Re: [Astlinux-users] Any iptables gurus out there?

2008-12-22 Thread Darrick Hartman

On Mon, 22 Dec 2008 10:50:29 -0800, "Philip A. Prindeville" wrote:
> Chris Mason (Lists) wrote:
>> Darrick Hartman wrote:
>>>> Really?  It was a very popular thing to do on IOS routers...
>>>
>>> Re-read what I said.  In my mind it IS something that many people may
>>> want.  That's why I thought it would be something beneficial to be in
>>> Arno's firewall upstream and not just a hack for this project.
>>
>> I do it all the time - for example, I run internal ssh server access on
>> ports 23-28, one for each machine, so I can ssh to the machine by
>> ssh'ing to the corresponding port. I relocate http to 800+ for similar
>> devices that use web configuration interfaces. I also use it for serving
>> multiple webcams to the public, each one on a port above 80. Since they
>> are only found by redirect, it doesn't matter what port they are on. I
>> could change the port they serve on but that makes maintenance a
>> headache.  I use Shorewall as my firewall and it is relatively easy to
>> do in Shorewall.
>
> That's the curious thing.  If I redirect it to another machine then it
> works fine.  If the service is running on the firewall host itself, it
> doesn't.

It's probably got something to do with the machine not natting for itself. 
I posted a message on the Arno firewall mailing list so hopefully someone
will reply with a work around or get it incorporated into Arno's fw version
1.9.0.

Darrick


--
___
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.


Re: [Astlinux-users] Any iptables gurus out there?

2008-12-22 Thread Philip A. Prindeville
Chris Mason (Lists) wrote:
> Darrick Hartman wrote:
>>> Really?  It was a very popular thing to do on IOS routers...
>>
>> Re-read what I said.  In my mind it IS something that many people may 
>> want.  That's why I thought it would be something beneficial to be in 
>> Arno's firewall upstream and not just a hack for this project.
>
> I do it all the time - for example, I run internal ssh server access on 
> ports 23-28, one for each machine, so I can ssh to the machine by 
> ssh'ing to the corresponding port. I relocate http to 800+ for similar 
> devices that use web configuration interfaces. I also use it for serving 
> multiple webcams to the public, each one on a port above 80. Since they 
> are only found by redirect, it doesn't matter what port they are on. I 
> could change the port they serve on but that makes maintenance a headache.
> I use Shorewall as my firewall and it is relatively easy to do in Shorewall.

That's the curious thing.  If I redirect it to another machine then it 
works fine.  If the service is running on the firewall host itself, it 
doesn't.

-Philip




Re: [Astlinux-users] Any iptables gurus out there?

2008-12-22 Thread Philip A. Prindeville
Joseph L. Casale wrote:
>> Well, I started out on trying to do it on the Arno's firewall, but we 
>> couldn't get it to work right...
>
> Philip,
> If you don't open said port on the ext interface, you should be able to
> put a PREROUTING/REDIRECT from ext_port to app_port and it should just
> work.
>
> At least I do the very same on a multihomed CentOS box this way...
>
> jlc

The problem is that I want the application to be agnostic, and use the 
standard configuration, which is to open all interfaces (wild-card bind) 
and use the standard port #.

-Philip




Re: [Astlinux-users] Any iptables gurus out there?

2008-12-22 Thread Darrick Hartman
Chris Mason (Lists) wrote:
> Darrick Hartman wrote:
>>> Really?  It was a very popular thing to do on IOS routers...
>>
>> Re-read what I said.  In my mind it IS something that many people may 
>> want.  That's why I thought it would be something beneficial to be in 
>> Arno's firewall upstream and not just a hack for this project.
>
> I do it all the time - for example, I run internal ssh server access on 
> ports 23-28, one for each machine, so I can ssh to the machine by 
> ssh'ing to the corresponding port. I relocate http to 800+ for similar 
> devices that use web configuration interfaces. I also use it for serving 
> multiple webcams to the public, each one on a port above 80. Since they 
> are only found by redirect, it doesn't matter what port they are on. I 
> could change the port they serve on but that makes maintenance a headache.
> I use Shorewall as my firewall and it is relatively easy to do in Shorewall.

Chris,

Arno's firewall handles that situation nicely.  It's if you are running 
a service on the same box that the firewall resides on that you have the 
issue.  Say you have http on the firewall box on port 80, but don't want 
it accessible on port 80 from the outside.  Arno's firewall currently 
doesn't handle this the same way as it does devices behind it.  Probably 
because it's not NAT'ing for itself.

Perhaps the firewall can already do that, but we're just using the wrong 
field/variable.

Darrick
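
The quickest way to confirm Darrick's "not NAT'ing for itself" reading, and to see why Philip's redirect works for a machine behind the firewall but not for a service on the firewall host, is to ask the kernel which tables and chains the packet actually traverses. The script below is an added diagnostic, not part of AstLinux or Arno's firewall: it reduces xt_TRACE log output for one inbound SYN to the chain path and the destination port before and after NAT. The trace lines embedded in it are constructed (fields abbreviated) for a box whose external interface is eth0, with TCP/10100 redirected to a local TCP/101 and a MARK rule in mangle/PREROUTING; real lines come from the kernel log (dmesg or syslog) after `iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 10100 -j TRACE`, and their rule numbers, addresses and interface names will differ.

```shell
#!/bin/sh
# Added diagnostic, not AstLinux or Arno's firewall code.
# Constructed xt_TRACE output for one SYN to TCP/10100 on the firewall host
# (eth0 external, REDIRECT 10100 -> 101, MARK rule in mangle/PREROUTING).
# Format per line is "TRACE: table:chain:verdict:rulenum <packet fields>".
SAMPLE_TRACE='[  812.401] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=10100 SYN
[  812.401] TRACE: mangle:PREROUTING:rule:1 IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=10100 SYN
[  812.401] TRACE: mangle:PREROUTING:policy:2 IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=10100 SYN
[  812.401] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=10100 SYN
[  812.401] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=101 SYN
[  812.401] TRACE: filter:INPUT:rule:1 IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=101 SYN'

# Reduce each TRACE line to "table:chain:verdict:rulenum DPT=<port>".
# Anything before "TRACE:" (timestamps, syslog prefixes) is ignored.
trace_path() {
    printf '%s\n' "$1" |
        sed -n 's/^.*TRACE: \([^ ]*\) .*DPT=\([0-9]*\).*$/\1 DPT=\2/p'
}

# "forwarded" if the packet ever entered a FORWARD chain, else "local".
# A packet for the firewall host itself is delivered via INPUT only, so
# a FORWARD-based port-forward rule never sees it.
trace_disposition() {
    if printf '%s\n' "$1" | grep -q 'TRACE: [a-z]*:FORWARD:'; then
        echo forwarded
    else
        echo local
    fi
}

# Destination port on arrival and after nat/PREROUTING, as "<before> <after>".
# The change from 10100 to 101 between nat:PREROUTING and mangle:INPUT is the
# REDIRECT taking effect.
trace_dport_before_after() {
    path=$(trace_path "$1")
    first=$(printf '%s\n' "$path" | head -n 1 | sed 's/.*DPT=//')
    last=$(printf '%s\n' "$path" | tail -n 1 | sed 's/.*DPT=//')
    echo "$first $last"
}

echo "chain path for a SYN to TCP/10100 on the firewall host:"
trace_path "$SAMPLE_TRACE"
echo "disposition: $(trace_disposition "$SAMPLE_TRACE")"
echo "dport before/after NAT: $(trace_dport_before_after "$SAMPLE_TRACE")"
```

Reading the path: the packet is marked in mangle/PREROUTING while its dport is still 10100, rewritten to 101 in nat/PREROUTING, and then hits filter/INPUT, never FORWARD. Whatever Arno's NAT_TCP_FORWARD entry installs in the FORWARD chain is therefore irrelevant for a local service; the rule that decides has to live in INPUT. Remove the TRACE rule when you are done, since it logs every matching packet.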




Re: [Astlinux-users] Any iptables gurus out there?

2008-12-22 Thread Chris Mason (Lists)
Darrick Hartman wrote:
>> Really?  It was a very popular thing to do on IOS routers...
>
> Re-read what I said.  In my mind it IS something that many people may 
> want.  That's why I thought it would be something beneficial to be in 
> Arno's firewall upstream and not just a hack for this project.

I do it all the time - for example, I run internal ssh server access on 
ports 23-28, one for each machine, so I can ssh to the machine by 
ssh'ing to the corresponding port. I relocate http to 800+ for similar 
devices that use web configuration interfaces. I also use it for serving 
multiple webcams to the public, each one on a port above 80. Since they 
are only found by redirect, it doesn't matter what port they are on. I 
could change the port they serve on but that makes maintenance a headache.
I use Shorewall as my firewall and it is relatively easy to do in Shorewall.



Re: [Astlinux-users] Any iptables gurus out there?

2008-12-21 Thread Joseph L. Casale
>Well, I started out on trying to do it on the Arno's firewall, but we 
>couldn't get it to work right...

Philip,
If you don't open said port on the ext interface, you should be able to
put a PREROUTING/REDIRECT from ext_port to app_port and it should just
work.

At least I do the very same on a multihomed CentOS box this way...

jlc



Re: [Astlinux-users] Any iptables gurus out there?

2008-12-21 Thread Philip A. Prindeville
Darrick Hartman wrote:
> Philip A. Prindeville wrote:
>> Darrick Hartman wrote:
>>> Philip A. Prindeville wrote:
>>>> What I'm trying to do is this.
>>>>
>>>> Let's say I have some service that runs on port 101 (hypothetically).
>>>>
>>>> I want to continue to run it on that port internally, but I want to 
>>>> relocate it on my external interface because I'm tired of it being 
>>>> port-scanned, and it's not a particularly secure service.
>>>>
>>>> So I run my relocated service externally on port 10100.  Internally on 
>>>> 101... and block packets sent directly to the external interface on port 
>>>> 101.
>>>>
>>>> What I want to do is this.
>>>>
>>>> If a connection comes in for TCP/10100 on my external interface, I want 
>>>> to (a) --setmark the packet, and (b) -j DNAT --to-destination 101 on it.
>>>>
>>>> Then separately, if a packet is for TCP/101 and it came on my external 
>>>> interface:
>>>>
>>>> (a) accept it if it's marked (i.e. had been reNATted),
>>>> (b) reject it if it isn't marked (i.e. hasn't been reNATted from 
>>>> TCP/10100).
>>>>
>>>> Simple, right?
>>>
>>> (b) is easy.  Any ports that aren't explicitly opened are dropped from 
>>> the outside.  Default behavior is DROP unless set otherwise.
>>
>> No, I was referring to the "MARK" module and --mark and --setmark.
>
> But why do you need that?

It's one possible way of discriminating between a packet that was sent 
directly to port 101 on the external interface (bad), versus one that 
was originally sent to port 10100 on the external interface that got 
reNATted.

>>> (a) should be able to be handled by Arno's firewall already by 
>>> NAT_XXX_FORWARD= where XXX is TCP, UDP or IP.
>>>
>>> You'd use a format that looks like this:
>>>
>>> "101>192.168.101.1:10100"
>>
>> You know, you'd think that would work... but it doesn't.
>>
>>> Try that.  If that doesn't work, then I'd ask on Arno's firewall list. 
>>> I don't think that's that odd of a request (to make the service 
>>> accessible on XXX externally and ABC internally).
>>>
>>> Darrick
>>
>> Really?  It was a very popular thing to do on IOS routers...
>
> Re-read what I said.  In my mind it IS something that many people may 
> want.  That's why I thought it would be something beneficial to be in 
> Arno's firewall upstream and not just a hack for this project.
>
> Darrick

Well, I started out on trying to do it on the Arno's firewall, but we 
couldn't get it to work right...

And no one on the list seemed able to contribute anything useful.

So I thought I'd try somewhere with better SNR.

And yes, once we get it working, we can bundle it and ship it off to Arno.

-Philip




Re: [Astlinux-users] Any iptables gurus out there?

2008-12-21 Thread Darrick Hartman
Philip A. Prindeville wrote:
> Darrick Hartman wrote:
>> Philip A. Prindeville wrote:
>>> What I'm trying to do is this.
>>>
>>> Let's say I have some service that runs on port 101 (hypothetically).
>>>
>>> I want to continue to run it on that port internally, but I want to 
>>> relocate it on my external interface because I'm tired of it being 
>>> port-scanned, and it's not a particularly secure service.
>>>
>>> So I run my relocated service externally on port 10100.  Internally on 
>>> 101... and block packets sent directly to the external interface on port 
>>> 101.
>>>
>>> What I want to do is this.
>>>
>>> If a connection comes in for TCP/10100 on my external interface, I want 
>>> to (a) --setmark the packet, and (b) -j DNAT --to-destination 101 on it.
>>>
>>> Then separately, if a packet is for TCP/101 and it came on my external 
>>> interface:
>>>
>>> (a) accept it if it's marked (i.e. had been reNATted),
>>> (b) reject it if it isn't marked (i.e. hasn't been reNATted from TCP/10100).
>>>
>>> Simple, right?
>>
>> (b) is easy.  Any ports that aren't explicitly opened are dropped from 
>> the outside.  Default behavior is DROP unless set otherwise.
> 
> No, I was referring to the "MARK" module and --mark and --setmark.

But why do you need that?

>> (a) should be able to be handled by Arno's firewall already by 
>> NAT_XXX_FORWARD= where XXX is TCP, UDP or IP.
>>
>> You'd use a format that looks like this:
>>
>> "101>192.168.101.1:10100"
> 
> You know, you'd think that would work... but it doesn't.
> 
>> Try that.  If that doesn't work, then I'd ask on Arno's firewall list. 
>> I don't think that's that odd of a request (to make the service 
>> accessible on XXX externally and ABC internally).
>>
>> Darrick
> 
> Really?  It was a very popular thing to do on IOS routers...

Re-read what I said.  In my mind it IS something that many people may 
want.  That's why I thought it would be something beneficial to be in 
Arno's firewall upstream and not just a hack for this project.

Darrick





Re: [Astlinux-users] Any iptables gurus out there?

2008-12-21 Thread Philip A. Prindeville
Darrick Hartman wrote:
> Philip A. Prindeville wrote:
>> What I'm trying to do is this.
>>
>> Let's say I have some service that runs on port 101 (hypothetically).
>>
>> I want to continue to run it on that port internally, but I want to 
>> relocate it on my external interface because I'm tired of it being 
>> port-scanned, and it's not a particularly secure service.
>>
>> So I run my relocated service externally on port 10100.  Internally on 
>> 101... and block packets sent directly to the external interface on port 
>> 101.
>>
>> What I want to do is this.
>>
>> If a connection comes in for TCP/10100 on my external interface, I want 
>> to (a) --setmark the packet, and (b) -j DNAT --to-destination 101 on it.
>>
>> Then separately, if a packet is for TCP/101 and it came on my external 
>> interface:
>>
>> (a) accept it if it's marked (i.e. had been reNATted),
>> (b) reject it if it isn't marked (i.e. hasn't been reNATted from TCP/10100).
>>
>> Simple, right?
>
> (b) is easy.  Any ports that aren't explicitly opened are dropped from 
> the outside.  Default behavior is DROP unless set otherwise.

No, I was referring to the "MARK" module and --mark and --setmark.

> (a) should be able to be handled by Arno's firewall already by 
> NAT_XXX_FORWARD= where XXX is TCP, UDP or IP.
>
> You'd use a format that looks like this:
>
> "101>192.168.101.1:10100"

You know, you'd think that would work... but it doesn't.

> Try that.  If that doesn't work, then I'd ask on Arno's firewall list. 
> I don't think that's that odd of a request (to make the service 
> accessible on XXX externally and ABC internally).
>
> Darrick

Really?  It was a very popular thing to do on IOS routers...

-Philip




Re: [Astlinux-users] Any iptables gurus out there?

2008-12-21 Thread Darrick Hartman
Philip A. Prindeville wrote:
> What I'm trying to do is this.
> 
> Let's say I have some service that runs on port 101 (hypothetically).
> 
> I want to continue to run it on that port internally, but I want to 
> relocate it on my external interface because I'm tired of it being 
> port-scanned, and it's not a particularly secure service.
> 
> So I run my relocated service externally on port 10100.  Internally on 
> 101... and block packets sent directly to the external interface on port 
> 101
> 
> What I want to do is this.
> 
> If a connection comes in for TCP/10100 on my external interface, I want 
> to (a) --setmark the packet, and (b) -j DNAT --to-destination 101 on it.
> 
> Then separately, if a packet is for TCP/101 and it came on my external 
> interface:
> 
> (a) accept it if it's marked (i.e. had been reNATted),
> (b) reject it if it isn't marked (i.e. hasn't been reNATted from TCP/10100).
> 
> Simple, right?

(b) is easy.  Any ports that aren't explicitly opened are dropped from 
the outside.  Default behavior is DROP unless set otherwise.

(a) should be able to be handled by Arno's firewall already by 
NAT_XXX_FORWARD= where XXX is TCP, UDP or IP.

You'd use a format that looks like this:

"101>192.168.101.1:10100"

Try that.  If that doesn't work, then I'd ask on Arno's firewall list. 
I don't think that's that odd of a request (to make the service 
accessible on XXX externally and ABC internally).

Darrick



Re: [Astlinux-users] Any iptables gurus out there?

2008-12-21 Thread Philip A. Prindeville
What I'm trying to do is this.

Let's say I have some service that runs on port 101 (hypothetically).

I want to continue to run it on that port internally, but I want to 
relocate it on my external interface because I'm tired of it being 
port-scanned, and it's not a particularly secure service.

So I run my relocated service externally on port 10100.  Internally on 
101... and block packets sent directly to the external interface on port 
101

What I want to do is this.

If a connection comes in for TCP/10100 on my external interface, I want 
to (a) --setmark the packet, and (b) -j DNAT --to-destination 101 on it.

Then separately, if a packet is for TCP/101 and it came on my external 
interface:

(a) accept it if it's marked (i.e. had been reNATted),
(b) reject it if it isn't marked (i.e. hasn't been reNATted from TCP/10100).

Simple, right?

-Philip


Lachlan Dunlop wrote:
> Hi Phillip,
>
> I am on the way out the door.  But if you want to send me (or the 
> list) the parameters.  I would like to take a look for you tomorrow am.
>
> Lach
>
> On Sun, Dec 21, 2008 at 7:42 PM, Philip A. Prindeville wrote:
>
> Shot in the dark, but anyone on the list really good at iptables?
>
> I've been trying to figure out how to do something and it's simple
> enough... but not obvious how to do it.
>
> I'm trying to get this functionality into trunk, but haven't been
> able to.
>
> Thanks,
>
> -Philip
>
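
The mark-and-redirect scheme Philip lays out above, and the PREROUTING/REDIRECT approach Joseph suggests later in the thread, amount to the same four iptables rules once the service lives on the firewall host. Below is an added example of those rules, written here for the list and not taken from AstLinux, from Arno's firewall or from Philip's own work-in-progress. It is a POSIX shell script that emits the rule set in iptables-restore format so it can be read and checked without root, and loads it only when asked. Everything in it is a placeholder assumption: eth0 as the external interface, TCP/10100 as the public port, TCP/101 as the port the service is bound to on the firewall host, and fwmark 0x65 as a mark not used by anything else on the box.

```shell
#!/bin/sh
# Added example, not AstLinux or Arno's firewall code.
# Placeholder assumptions: external interface eth0, public port TCP/10100,
# service bound to TCP/101 on the firewall host, fwmark 0x65 otherwise unused.

EXT_IF="${EXT_IF:-eth0}"
EXT_PORT="${EXT_PORT:-10100}"
INT_PORT="${INT_PORT:-101}"
RELOC_MARK="${RELOC_MARK:-0x65}"

# Emit the rules in iptables-restore format. Arguments: ext_if ext_port int_port mark.
gen_rules() {
    ext_if=$1; ext_port=$2; int_port=$3; mark=$4
    cat <<EOF
*mangle
# mangle/PREROUTING runs before nat/PREROUTING, so the public port is still the
# packet's dport here; every inbound packet of such a connection gets the mark.
-A PREROUTING -i $ext_if -p tcp --dport $ext_port -j MARK --set-mark $mark
COMMIT
*nat
# A packet addressed to the firewall host itself goes nat/PREROUTING -> filter/INPUT
# and never FORWARD. REDIRECT is DNAT to the local address, which relocates the port.
-A PREROUTING -i $ext_if -p tcp --dport $ext_port -j REDIRECT --to-ports $int_port
COMMIT
*filter
# Only a reNATted packet carries the mark; anything sent straight to the internal
# port on the external interface is dropped (use REJECT --reject-with tcp-reset
# if you prefer an RST over silence).
-A INPUT -i $ext_if -p tcp --dport $int_port -m mark --mark $mark -j ACCEPT
-A INPUT -i $ext_if -p tcp --dport $int_port -j DROP
COMMIT
EOF
}

# Number of -A rules in the generated set (4 for the scheme above).
rule_count() {
    gen_rules "$@" | grep -c '^-A '
}

# Load the rules without flushing chains the running firewall already built.
apply_rules() {
    gen_rules "$EXT_IF" "$EXT_PORT" "$INT_PORT" "$RELOC_MARK" | iptables-restore --noflush
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    gen_rules "$EXT_IF" "$EXT_PORT" "$INT_PORT" "$RELOC_MARK"
fi
```

Run it as-is to print the rule set; run it as root with APPLY=1 to load it. Two caveats for a real box: iptables-restore --noflush appends, so on a firewall whose INPUT chain already ends in a catch-all rule the two INPUT lines have to be placed ahead of that rule (use -I with a position) or they never match, and Arno's firewall rebuilds its chains on restart, so on AstLinux these belong in whatever custom-rules hook the firewall offers rather than being loaded by hand. The mark is only one way to tell a reNATted packet from a direct one: on kernels with the conntrack match, `-m conntrack --ctstate DNAT` on the INPUT rule matches exactly the packets whose connection was rewritten in the nat table and makes the mangle rule unnecessary.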




Re: [Astlinux-users] Any iptables gurus out there?

2008-12-21 Thread Darrick Hartman
Kristian Kielhofner wrote:
> On Sun, Dec 21, 2008 at 8:42 PM, Philip A. Prindeville
>  wrote:
>> Shot in the dark, but anyone on the list really good at iptables?
>>
>> I've been trying to figure out how to do something and it's simple
>> enough... but not obvious how to do it.
>>
>> I'm trying to get this functionality into trunk, but haven't been able to.
>>
>> Thanks,
>>
>> -Philip
> 
> I may be able to help too...
> 

Why so obscure in the question?  Curious minds want to know what you've 
cooked up that Arno's fw can't handle?

Darrick



Re: [Astlinux-users] Any iptables gurus out there?

2008-12-21 Thread Kristian Kielhofner
On Sun, Dec 21, 2008 at 8:42 PM, Philip A. Prindeville
 wrote:
> Shot in the dark, but anyone on the list really good at iptables?
>
> I've been trying to figure out how to do something and it's simple
> enough... but not obvious how to do it.
>
> I'm trying to get this functionality into trunk, but haven't been able to.
>
> Thanks,
>
> -Philip

I may be able to help too...

-- 
Kristian Kielhofner
http://blog.krisk.org
http://www.submityoursip.com
http://www.astlinux.org
http://www.star2star.com



Re: [Astlinux-users] Any iptables gurus out there?

2008-12-21 Thread Lachlan Dunlop
Hi Phillip,

I am on the way out the door.  But if you want to send me (or the list) the
parameters.  I would like to take a look for you tomorrow am.

Lach

On Sun, Dec 21, 2008 at 7:42 PM, Philip A. Prindeville
<philipp_s...@redfish-solutions.com> wrote:

> Shot in the dark, but anyone on the list really good at iptables?
>
> I've been trying to figure out how to do something and it's simple
> enough... but not obvious how to do it.
>
> I'm trying to get this functionality into trunk, but haven't been able to.
>
> Thanks,
>
> -Philip
>