Darrick Hartman wrote:
> Philip A. Prindeville wrote:
>   
>> Darrick Hartman wrote:
>>     
>>> Philip A. Prindeville wrote:
>>>>
>>>> What I'm trying to do is this.
>>>>
>>>> Let's say I have some service that runs on port 101 (hypothetically).
>>>>
>>>> I want to continue to run it on that port internally, but I want to 
>>>> relocate it on my external interface because I'm tired of it being 
>>>> port-scanned, and it's not a particularly secure service.
>>>>
>>>> So I run my relocated service externally on port 10100.  Internally on 
>>>> 101... and block packets sent directly to the external interface on port 
>>>> 101....
>>>>
>>>> What I want to do is this.
>>>>
>>>> If a connection comes in for TCP/10100 on my external interface, I want 
>>>> to (a) --setmark the packet, and (b) -j DNAT --to-destination 101 on it.
>>>>
>>>> Then separately, if a packet is for TCP/101 and it came on my external 
>>>> interface:
>>>>
>>>> (a) accept it if it's marked (i.e. had been reNATted),
>>>> (b) reject it if it isn't marked (i.e. hasn't been reNATted from 
>>>> TCP/10100).
>>>>
>>>> Simple, right?
>>>>
>>> (b) is easy.  Any ports that aren't explicitly opened are dropped from 
>>> the outside.  Default behavior is DROP unless set otherwise.
>>>
>> No, I was referring to the "MARK" module and --mark and --setmark.
>>     
>
> But why do you need that?
>   

It's one possible way of discriminating between a packet that was sent 
directly to port 101 on the external interface (bad), versus one that 
was originally sent to port 10100 on the external interface that got 
reNATted.


>   
>>> (a) should be able to be handled by Arno's firewall already by 
>>> NAT_XXX_FORWARD= where XXX is TCP, UDP or IP.
>>>
>>> You'd use a format that looks like this:
>>>
>>> "101>192.168.101.1:10100"
>>>
>> You know, you'd think that would work... but it doesn't.
>>
>>> Try that.  If that doesn't work, then I'd ask on Arno's firewall list. 
>>> I don't think that's that odd of a request (to make the service 
>>> accessible on XXX externally and ABC internally).
>>>
>>> Darrick
>>>
>> Really?  It was a very popular thing to do on IOS routers...
>>     
>
> Re-read what I said.  In my mind it IS something that many people may 
> want.  That's why I thought it would be something beneficial to be in 
> Arno's firewall upstream and not just a hack for this project.
>
> Darrick
>   

Well, I started out on trying to do it on the Arno's firewall, but we 
couldn't get it to work right...

And no one on the list seemed able to contribute anything useful.

So I thought I'd try somewhere with better SNR.

And yes, once we get it working, we can bundle it and ship it off to Arno.

-Philip
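The mark-then-DNAT scheme Philip describes, written out as iptables rules; this is an added example, not code from the thread or from Arno's firewall. It assumes eth0 as the external interface and 0x65 as the mark value (both arbitrary choices), and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: relocate TCP/101 to TCP/10100 on the external interface,
# accepting 101 only for packets that arrived as 10100 and were rewritten.
# Assumptions (not from the thread): external interface eth0, mark 0x65.
IPT=${IPT:-iptables}          # set IPT=echo to dry-run and print the rules
EXT_IF=${EXT_IF:-eth0}
EXT_PORT=10100                # port exposed on the external interface
INT_PORT=101                  # port the service really listens on
MARK=0x65                     # arbitrary; must not collide with other marks

relocate_service() {
    # Mark in mangle PREROUTING: this table runs before nat, so every packet
    # of the connection is still seen with dport 10100 here and gets marked
    # before conntrack rewrites it. The option is --set-mark, not --setmark.
    $IPT -t mangle -A PREROUTING -i "$EXT_IF" -p tcp --dport "$EXT_PORT" \
        -j MARK --set-mark "$MARK"
    # DNAT the external port to the real port (address unchanged, port only).
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination ":$INT_PORT"
    # Filter INPUT, evaluated after nat: (a) accept 101 only when marked,
    # (b) drop anything that hit 101 on the external interface directly.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$INT_PORT" \
        -m mark --mark "$MARK" -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$INT_PORT" -j DROP
}

# Apply only when explicitly asked: ./relocate.sh apply
case "${1:-}" in
    apply) relocate_service ;;
esac
```

Order matters: the DROP rule must come after the marked ACCEPT, and both must sit before any broader rule that would accept TCP/101 from the outside.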


_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users