming you are talking about TCP 
> ports and not UDP ports).
> 
> The reason is as follows:
> 
> Before a client can send the magic string you are looking for, it needs to 
> have completed the TCP handshake of SYN - SYN/ACK - ACK, because it's only 
> after that's done that any data gets transferred between the systems.
> 
> Obviously the SYN and the SYN/ACK are to and from a specific port number on 
> the listening server, so by the time you get to see the magic string, the 
> choice of port number to connect to has already been made.
> 
> Antony.

I see your point. 

So am I right that the only way to achieve this is by having some kind of
proxy dealing with this "magic-string"?

thanks.

udo



* DNAT - TCP_MISS/503
  2002-11-06 17:34   ` DNAT possible with the string module? Udo Rader
@ 2002-11-06 19:05     ` Eugenio
  2002-11-06 20:25       ` Antony Stone
  2002-11-06 20:21     ` DNAT possible with the string module? Antony Stone
  1 sibling, 1 reply; 14+ messages in thread
From: Eugenio @ 2002-11-06 19:05 UTC (permalink / raw)
  To: netfilter

Hi all,

This is my problem!

ERROR
The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: http://www.localhost.com.br/
The following error was encountered:

Connection Failed

The system returned:

    (111) Connection refused

The remote host or network may be down. Please try the request again.
Your cache administrator is root.

Error in the Squid log:


1035311411.554     10 123.0.0.1 TCP_MISS/503 999 GET http://www.domain_localhost.com.br/ - NONE/- -


I don't know how to correct this problem; please tell me what you think
about this.

Thanks in advance

Eugenio





[root@IMIDIA /root]# cat iptables.txt
# Generated by iptables-save v1.2.1a on Fri Sep 13 12:35:05 2002
*mangle
:PREROUTING ACCEPT [26633:4815741]
:OUTPUT ACCEPT [625:95729]
COMMIT
# Completed on Fri Sep 13 12:35:05 2002
# Generated by iptables-save v1.2.1a on Fri Sep 13 12:35:05 2002
*filter
:INPUT DROP [55:8112]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -s 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 0/0 -p tcp -m tcp --sport 80 -j ACCEPT

-A INPUT -s 0/0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 0/0 -p tcp -m tcp --sport 53 -j ACCEPT

-A INPUT -s 0/0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 0/0 -p udp -m udp --sport 53 -j ACCEPT

-A FORWARD -m unclean -j LOG
-A FORWARD -m unclean -j DROP

-A FORWARD -p icmp -m icmp --icmp-type 8 -j LOG
-A FORWARD -p icmp -m icmp --icmp-type 8 -j DROP

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport rsync -j ACCEPT
-A FORWARD -p tcp -m tcp --sport rsync -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 25 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 110 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 443 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 20 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --sport 53 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 22 -j ACCEPT

# outbound
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 123.0.0.10 -j ACCEPT
-A OUTPUT -s 200.0.2.190 -j ACCEPT
-A OUTPUT -d 0/0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j LOG
-A OUTPUT -p icmp -m state --state INVALID -j DROP

COMMIT
# Completed on Fri Sep 13 12:35:05 2002
# Generated by iptables-save v1.2.1a on Fri Sep 13 12:35:05 2002
*nat
:PREROUTING ACCEPT [1192:75377]
:POSTROUTING ACCEPT [17:863]
:OUTPUT ACCEPT [2:136]

# Redirect local web traffic to the Squid server (content control).
-A PREROUTING -s 123.0.0.10 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.0.0.11:3128

# Redirect web traffic from the Internet to the web server.
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.0.0.18

# Create an INBOUND route for e-mail.
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 123.0.0.11

# Create an INBOUND route for DNS
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 123.0.0.11

# Create an INBOUND route for DNS
-A PREROUTING -d 200.0.2.190 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 123.0.0.11

# Create an INBOUND route for FTP access.
# -A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 123.0.0.18

# Create an OUTBOUND route for e-mail. Attention: this route may allow
# SPAMMERS to act if sendmail is not correctly locked down.
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 123.0.0.11

# LOCAL outbound traffic to the INTERNET via SQUID.
-A POSTROUTING -s 123.0.0.11 -o eth0 -j MASQUERADE

# Outbound traffic to the INTERNET for all protocols except TCP/IP 80, from the LOCAL network.
-A POSTROUTING -s 123.0.0.0/255.255.255.0 -o eth0 -p tcp -m tcp ! --dport 80 -j MASQUERADE

COMMIT
# Completed on Fri Sep 13 12:35:05 2002
[root@IMIDIA /root]#





* Re: DNAT possible with the string module?
  2002-11-06 17:34   ` DNAT possible with the string module? Udo Rader
  2002-11-06 19:05     ` DNAT - TCP_MISS/503 Eugenio
@ 2002-11-06 20:21     ` Antony Stone
  1 sibling, 0 replies; 14+ messages in thread
From: Antony Stone @ 2002-11-06 20:21 UTC (permalink / raw)
  To: netfilter

On Wednesday 06 November 2002 5:34 pm, Udo Rader wrote:

> On Mon, 04 Nov 2002 21:36:10 +0000, Antony Stone wrote:
> > On Monday 04 November 2002 3:40 pm, Udo Rader wrote:
> >>
> >> I would like to do the following thing:
> >>
> >> The firewall then ideally takes all connects from clients to port 1234,
> >> looks for a "magic string" (using -m string) in the packets and based
> >> upon the (non)existence of the string finally decides which daemon to
> >> forward the connect to.
> >
> > I think the answer is no, it cannot work (assuming you are talking about
> > TCP ports and not UDP ports).
> >
> > Before a client can send the magic string you are looking for, it needs
> > to have completed the TCP handshake of SYN - SYN/ACK - ACK, because it's
> > only after that's done that any data gets transferred between the
> > systems.
>
> I see your point.
>
> So am I right that the only way to achieve this is by having some kind of
> proxy dealing with this "magic-string"?

Yes, a proxy is the correct solution for this problem (and is nearly always 
the correct solution whenever someone thinks of using the --string match).

Antony.

-- 

Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)


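Antony's "use a proxy" answer carried through as an added example (this is not code from the thread): a small demultiplexing proxy that completes the TCP handshake itself, reads the first bytes the client sends, and relays the whole connection to one of two daemons depending on whether the magic string is present, which is exactly what a PREROUTING DNAT rule cannot do. The magic string and all addresses are placeholders; because the proxy takes over port 1234, the daemon that used to listen there is assumed to have moved to another port.

```python
"""Demultiplexing TCP proxy: the user-space stand-in for "DNAT on a string".

The proxy owns the listening socket, so by the time it chooses a backend
the handshake is done and the client's first bytes are available.
"""
import socket
import threading

MAGIC = b"MAGIC"                        # placeholder magic string
LISTEN = ("127.0.0.1", 1234)            # the port clients connect to
BACKEND_MAGIC = ("127.0.0.1", 2345)     # daemon for clients sending the magic string
BACKEND_PLAIN = ("127.0.0.1", 11234)    # the other daemon, moved off 1234 (assumed)
PEEK_BYTES = 256                        # how much of the first client data to inspect
PEEK_TIMEOUT = 2.0                      # seconds to wait for that data


def pick_backend(first_bytes):
    """Route the way '-m string' matches: a plain substring search.
    Only the first PEEK_BYTES of the first segment are inspected, so the
    magic string must appear at the very start of the client's stream."""
    return BACKEND_MAGIC if MAGIC in first_bytes else BACKEND_PLAIN


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client):
    """Read the client's opening bytes, pick a daemon, then relay both ways."""
    with client:
        client.settimeout(PEEK_TIMEOUT)
        try:
            head = client.recv(PEEK_BYTES)
        except socket.timeout:
            # Server-first protocol: the client is waiting for a greeting, so
            # there is nothing to inspect. Fall back to the plain daemon.
            head = b""
        client.settimeout(None)
        with socket.create_connection(pick_backend(head)) as backend:
            if head:
                backend.sendall(head)   # replay the bytes we already consumed
            threading.Thread(target=pump, args=(client, backend), daemon=True).start()
            pump(backend, client)
            try:                        # backend finished: wake the other direction
                client.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def serve(listen=LISTEN):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen(128)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```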

* Re: DNAT - TCP_MISS/503
  2002-11-06 19:05     ` DNAT - TCP_MISS/503 Eugenio
@ 2002-11-06 20:25       ` Antony Stone
  2002-11-07 11:08         ` Eugenio
  0 siblings, 1 reply; 14+ messages in thread
From: Antony Stone @ 2002-11-06 20:25 UTC (permalink / raw)
  To: netfilter

On Wednesday 06 November 2002 7:05 pm, Eugenio wrote:

> Hi all,
>
> This is my problem!
>
> ERROR
> The requested URL could not be retrieved
>
> The remote host or network may be down. Please try the request again.
> Your cache administrator is root.
>
> Error in the Squid log:
>
> 1035311411.554     10 123.0.0.1 TCP_MISS/503 999 GET http://www.domain_localhost.com.br/ - NONE/- -
>
> I don't know how to correct this problem; please tell me what you think
> about this.

I think this is not a netfilter problem.

It's probably something to do with your Squid setup, but I'm not a Squid 
expert (and this is not a Squid mailing list...)

Antony.

-- 

Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer



* RE: DNAT - TCP_MISS/503
  2002-11-06 20:25       ` Antony Stone
@ 2002-11-07 11:08         ` Eugenio
  2002-11-07 13:03           ` Rob Sterenborg
  0 siblings, 1 reply; 14+ messages in thread
From: Eugenio @ 2002-11-07 11:08 UTC (permalink / raw)
  To: netfilter, Antony Stone; +Cc: Cátia Ferraz


Hi,

Sorry! I think this is a netfilter problem, because I stopped my Squid
and the problem did not stop.

(If you test the local IP of my web server [123.0.0.18] it's okay, but
if you test the name of the local domain (wwww.mywebserver.com.br) it's not
okay; Netscape reports this error.)

Access from the Internet, by IP or domain name, is okay; I don't understand why.

It's probably something with my iptables chains, what do you think?

Thanks in advance

Eugenio.

PS: excuse my bad English.






* RE: DNAT - TCP_MISS/503
  2002-11-07 11:08         ` Eugenio
@ 2002-11-07 13:03           ` Rob Sterenborg
  2002-11-08  9:52             ` Eugenio
  0 siblings, 1 reply; 14+ messages in thread
From: Rob Sterenborg @ 2002-11-07 13:03 UTC (permalink / raw)
  To: netfilter

> Sorry! I think this is a netfilter problem, because I stopped my Squid
> and the problem did not stop.
>
> (If you test the local IP of my web server [123.0.0.18] it's okay, but
> if you test the name of the local domain (wwww.mywebserver.com.br) it's not
> okay; Netscape reports this error.)
>
> Access from the Internet, by IP or domain name, is okay; I don't
> understand why.
>
> It's probably something with my iptables chains, what do you think?

What webserver did you test: http://localhost or http://123.0.0.18?

We don't know anything about your setup, so it's quite difficult if not
impossible to answer your question.
Could you post your iptables rules so that we might be able to help you (and
please, not the output of iptables -L, but the actual commands)?


Rob




* RE: DNAT - TCP_MISS/503
  2002-11-07 13:03           ` Rob Sterenborg
@ 2002-11-08  9:52             ` Eugenio
  2002-11-08 13:44               ` Antony Stone
  0 siblings, 1 reply; 14+ messages in thread
From: Eugenio @ 2002-11-08  9:52 UTC (permalink / raw)
  To: Rob Sterenborg, netfilter

Hi,

| What webserver did you test: http://localhost or http://123.0.0.18?
| We don't know anything about your setup, so it's quite difficult if not
| impossible to answer your question.
| Could you post your iptables rules so that we might be able to help you (and
| please, not the output of iptables -L, but the actual commands)?


I did test http://123.0.0.18 and it's okay, but http://www.dominio.com.br
is not okay.

ERROR

The requested URL could not be retrieved
-------------------------------------------------------------
While trying to retrieve the URL: http://www.dominio.com.br

The following error was encountered:

Connection Failed

The system returned:

    (111) Connection refused

The remote host or network may be down. Please try the request again.
Your cache administrator is root.


My rules are:

[root@IMIDIA /root]# cat iptables.txt
# Generated by iptables-save v1.2.1a on Fri Sep 13 12:35:05 2002
*mangle
:PREROUTING ACCEPT [26633:4815741]
:OUTPUT ACCEPT [625:95729]
COMMIT
# Completed on Fri Sep 13 12:35:05 2002
# Generated by iptables-save v1.2.1a on Fri Sep 13 12:35:05 2002
*filter
:INPUT DROP [55:8112]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -s 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 0/0 -p tcp -m tcp --sport 80 -j ACCEPT

-A INPUT -s 0/0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 0/0 -p tcp -m tcp --sport 53 -j ACCEPT

-A INPUT -s 0/0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 0/0 -p udp -m udp --sport 53 -j ACCEPT

-A FORWARD -m unclean -j LOG
-A FORWARD -m unclean -j DROP

-A FORWARD -p icmp -m icmp --icmp-type 8 -j LOG
-A FORWARD -p icmp -m icmp --icmp-type 8 -j DROP

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport rsync -j ACCEPT
-A FORWARD -p tcp -m tcp --sport rsync -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 25 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 110 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 443 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 20 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --sport 53 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 22 -j ACCEPT

# outbound
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 123.0.0.10 -j ACCEPT
-A OUTPUT -s 200.0.2.190 -j ACCEPT
-A OUTPUT -d 0/0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j LOG
-A OUTPUT -p icmp -m state --state INVALID -j DROP

COMMIT
# Completed on Fri Sep 13 12:35:05 2002
# Generated by iptables-save v1.2.1a on Fri Sep 13 12:35:05 2002
*nat
:PREROUTING ACCEPT [1192:75377]
:POSTROUTING ACCEPT [17:863]
:OUTPUT ACCEPT [2:136]

# Redirect local web traffic to the Squid server (content control).
-A PREROUTING -s 123.0.0.10 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.0.0.11:3128

# Redirect web traffic from the Internet to the web server.
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.0.0.18

# Create an INBOUND route for e-mail.
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 123.0.0.11

# Create an INBOUND route for DNS
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 123.0.0.11

# Create an INBOUND route for DNS
-A PREROUTING -d 200.0.2.190 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 123.0.0.11

# Create an INBOUND route for FTP access.
# -A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 123.0.0.18

# Create an OUTBOUND route for e-mail. Attention: this route may allow
# SPAMMERS to act if sendmail is not correctly locked down.
-A PREROUTING -d 200.0.2.190 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 123.0.0.11

# LOCAL outbound traffic to the INTERNET via SQUID.
-A POSTROUTING -s 123.0.0.11 -o eth0 -j MASQUERADE

# Outbound traffic to the INTERNET for all protocols except TCP/IP 80, from the LOCAL network.
-A POSTROUTING -s 123.0.0.0/255.255.255.0 -o eth0 -p tcp -m tcp ! --dport 80 -j MASQUERADE

COMMIT
# Completed on Fri Sep 13 12:35:05 2002

Thanks in advance

Eugenio







* Re: DNAT - TCP_MISS/503
  2002-11-08  9:52             ` Eugenio
@ 2002-11-08 13:44               ` Antony Stone
  0 siblings, 0 replies; 14+ messages in thread
From: Antony Stone @ 2002-11-08 13:44 UTC (permalink / raw)
  To: netfilter

On Friday 08 November 2002 9:52 am, Eugenio wrote:

> Hi,
>
> | What webserver did you test: http://localhost or http://123.0.0.18?
> | We don't know anything about your setup, so it's quite difficult if not
> | impossible to answer your question.
> | Could you post your iptables rules so that we might be able to help you (and
> | please, not the output of iptables -L, but the actual commands)?
>
> I did test http://123.0.0.18 and it's okay, but http://www.dominio.com.br
> is not okay.
>
> ERROR
>
> The requested URL could not be retrieved
> -------------------------------------------------------------
> While trying to retrieve the URL: http://www.dominio.com.br
>
> The following error was encountered:
>
> Connection Failed
>
> The system returned:
>
>     (111) Connection refused
>
> The remote host or network may be down. Please try the request again.
> Your cache administrator is root.

I think the problem is that you have no OUTPUT rule allowing UDP DNS packets.

Antony.

-- 

Wanted: telepath.   You know where to apply.


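Antony's diagnosis worked through as an added example (not code from the thread): a first-match evaluator for the filter OUTPUT chain from Eugenio's dump, run over a few constructed packets. It models only the matches those seven rules use, and the 123.0.0.1 source address is an assumption (the dump does not show which address the firewall itself resolves from); what it shows is that a UDP DNS query leaving the box falls through to the DROP policy, while the same query over TCP, or one sourced from 123.0.0.10, is accepted.

```python
"""First-match evaluator for the filter OUTPUT chain posted in this thread.
Only -s, -d, -p, --dport and --state are modelled; LOG is non-terminating,
so the walk continues past it, and the chain policy applies at the end."""
import ipaddress
import shlex

OUTPUT_POLICY = "DROP"
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# The OUTPUT rules exactly as they appear in the dump above.
OUTPUT_RULES = """
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 123.0.0.10 -j ACCEPT
-A OUTPUT -s 200.0.2.190 -j ACCEPT
-A OUTPUT -d 0/0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j LOG
-A OUTPUT -p icmp -m state --state INVALID -j DROP
"""


def to_net(spec):
    """iptables address spec ('0/0', '1.2.3.4', 'a.b.c.d/nn' or '/mask') -> ip_network."""
    addr, _, plen = spec.partition("/")
    if addr == "0":                         # iptables shorthand for 0.0.0.0
        addr = "0.0.0.0"
    return ipaddress.ip_network(f"{addr}/{plen or '32'}", strict=False)


def parse_rule(line):
    """Turn one '-A OUTPUT ...' line into {criterion: value, 'target': ...}."""
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        key, val = toks[i], toks[i + 1]
        if key in ("-s", "-d"):
            rule[key] = to_net(val)
        elif key == "-p":
            rule["proto"] = val
        elif key == "--dport":
            rule["dport"] = int(val)
        elif key == "--state":
            rule["state"] = set(val.split(","))
        elif key == "-j":
            rule["target"] = val
        elif key not in ("-A", "-m"):      # chain name / match-module name: no criteria
            raise ValueError(f"unsupported token {key!r} in: {line}")
        i += 2
    return rule


def parse_chain(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def matches(rule, pkt):
    return (("-s" not in rule or ipaddress.ip_address(pkt["src"]) in rule["-s"])
            and ("-d" not in rule or ipaddress.ip_address(pkt["dst"]) in rule["-d"])
            and ("proto" not in rule or rule["proto"] == pkt["proto"])
            and ("dport" not in rule or rule["dport"] == pkt["dport"])
            and ("state" not in rule or pkt["state"] in rule["state"]))


def verdict(rules, pkt, policy=OUTPUT_POLICY):
    """First terminating match wins; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt) and rule["target"] in TERMINATING:
            return rule["target"]
    return policy


def packet(src, dst, proto, dport=None, state="NEW"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "state": state}


RULES = parse_chain(OUTPUT_RULES)

if __name__ == "__main__":
    # Constructed packets: 123.0.0.1 is assumed to be the firewall's own LAN
    # address, 198.51.100.53 a documentation-range stand-in for the resolver.
    for proto in ("udp", "tcp"):
        pkt = packet("123.0.0.1", "198.51.100.53", proto, 53)
        print(f"DNS over {proto} from 123.0.0.1 -> {verdict(RULES, pkt)}")
```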
