Re: port redirection
On Sun, Jul 04, 1999 at 12:49:49AM -0400, Jonathan Lupa wrote:
On Sun, Jul 04, 1999 at 09:49:53AM +1000, Dan Everton wrote:

One thing I can think of (and this is based on a very hazy grasp of what ipmasq and ipportfw are actually doing) is that the cvspserver is trying to create another connection channel back to the originating server and that isn't working for some reason. Anybody know if cvspserver does that (like the control and data ports in ftp)?

OK, well, after finally getting this to work, I figured I'd post up what I found for posterity's sake. Hope it helps someone.

Problem: CVS server is behind a masquerading firewall. Have a Win9x client, want secure access to CVS server.

Solution:

Step 1. For 2.0 kernels, patch ipportfw support into your firewall box's kernel. See http://www.ox.compsoc.org.uk/~steve/portforwarding.html. For 2.2 kernels masqueraded forwarding is built in... man ipmasqadm.

Step 2. Add port forwarding lines to your firewall box. I put

    ipportfw -A -tXXX.XXX.XXX.XXX/2401 -R 192.168.YYY.YYY/2401

In this example, the XXX's are my ppp0 interface and the YYY's refer to my internal CVS server. Use your appropriate IPs. I found that I could redirect to different ports on my firewall successfully, but that my Windows CVS client didn't like that. YMMV. btw, if you saw my earlier posts where I said that I tried this and it wasn't working, well, that was the crack talking. I tried again and it was fine. =)

Step 3. Telnet in to check that the port forward worked. Caveat: don't try the telnet from the firewall itself, it got confused for me and failed. I used a remote system to telnet directly to port 2401 of the ppp0 IP address, and hit return after it connected. It should give you some tripe about bad authentication. (rightfully)

Step 4. While it might seem like a good idea to use the ext method in your CVSROOT variable and set your external connection type to your ssh program, I couldn't find any Windows ssh implementations that used stdin/stdout methods. They all wanted to use that new fangled GUI that you've read so much about. (Besides, we just went to all that work to get the pserver punched through the firewall.) SO! I set up my ssh client to do a secure port redirection from localhost:2401 to my ppp0's IP:2401.

Note: The Windows CVS software didn't like it when I told it my IP (127.0.0.1). That CVSROOT line wants to do a getHostByName() or some such, so use localhost, and cross your fingers. If it can't find localhost, try copying C:\windows\hosts.sam to c:\windows\hosts.

If you were going to skip the ssh layer and use the pserver method to go right to your firewall, follow your heart, but unless I missed it, passwords default to system passwords and are sent in clear text.

Step 5. Enjoy working on your palm applications (or whatever) from work AND home! =)

There are various notes about this scattered through netnews, and a search on www.deja.com for cvs ssh should yield all you need, it just takes a whole load of digging.

Good luck!

Jonathan

ps. apologies for typos... I hand copied lines and spell terribly. =(

~ [EMAIL PROTECTED]
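The Step 3 check from the message above, as an added example that is not part of the original posts: a Python probe that connects, sends a bare newline as the telnet test did, and separates the "Connection refused" and "Connection timed out" outcomes reported elsewhere in this thread from a live reply. The function names and the fake server's reply line are constructed for illustration.

```python
import socket
import sys
import threading

def probe_forward(host, port, timeout=5.0):
    """Connect, send a bare newline, and classify what comes back.
    Returns (state, text); state is one of
      'refused'  - RST received; the thread saw this before a forward rule existed
      'timeout'  - connect went unanswered; seen in the thread once a rule existed
      'silent'   - connected, but the service sent no data
      'answered' - connected and the service replied (text holds the reply)
      'error'    - any other socket failure (text holds the reason)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except (socket.timeout, TimeoutError):
        return ("timeout", "")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            sock.sendall(b"\n")              # same as hitting return in telnet
            data = sock.recv(512)
        except OSError:                      # read timeout or reset: no usable reply
            return ("silent", "")
    if not data:
        return ("silent", "")
    return ("answered", data.decode("ascii", "replace").strip())

def start_fake_pserver(reply=b"bad auth protocol start (constructed reply)\n"):
    """Constructed stand-in for the forwarded port: one connection, one reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(64)                    # wait for the probe's newline
            conn.sendall(reply)
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # Usage: probe.py HOST [PORT]; run from a remote host, not the firewall.
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 2401
    print(probe_forward(sys.argv[1], target_port))
```

A 'timeout' result with the rule in place points at the return path rather than at the CVS server, which is the symptom the thread was chasing.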
Re: port redirection
On Fri, Jul 02, 1999 at 03:24:50PM -0400, Jonathan Lupa wrote:
On Thursday, July 01, 1999 10:37 AM, Dan Everton [SMTP:[EMAIL PROTECTED] wrote:
On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:

There is a patch available. You can find it here http://www.ox.compsoc.org.uk/~steve/portforwarding.html

I think it's packaged somewhere in the Debian distribution... *checks package listing* yes it is. You can find it here: http://www.debian.org/Packages/stable/net/ipportfw.html

Wow. This opened some doors for me! But now, I get to flood with newbie questions. =)

First of all, I have a 486-33dx4 acting as my masq-firewall. It's at Kernel 2.0.36, has a ppp0 properly set up and masquerades to a small network of 192.168.2.* addressed computers. The firewall rules are below.

    ipfwadm -F -p deny
    ipfwadm -F -a m -S192.168.2.0/24 -D 0.0.0.0/0
    ipfwadm -I -p accept
    # the following line blocks incoming telnets since I use ssh to connect
    ipfwadm -I -a r -DXXX.XXX.XXX.XXX/32 23
    # address removed to protect the ignorant (me).

I compiled in port forwarding support and added the following lines to my setup which allowed quicktime streaming to work for my Wife's machine:

    ipportfw -A -tXXX.XXX.XXX.XXX/554 -R 192.168.2.2/554
    # and a WHOLE BUNCH of udp routing lines.

Now, what I want to do, but haven't been able to get working is a forwarding scheme for CVS. I want to have my gateway XXX.XXX.XXX.XXX box redirect its port 6060 to my workstation's (192.168.2.1) cvspserver port (2401). To this effect I entered the following lines:

    ipportfw -A -tXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401
    ipportfw -A -uXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401

Before I was doing portforwarding on 6060 when I telnet to that port on my box I get the message

    telnet: Unable to connect to remote host: Connection refused.

AFTER I add port forwarding on 6060 I get

    telnet: Unable to connect to remote host: Connection timed out.

The transactions are starting, they just aren't finishing. My pet theory is that this port forwarding thing isn't dealing with masquerading of the returned packets, but like I said, I'm pretty clueless with this.

Any help appreciated!

Jonathan Lupa
~ [EMAIL PROTECTED]

Near as I can tell, that should work. I've only used the port forwarding patches in a very limited fashion, but similar lines have worked for all services I've tried.

One thing I can think of (and this is based on a very hazy grasp of what ipmasq and ipportfw are actually doing) is that the cvspserver is trying to create another connection channel back to the originating server and that isn't working for some reason. Anybody know if cvspserver does that (like the control and data ports in ftp)?

Another possibility is that ipportfw doesn't like rewriting ports (although I'm almost certain that does work). Have you tried just passing port 2401 one along as opposed to rewriting 6060 down to 2401?

Wish I could help you better.

Dan

--
Dan Everton [EMAIL PROTECTED] | Have you tried thinking like a shower?
www.psynet.net/fada | KBHR's Chris in the Morning
Re: port redirection
On Sun, Jul 04, 1999 at 09:49:53AM +1000, Dan Everton wrote:
On Fri, Jul 02, 1999 at 03:24:50PM -0400, Jonathan Lupa wrote:

[setup deleted]

Now, what I want to do, but haven't been able to get working is a forwarding scheme for CVS. I want to have my gateway XXX.XXX.XXX.XXX box redirect its port 6060 to my workstation's (192.168.2.1) cvspserver port (2401). To this effect I entered the following lines:

    ipportfw -A -tXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401
    ipportfw -A -uXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401

Before I was doing portforwarding on 6060 when I telnet to that port on my box I get the message

    telnet: Unable to connect to remote host: Connection refused.

AFTER I add port forwarding on 6060 I get

    telnet: Unable to connect to remote host: Connection timed out.

The transactions are starting, they just aren't finishing. My pet theory is that this port forwarding thing isn't dealing with masquerading of the returned packets, but like I said, I'm pretty clueless with this.

One thing I can think of (and this is based on a very hazy grasp of what ipmasq and ipportfw are actually doing) is that the cvspserver is trying to create another connection channel back to the originating server and that isn't working for some reason. Anybody know if cvspserver does that (like the control and data ports in ftp)?

One of the things that concerned me is that the pserver was trying to do some rsh authentication stuff, but I had expressly blocked those ports in my firewall. So, I threw open all of the gates, but I still had the problem. =(

Another possibility is that ipportfw doesn't like rewriting ports (although I'm almost certain that does work). Have you tried just passing port 2401 one along as opposed to rewriting 6060 down to 2401?

Yep, that was the second thing I tried. Keeping the firewall all the way open and just punching the port straight through. I got the same results as when I wasn't switching ports.

Wish I could help you better.

No problem. =)

What I'm thinking of trying now is to configure the client that I care about (a win95 box at work) to use ssh to do the cvs work. Of course, that is going to require configuration of my closed source gui proprietary ssh implementation to work from the command line with the Windows cvs client, so I'm not 100% on whether I'll be able to get that going.

Ah well, I guess the original question still stands: Is it possible to punch cvs's pserver through a masquerading firewall using port forwarding.

Thanks!

Jonathan Lupa
~ [EMAIL PROTECTED]
RE: port redirection
On Thursday, July 01, 1999 10:37 AM, Dan Everton [SMTP:[EMAIL PROTECTED] wrote:
On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:

There is a patch available. You can find it here http://www.ox.compsoc.org.uk/~steve/portforwarding.html

I think it's packaged somewhere in the Debian distribution... *checks package listing* yes it is. You can find it here: http://www.debian.org/Packages/stable/net/ipportfw.html

Wow. This opened some doors for me! But now, I get to flood with newbie questions. =)

First of all, I have a 486-33dx4 acting as my masq-firewall. It's at Kernel 2.0.36, has a ppp0 properly set up and masquerades to a small network of 192.168.2.* addressed computers. The firewall rules are below.

    ipfwadm -F -p deny
    ipfwadm -F -a m -S192.168.2.0/24 -D 0.0.0.0/0
    ipfwadm -I -p accept
    # the following line blocks incoming telnets since I use ssh to connect
    ipfwadm -I -a r -DXXX.XXX.XXX.XXX/32 23
    # address removed to protect the ignorant (me).

I compiled in port forwarding support and added the following lines to my setup which allowed quicktime streaming to work for my Wife's machine:

    ipportfw -A -tXXX.XXX.XXX.XXX/554 -R 192.168.2.2/554
    # and a WHOLE BUNCH of udp routing lines.

Now, what I want to do, but haven't been able to get working is a forwarding scheme for CVS. I want to have my gateway XXX.XXX.XXX.XXX box redirect its port 6060 to my workstation's (192.168.2.1) cvspserver port (2401). To this effect I entered the following lines:

    ipportfw -A -tXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401
    ipportfw -A -uXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401

Before I was doing portforwarding on 6060 when I telnet to that port on my box I get the message

    telnet: Unable to connect to remote host: Connection refused.

AFTER I add port forwarding on 6060 I get

    telnet: Unable to connect to remote host: Connection timed out.

The transactions are starting, they just aren't finishing. My pet theory is that this port forwarding thing isn't dealing with masquerading of the returned packets, but like I said, I'm pretty clueless with this.

Any help appreciated!

Jonathan Lupa
~ [EMAIL PROTECTED]
Re: port redirection
On Thu, Jul 01, 1999 at 09:30:11AM +0200, Ralf G. R. Bergs wrote:
On Thu, 01 Jul 1999 04:23:15 +0200 (CEST), Tamas TEVESZ wrote:
On Wed, 30 Jun 1999, Nate wrote:

I would like to redirect some ports to an internal machine on a private IP. What is the best way to do this?

ipportfw ?

Just to confirm: What you are suggesting is correct. I use statements like

    ipmasqadm portfw -a -P tcp -L $EXT_IP pop-3 -R $INT_IP pop-3

ipmasqadm is a potato thingy. I'm still doing slink. Do you know how I can accomplish this with slink and kernel 2.0.36? I'm still trying stuff out with ipfwadm. Does this sound feasible?

to redirect ports to internal machines.

--
Sign the EU petition against SPAM: http://www.politik-digital.de/spam/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: port redirection
On Thu, 01 Jul 1999 01:46:56 -0700, Nate wrote:

I use statements like

    ipmasqadm portfw -a -P tcp -L $EXT_IP pop-3 -R $INT_IP pop-3

ipmasqadm is a potato thingy. I'm still doing slink. Do you know how

Ooops. Sorry. Can't you just upgrade the necessary packages Debian 2.1 level?

I can accomplish this with slink and kernel 2.0.36? I'm still trying stuff out with ipfwadm. Does this sound feasible?

To the best of my knowledge port forwarding wasn't available in stock 2.0.x kernels. There MIGHT however be a patch to provide port forwarding, but I don't know whether it really exists.

--
Sign the EU petition against SPAM: http://www.politik-digital.de/spam/
Re: port redirection
i'm missing the original message, but 'rinetd' might help in what you're looking for. works for me.

On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:

I use statements like

    ipmasqadm portfw -a -P tcp -L $EXT_IP pop-3 -R $INT_IP pop-3

ipmasqadm is a potato thingy. I'm still doing slink. Do you know how

Ooops. Sorry. Can't you just upgrade the necessary packages Debian 2.1 level?

I can accomplish this with slink and kernel 2.0.36? I'm still trying stuff out with ipfwadm. Does this sound feasible?

To the best of my knowledge port forwarding wasn't available in stock 2.0.x kernels. There MIGHT however be a patch to provide port forwarding, but I don't know whether it really exists.

..
[obligatory-useless-waste-of-bits-bit-goes-here] ultra-umbra-magic-crypto EF D8 33 68 B3 E3 E9 D2 C1 3E 51 22 8A AA 7B 98 supercomputer-AES-xspook
Re: port redirection
On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:
On Thu, 01 Jul 1999 01:46:56 -0700, Nate wrote:

I use statements like

    ipmasqadm portfw -a -P tcp -L $EXT_IP pop-3 -R $INT_IP pop-3

ipmasqadm is a potato thingy. I'm still doing slink. Do you know how

Ooops. Sorry. Can't you just upgrade the necessary packages Debian 2.1 level?

I can accomplish this with slink and kernel 2.0.36? I'm still trying stuff out with ipfwadm. Does this sound feasible?

To the best of my knowledge port forwarding wasn't available in stock 2.0.x kernels. There MIGHT however be a patch to provide port forwarding, but I don't know whether it really exists.

There is a patch available. You can find it here http://www.ox.compsoc.org.uk/~steve/portforwarding.html

I think it's packaged somewhere in the Debian distribution... *checks package listing* yes it is. You can find it here: http://www.debian.org/Packages/stable/net/ipportfw.html

Hope that helps

Dan
Re: port redirection
There is a patch I've used to 2.0.36, and you want to use the ipportfw package in slink. The patch is included with the documentation, and I think the 2.0.35 patch worked for me. I'm completely running 2.2.10/2.3.x now, and haven't had a chance (or a need anymore) to run port forwarding.

On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:
On Thu, 01 Jul 1999 01:46:56 -0700, Nate wrote:

I use statements like

    ipmasqadm portfw -a -P tcp -L $EXT_IP pop-3 -R $INT_IP pop-3

ipmasqadm is a potato thingy. I'm still doing slink. Do you know how

Ooops. Sorry. Can't you just upgrade the necessary packages Debian 2.1 level?

I can accomplish this with slink and kernel 2.0.36? I'm still trying stuff out with ipfwadm. Does this sound feasible?

To the best of my knowledge port forwarding wasn't available in stock 2.0.x kernels. There MIGHT however be a patch to provide port forwarding, but I don't know whether it really exists.

--
Sign the EU petition against SPAM: http://www.politik-digital.de/spam/

--
Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: port redirection
On Mon, 15 Jun 1998, Terence Kearns wrote:

Does anyone know where I can get a program to redirect a port from one computer to another? I want to redirect port 80 from one of my computers to my gateway (which is a 386SX16 with 4mb RAM and 40MB HDD).

The package redir or redir2 should handle this fine. Alternatively, I wrote a perl program to do just this a while back - I can send anyone a copy if they would like.

Chris