Pascal Hambourg wrote:
> Hello,
>
> Frédéric Massot wrote:
>>
>> I have servers with public IP addresses in a DMZ behind a firewall.
>>
>> The firewall has two network interface, one connected to the DMZ, the
>> other to the ISP router.
>>
>> From the local network, I can access the server via SSH on port 22/TCP.
>
> What local network ?
>
>> I would like to access the server from the outside on another port,
>> like 12345/TCP. I tried to translate the SSH port on the firewall with a
>> DNAT rule.
>>
>> I have these rules:
>>
>> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp \
>> --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT
>>
>> iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER \
>> --dport 12345 -j DNAT --to-destination $SERVER:22
>>
>> With these rules I can access the server on ports 22/TCP and 12345/TCP.
>>
>> How can I ensure that access will be possible only on port 12345/TCP and
>> not on port 22/TCP?
>
> There are several available methods, all involving some action in the
> PREROUTING chains before the DNAT rule is reached, because after it is
> too late.
>
> 1) Drop packets to $SERVER:22 in mangle/PREROUTING or raw/PREROUTING
> (the latter requires a kernel >= 2.6.6). Not my preferred method, as
> packet filtering is not the primary purpose of the mangle and raw
> tables, and they do not support the REJECT target.
>
> iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
> -p tcp --dport 22 -j DROP
>
>
> 2) Mark packets to $SERVER:22 in mangle/PREROUTING and drop or reject
> the marked packets in filter/FORWARD before the ACCEPT rule.
>
> iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
> -p tcp --dport 22 -j MARK --set-mark 0x22
> iptables -A FORWARD -m mark --mark 0x22 -p tcp \
> -j REJECT --reject-with tcp-reset
>
>
> 3) Conversely, mark packets to $SERVER:12345 in mangle/PREROUTING and
> accept only packets to $SERVER:22 with the mark in filter/FORWARD.
>
> iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
> -p tcp --dport 12345 -j MARK --set-mark 0x12345
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
> -d $SERVER -p tcp --dport 22 -m mark --mark 0x12345 -j ACCEPT
>
>
> 4) Mark new connections to $SERVER:12345 in mangle/PREROUTING and accept
> only packets to $SERVER:22 with the connection mark in filter/FORWARD.
> Requires kernel >= 2.6.10 or with the connmark patch.
>
> iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
> -m state --state NEW -p tcp --dport 12345 \
> -j CONNMARK --set-mark 0x12345
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
> -d $SERVER -p tcp --dport 22 -m connmark --mark 0x12345 -j ACCEPT
>
>
> 5) DNAT connections to $SERVER:22 in nat/PREROUTING to whatever
> destination you want and drop/reject them in FORWARD or INPUT depending
> whether the new destination is local or remote. Not my preferred method.
>
>
> 6) Skip connection tracking on packets to $SERVER:22 in raw/PREROUTING
> with the NOTRACK target. The packets will have the UNTRACKED state, so
> you can drop or reject packets matching that state in filter/FORWARD.
> Requires a kernel >= 2.6.6. Not my preferred method either.
>
> iptables -t raw -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
> -p tcp --dport 22 -j NOTRACK
> iptables -A FORWARD -m state --state UNTRACKED \
> -p tcp -j REJECT --reject-with tcp-reset
>
Great!!!
I added, before DNAT, a DROP rule in the PREROUTING chain of the nat table and
it works: access on port 22 is blocked. Well, it's not very proper to do
filtering in the nat table. I will look at using sshd on two ports.

iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp \
--sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER \
--dport 22 -j DROP
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER \
--dport 12345 -j DNAT --to-destination $SERVER:22
Thank you for your responses.
Regards.
--
==============================================
| FRÉDÉRIC MASSOT |
| http://www.juliana-multimedia.com
|
| mailto:frederic@[EMAIL PROTECTED]
|
===========================Debian=GNU/Linux===
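An added example, not part of the thread: a small Python model of the netfilter hook order (mangle/PREROUTING, then nat/PREROUTING with the DNAT, then filter/FORWARD) showing why the original FORWARD rule accepts both a direct 22/TCP connection and the DNATed 12345/TCP one, and how the pre-DNAT mark from method 3 lets FORWARD tell them apart. Interface names, the server address and the mark value are constructed.

```python
# Added example (not from the thread): model the hook order a NEW SYN from the
# outside traverses -- mangle/PREROUTING, nat/PREROUTING (DNAT), filter/FORWARD.
EXT, INT, SERVER = "eth0", "eth1", "192.0.2.10"  # constructed (RFC 5737 address)

def mangle_prerouting(pkt):
    """Method 3: mark traffic arriving on the public port *before* DNAT runs."""
    if pkt["in"] == EXT and pkt["dst"] == SERVER and pkt["dport"] == 12345:
        pkt["mark"] = 0x12345
    return pkt

def nat_prerouting(pkt):
    """The DNAT rule from the thread: rewrite $SERVER:12345 -> $SERVER:22."""
    if pkt["in"] == EXT and pkt["dst"] == SERVER and pkt["dport"] == 12345:
        pkt["dport"] = 22  # from here on FORWARD sees dport 22 either way
    return pkt

def filter_forward_original(pkt):
    """Original FORWARD rule: ACCEPT any NEW connection to $SERVER:22."""
    if (pkt["in"] == EXT and pkt["out"] == INT
            and pkt["dst"] == SERVER and pkt["dport"] == 22):
        return "ACCEPT"
    return "DROP"  # assumed chain policy

def filter_forward_marked(pkt):
    """Method 3 FORWARD rule: ACCEPT $SERVER:22 only with the pre-DNAT mark."""
    if (pkt["in"] == EXT and pkt["out"] == INT and pkt["dst"] == SERVER
            and pkt["dport"] == 22 and pkt["mark"] == 0x12345):
        return "ACCEPT"
    return "DROP"

def traverse(dport, forward_chain):
    """Push one NEW SYN to $SERVER:dport through the hooks in kernel order."""
    pkt = {"in": EXT, "out": INT, "dst": SERVER, "dport": dport, "mark": 0}
    pkt = mangle_prerouting(pkt)   # mark is set while dport is still 12345
    pkt = nat_prerouting(pkt)      # DNAT rewrites dport, the mark survives
    return forward_chain(pkt)

if __name__ == "__main__":
    for chain in (filter_forward_original, filter_forward_marked):
        print(chain.__name__, {p: traverse(p, chain) for p in (22, 12345)})
```

The original chain yields ACCEPT for both 22 and 12345, because the DNAT has already rewritten the port by the time FORWARD matches; the marked variant yields ACCEPT only for 12345.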