Re: ssh local port forwarding stopped working

2019-05-28 Thread Bruce Halco

I would test port status with

   nmap -P0 -p 22 <host>

You want the response to be "open"

Bruce

On 5/28/19 12:17 PM, Gary Dale wrote:

> I'm running Debian/Testing on an AMD64 machine.
>
> I follow what I believe is a fairly conventional way of connecting to
> remote machines. Firstly I establish an SSH tunnel using a command like:
>
>   ssh <remote server public IP> -L 5902:<remote workstation IP>:5900
>
> where the remote server public IP is that of the router (DD-WRT) with
> port 22 forwarded to the local IP of a remote Debian/Stable server.
> The remote workstation IPs are in the 192.168.1.* range. The SSH
> connection works fine.
>
> Then I connect to localhost:5902 using a VNC viewer (tried a few).
> I've been doing this for a decade with no significant problems.
>
> However I haven't been able to do this since at least yesterday
> (previous remote login was a week ago. It worked). No matter which
> remote machine I try to connect to, I never get to the password
> prompt. Instead the connection attempt eventually times out.
>
> I can log onto a KVM virtual machine running on the remote server
> using the Virtual Machine Manager GUI. From there I can connect to the
> other (real) machines using the Tight VNC viewer.
>
> Since I can connect to the remote workstations from the VM, the
> problem cannot be with their service setup. And since the problem
> isn't resolved by using a different VNC viewer from my local
> workstation, the problem can't be the VNC client. This just leaves the
> ssh tunnel - specifically the port forwarding - as the only common
> element.






Re: ssh local port forwarding stopped working

2019-05-28 Thread Nicholas Geovanis
My first guess would be that port(s) 5900 and/or 5902 have been blocked.
Next possibility is that for those credentials a remote user/pwd lookup is
being done unexpectedly; the lookup needs to time out because the
credentials are invalid. Is the ID really present locally?

On Tue, May 28, 2019, 12:38 PM Gary Dale  wrote:

> I'm running Debian/Testing on an AMD64 machine.
>
> I follow what I believe is a fairly conventional way of connecting to
> remote machines. Firstly I establish an SSH tunnel using a command like:
>
>   ssh <remote server public IP> -L 5902:<remote workstation IP>:5900
>
> where the remote server public IP is that of the router (DD-WRT) with
> port 22 forwarded to the local IP of a remote Debian/Stable server. The
> remote workstation IPs are in the 192.168.1.* range. The SSH connection
> works fine.
>
> Then I connect to localhost:5902 using a VNC viewer (tried a few).  I've
> been doing this for a decade with no significant problems.
>
> However I haven't been able to do this since at least yesterday
> (previous remote login was a week ago. It worked). No matter which
> remote machine I try to connect to, I never get to the password prompt.
> Instead the connection attempt eventually times out.
>
> I can log onto a KVM virtual machine running on the remote server using
> the Virtual Machine Manager GUI. From there I can connect to the other
> (real) machines using the Tight VNC viewer.
>
> Since I can connect to the remote workstations from the VM, the problem
> cannot be with their service setup. And since the problem isn't resolved
> by using a different VNC viewer from my local workstation, the problem
> can't be the VNC client. This just leaves the ssh tunnel - specifically
> the port forwarding - as the only common element.
>
>


ssh local port forwarding stopped working

2019-05-28 Thread Gary Dale

I'm running Debian/Testing on an AMD64 machine.

I follow what I believe is a fairly conventional way of connecting to 
remote machines. Firstly I establish an SSH tunnel using a command like:


  ssh <remote server public IP> -L 5902:<remote workstation IP>:5900

where the remote server public IP is that of the router (DD-WRT) with 
port 22 forwarded to the local IP of a remote Debian/Stable server. The 
remote workstation IPs are in the 192.168.1.* range. The SSH connection 
works fine.


Then I connect to localhost:5902 using a VNC viewer (tried a few).  I've 
been doing this for a decade with no significant problems.


However I haven't been able to do this since at least yesterday 
(previous remote login was a week ago. It worked). No matter which 
remote machine I try to connect to, I never get to the password prompt. 
Instead the connection attempt eventually times out.


I can log onto a KVM virtual machine running on the remote server using 
the Virtual Machine Manager GUI. From there I can connect to the other 
(real) machines using the Tight VNC viewer.


Since I can connect to the remote workstations from the VM, the problem 
cannot be with their service setup. And since the problem isn't resolved 
by using a different VNC viewer from my local workstation, the problem 
can't be the VNC client. This just leaves the ssh tunnel - specifically 
the port forwarding - as the only common element.




Re: iptables, virtualbox and port forwarding

2014-06-11 Thread berenger . morel

On 29.05.2014 06:56, Igor Cicimov wrote:
> Maybe something like this?
>
> - Kernel config (in /etc/sysctl.conf, loaded with "sysctl -p")
>
> net.ipv4.ip_forward = 1
> net.ipv4.tcp_syncookies = 1
> net.ipv4.conf.all.log_martians = 1
> net.ipv4.tcp_keepalive_time = 60
> net.ipv4.tcp_keepalive_intvl = 20
> net.ipv4.tcp_keepalive_probes = 9
> net.ipv4.conf.default.rp_filter = 1
> net.ipv4.conf.all.rp_filter = 1
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.all.accept_source_route = 0
> # Bridged frames are not passed through iptables/ip6tables/arptables
> net.bridge.bridge-nf-call-ip6tables = 0
> net.bridge.bridge-nf-call-iptables = 0
> net.bridge.bridge-nf-call-arptables = 0
>
> - Network interfaces config (/etc/network/interfaces)
>
> # This is the host interface
> auto eth0
> allow-hotplug eth0
> iface eth0 inet static
>   address 172.20.14.121
>   netmask 255.255.255.0
>   network 172.20.14.0
>   broadcast 172.20.14.255
>   gateway 172.20.14.1
>   dns-nameservers 172.20.14.1 8.8.8.8
>   dns-search virtual.local
>
> # Bridge for the VMs: no physical port, the VMs' tap devices are
> # added to it when they start (eth0 stays a routed interface)
> auto virbr1
> iface virbr1 inet static
>   address 192.168.100.1
>   netmask 255.255.255.0
>   bridge_ports none
>   bridge_fd 0
>   bridge_stp off
>   bridge_maxwait 0
>
> - Firewall simple config
>
> # Set default policy to DROP
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> # Allow loopback traffic; loopback addresses must never arrive on a
> # real interface, so drop those (anti-spoofing)
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
>
> # Defense for SYN flood attacks: SYNs above 5/s (burst 10) on eth0 are
> # dropped; which ports are open is decided by the ACCEPT rules below
> iptables -N syn_flood
> iptables -A INPUT -p tcp --syn -i eth0 -j syn_flood
> iptables -A syn_flood -m limit --limit 5/s --limit-burst 10 -j RETURN
> iptables -A syn_flood -j DROP
>
> # Accept everything belonging to already established connections
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Services of the host itself reachable from the physical LAN (ssh)
> iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -j ACCEPT
>
> # Open DHCP and DNS for virbr1 (the VM side only)
> iptables -A INPUT -p udp -m multiport --dports 67:68 -i virbr1 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p tcp -m multiport --dports 67:68 -i virbr1 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p udp --dport 53 -i virbr1 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p tcp --dport 53 -i virbr1 -m state --state NEW -j ACCEPT
>
> # Masquerade: the VM subnet leaves through eth0 with the host's address
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
>
> # Forward chain: VMs may go out, only replies come back in
> iptables -A FORWARD -i eth0 -o virbr1 -d 192.168.100.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i virbr1 -o eth0 -s 192.168.100.0/24 -j ACCEPT
> iptables -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
>
> Now you can create VMs with their own virtual devices, ie vmdev0,
> vmdev1 etc, and simply add those devices to the virbr1. Then
> each of the VMs would have static config of their eth0 interface
> with an ip in the 192.168.100.0/24 range and 192.168.100.1 as default
> gateway.
>
> If you want to have the VMs get their ip via DHCP then you can
> install dnsmasq and attach a process to virbr1. Something like
> this:
>
> /usr/sbin/dnsmasq -u dnsmasq --strict-order --bind-interfaces \
>   --pid-file=/var/run/dnsmasq/virbr1.pid --conf-file= \
>   --except-interface lo --listen-address 192.168.100.1 \
>   --dhcp-range 192.168.100.10,192.168.100.20 \
>   --dhcp-leasefile=/var/run/dnsmasq/virbr1.leases \
>   --dhcp-lease-max=11 --dhcp-no-override


I will try this stuff to discover what it does and how it does it, but
the previous reply from Pascal Hambourg works like a charm.

Thanks a lot anyway for your time.


> The purpose of the VLAN you have created is not clear as they are
> usually used to extend a virtual network to more than one host. You
> will need 802.1Q kernel module enabled and 802.1Q VLAN enabled
> switch(s) in your network for this to work. Anyway, you can try adding
> the VLAN in the above configuration as an exercise, ie attach the vlan
> to eth0 and then include the vlan in the virbr1.


About the use of this network, the goal is to simulate the network
infrastructure of a client for which we work, but without polluting the
LAN we work on. I'll use it to deploy the client's network twice ( on
different VLANs, obviously, to avoid conflicts ): one for development
purposes, which won't be stable and probably will have to be
automatically rebuilt regularly, and another one for release candidates
of our work.
Since we do not do development tasks only for one client, it will
probably contain other VLANs for other clients at some point.
Why I do this is because, currently... erm... I'm ashamed to say that,
especially on a public list, but truth is that we send development
versions to a server, same for release candidates, and same for final
versions. The problem being that the server is always the same. Ugly imo,
so I try to improve the situation, but I'm not a sysadmin, and I do not
have control of our local LAN structure, but I can control the
VLANs' structures since they run on a server that my colleagues on admin
"gave" me.



--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/bb33943e56ef690b6a15d2c868e25...@neutralite.org



Re: iptables, virtualbox and port forwarding

2014-06-11 Thread berenger . morel

On 29.05.2014 01:00, Pascal Hambourg wrote:
> > On that network, I have some VMs with static IPs, and the one on which
> > I try to make the configuration for testing and learning purposes has an
> > apache2 server running and up ( I can query on it from my physical
> > computer ). It is using 2 network interfaces, a NAT one and a bridge
> > one, but for others I would like to remove the NAT one, since I need
> > them to simulate the production servers ( which are VMs too, but my
> > company does not control the system on which they are running. Otherwise
> > it would have been far easier: I would have read how it does to understand
> > things ) which only have one interface ( eth0 ).
> >
> > Both LANs ( the physical one and the virtual one ) work perfectly, but
> > now I would like to allow 2 things:
> > _ VMs to access the physical LAN, so that they could access the apt
> > proxy I have installed there for installing software and updates
>
> - Enable IP forwarding on the host acting as a router.
> # sysctl -w net.ipv4.ip_forward=1
>
> - Presumably, you need to masquerade forwarded packets from VMs to the
> physical LAN if the physical hosts or their router don't have a route
> to your virtual LAN.
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> > _ physical computers accessing VMs through some ports of my computer.
> > For example, redirecting "172.20.14.XX:80" to "10.10.10.30:80". I will
> > do that port forwarding for ssh ( port 22 ), http ( port 80 ) and
> > postgresql ( port 5432 ) connections at first.
>
> - You need port forwarding only if the physical hosts or their router
> don't have a route to your virtual LAN.
> # iptables -t nat -A PREROUTING -i eth0 -d 172.20.14.XX \
>    -p tcp --dport 80 -j DNAT --to 10.10.10.30
> (and so on for each port)
>
> > And to add to the fun, I remember having discovered after several hours
> > last week that the port forwarding rules I built did not allow the
> > host computer to access the VM, at least, not when asking on the host's IP
> > ( aka 172.20.14.XX ).
>
> - For this you need to do the port forwarding on locally generated packets.
> # iptables -t nat -A OUTPUT -d 172.20.14.XX -p tcp --dport 80 \
>    -j DNAT --to 10.10.10.30


Sorry for the late reply, I did not have time to try this before. It
works! Thanks a lot ( and thanks to other people who have replied too )






Re: iptables, virtualbox and port forwarding

2014-05-30 Thread Chris Angelico
On Fri, May 30, 2014 at 8:51 PM,   wrote:
>> Hoping to find something that you can do entirely under your own
>> control. :)
>
>
> You mean, be your own boss?

Heh, that's another way of interpreting that statement. But no, what I
meant was "some way you can get the test/dev systems you need without
needing to appeal to other members of the company". As long as you
have control of your own one computer, and as long as it has gobs of
RAM, you can run a pile of VMs on it without asking for actual
servers. That's a Layer 8 advantage, if you like. My hope was that, if
not VMs, there'd be some other way that equally needed no intervention
from your colleagues.

ChrisA





Re: iptables, virtualbox and port forwarding

2014-05-30 Thread berenger . morel

Humpf... finger mistake.


Also, there's fossil if you are in that situation: it's


It's a DVCS which integrates a wiki and a bugtracker.
Sounds really interesting, but I never took time to really play with
it.


So, in a situation where you are the only one to use real tools, and do
not want to bother deploying your own wikis and bugtrackers... sounds
perfect.






Re: iptables, virtualbox and port forwarding

2014-05-30 Thread berenger . morel



On 30.05.2014 12:08, Chris Angelico wrote:
> On Fri, May 30, 2014 at 7:04 PM,   wrote:
> > What I basically want to do, and I do not understand how they ( my
> > programmer colleagues ) can happily live without that, is a server for
> > source versioning, bug tracking, wikis, etc. This stuff does not need any
> > virtual system or network, and is relatively easy to deploy.
>
> Thanks to distributed version control systems (the current generation,
> with git and hg being the two most popular and full-featured), you
> don't need a "source control server", so you can just start using git
> on your own computer until someone else is convinced that it's
> worthwhile.


That's what I did in my last job, and that's what I'm doing in this
one.
But... it is only efficient for the projects I have control over, not for
other ones...



> And if you have a source repo, it's amazing how far you can get
> without an explicit bug tracker - just keep a text file (or a
> directoryful of text files, depending on how many bugs you're
> responsible for) in your source tree. As you find and fix bugs, you'll
> change code and also update the BUGS file or directory, so it's
> automatically linked.


Sure, but it won't avoid me having to parse those f** messy excel
files first. *This* is a real pain in my... heh... I feel quite lonely
sometimes: only real Linux user, only guy using a really minimalistic
system, only tiling window manager user ( with the problems it pulls:
everyone just does not mind using dirty tools. But I'm lucky --or
tinkerer-- enough to often be able to find better tools that work :p )
and only guy who knows about recent ways to manage source code.
All that thanks to the free software world and my small contributions here
and there hehe.


Also, there's fossil if you are in that situation: it's


> But I absolutely agree. Push for those kinds of features.
>
> > But, and it is why I need this virtual and iptables stuff, I would like to
> > simulate the production environment of our main client. Would you trust me
> > if I say that currently, testing ( beta ) and development ( alpha ) versions
> > of software are directly sent to production servers? It hurts me a lot ( and
> > not only because it is bad and disgusting: it also makes everything a lot
> > more complex ), so I want to have a replica of that network in our own
> > network. 2 replicas, in fact, one for testing, and another for programming,
> > so that automated tests ( which are currently lacking, too ) could be made.
>
> If you can't manage it with iptables, can you possibly do it with
> virtualization? Build up an entire LAN on top of one computer - I'm
> not sure about other systems, but recent versions of VirtualBox let
> you easily connect multiple VMs together onto a virtual LAN, using NAT
> between that and the rest of the host computer.


The internal, virtual LAN works perfectly: the virtual computers can
talk to each other, it's damn easy to configure. Use a bridged network card
( or something like that in virtualbox ), configure some static
addresses without conflicts in their /etc/network/interfaces, and you're
done. But they won't be able to access things outside their LAN ( for
this, you would need a router ).
Having the host communicate with them in that configuration is easy
too: just create a new entry in your /etc/network/interfaces using vlan,
give it a static address on the VLAN which does not conflict with
others, and it's ok, you can now use ssh, http, and whatever you
installed on your host from the guests, and vice versa. But VMs are
still not able to reach the real LAN, nor the real LAN to access the
VLAN; you still need a router.


Since my host has a hardware ethernet card and a virtual one plugged
into the hardware one, I suppose that the way to allow the LAN to
communicate with the VLAN is to configure the host so that it
becomes a router.
There are new replies in the thread that I did not have time to try, but
I have read them quickly, and I'm quite sure they'll push me onto the right
road. I'll try to find the time when I'll have finished my more urgent
tasks (grumbl... urgent and boring tasks sigh).



> It's not easy for a junior employee to make sweeping changes, even if
> they are bringing the company in line with well-known best practices.


Yes, but I have some great advantages over most people:
_ I am really stubborn, and do not abandon my ideas without a discussion
with real arguments. Political correctness is not a real argument for
me.

_ I like to say what I think the way I think it.
_ I have some knowledge about how free software works, that kind of
project where people are able to use one-shot contributions from
distant guys they'll never meet. Unlike people who only know how to work
in the same open-space with phones ringing that often ( both have
advantages and problems, indeed, but only knowing one of them is quite
sad for someone who lives from dev ).

_ I'm lazy ( remember, I'm a dev :p )
_ I'm in a small enterprise, and my colleag

Re: iptables, virtualbox and port forwarding

2014-05-30 Thread Chris Angelico
On Fri, May 30, 2014 at 7:04 PM,   wrote:
> What I basically want to do, and I do not understand how they ( my
> programmer colleagues ) can happily live without that, is a server for
> source versionning, bug tracking, wikis, etc. This stuff does not need any
> virtual system or network, and is relatively easy to deploy.

Thanks to distributed version control systems (the current generation,
with git and hg being the two most popular and full-featured), you
don't need a "source control server", so you can just start using git
on your own computer until someone else is convinced that it's
worthwhile. (That's what I did at my last job. Believe it or not, I
spent a couple of *years* using git solely on my own computer, before
the boss was willing to give it a shot. He did, however, maintain
constant backups, including weekly burn-to-optical; and once convinced
of the value of source control, he promised - not that this ever
happened, mind - to go through all the backups and import everything
into a new repository, so stuff could be found.)

And if you have a source repo, it's amazing how far you can get
without an explicit bug tracker - just keep a text file (or a
directoryful of text files, depending on how many bugs you're
responsible for) in your source tree. As you find and fix bugs, you'll
change code and also update the BUGS file or directory, so it's
automatically linked.

But I absolutely agree. Push for those kinds of features.

> But, and it is why I need this virtual and iptables stuff, I would like to
> simulate the production environment of our main client. Would you trust me
> if I say that currently, testing ( beta ) and development ( alpha ) versions
> of softwares are directly sent on production servers? It hurt me a lot ( and
> not only because it is bad and disgusting: it also makes everything a lot
> more complex ), so I want to have a replica of that network in our own
> network. 2 replicas, in fact, one for testing, and another for programming,
> so that automated tests ( which are currently lacking, too ) could be made.

If you can't manage it with iptables, can you possibly do it with
virtualization? Build up an entire LAN on top of one computer - I'm
not sure about other systems, but recent versions of VirtualBox let
you easily connect multiple VMs together onto a virtual LAN, using NAT
between that and the rest of the host computer.

It's not easy for a junior employee to make sweeping changes, even if
they are bringing the company in line with well-known best practices.
Hoping to find something that you can do entirely under your own
control. :)

ChrisA





Re: iptables, virtualbox and port forwarding

2014-05-30 Thread berenger . morel



On 28.05.2014 18:05, Joe wrote:
> On Wed, 28 May 2014 21:25:23 +1000
> Chris Angelico  wrote:
>
> > On Wed, May 28, 2014 at 9:03 PM, Joe  wrote:
> > > The point here is that all modern hardware is capable of IPv6, and
> > > even if you aren't using it, malware writers may be. And by
> > > default, a Debian machine is wide open to IPv6, and some of its
> > > software is listening to it. Run a netstat to see which.
> >
> > On the other hand, internet connections generally don't offer IPv6
> > without loudly proclaiming it as an advertisable feature, so if your
> > computer is v6 accessible from the internet, you probably know.
>
> The OP implied living in a network he didn't control completely, which
> may have a mix of operating systems, and possibly local malware.
>
> --
> Joe


It is the LAN of my employer, I do not know if I can trust the network
or not: I am the only Linux user here ( modulo servers ), but except
the boss and one administrative person, everyone has programming and/or
networking knowledge.


Honestly, I do not really mind security for now, I just want to have
the tools I consider essential for a professional programming activity.
But if there are things to know about security, I will be very happy to
learn and use those.


In short: I am a newly employed guy in an enterprise where a lot of
income is from 1 client ( which is bad enough by itself but: ), with a
versioning system named cp.OLD, no automated testing at all, no
bugtracking ( oh, yes, there is: some excel files... sigh ) and a "send to
client's servers to test your soft, man" policy.
I can not ( well, I can, but it's stupid and implies a lot of loss of
time for everyone ) work like that, so I want to install all of those
tools. I asked the network guys for a server, and finally have one now on
which I can work. I obviously do not use it when I try to configure all
this stuff, only to deploy what I achieved to make work on my own
computer, and that VLAN stuff is the last part ( but probably the most
important one, too ).


With more details:
What I basically want to do, and I do not understand how they ( my
programmer colleagues ) can happily live without that, is a server for
source versioning, bug tracking, wikis, etc. This stuff does not need
any virtual system or network, and is relatively easy to deploy.


But, and it is why I need this virtual and iptables stuff, I would like
to simulate the production environment of our main client. Would you
trust me if I say that currently, testing ( beta ) and development (
alpha ) versions of software are directly sent to production servers?
It hurts me a lot ( and not only because it is bad and disgusting: it
also makes everything a lot more complex ), so I want to have a replica
of that network in our own network. 2 replicas, in fact, one for
testing, and another for programming, so that automated tests ( which
are currently lacking, too ) could be made.







Re: iptables, virtualbox and port forwarding

2014-05-28 Thread Igor Cicimov
> I have some VMs with static IPs, and the one on which I
> try to make the configuration for testing and learning purposes has an
> apache2 server running and up ( I can query on it from my physical computer
> ). It is using 2 network interfaces, a NAT one and a bridge one, but for
> others I would like to remove the NAT one, since I need them to simulate
> the production servers ( which are VMs too, but my company does not control
> the system on which they are running. Otherwise it would have been far
> easier: I would have read how it does to understand things ) which only
> have one interface ( eth0 ).
>
> Both LANs ( the physical one and the virtual one ) work perfectly, but
> now I would like to allow 2 things:
> _ VMs to access the physical LAN, so that they could access the apt proxy
> I have installed there for installing software and updates
> _ physical computers accessing VMs through some ports of my computer. For
> example, redirecting "172.20.14.XX:80" to "10.10.10.30:80". I will do
> that port forwarding for ssh ( port 22 ), http ( port 80 ) and postgresql (
> port 5432 ) connections at first.
>
> Thanks
>
>


Re: iptables, virtualbox and port forwarding

2014-05-28 Thread Pascal Hambourg
Hello,

berenger.mo...@neutralite.org wrote:
> 
> I am trying to build a virtual network exposing servers accessible from 
> the LAN.
[...]
> So I ask for 2 things:
> _ help on this particular problem
> _ if someone knows about resources to learn and understand how exactly 
> iptables work, this would help me a lot in the future

- Oskar Andreasson's iptables tutorial.
- netfilter and iptables articles in Wikipedia.

> For my particular problem.
> 
> I have an eth0 interface, the real one, on ip 172.20.14.0/24.
> I made a vlan in my /etc/network/interfaces, like this:
> ##
> auto eth0.1
> iface eth0.1 inet static
>   address 10.10.10.1
>   netmask 255.255.255.0
>   vlan-raw-device eth0
> ##

What is the purpose of this VLAN?

> In fact, I used the package vlan and some configuration inside 
> /etc/network/interface of the host to have the host having a virtual 
> second ethernet connexion, on which the VMs are connected.
> In the facts, there are 2 LANs, with the host computer being the 
> router.

A VLAN interface is not a virtual ethernet interface for communicating
with VMs. It is a sub-interface which transmits and receives ethernet
frames with a given IEEE 802.1Q tag. Usually the VM managers such as
virtualbox create their own virtual interface(s) on the host to
communicate with the VMs.

> On that network, I have some VMs with static IPs, and the one on which 
> I try to make the configuration for testing and learning purposes has an 
> apache2 server running and up ( I can query on it from my physical 
> computer ). It is using 2 network interfaces, a NAT one and a bridge 
> one, but for others I would like to remove the NAT one, since I need 
> them to simulate the production servers ( which are VMs too, but my 
> company does not control the system on which they are running. Otherwise 
> it would have been far easier: I would have read how it does to understand 
> things ) which only have one interface ( eth0 ).
> 
> Both LANs ( the physical one and the virtual one ) work perfectly, but 
> now I would like to allow 2 things:
> _ VMs to access the physical LAN, so that they could access the apt 
> proxy I have installed there for installing software and updates

- Enable IP forwarding on the host acting as a router.
# sysctl -w net.ipv4.ip_forward=1

- Presumably, you need to masquerade forwarded packets from VMs to the
physical LAN if the physical hosts or their router doesn't have a route
to your virtual LAN.
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

> _ physical computers accessing VMs through some ports of my computer. 
> For example, redirecting "172.20.14.XX:80" to "10.10.10.30:80". I will 
> do that port forwarding for ssh ( port 22 ), http ( port 80 ) and 
> postgresql ( port 5432 ) connections in a first time.

- You need port forwarding only if the physical hosts or their router
doesn't have a route to your virtual LAN.
# iptables -t nat -A PREROUTING -i eth0 -d 172.20.14.XX \
   -p tcp --dport 80 -j DNAT --to 10.10.10.30
(and so on for each port)

> And to add to the fun, I remember having discovered after several hours 
> last week that the port forwarding rules I built did not allow the 
> host computer to access the VM, at least, not when asking on the host's IP ( 
> aka 172.20.14.XX ).

- For this you need to do the port forwarding on locally generated packets.
# iptables -t nat -A OUTPUT -d 172.20.14.XX -p tcp --dport 80 \
   -j DNAT --to 10.10.10.30


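The four rules Pascal gives above (IP forwarding, MASQUERADE, the PREROUTING DNAT and the OUTPUT DNAT for locally generated packets), plus the FORWARD rules that a FORWARD policy of DROP such as the one in Igor's config earlier in this thread requires, collected into one function that handles a whole list of ports. This is an added example, not code from the thread or from Pascal or Igor: it assumes eth0 is the host's physical LAN interface, derives the VM subnet from the VM address as a /24, and the addresses and ports in the usage line are made up. Set IPT=echo SYSCTL=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Installs the rule set Pascal describes
# for a whole list of ports at once, plus the FORWARD rules that a FORWARD
# policy of DROP (as in Igor's config) needs. Assumptions: eth0 is the host's
# physical LAN interface; the VM LAN is the /24 of the VM address; the
# addresses in the usage line are made up. Set IPT=echo SYSCTL=echo to print
# the rules instead of applying them (dry run).
set -eu

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# apply_vm_forwarding HOST_IP VM_IP "PORT PORT ..."
apply_vm_forwarding() {
    host_ip=$1
    vm_ip=$2
    ports=$3
    vm_net="${vm_ip%.*}.0/24"

    # 1. The host must route between the physical LAN and the VM LAN.
    $SYSCTL -w net.ipv4.ip_forward=1

    # 2. Hide the VM LAN behind the host's address on the physical LAN,
    #    restricted to the VM subnet rather than every forwarded packet.
    $IPT -t nat -A POSTROUTING -o eth0 -s "$vm_net" -j MASQUERADE

    # 3. VMs may open connections towards the physical LAN (apt proxy etc.),
    #    and replies to anything already accepted flow in both directions.
    $IPT -A FORWARD -s "$vm_net" -o eth0 -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    for port in $ports; do
        # 4. Packets from the LAN for HOST_IP:port are redirected to the VM.
        $IPT -t nat -A PREROUTING -i eth0 -d "$host_ip" -p tcp --dport "$port" \
            -j DNAT --to-destination "$vm_ip"
        # 5. PREROUTING never sees packets the host generates itself; the
        #    nat OUTPUT chain redirects those (the piece the OP was missing).
        $IPT -t nat -A OUTPUT -d "$host_ip" -p tcp --dport "$port" \
            -j DNAT --to-destination "$vm_ip"
        # 6. With FORWARD policy DROP, only the redirected ports may reach the
        #    VM from the LAN, and only as new connections; anything else
        #    destined to the VM LAN is still dropped.
        $IPT -A FORWARD -i eth0 -d "$vm_ip" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Usage: sh this_script.sh apply HOST_IP VM_IP "22 80 5432"
if [ "${1:-}" = "apply" ]; then
    apply_vm_forwarding "$2" "$3" "$4"
fi
```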



Re: iptables, virtualbox and port forwarding

2014-05-28 Thread Joe
On Wed, 28 May 2014 21:25:23 +1000
Chris Angelico  wrote:

> On Wed, May 28, 2014 at 9:03 PM, Joe  wrote:
> > The point here is that all modern hardware is capable of IPv6, and
> > even if you aren't using it, malware writers may be. And by
> > default, a Debian machine is wide open to IPv6, and some of its
> > software is listening to it. Run a netstat to see which.
> 
> On the other hand, internet connections generally don't offer IPv6
> without loudly proclaiming it as an advertisable feature, so if your
> computer is v6 accessible from the internet, you probably know.
> 

The OP implied living in a network he didn't control completely, which
may have a mix of operating systems, and possibly local malware.

-- 
Joe





Re: iptables, virtualbox and port forwarding

2014-05-28 Thread Tony van der Hoff
On 28/05/14 14:29, Andrei POPESCU wrote:
> On Mi, 28 mai 14, 21:39:24, Chris Angelico wrote:
>>
>> It's off-topic for this list,
> 
> CC: and Reply-To: -offtopic, this time for real :(
> Please disregard the other post
> 
Followup to list just puts it straight back there.

>> but I would be very curious to know how
>> much extra, on average, people would pay in order to get an IPv6
>> netblock. Maybe it really isn't commercially important.
> 
> ISP: You can get a whole network block for just $AMOUNT per $PERIOD
> Customer: I just want my internet to work, why would I need a whole 
> network block?
> ISP: We are switching to this new generation internet which means all 
> customers will receive entire network blocks instead of a single address
> Customer: Then, why do I need to pay extra?

Customer is quite right. IP v6 doesn't cost the ISP more; why should he
charge the customer more? It's just part of the service.

Coincidentally, I had experience of this (lack of) thinking earlier this
week. I was (still am) in the market for a new VPS supplier. On
recommendations (good support, good throughput, etc) I registered with
Heart Internet, a small UK VPS supplier. I went through the rigmarole of
installing wheezy, and got round to configuring it. I couldn't get IP v6
to work. Contacted support, and the first droid didn't seem to know what
IP v6 was all about. After I explained, he told me "we don't support
that, and are never likely to". I then cancelled my registration.
Another, more clueful support droid then contacted me to say "we're
planning it for 2015, and we'll give you 3 months free service if you
stay with us". I pointed out that IP v6 has been mainstream for at least
a decade, why would they expect me to wait another year. I have lots of
"things" connected to the network, and really need that net block.

So, they lost a customer. Apart from the IP v6 issue, they seemed well
set up, so I'm quite disappointed it didn't work out. Meanwhile, I've
wasted a significant amount of time and effort.


-- 
Tony van der Hoff| mailto:t...@vanderhoff.org
Buckinghamshire, England |





Re: iptables, virtualbox and port forwarding

2014-05-28 Thread Andrei POPESCU
On Mi, 28 mai 14, 21:39:24, Chris Angelico wrote:
> 
> It's off-topic for this list,

CC: and Reply-To: -offtopic, this time for real :(
Please disregard the other post

> but I would be very curious to know how
> much extra, on average, people would pay in order to get an IPv6
> netblock. Maybe it really isn't commercially important.

ISP: You can get a whole network block for just $AMOUNT per $PERIOD
Customer: I just want my internet to work, why would I need a whole 
network block?
ISP: We are switching to this new generation internet which means all 
customers will receive entire network blocks instead of a single address
Customer: Then, why do I need to pay extra?


Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt




Re: iptables, virtualbox and port forwarding

2014-05-28 Thread Andrei POPESCU
On Mi, 28 mai 14, 21:39:24, Chris Angelico wrote:
> 
> It's off-topic for this list,

CC: and Reply-To: -offtopic

> but I would be very curious to know how
> much extra, on average, people would pay in order to get an IPv6
> netblock. Maybe it really isn't commercially important.

ISP: You can get a whole network block for just $AMOUNT per $PERIOD
Customer: I just want my internet to work, why would I need a whole 
network block?
ISP: We are switching to this new generation internet which means all 
customers will receive entire network blocks instead of a single address
Customer: Then, why do I need to pay extra?


Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt




Re: iptables, virtualbox and port forwarding

2014-05-28 Thread Chris Angelico
On Wed, May 28, 2014 at 9:31 PM, Brad Rogers  wrote:
> On Wed, 28 May 2014 21:25:23 +1000
> Chris Angelico  wrote:
>
> Hello Chris,
>
>>still trying to convince his ISPs that IPv6 is worth supporting
>
> Hard, isn't it?
>
> Several (many?) ISPs in these parts seem to be doing the equivalent of
> sticking their fingers in their ears and humming loudly, whenever
> customers even mention IPv6.
>
> In the end, I voted with my wallet.

Sadly, the contract is bound up in arrangements covering telephony as
well, so it would be quite expensive to change providers. There's only
one ISP in this area that has IPv6, and it's even owned by our current
ISP, but the parent company is in no rush to deploy v6. They do
acknowledge the importance, yes, but it's not considered commercially
important. (When will it be? I don't know. Even when it's all in the
news, like with the IPv4 address exhaustion in Feb 2011, nobody seemed
too concerned.)

It's off-topic for this list, but I would be very curious to know how
much extra, on average, people would pay in order to get an IPv6
netblock. Maybe it really isn't commercially important.

ChrisA





Re: iptables, virtualbox and port forwarding

2014-05-28 Thread Brad Rogers
On Wed, 28 May 2014 21:25:23 +1000
Chris Angelico  wrote:

Hello Chris,

>still trying to convince his ISPs that IPv6 is worth supporting

Hard, isn't it?

Several (many?) ISPs in these parts seem to be doing the equivalent of
sticking their fingers in their ears and humming loudly, whenever
customers even mention IPv6.

In the end, I voted with my wallet.

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
Tell the dinosaurs they just won't survive
The History Of The World (Part 1) - The Damned




Re: iptables, virtualbox and port forwarding

2014-05-28 Thread Chris Angelico
On Wed, May 28, 2014 at 9:03 PM, Joe  wrote:
> The point here is that all modern hardware is capable of IPv6, and
> even if you aren't using it, malware writers may be. And by default, a
> Debian machine is wide open to IPv6, and some of its software is
> listening to it. Run a netstat to see which.

On the other hand, internet connections generally don't offer IPv6
without loudly proclaiming it as an advertisable feature, so if your
computer is v6 accessible from the internet, you probably know.

ChrisA
still trying to convince his ISPs that IPv6 is worth supporting





Re: iptables, virtualbox and port forwarding

2014-05-28 Thread Joe
On Wed, 28 May 2014 11:36:03 +0200
berenger.mo...@neutralite.org wrote:


> 
> I do not think I need ipv6 for now. I'll start with the probably
> easier ipv4, and maybe someday I'll experiment with the v6, if I have
> the opportunity to work in a v6 LAN.
> 
> 

The point here is that all modern hardware is capable of IPv6, and
even if you aren't using it, malware writers may be. And by default, a
Debian machine is wide open to IPv6, and some of its software is
listening to it. Run a netstat to see which.

-- 
Joe





Re: iptables, virtualbox and port forwarding

2014-05-28 Thread berenger . morel



On 28.05.2014 00:13, Joe wrote:

> On Tue, 27 May 2014 18:24:41 +0200
> berenger.mo...@neutralite.org wrote:
> 
> > Hello list.
> > 
> > I am trying to build a virtual network exposing servers accessible
> > from the LAN.
> > I have done a lot of searches on the web and it worked last week, but
> > since then, I have restarted my computer and had the nice surprise to
> > learn that the iptables command does not save its configuration.
> > I tried to retrieve my configuration, but am failing ( I tried to
> > understand what I did with the history command, but sadly I am always
> > working with tons of terminals and so, I suspect that it is not the
> > correct history... ), and same to find anew the articles which
> > actually make things working.
> > 
> > I had some network knowledge in the past, but never really practiced
> > it, so I have lost almost everything. I already have used some
> > firewalls, but those were some Windows ones ( I was not a linux user
> > at that time ) and so I have never played with iptables.
> > 
> > So I ask for 2 things:
> > _ help on this particular problem
> > _ if someone knows about resources to learn and understand how
> > exactly iptables work, this would help me a lot in the future
> 
> Google will provide you with many thousands. The usual question arises
> as to which of them are up to date, there have been a few small changes
> in iptables, and some may rely on the sysv init system, which is fast
> disappearing.

Yes, and this is exactly the problem, I have spent a lot of time on 
search engines, which allowed me to have port forwarding working from 
172.20.14.XX:80 to 10.10.10.30:80.
Problem is, rules vanished since then, and my memory about the exact 
configuration or search keywords too.
And to add to the fun, I remember having discovered after several hours 
last week that the port forwarding rules I built did not allow the 
host computer to access the VM, at least, not when asking on the host's IP ( 
aka 172.20.14.XX ).

So, maybe it did work before I discovered that particular point.

> Debian also has the package
> iptables-persistent, which does just this.

Thanks for the hints, they will be useful.

> > For my particular problem.
> 
> Sorry about this, routing to VMs can offer unexpected challenges, and I
> haven't used any with any routing complexity for a few years, so I
> can't help much. The only VM I currently use does NAT.
> 
> As I recall, broadly, to avoid NAT, the VM must use a bridging network
> connection (virtualbox does either easily) and the VMs must therefore
> have IP addresses compatible with the TCP/IP settings of the real NIC,
> in other words they must be set up as if they are real machines on the
> same network as the host. I vaguely recall setting up the real NIC as a
> br0 interface rather than eth0, plus a bit more tweaking. I think. It is
> some time since I did this, and there is no remaining evidence. [Further
> disclaimers as required]. It is also possible that the virtualbox
> system does more to help now.

In fact, I used the package vlan and some configuration inside 
/etc/network/interfaces of the host to have the host having a virtual 
second ethernet connection, on which the VMs are connected.
In fact, there are 2 LANs, with the host computer being the 
router.

> Oh, yes, if IPv6 is allowed into your network, there is also an
> ip6tables, which is completely independent of the v4 system, and by
> default allows anything anywhere. I currently have no use for v6, so
> I've just added drop policies to my main ruleset, and that seems to
> work.
> 
> --
> Joe

I do not think I need ipv6 for now. I'll start with the probably easier 
ipv4, and maybe someday I'll experiment with the v6, if I have the 
opportunity to work in a v6 LAN.






Re: iptables, virtualbox and port forwarding

2014-05-27 Thread Chris Angelico
On Wed, May 28, 2014 at 8:13 AM, Joe  wrote:
> This package is relatively recent, and when I needed to address this
> problem, I had just built a Linux-From-Scratch system, so I took their
> init script skeleton and made a pseudo-daemon, entering a set of
> iptables commands at boot. This is an alternative approach, and may be
> more flexible, but requires work. It allows the use of alternative
> iptables rulesets, written as shell scripts, and therefore allows
> offline editing of the scripts and on-the-fly selection of them.

This is more-or-less the approach I use, too. I have a script that
runs a bunch of iptables commands, setting up the rules the way I want
them. Advantage of that over iptables-save is that I can annotate the
script with comments (eg if an IP block is banned, I can say what the
block represents, why it's banned, and importantly, *when* it was
banned, so I know to review it). It may also be convenient to script
ip{,6}tables to use a lot of the same rules; again, it's easy enough
when you have your source code as a bash/Python/Pike/etc script rather
than just a series of commands. Plays nicely with source control, too.

ChrisA





Re: iptables, virtualbox and port forwarding

2014-05-27 Thread Joe
On Tue, 27 May 2014 18:24:41 +0200
berenger.mo...@neutralite.org wrote:

> Hello list.
> 
> I am trying to build a virtual network exposing servers accessible
> from the LAN.
> I have done a lot of searches on the web and it worked last week, but 
> since then, I have restarted my computer and had the nice surprise to 
> learn that the iptables command does not save its configuration.
> I tried to retrieve my configuration, but am failing ( I tried to 
> understand what I did with the history command, but sadly I am always 
> working with tons of terminals and so, I suspect that it is not the 
> correct history... ), and same to find anew the articles which
> actually make things working.
> 
> I had some network knowledge in the past, but never really practiced 
> it, so I have lost almost everything. I already have used some 
> firewalls, but those were some Windows ones ( I was not a linux user
> at that time ) and so I have never played  with iptables.
> 
> So I ask for 2 things:
> _ help on this particular problem
> _ if someone knows about resources to learn and understand how
> exactly iptables work, this would help me a lot in the future
> 
Google will provide you with many thousands. The usual question arises
as to which of them are up to date, there have been a few small changes
in iptables, and some may rely on the sysv init system, which is fast
disappearing.

As to the particular point you raise here, 'iptables' is a system
command which adds (or subtracts or edits) one rule to the kernel
firewall ruleset. A set of rules created with this command is not
persistent, as you have found. There is a built-in iptables utility,
iptables-save, which will save the current ruleset, and a restore
command which can be run on boot. Debian also has the package
iptables-persistent, which does just this.

This package is relatively recent, and when I needed to address this
problem, I had just built a Linux-From-Scratch system, so I took their
init script skeleton and made a pseudo-daemon, entering a set of
iptables commands at boot. This is an alternative approach, and may be
more flexible, but requires work. It allows the use of alternative
iptables rulesets, written as shell scripts, and therefore allows
offline editing of the scripts and on-the-fly selection of them. On my
mobile systems, I have two rulesets depending on whether I am in a
(fairly) trusted network or a dodgy one, when I use a VPN to my home
network and a more restrictive local firewall.

There are also programs which will 'help' in setting up an iptables
firewall, such as firestarter, but having started out by making my own
iptables scripts, I found these programs too limited, and I think as
you are doing non-standard things, you might also. I've got used to
using iptables logging as a quicker and simpler way of solving (some)
networking problems than a packet analyser, and to do this requires
complete control over the ordering and construction of rules.


> For my particular problem.
> 
Sorry about this, routing to VMs can offer unexpected challenges, and I
haven't used any with any routing complexity for a few years, so I
can't help much. The only VM I currently use does NAT.

As I recall, broadly, to avoid NAT, the VM must use a bridging network
connection (virtualbox does either easily) and the VMs must therefore
have IP addresses compatible with the TCP/IP settings of the real NIC,
in other words they must be set up as if they are real machines on the
same network as the host. I vaguely recall setting up the real NIC as a
br0 interface rather than eth0, plus a bit more tweaking. I think. It is
some time since I did this, and there is no remaining evidence. [Further
disclaimers as required]. It is also possible that the virtualbox
system does more to help now.

Oh, yes, if IPv6 is allowed into your network, there is also an
ip6tables, which is completely independent of the v4 system, and by
default allows anything anywhere. I currently have no use for v6, so
I've just added drop policies to my main ruleset, and that seems to
work.

-- 
Joe





iptables, virtualbox and port forwarding

2014-05-27 Thread berenger . morel

Hello list.

I am trying to build a virtual network exposing servers accessible from 
the LAN.
I have done a lot of searches on the web and it worked last week, but 
since then, I have restarted my computer and had the nice surprise to 
learn that the iptables command does not save its configuration.
I tried to retrieve my configuration, but am failing ( I tried to 
understand what I did with the history command, but sadly I am always 
working with tons of terminals and so, I suspect that it is not the 
correct history... ), and same to find anew the articles which actually 
make things working.


I had some network knowledge in the past, but never really practiced 
it, so I have lost almost everything. I already have used some 
firewalls, but those were some Windows ones ( I was not a linux user at 
that time ) and so I have never played  with iptables.


So I ask for 2 things:
_ help on this particular problem
_ if someone knows about resources to learn and understand how exactly 
iptables work, this would help me a lot in the future


For my particular problem.

I have an eth0 interface, the real one, on ip 172.20.14.0/24.
I made a vlan in my /etc/network/interfaces, like this:
##
auto eth0.1
iface eth0.1 inet static
address 10.10.10.1
netmask 255.255.255.0
vlan-raw-device eth0
##

On that network, I have some VMs with static IPs, and the one on which 
I try to make the configuration for testing and learning purposes has an 
apache2 server running and up ( I can query it from my physical 
computer ). It is using 2 network interfaces, a NAT one and a bridged 
one, but for the others I would like to remove the NAT one, since I need 
them to simulate the production servers ( which are VMs too, but my 
company does not control the system on which they are running. Otherwise 
it would have been far easier: I would have read how it does it to understand 
things ) which only have one interface ( eth0 ).


Both LANs ( the physical one and the virtual one ) work perfectly, but 
now I would like to allow 2 things:
_ VMs to access the physical LAN, so that they could access the apt 
proxy I have installed there for installing software and updates
_ physical computers accessing VMs through some ports of my computer. 
For example, redirecting "172.20.14.XX:80" to "10.10.10.30:80". I will 
do that port forwarding for ssh ( port 22 ), http ( port 80 ) and 
postgresql ( port 5432 ) connections at first.


Thanks



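The pieces of this thread put together as one ruleset: the DNAT in PREROUTING for other LAN machines, the matching DNAT in the nat OUTPUT chain so the host itself can reach 172.20.14.XX:80 (the fix suggested earlier in the thread), MASQUERADE so the VMs can reach the apt proxy on the physical LAN, and a FORWARD policy that admits only the published ports. This is an added example, not part of the thread and not anyone's posted configuration. Rather than typing iptables commands one by one (which, as noted above, do not survive a reboot), it generates the ruleset in iptables-restore(8) format, which is what iptables-persistent loads from /etc/iptables/rules.v4, and which can be kept in version control with comments. The host address 172.20.14.10, the host being 10.10.10.1 on eth0.1, the physical NIC being eth0 and the port list 22/80/5432 are assumptions standing in for the "XX" in the posts. Joe's remark that ip6tables is a separate, default-accept ruleset is handled by gen_rules6, which emits a drop-by-default v6 ruleset for /etc/iptables/rules.v6.

```shell
#!/bin/sh
# Added example, not from the thread: generate iptables-restore(8) rulesets
# for a host that routes between its LAN (eth0) and a VM network (eth0.1).
# Assumed values (the thread only gives 10.10.10.30, 10.10.10.0/24 and
# eth0.1; the rest stand in for the "XX" in the posts):
HOST_IP="${HOST_IP:-172.20.14.10}"     # host's address on the physical LAN
LAN_IF="${LAN_IF:-eth0}"               # physical NIC (untagged frames)
VM_IF="${VM_IF:-eth0.1}"               # VLAN sub-interface the VMs sit on
VM_NET="${VM_NET:-10.10.10.0/24}"      # VM network; the host is 10.10.10.1
VM_WEB="${VM_WEB:-10.10.10.30}"        # VM that receives the published ports
FWD_PORTS="${FWD_PORTS:-22 80 5432}"   # ssh, http, postgresql

# nat table: publish ports on HOST_IP and let the VMs reach the LAN.
gen_nat() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for p in $FWD_PORTS; do
        # Connections from other LAN hosts enter on eth0 and pass PREROUTING.
        printf '%s\n' "-A PREROUTING -i $LAN_IF -d $HOST_IP -p tcp --dport $p -j DNAT --to-destination $VM_WEB:$p"
        # Connections the host makes to its own address never see PREROUTING;
        # locally generated packets are NATed in the nat OUTPUT chain instead.
        printf '%s\n' "-A OUTPUT -d $HOST_IP -p tcp --dport $p -j DNAT --to-destination $VM_WEB:$p"
    done
    # VMs leave towards the LAN with the host's address as source, so LAN
    # machines (the apt proxy) need no route back to 10.10.10.0/24.
    printf '%s\n' "-A POSTROUTING -s $VM_NET -o $LAN_IF -j MASQUERADE" COMMIT
}

# filter table: only the published ports may cross from the LAN into the VM
# network; anything else that is forwarded must belong to an existing flow.
gen_filter() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -i $VM_IF -o $LAN_IF -s $VM_NET -j ACCEPT"
    for p in $FWD_PORTS; do
        # PREROUTING already rewrote the destination, so match on the VM here.
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $VM_IF -d $VM_WEB -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the DROP policy is about to discard; cheaper than a packet capture.
    printf '%s\n' '-A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "fwd-drop: "' COMMIT
}

# Whole IPv4 ruleset: save as /etc/iptables/rules.v4 for iptables-persistent,
# or load it directly with: gen_rules | iptables-restore
gen_rules() { gen_nat; gen_filter; }

# ip6tables is a separate ruleset whose policies are ACCEPT by default, so a
# v4-only firewall leaves the host open over link-local IPv6. Drop unsolicited
# inbound v6 but keep ICMPv6, which neighbour discovery needs. Save as
# /etc/iptables/rules.v6 or load with: gen_rules6 | ip6tables-restore
gen_rules6() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p ipv6-icmp -j ACCEPT' COMMIT
}

# Forwarding itself is a sysctl, not an iptables rule; persist it with
#   echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/50-forward.conf && sysctl --system
if [ "${1:-}" = "v4" ]; then gen_rules; elif [ "${1:-}" = "v6" ]; then gen_rules6; fi
```

Usage: `sh rules.sh v4 > /etc/iptables/rules.v4` and `sh rules.sh v6 > /etc/iptables/rules.v6`, then `iptables-restore < /etc/iptables/rules.v4` (or `netfilter-persistent reload`). The nat OUTPUT rule relies on the VM routing 172.20.14.0/24 back through 10.10.10.1, which is already the case when the host is the VM network's gateway; conntrack then undoes the DNAT on the reply.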


RE: More on port forwarding(ssh, netcat and amule!)

2012-10-11 Thread Pietro Paolini
Hello,

A port number identifies a process running on your machine, so it is implicit 
that a process must be running and listening on that port. When your netcat 
tries to connect it will probably receive an ICMP packet advertising 
"Connection Refused" or a TCP segment with the RST flag set.

Hope this can help you.

Pietro.



-Original Message-
From: robo...@news.nic.it [mailto:robo...@news.nic.it] On Behalf Of houkensjtu
Sent: giovedì 11 ottobre 2012 10:53
To: debian-user@lists.debian.org
Subject: More on port forwarding(ssh, netcat and amule!)

Hi debianer!

I posted a question about port forwarding yesterday and got a quick reply, big 
thanks!
Now I still have something not clear and it can be described as:

I have a laptop in my home, which is connected to my router. Yesterday, I 
succeeded in opening an ssh port (22) on the router, and starting an ssh server on my laptop. 
Now I can access my laptop from the office by ssh USER@my_home_external_ip.

Also, scanning the port by using netcat from the office:
nc -vz my_home_external_ip 22
gives me:
Connection to my_home_external_ip port [tcp/ssh] succeeded!

Today, I tried to open another port on my router, let me call it 1234. And I 
set amule on my laptop to use port 1234 for both tcp and udp. Fortunately, I 
got a High ID as expected.

And then I got confused.
I tried to scan port 1234 from my office:
nc -vz my_home_external_ip 1234
it says:
nc: connect to my_home_external_ip port 1234 (tcp) failed: Connection refused

However, after I remotely access my laptop and launch amule on it, netcat now can:
Connection to my_home_external_ip 1234 port [tcp/*] succeeded!

It seems that, not only on the router, but also I should open a specific port 
on my laptop, otherwise netcat will not be able to connect from outside my home.

I wonder why this happens and what is the mechanism behind it.
Is it possible to open a port in debian, without launching certain software so I 
can netcat from outside to my home laptop?

Thanks!





Re: More on port forwarding(ssh, netcat and amule!)

2012-10-11 Thread Tom Grace
On 11/10/12 09:53, houkensjtu wrote:
> It seems that, not only on the router, but also I should open a specific port 
> on my laptop, otherwise netcat will not be able to connect from outside my 
> home.
> 
> I wonder why this happens and what is the mechanism behind it.
> Is it possible to open a port in debian, without launch certain software so I 
> can netcat from outside to my home laptop?

You can have the port open in firewall terms, but if you don't have any
software listening on it you will receive "connection refused".







More on port forwarding(ssh, netcat and amule!)

2012-10-11 Thread houkensjtu
Hi debianer!

I posted a question about port forwarding yesterday and got a quick reply, big 
thanks!
Now I still have something not clear and it can be described as:

I have a laptop in my home, which is connected to my router. Yesterday, I 
succeeded in opening an ssh port (22) on the router, and starting an ssh server on my laptop. 
Now I can access my laptop from the office by ssh USER@my_home_external_ip.

Also, scanning the port by using netcat from the office:
nc -vz my_home_external_ip 22
gives me:
Connection to my_home_external_ip port [tcp/ssh] succeeded!

Today, I tried to open another port on my router, let me call it 1234. And I 
set amule on my laptop to use port 1234 for both tcp and udp. Fortunately, I 
got a High ID as expected.

And then I got confused.
I tried to scan port 1234 from my office:
nc -vz my_home_external_ip 1234
it says:
nc: connect to my_home_external_ip port 1234 (tcp) failed: Connection refused

However, after I remotely access my laptop and launch amule on it, netcat now can:
Connection to my_home_external_ip 1234 port [tcp/*] succeeded!

It seems that, not only on the router, but also I should open a specific port 
on my laptop, otherwise netcat will not be able to connect from outside my home.

I wonder why this happens and what is the mechanism behind it.
Is it possible to open a port in debian, without launching certain software so I 
can netcat from outside to my home laptop?

Thanks!





Re: newbie question on port forwarding(and ssh, netcat)

2012-10-10 Thread Valery Mamonov
2012/10/11 houkensjtu 

> Thanks Joe, Brian, Murphy
>
> As I posted above, I forgot to say all these experiments were done in my
> home on my laptop...
> Now I am in my office and re-did all these experiments.
> To be short, now all experiments which are done with the ip address work well,
> while if I do ssh USER@DEBIAN, it will say:
>
> ssh: Could not resolve hostname debian: Name or service not known
>
> I am wondering, who (or what device, server) will resolve the hostname? Is
> it possible to resolve my laptop's name from my office??
>
> On Thursday, 11 October 2012 01:00:03 UTC+9, houkensjtu wrote:
> > Hi debianer!
> >
> > I am a newbie both of debian and networking...
> >
> > Recently I am trying to connect my home laptop(I have a router in my
> > home) from office. I read several articles on port forwarding. And I
> > succeeded in opening an 22 port on my router, also I started ssh server on
> > my home laptop.
> >
> > (suppose my username at home is USER, and my laptop is called DEBIAN)
> >
> > I did several experiments and I got confused by some of the results.
> >
> > 1. ssh USER@DEBIAN
> >
> > works well!!
> >
> > 2. nc -vz my_home_external_ip 22
> > [my_home_external_ip] 22 (ssh) : Connection refused
> >
> > I can't understand why it is. Because I have actually succeeded in test 1!
> >
> > 3. ssh -l USER my_home_external_ip
> > ssh: connect to host my_home_external_ip port 22: Connection refused
> > This also doesn't work! I thought it should be equivalent to test 1, but
> > things just don't work.
> >
> > Any one can explain this?
>
Hello. You can use such services as no-ip.com or dyndns.org to create a DNS
A-record for your home external IP-address. This DNS record will be
resolved everywhere.
Also you can modify the 'hosts' file on your work computer (/etc/hosts in
Linux and c:\windows\system32\drivers\etc\hosts in windows) and put the
name of your home computer there. With the second approach you'll be able to
resolve the name on your work computer only.

-- 

Best regards,

Valery Mamonov.


Re: newbie question on port forwarding(and ssh, netcat)

2012-10-10 Thread houkensjtu
Thanks Joe, Brian, Murphy

As I posted above, I forgot to say all these experiments were done in my home on 
my laptop...
Now I am in my office and re-did all these experiments.
To be short, now all experiments which are done with the ip address work well, while 
if I do ssh USER@DEBIAN, it will say:

ssh: Could not resolve hostname debian: Name or service not known

I am wondering, who (or what device, server) will resolve the hostname? Is it 
possible to resolve my laptop's name from my office?? 

On Thursday, 11 October 2012 01:00:03 UTC+9, houkensjtu wrote:
> Hi debianer!
> 
> I am a newbie both of debian and networking...
> 
> Recently I am trying to connect my home laptop(I have a router in my home) 
> from office. I read several articles on port forwarding. And I succeeded in 
> opening an 22 port on my router, also I started ssh server on my home laptop.
> 
> (suppose my username at home is USER, and my laptop is called DEBIAN)
> 
> I did several experiments and I got confused by some of the results.
> 
> 1. ssh USER@DEBIAN
> 
> works well!!
> 
> 2. nc -vz my_home_external_ip 22
> [my_home_external_ip] 22 (ssh) : Connection refused
> 
> I can't understand why it is. Because I have actually succeeded in test 1!
> 
> 3. ssh -l USER my_home_external_ip
> ssh: connect to host my_home_external_ip port 22: Connection refused
> This also doesn't work! I thought it should be equivalent to test 1, but 
> things just don't work.
> 
> Any one can explain this?





Re: newbie question on port forwarding(and ssh, netcat)

2012-10-10 Thread Neal Murphy
On Wednesday, October 10, 2012 08:19:25 PM houkensjtu wrote:
> Thanks for great reply!!
> I have to apologize for sth... I forgot to say that all these experiments
> were done in home on my laptop...omg So, now I solved the problem with
> echo "1">/proc/sys/net/ipv4/ip_forward
> 
> What is this file? Is there any other way to check or configure my laptop
> with out writing directly to this file?

That is exactly how you tell linux to forward traffic between NICs.





Re: newbie question on port forwarding(and ssh, netcat)

2012-10-10 Thread houkensjtu
On Thursday, 11 October 2012 at 08:00:04 UTC+9, Brian wrote:
> On Wed 10 Oct 2012 at 08:35:13 -0700, houkensjtu wrote:
> 
> > I am a newbie both of debian and networking...  Recently I am trying
> > to connect my home laptop(I have a router in my home) from office. I
> > read several articles on port forwarding. And I succeeded in opening
> > an 22 port on my router, also I started ssh server on my home laptop.
> > 
> > (suppose my username at home is USER, and my laptop is called DEBIAN)
> > 
> > I did several experiments and I got confused by some of the results.
> > 
> > 1. ssh USER@DEBIAN
> > 
> > works well!!
> 
> We assume this means you were able to log in with your password, so it
> very much looks like you have set up port forwarding to the home machine
> correctly. Would you please say how your office machine resolves the IP
> number for DEBIAN.
> 
> > 2. nc -vz my_home_external_ip 22
> > [my_home_external_ip] 22 (ssh) : Connection refused
> > 
> > I can't understand why. Because I have actually succeeded in test
> > 1!
> 
> What do you get with
> 
>    ssh USER@my_home_external_ip ?
> 
> > 3. ssh -l USER my_home_external_ip
> > ssh: connect to host my_home_external_ip port 22: Connection refused
> > This also doesn't work! I thought it should be equivalent to test 1,
> > but things just don't work.
> 
> 'Connection refused' would indicate there is a route to the host but
> there is no daemon running on port 22.

Thanks for great reply!!
I have to apologize for sth... I forgot to say that all these experiments were 
done in home on my laptop...omg
So, now I solved the problem with
echo "1">/proc/sys/net/ipv4/ip_forward

What is this file? Is there any other way to check or configure my laptop
without writing directly to this file?





Re: newbie question on port forwarding(and ssh, netcat)

2012-10-10 Thread houkensjtu
Hi Joe!
Thank you for detailed reply!
Actually I found a switch which solved my problem and now all my experiments
work perfectly. The command is:

echo "1">/proc/sys/net/ipv4/ip_forward

but...What is it?! Is there any other way to check and configure my laptop's 
status without writing directly to this file?
...well I know, linux is all about file...


On Thursday, 11 October 2012 at 03:50:02 UTC+9, Joe wrote:
> On Wed, 10 Oct 2012 08:35:13 -0700 (PDT)
> houkensjtu  wrote:
> 
> > Hi debianer!
> > I am a newbie both of debian and networking...
> > Recently I am trying to connect my home laptop(I have a router in my
> > home) from office. I read several articles on port forwarding. And I
> > succeeded in opening an 22 port on my router, also I started ssh
> > server on my home laptop.
> > 
> > (suppose my username at home is USER, and my laptop is called DEBIAN)
> > 
> > I did several experiments and I got confused by some of the results.
> > 
> > 1. ssh USER@DEBIAN
> > 
> > works well!!
> > 
> > 2. nc -vz my_home_external_ip 22
> > [my_home_external_ip] 22 (ssh) : Connection refused
> > 
> > I can't understand why. Because I have actually succeeded in
> > test 1!
> > 
> > 3. ssh -l USER my_home_external_ip
> > ssh: connect to host my_home_external_ip port 22: Connection refused
> > This also doesn't work! I thought it should be equivalent to test 1,
> > but things just don't work.
> > 
> > Any one can explain this?
> 
> Not yet. Many commercial networks operate firewalls affecting the
> connections leaving the network so as yet you don't know which end of
> the connection has an issue.
> 
> Divide the problem into two parts: the simplest way to check port
> forwarding is to use an external website from home, that way you can
> change things without travelling from your office, and you know the
> other end will have no firewall problems.
> 
> A simple and slightly alarming but fairly reliable site is
> http://grc.com. Click on Shields Up!!, scroll down over halfway and
> click the heading Shields Up!, then Proceed, and Continue, then Common
> Ports (you can enter 22 manually, but the Common Ports is a quick test
> and just one click is needed).
> 
> You're looking for 22 shown as Open, and probably all others as
> Stealth. Ignore all the dire warnings, this is a site for Windows users
> and they need to be scared.
> 
> If 22 is not shown as Open, then you either haven't got the forwarding
> right, or sshd isn't running as you expect. If the router looks right,
> from your laptop try ssh . This isn't the same as
> ssh localhost, as the ssh server treats different interfaces separately.
> 
> If all is well at this end, but there is still a problem from your
> office, then you need to ask about outgoing firewalling there.
> 
> However you resolve the initial problem, the ssh server is very heavily
> targeted by the bad guys, using password checking bots. A quick and
> dirty security measure is to forward a non-standard high numbered
> external TCP port to :22 (nearly all routers should be able to
> do that) or to forward it to the same port of the laptop, and
> reconfigure the ssh server to listen on that port (the Port xxx line(s)
> in /etc/sshd_config). Remember to restart the ssh server if you need to
> do this.
> 
> Six people will now leap in and say that's not going to improve
> security, all the bad guys have to do is run a portscan to find your
> server. However, scanning 65,000 ports of the same IP address across
> the Internet is no small undertaking, and will certainly attract
> attention, and I've never yet seen a bot attempt it. I don't get *any*
> connection attempts to my ssh port, while 22 gets 10-100 a day.
> 
> The long-term solution is to disable passwords and use public-private
> key pairs for authentication, which is not really difficult, but is
> not for a complete beginner, and can certainly not be tried until you
> have the system working reliably on passwords. A quick Google for ssh
> public key tutorial turns up a vast number of sites to help with this.
> 
> If you need to work from Windows, by the way, the puTTY progra

Re: newbie question on port forwarding(and ssh, netcat)

2012-10-10 Thread Brian
On Wed 10 Oct 2012 at 19:44:27 +0100, Joe wrote:

[Some good advice snipped]

> However you resolve the initial problem, the ssh server is very heavily
> targeted by the bad guys, using password checking bots. A quick and
> dirty security measure is to forward a non-standard high numbered
> external TCP port to :22 (nearly all routers should be able to
> do that) or to forward it to the same port of the laptop, and
> reconfigure the ssh server to listen on that port (the Port xxx line(s)
> in /etc/sshd_config). Remember to restart the ssh server if you need to
> do this.
> 
> Six people will now leap in and say that's not going to improve
> security, all the bad guys have to do is run a portscan to find your
> server. However, scanning 65,000 ports of the same IP address across
> the Internet is no small undertaking, and will certainly attract
> attention, and I've never yet seen a bot attempt it. I don't get *any*
> connection attempts to my ssh port, while 22 gets 10-100 a day.

What you say about putting sshd on a port other than 22 is undoubtedly
correct. It gives peace of mind, a sense of combating the baddies, less
cruft in the logs and a reason to proselytise. What it doesn't give is a
more secure sshd. Not a single iota of security is gained with the
technique you advocate.

Five to go.
 
> The long-term solution is to disable passwords and use public-private
> key pairs for authentication, which is not really difficult, but is
> not for a complete beginner, and can certainly not be tried until you
> have the system working reliably on passwords. A quick Google for ssh
> public key tutorial turns up a vast number of sites to help with this.

If there was a security problem key-based authentication might provide
a solution. There isn't, so it doesn't.





Re: newbie question on port forwarding(and ssh, netcat)

2012-10-10 Thread Brian
On Wed 10 Oct 2012 at 08:35:13 -0700, houkensjtu wrote:

> I am a newbie both of debian and networking...  Recently I am trying
> to connect my home laptop(I have a router in my home) from office. I
> read several articles on port forwarding. And I succeeded in opening
> an 22 port on my router, also I started ssh server on my home laptop.
> 
> (suppose my username at home is USER, and my laptop is called DEBIAN)
> 
> I did several experiments and I got confused by some of the results.
> 
> 1. ssh USER@DEBIAN
> 
> works well!!

We assume this means you were able to log in with your password, so it
very much looks like you have set up port forwarding to the home machine
correctly. Would you please say how your office machine resolves the IP
number for DEBIAN.

> 2. nc -vz my_home_external_ip 22
> [my_home_external_ip] 22 (ssh) : Connection refused
> 
> I can't understand why. Because I have actually succeeded in test
> 1!

What do you get with

   ssh USER@my_home_external_ip ?

> 3. ssh -l USER my_home_external_ip
> ssh: connect to host my_home_external_ip port 22: Connection refused
> This also doesn't work! I thought it should be equivalent to test 1,
> but things just don't work.

'Connection refused' would indicate there is a route to the host but
there is no daemon running on port 22.






Re: newbie question on port forwarding(and ssh, netcat)

2012-10-10 Thread Joe
On Wed, 10 Oct 2012 08:35:13 -0700 (PDT)
houkensjtu  wrote:

> Hi debianer!
> I am a newbie both of debian and networking...
> Recently I am trying to connect my home laptop(I have a router in my
> home) from office. I read several articles on port forwarding. And I
> succeeded in opening an 22 port on my router, also I started ssh
> server on my home laptop.
> 
> (suppose my username at home is USER, and my laptop is called DEBIAN)
> 
> I did several experiments and I got confused by some of the results.
> 
> 1. ssh USER@DEBIAN
> 
> works well!!
> 
> 2. nc -vz my_home_external_ip 22
> [my_home_external_ip] 22 (ssh) : Connection refused
> 
> I can't understand why. Because I have actually succeeded in
> test 1!
> 
> 3. ssh -l USER my_home_external_ip
> ssh: connect to host my_home_external_ip port 22: Connection refused
> This also doesn't work! I thought it should be equivalent to test 1,
> but things just don't work.
> 
> Any one can explain this?
> 
> 

Not yet. Many commercial networks operate firewalls affecting the
connections leaving the network so as yet you don't know which end of
the connection has an issue.

Divide the problem into two parts: the simplest way to check port
forwarding is to use an external website from home, that way you can
change things without travelling from your office, and you know the
other end will have no firewall problems.

A simple and slightly alarming but fairly reliable site is
http://grc.com. Click on Shields Up!!, scroll down over halfway and
click the heading Shields Up!, then Proceed, and Continue, then Common
Ports (you can enter 22 manually, but the Common Ports is a quick test
and just one click is needed).

You're looking for 22 shown as Open, and probably all others as
Stealth. Ignore all the dire warnings, this is a site for Windows users
and they need to be scared.

If 22 is not shown as Open, then you either haven't got the forwarding
right, or sshd isn't running as you expect. If the router looks right,
from your laptop try ssh . This isn't the same as
ssh localhost, as the ssh server treats different interfaces separately.

If all is well at this end, but there is still a problem from your
office, then you need to ask about outgoing firewalling there.

However you resolve the initial problem, the ssh server is very heavily
targeted by the bad guys, using password checking bots. A quick and
dirty security measure is to forward a non-standard high numbered
external TCP port to :22 (nearly all routers should be able to
do that) or to forward it to the same port of the laptop, and
reconfigure the ssh server to listen on that port (the Port xxx line(s)
in /etc/sshd_config). Remember to restart the ssh server if you need to
do this.

Six people will now leap in and say that's not going to improve
security, all the bad guys have to do is run a portscan to find your
server. However, scanning 65,000 ports of the same IP address across
the Internet is no small undertaking, and will certainly attract
attention, and I've never yet seen a bot attempt it. I don't get *any*
connection attempts to my ssh port, while 22 gets 10-100 a day.

The long-term solution is to disable passwords and use public-private
key pairs for authentication, which is not really difficult, but is
not for a complete beginner, and can certainly not be tried until you
have the system working reliably on passwords. A quick Google for ssh
public key tutorial turns up a vast number of sites to help with this.

If you need to work from Windows, by the way, the puTTY program is
pretty much the industry standard. There is also a Portable Apps
version of it, which does not write anything to the Windows machine.

-- 
Joe





Re: newbie question on port forwarding(and ssh, netcat)

2012-10-10 Thread Nuno Magalhães
http://www.catb.org/esr/faqs/smart-questions.html

A bit of searching the net on port-forwarding oughta give you the answer.
You probably forgot to forward port 22 on the router to whichever ip
address your DEBIAN has.
Search around for stuff on your router/ISP combo as they're almost
always blocked in one way or another.





newbie question on port forwarding(and ssh, netcat)

2012-10-10 Thread houkensjtu
Hi debianer!
I am a newbie both of debian and networking...
Recently I am trying to connect my home laptop(I have a router in my home) from 
office. I read several articles on port forwarding. And I succeeded in opening 
an 22 port on my router, also I started ssh server on my home laptop.

(suppose my username at home is USER, and my laptop is called DEBIAN)

I did several experiments and I got confused by some of the results.

1. ssh USER@DEBIAN

works well!!

2. nc -vz my_home_external_ip 22
[my_home_external_ip] 22 (ssh) : Connection refused

I can't understand why. Because I have actually succeeded in test 1!

3. ssh -l USER my_home_external_ip
ssh: connect to host my_home_external_ip port 22: Connection refused
This also doesn't work! I thought it should be equivalent to test 1, but things
just don't work.

Any one can explain this?





vpn ipsec + port forwarding

2012-03-28 Thread lestoilfante
Dear all,
I would like to ask if someone could point me to a solution for a
problem that has been fooling me for some days.
This is my situation:

--- NET 192.168.1.0/24 --- MULTIPLE HOSTS
              |
     _________|_________
    | LAN 192.168.1.1   |
    | --- VPN GW ---    |
    | WAN 192.168.100.7 |
    |___________________|
              |
              |
     _________|__________________________
    | ETH1 192.168.100.2                 |
    | --- SERVER ---                     |
    | ETH0 10.0.0.1 + TAP0 192.168.2.38  |
    |____________________________________|
              |
              |
     _________|_________
    | *10.0.0.2*        |
    | --- PC ---        |
    |___________________|

On SERVER side I have a port forwarding on tcp 80 to 10.0.0.2, so from
eth1 I can reach PC on 192.168.100.2:80 and this is working fine.
As a new upgrade to my server I added a vpn connection from SERVER to
NET 192.168.1.0 behind VPN GW; this is also working fine and hosts on
the 192.168.1.0 net can reach SERVER on 192.168.2.38 and vice versa. The
problem is that port forwarding is not working over the vpn, so if I try to
reach PC from 192.168.1.x via 192.168.2.38:80 it fails.

The vpn client used on SERVER is ShrewSoft; it brings up the tap0 interface
when the vpn is established, but tcpdump shows packets flowing only on
eth1 (type ESP).

This is my iptables, really stripped down:

# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*mangle
:PREROUTING ACCEPT [2107490:2462265619]
:INPUT ACCEPT [2006646:2354121292]
:FORWARD ACCEPT [100696:108135052]
:OUTPUT ACCEPT [1234102:150431085]
:POSTROUTING ACCEPT [1334795:258565885]
COMMIT
# Completed on Wed Mar 28 15:17:11 2012
# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*nat
:PREROUTING ACCEPT [8148:633084]
:POSTROUTING ACCEPT [798:50506]
:OUTPUT ACCEPT [759:47902]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.254.254.2:80
COMMIT
# Completed on Wed Mar 28 15:17:11 2012
# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*filter
:INPUT ACCEPT [2006634:2354120173]
:FORWARD ACCEPT [100696:108135052]
:OUTPUT ACCEPT [1234099:150430833]
COMMIT
# Completed on Wed Mar 28 15:17:11 2012


Any help will be very appreciated

Thank you





Re: Addressing a machine behind the router without port forwarding or DMZ

2011-04-03 Thread Pascal Hambourg
Hello,

Dotan Cohen wrote:
> 
> Assuming a LAN with a router and three machines:
> 10.0.0.1 Router
> 10.0.0.2 Computer1
> 10.0.0.3 Computer2
> 10.0.0.4 Computer3
> 
> The router sits on an outside IP address of 123.45.67.89. There is no
> DMZ or port forwarding assigned on the router to any of the other
> machines.
> 
> Is there any way an individual from outside the LAN could access a
> resource (Apache for instance, or SSH) on Computer1 assuming that he
> knows Computer1's LAN IP address?

Yes, if the individual sits just outside the router (no other router
between them) and the router allows communication between computer1 and
the outside.

> Would this this be possible if he
> had access to Computer1 and could configure it somehow (without
> configuring the router)?

Yes, if the router allows communication between computer1 and the outside.





Re: Addressing a machine behind the router without port forwarding or DMZ

2011-04-03 Thread David Goodenough
On Sunday 03 April 2011, Dotan Cohen wrote:
> Not a Debian-specific question, but I turn to the best brains that I know.
> 
> Assuming a LAN with a router and three machines:
> 10.0.0.1 Router
> 10.0.0.2 Computer1
> 10.0.0.3 Computer2
> 10.0.0.4 Computer3
> 
> The router sits on an outside IP address of 123.45.67.89. There is no
> DMZ or port forwarding assigned on the router to any of the other
> machines.
> 
> Is there any way an individual from outside the LAN could access a
> resource (Apache for instance, or SSH) on Computer1 assuming that he
> knows Computer1's LAN IP address? Would this this be possible if he
> had access to Computer1 and could configure it somehow (without
> configuring the router)?
If they could install vtun or openvpn (or another tunnel system) then
yes, they would have complete access to all three computers without
changing anything on the router.

David
> 
> Thanks.





Re: Addressing a machine behind the router without port forwarding or DMZ

2011-04-03 Thread shawn wilson
On Apr 3, 2011 8:25 AM, "Dotan Cohen"  wrote:
>
> Not a Debian-specific question, but I turn to the best brains that I know.
>
> Assuming a LAN with a router and three machines:
> 10.0.0.1 Router
> 10.0.0.2 Computer1
> 10.0.0.3 Computer2
> 10.0.0.4 Computer3
>
> The router sits on an outside IP address of 123.45.67.89. There is no
> DMZ or port forwarding assigned on the router to any of the other
> machines.
>
> Is there any way an individual from outside the LAN could access a
> resource (Apache for instance, or SSH) on Computer1 assuming that he
> knows Computer1's LAN IP address? Would this this be possible if he
> had access to Computer1 and could configure it somehow (without
> configuring the router)?
>

Short answer: no
Longer answer:
You might look into a 'reverse tunnel' which means you'd have to initiate
the tunnel and then they could get in. I mean, you could setup something to
trigger initiating that tunnel - email with ip, Twitter, etc. The other bad
part is this is like shitty con config that don't work through nats. Which
means this probably isn't an option (directly). If you have access to a
public server, this still works.
You could also look into piloting around the connection. You'll have to read
up for more info but IIRC, it's pretty much increasing the ttl, setting the
ip and a few other bits and hoping it gets through. This would be more for
initiating a connection and is still likely to fail if both nodes are behind
NATs.


Re: Addressing a machine behind the router without port forwarding or DMZ

2011-04-03 Thread Axel Freyn
Hi Dotan,
On Sun, Apr 03, 2011 at 03:25:29PM +0300, Dotan Cohen wrote:
> Not a Debian-specific question, but I turn to the best brains that I know.
> 
> Assuming a LAN with a router and three machines:
> 10.0.0.1 Router
> 10.0.0.2 Computer1
> 10.0.0.3 Computer2
> 10.0.0.4 Computer3
> 
> The router sits on an outside IP address of 123.45.67.89. There is no
> DMZ or port forwarding assigned on the router to any of the other
> machines.
> 
> Is there any way an individual from outside the LAN could access a
> resource (Apache for instance, or SSH) on Computer1 assuming that he
> knows Computer1's LAN IP address? Would this this be possible if he
> had access to Computer1 and could configure it somehow (without
> configuring the router)?
Not really. No matter what the individual does: it can only contact the
router on 123.45.67.89. If the router then throws away the traffic,
you're finished.

However, there are some tricks -- depending on the way the router is
exactly configured: Assuming the router allows computer1 to communicate
with the internet (e.g: computer1 can send data to the internet, and the
router forwards the answer back to computer1), then it is possible: You
have to "cheat" the router such that the router believes "computer1
wants to connect to the outsider" instead of "outsider wants to connect
to computer1".

A first example for this concept are protocols like active ftp: There,
the CLIENT opens a first connection (the control connection), but the
SERVER opens the data-connection: In order to forward active ftp via an
router, the router has to listen & understand the first connection, such
that it knows to which client the data-connection has to be forwarded.
(e.g. the linux iptables-firewall has a special module to support active
ftp-forwarding)

A full implementation of such a "cheating" is done by Skype. in your
example:
 - computer1 asks an external server, whether someone wants to connect
   to it.
 - the individual informs the external server. the external server can
   send this information to computer1, as the connection
   "computer1<->external server" was opened by computer1 ==> router
   allows it.
 - computer1 sends a packet to the individual. This packet does not
   contain any useful data -- but is detected by the router as "computer1
   speaks with individual". In addition, the networking details of the
   packet (ip-address, port,...) are sent to the external server, which
   forwards them to the individual.
 - now, the individual can ANSWER to this packet -- and from the point
   of view of the router this is a connection opened by computer1 (and
   NOT a connection opened by the individual) ==> probably allowed.

So in fact, when you do something along these lines, the router will not see
"individual from outside wants to connect to computer1" -- but:
"computer1 wants to connect to outside". Of course, the remaining
question is: does the router allow this connection?
And you need an external server to initiate the connection: somehow, the
individual has to learn the networking details of the initial packet...
The "external server" could be e.g. a mail server, which computer1
regularly checks for new mails...


Axel





Re: Addressing a machine behind the router without port forwarding or DMZ

2011-04-03 Thread Dotan Cohen
On Sun, Apr 3, 2011 at 15:35, Steven  wrote:
> To my knowledge, no, there is not. Only if the traffic is part of an
> existing connection created by one of the machines inside your LAN.
>

Thanks, that is what I suspected.

> If he wants access to computer 1, your router would need to be
> compromised (or computer 1 using some kind of malware, then computer 1
> could initiate the traffic itself. The malware could be hosted on an
> external website you need to visit).
>

It doesn't need to be malware, that would fall under the idea of
configuring Computer1. But it would still require Computer1 to
initiate the connection.

My current solution is to have Computer1 cron to check an outside URL
to see if a connection request is pending, and from where.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com





Re: Addressing a machine behind the router without port forwarding or DMZ

2011-04-03 Thread Steven
On Sun, 2011-04-03 at 15:25 +0300, Dotan Cohen wrote: 
> Not a Debian-specific question, but I turn to the best brains that I know.
> 
> Assuming a LAN with a router and three machines:
> 10.0.0.1 Router
> 10.0.0.2 Computer1
> 10.0.0.3 Computer2
> 10.0.0.4 Computer3
> 
> The router sits on an outside IP address of 123.45.67.89. There is no
> DMZ or port forwarding assigned on the router to any of the other
> machines.
> 
> Is there any way an individual from outside the LAN could access a
> resource (Apache for instance, or SSH) on Computer1 assuming that he
> knows Computer1's LAN IP address? Would this this be possible if he
> had access to Computer1 and could configure it somehow (without
> configuring the router)?
> 
> Thanks.
> 

To my knowledge, no, there is not. Only if the traffic is part of an
existing connection created by one of the machines inside your LAN.

If he wants access to computer 1, your router would need to be
compromised (or computer 1 using some kind of malware, then computer 1
could initiate the traffic itself. The malware could be hosted on an
external website you need to visit).

Kind regards,
Steven




Re: Addressing a machine behind the router without port forwarding or DMZ

2011-04-03 Thread Nuno Magalhães
On Sun, Apr 3, 2011 at 13:25, Dotan Cohen  wrote:
> Not a Debian-specific question, but I turn to the best brains that I know.
Then OT it.

> Is there any way an individual from outside the LAN could access a
> resource (Apache for instance, or SSH) on Computer1 assuming that he
> knows Computer1's LAN IP address? Would this this be possible if he
> had access to Computer1 and could configure it somehow (without
> configuring the router)?

Without any sort of config, the only apache you could access would be
the router's. There has to be some sort of router config.

STUN is used for this, but i think it just provides an internal client
with the external IP address, for messaging behind firewalls and what
not. Maybe it's tweakable? If your internal client initiates a
connection, maybe you can start from there.

HTH,
Nuno

-- 
Mars 2 Stay!
http://xkcd.com/801/
/etc





Addressing a machine behind the router without port forwarding or DMZ

2011-04-03 Thread Dotan Cohen
Not a Debian-specific question, but I turn to the best brains that I know.

Assuming a LAN with a router and three machines:
10.0.0.1 Router
10.0.0.2 Computer1
10.0.0.3 Computer2
10.0.0.4 Computer3

The router sits on an outside IP address of 123.45.67.89. There is no
DMZ or port forwarding assigned on the router to any of the other
machines.

Is there any way an individual from outside the LAN could access a
resource (Apache for instance, or SSH) on Computer1 assuming that he
knows Computer1's LAN IP address? Would this this be possible if he
had access to Computer1 and could configure it somehow (without
configuring the router)?

Thanks.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com





Re: port forwarding without using ssh

2010-09-13 Thread green
Zhang Weiwu wrote at 2010-09-13 02:23 -0500:
> Thank you! Now that I tried it, the apf-client package proved very useful
> in my case. I followed your advice almost a year later because I was too
> busy with daily business and kept your email as "marked for personal
> todo" for a year or so.

Excellent!  Now we can await global ipv6 as a better solution.




Re: port forwarding without using ssh

2010-09-13 Thread Zhang Weiwu
Hi.

On 2009年11月12日 07:53, green wrote:
> Zhang Weiwu wrote at 2009-11-10 20:36 -0600:
>> Hello. I have a remote server inside a remote office covered by NAT
>> masquerade where port forwarding not possible, and a local server in my
>> local office not covered by NAT masquerade. In order to access the
>> remote office and hosts in that office, I do this:
>>
>> On remote office server, in a screen session I run
>> $ ssh -R   local_server
>>
>> On my own office, I try to connect to mapped ports on local_server.
>>
>> The problem of this solution is security. I do not want to grant shell
>> access of local_server to remote_server. What would you recommend me to
>> do in this case? I could try to limit access of the account used by
>> remote server ssh -R, but should I?
>>
> You might want to check out apf-server and apf-client packages.  I use these
> to provide access between masqueraded systems using an intermediary system.
> Server runs on the intermediary and client on the system to be connected to.
> System connected _from_ connects to client through a port on the server.

Thank you! Now that I tried it, the apf-client package proved very useful
in my case. I followed your advice almost a year later because I was too
busy with daily business and kept your email as "marked for personal
todo" for a year or so.





Re: port forwarding without using ssh

2009-11-11 Thread green
Zhang Weiwu wrote at 2009-11-10 20:36 -0600:
> Hello. I have a remote server inside a remote office covered by NAT
> masquerade where port forwarding is not possible, and a local server in my
> local office not covered by NAT masquerade. In order to access the
> remote office and hosts in that office, I do this:
> 
> On remote office server, in a screen session I run
> $ ssh -R   local_server
> 
> On my own office, I try to connect to mapped ports on local_server.
> 
> The problem of this solution is security. I do not want to grant shell
> access of local_server to remote_server. What would you recommend me to
> do in this case? I could try to limit access of the account used by
> remote server ssh -R, but should I?

You might want to check out apf-server and apf-client packages.  I use these to 
provide access between masqueraded systems using an intermediary system.  
Server runs on the intermediary and client on the system to be connected to.  
System connected _from_ connects to client through a port on the server.




Re: port forwarding without using ssh

2009-11-11 Thread Todd A. Jacobs
On Wed, Nov 11, 2009 at 10:36:20AM +0800, Zhang Weiwu wrote:

> The problem of this solution is security. I do not want to grant shell
> access of local_server to remote_server. What would you recommend me
> to do in this case? I could try to limit access of the account used by
> remote server ssh -R, but should I?

You don't have to grant the remote server shell access if you don't want
to. You can use the port-forward feature of ssh to just create ports
without a shell with the -fN flag.

Also, the -R and -L flags look the same, but define which end the
traffic originates from. So, it's hard to say if you're using -R
correctly, or if you should be using -L instead.

This is untested, but should work to tunnel SMTP from localserver to
remoteserver when the connection is opened from the remoteserver side:

remoteserver$ ssh -fN -R25:localhost:25 localserver

to make it work securely, though, you need to do a few more things.

1. Add the "no-pty" option to your authorized_keys file so that no
   shell is allowed for that key.

2. See whether you can limit the forwarded ports with "permitopen"
   in authorized_keys. This may or may not work with -R; the man
   page says it's for -L only.

3. Consider creating a non-root user for ports that don't require
   binding to privileged ports. For example, you could tunnel git on
   port 9418 as some other user rather than root.

If you want a real SSH-based VPN, and are willing to pay the encryption
overhead, you can investigate SSH + TUN forwardings. See these articles
as a starting point:

http://www.debian-administration.org/articles/539
https://help.ubuntu.com/community/SSH_VPN
http://www.gentoo-wiki.info/HOWTO_VPN_over_SSH_and_tun

Hope that helps.

-- 
"Oh, look: rocks!"
-- Doctor Who, "Destiny of the Daleks"
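The three hardening steps above, as an added Python check (example code, not from the thread): it parses an authorized_keys entry and reports what still lets the key holder do more than forward ports. On point 2, permitopen limits -L forwards only; the -R limit is permitlisten, available in OpenSSH 7.8 and later. Key material and comments in the sample are constructed.

```python
"""Audit an authorized_keys entry meant for a forwarding-only account.
Added example, not code from the thread.  Option names are the ones
sshd(8) documents; permitlisten (the -R counterpart of permitopen)
needs OpenSSH 7.8 or newer.  Key material below is constructed."""

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def split_options(opts):
    """Split 'a,b="x,y",c' into ['a', 'b="x,y"', 'c'].  sshd allows commas
    inside double quotes and lets a backslash escape a quote."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == "\\" and i + 1 < len(opts):      # escaped char: keep literally
            cur.append(opts[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        items.append("".join(cur))
    return items


def parse_line(line):
    """Return (options, key_type, comment) for one authorized_keys line,
    or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = ""
    if not line.startswith(KEY_TYPES):
        # the options field ends at the first space outside double quotes
        quoted, i = False, 0
        while i < len(line) and (quoted or line[i] != " "):
            if line[i] == "\\":
                i += 1
            elif line[i] == '"':
                quoted = not quoted
            i += 1
        opts, line = line[:i], line[i:].lstrip()
    fields = line.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPES):
        raise ValueError("malformed authorized_keys line")
    return split_options(opts), fields[0], (fields[2] if len(fields) > 2 else "")


def tunnel_only_issues(options):
    """List everything that still lets the key holder do more than forward
    ports.  An empty list means the key is limited to forwarding."""
    names = {o.split("=", 1)[0] for o in options}
    issues = []
    if "restrict" in names:
        if "port-forwarding" not in names:
            issues.append("restrict without port-forwarding: forwarding is disabled")
    else:
        for needed in ("no-pty", "no-agent-forwarding", "no-X11-forwarding", "no-user-rc"):
            if needed not in names:
                issues.append(f"missing {needed}")
    if "command" not in names:
        issues.append("no forced command: key holder can still run commands")
    if not names & {"permitopen", "permitlisten"}:
        issues.append("no permitopen/permitlisten: any port may be forwarded")
    return issues


def audit(text):
    """Audit a whole authorized_keys file; returns [(key_type, comment, issues)]."""
    result = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            options, key_type, comment = parsed
            result.append((key_type, comment, tunnel_only_issues(options)))
    return result


# Constructed sample file: one hardened tunnel key, one that only has no-pty.
SAMPLE = """\
# tunnel from remoteserver, SMTP only (-R 25), no shell
restrict,port-forwarding,permitlisten="25",command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKey tunnel@remoteserver
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleConstructedKey git@remoteserver
"""

if __name__ == "__main__":
    for key_type, comment, issues in audit(SAMPLE):
        print(f"{comment} ({key_type}): {issues or 'forwarding-only'}")
```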





Re: port forwarding without using ssh

2009-11-11 Thread Mr. Wang Long
On Wed, Nov 11, 2009 at 10:36, Zhang Weiwu  wrote:
> Hello. I have a remote server inside a remote office covered by NAT
> masquerade where port forwarding is not possible, and a local server in my
> local office not covered by NAT masquerade. In order to access the
> remote office and hosts in that office, I do this:
>
> On remote office server, in a screen session I run
> $ ssh -R   local_server
You may want to run ``$ ssh -N -R  _local_server'' instead.
Please refer to the manpage for further details.

>
> On my own office, I try to connect to mapped ports on local_server.
>
> The problem of this solution is security. I do not want to grant shell
> access of local_server to remote_server. What would you recommend me to
> do in this case? I could try to limit access of the account used by
> remote server ssh -R, but should I?
>

Regards,
Wang Long





Re: port forwarding without using ssh

2009-11-10 Thread Zhang Weiwu
Alex Samad wrote:
> On Wed, Nov 11, 2009 at 10:36:20AM +0800, Zhang Weiwu wrote:
>   
>> The problem of this solution is security. I do not want to grant shell
>> access of local_server to remote_server. What would you recommend me to
>> do in this case? I could try to limit access of the account used by
>> remote server ssh -R, but should I?
>> 
>
> have you thought about openvpn and iptables?
>   
I am clueless regarding both. It would be better if you were more
specific about which features of the two pieces of software are useful;
then I can be more specific when I RTFM. Knowing it is possible with a
certain technology makes better use of my time, as I have too much
pressure at the moment to deal with all the problems and still make the
best use of learning time.. Sorry...





Re: port forwarding without using ssh

2009-11-10 Thread Alex Samad
On Wed, Nov 11, 2009 at 10:36:20AM +0800, Zhang Weiwu wrote:
> Hello. I have a remote server inside a remote office covered by NAT
> masquerade where port forwarding is not possible, and a local server in my
> local office not covered by NAT masquerade. In order to access the
> remote office and hosts in that office, I do this:
> 
> On remote office server, in a screen session I run
> $ ssh -R   local_server
> 
> On my own office, I try to connect to mapped ports on local_server.
> 
> The problem of this solution is security. I do not want to grant shell
> access of local_server to remote_server. What would you recommend me to
> do in this case? I could try to limit access of the account used by
> remote server ssh -R, but should I?

have you thought about openvpn and iptables ?

> 
> 

-- 
"A tax cut is really one of the anecdotes to coming out of an economic illness."

- George W. Bush
09/18/2000
The Edge With Paula Zahn




port forwarding without using ssh

2009-11-10 Thread Zhang Weiwu
Hello. I have a remote server inside a remote office covered by NAT
masquerade where port forwarding is not possible, and a local server in my
local office not covered by NAT masquerade. In order to access the
remote office and hosts in that office, I do this:

On remote office server, in a screen session I run
$ ssh -R   local_server

On my own office, I try to connect to mapped ports on local_server.

The problem of this solution is security. I do not want to grant shell
access of local_server to remote_server. What would you recommend me to
do in this case? I could try to limit access of the account used by
remote server ssh -R, but should I?





Re: run ssh as service for port forwarding

2009-06-14 Thread Tzafrir Cohen
On Mon, Jun 15, 2009 at 12:16:22AM +0800, Zhang Weiwu wrote:
> Hello. We have a great firewall that scans keywords in TCP connections'
> raw data, thus I could not use my HTTP proxy server outside of the
> firewall because both the direct connection to the web server and the
> indirect connection to the HTTP proxy are scanned by the firewall.
> 
> My trick is to run 'ssh -L' and configure the browser to use an HTTP proxy
> server that runs on localhost, which forwards to the real HTTP proxy
> server. However, running ssh -L several times a day is against the basic
> principle of using a computer: let the computer do the repetitive task.
> autossh helps but it also occupies a console session, which I don't like.

Are you aware of the -D option of ssh? It creates a socks proxy. Now
configure your browser to use that port as sock proxy and, well, things
should work :-)

> 
> I thought about wrapping the proxy server with stunnel, but then I could
> not configure Firefox to connect to http proxy using https protocol.
> Then I think running autossh -L as a system service (not possible
> because it doesn't detach from console).
> 
> What would you recommend then? (TOR is already being used but hardly
> acceptable for very low bandwidth it offers)

We have a package that does something similar with ssh -R .

http://rapid-tunneling.wiki.sourceforge.net/

Feel free to borrow the daemonizing part of
http://rapid-tunneling.git.sourceforge.net/git/gitweb.cgi?p=rapid-tunneling

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
ICQ# 16849754 || friend





run ssh as service for port forwarding

2009-06-14 Thread Zhang Weiwu
Hello. We have a great firewall that scans keywords in TCP connections'
raw data, thus I could not use my HTTP proxy server outside of the
firewall because both the direct connection to the web server and the
indirect connection to the HTTP proxy are scanned by the firewall.

My trick is to run 'ssh -L' and configure the browser to use an HTTP proxy
server that runs on localhost, which forwards to the real HTTP proxy
server. However, running ssh -L several times a day is against the basic
principle of using a computer: let the computer do the repetitive task.
autossh helps but it also occupies a console session, which I don't like.

I thought about wrapping the proxy server with stunnel, but then I could
not configure Firefox to connect to http proxy using https protocol.
Then I think running autossh -L as a system service (not possible
because it doesn't detach from console).

What would you recommend then? (TOR is already being used but hardly
acceptable for very low bandwidth it offers)





Re: IPTables Port Forwarding

2007-03-07 Thread Giacomo Montagner
On Wed, 2007-03-07 at 16:24 +0100, Joe Hart wrote:
> Giacomo Montagner wrote:
> > On 3/3/07, John L Fjellstad <[EMAIL PROTECTED]> wrote:
> >> Johnno <[EMAIL PROTECTED]> writes:
> >>
> >> > Hello
> >> >
> >> > Need a little bit of help here...  eth1 = Internet, eth0 = LAN, will
> >> > this work?
> >> >
> >> > iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
> >> > 192.168.1.50:80
> >> > iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j
> >> ACCEPT

Hi!
I worked it out... I googled around a little, and found this:

http://www.debian-administration.org/articles/73

I tried with a virtual machine, my pc and another machine, let me point out
the situation:

10.0.0.0 "internet" (of course this is only another dmz)
192.168.0.0 "dmz"

http server: 192.168.0.80:80
gateway (my pc): 192.168.0.1 on the dmz (eth0)
 10.0.0.10 on "the internet" (eth1)

First: 
echo 1 > /proc/sys/net/ipv4/ip_forward 

Second:
http server must use 192.168.0.1 as default gateway

Third:
iptables -t nat -I PREROUTING -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 80 -i eth1 -j DNAT --to-destination 192.168.0.80

Once the packets get modified by the PREROUTING chain, they get into FORWARD 
chain:
iptables -I FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
(of course if you have an ACCEPT FORWARD policy this is not needed)

I also tried this:
iptables -I FORWARD -m state --state NEW,ESTABLISHED,RELATED -d 192.168.0.80 -j ACCEPT
but I also had to specify:
iptables -I FORWARD -m state --state NEW,ESTABLISHED,RELATED -s 192.168.0.80 -j ACCEPT
or the connection failed.

Hope this helps. 

Bye!

Giacomo


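The DNAT path Giacomo walks through above, modelled as an added Python example (not code from the thread): a packet arriving on the forwarded port passes nat PREROUTING, then the routing decision, then filter FORWARD rather than INPUT, and the conntrack entry rewrites the reply's source address on its own, so no POSTROUTING SNAT rule is needed for the return traffic. Interface roles follow Johnno's setup (eth1 = Internet, eth0 = LAN); all addresses are constructed.

```python
"""Model of the netfilter path a DNAT'ed connection takes through the
gateway in this thread (eth1 = Internet, eth0 = LAN): nat PREROUTING ->
routing decision -> filter FORWARD or INPUT -> reply handled by conntrack.
Added example, not the thread's code; all addresses are constructed."""
from dataclasses import dataclass, replace

WAN_IF, LAN_IF = "eth1", "eth0"
PUBLIC_IP = "203.0.113.10"          # constructed public address on eth1
GATEWAY_LAN_IP = "192.168.1.1"      # constructed LAN address on eth0
WEB_SERVER = "192.168.1.50"         # the DNAT target from Johnno's rule
LOCAL_IPS = {PUBLIC_IP, GATEWAY_LAN_IP}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str

    def tuple4(self):
        return (self.src, self.sport, self.dst, self.dport)


def dnat_rule(pkt):
    """nat PREROUTING: -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80"""
    if pkt.in_if == WAN_IF and pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, dst=WEB_SERVER, dport=80)
    return pkt


def filter_forward(pkt, state):
    """filter FORWARD with a DROP policy.  There is no INPUT rule for
    port 80: a DNAT'ed packet is routed onward, so it never reaches INPUT."""
    if state == "ESTABLISHED":
        return "ACCEPT"        # -m state --state ESTABLISHED,RELATED -j ACCEPT
    if pkt.in_if == LAN_IF:
        return "ACCEPT"        # LAN hosts may open outbound connections
    if pkt.in_if == WAN_IF and pkt.dst == WEB_SERVER and pkt.dport == 80:
        return "ACCEPT"        # only the forwarded service, nothing else inside
    return "DROP"


def filter_input(pkt, state):
    """filter INPUT: the gateway itself only talks to the LAN."""
    return "ACCEPT" if state == "ESTABLISHED" or pkt.in_if == LAN_IF else "DROP"


class Gateway:
    def __init__(self):
        # confirmed flows: (original-direction tuple, reply-direction tuple)
        self.conntrack = []

    def process(self, pkt):
        """Run one packet through the gateway.
        Returns (chain, verdict, packet as it leaves the gateway)."""
        state, pending = "ESTABLISHED", None
        for orig, reply in self.conntrack:
            if pkt.tuple4() == orig:      # later packet of a known flow: same DNAT
                out = replace(pkt, dst=reply[0], dport=reply[1])
                break
            if pkt.tuple4() == reply:     # reply: conntrack undoes the DNAT, so
                out = replace(pkt, src=orig[2], sport=orig[3])   # no SNAT rule
                break
        else:
            state = "NEW"
            out = dnat_rule(pkt)
            pending = (pkt.tuple4(), (out.dst, out.dport, out.src, out.sport))
        chain = "INPUT" if out.dst in LOCAL_IPS else "FORWARD"
        verdict = (filter_input if chain == "INPUT" else filter_forward)(out, state)
        if verdict == "ACCEPT" and pending:
            self.conntrack.append(pending)  # entry confirmed only once accepted
        return chain, verdict, out


def demo():
    """Client 198.51.100.7 (constructed) connects to the forwarded web port,
    the server answers, then the client probes ssh on the private address."""
    gw = Gateway()
    syn = Packet("198.51.100.7", 40000, PUBLIC_IP, 80, WAN_IF)
    synack = Packet(WEB_SERVER, 80, "198.51.100.7", 40000, LAN_IF)
    probe = Packet("198.51.100.7", 40001, WEB_SERVER, 22, WAN_IF)
    return [gw.process(p) for p in (syn, synack, probe)]


if __name__ == "__main__":
    for chain, verdict, out in demo():
        print(f"{chain:8} {verdict:7} {out.src}:{out.sport} -> {out.dst}:{out.dport}")
```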


Re: IPTables Port Forwarding

2007-03-07 Thread Joe Hart

Giacomo Montagner wrote:
> On 3/3/07, John L Fjellstad <[EMAIL PROTECTED]> wrote:
>> Johnno <[EMAIL PROTECTED]> writes:
>>
>> > Hello
>> >
>> > Need a little bit of help here...  eth1 = Internet, eth0 = LAN, will
>> > this work?
>> >
>> > iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
>> > 192.168.1.50:80
>> > iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j
>> ACCEPT
>> >
>> > Anything on port 80 to go to an internal server on IP 192.168.1.50
>>
>> Been awhile since I played with forwarding.  One thing to remember
>> is to turn on forwarding in the kernel (/proc/sys/net/ipv4/ip_forward,
>> if you have ipv6, you need to do something similar).
>>
>> Also, I'm not sure you need the second rule. I think it gets rerouted
>> before it gets to the INPUT chain if you route it in the PREROUTING
>> chain.  But if you do need the INPUT chain, then the rule should
>> probably not have the state directive (otherwise, all packages not set
>> to NEW, which is basically all packages after the first one, will be
>> dropped or whatever the policy is)
> 
> Hi,
> if you have a policy which discards incoming packets from eth1, then you
> have to use the INPUT rule, but basically you need to allow also
> ESTABLISHED and RELATED connections:
> 
> iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 80 -i eth1 -j ACCEPT
> 
> should work.
> 
> But I'm not sure this is enough: when you do DNAT towards your http
> server, it will then send answers directly to the client (I assume
> packets will go back through your firewall).
> Then the client gets an answer from "192.168.1.50", which is not the public
> IP the client was connecting to, so I expect it to discard the packet.
> You should also do SNAT on returning packets:
> 
> iptables -A POSTROUTING -t nat -o eth1 -s 192.168.1.50 -p tcp --sport 80 -j SNAT --to-source 
> 
> so the client get the answer from your-public-ip
> 
> Please let me know if this helps, it's been a while for me too, since my
> last
> handmade firewall.
> 
> Cheers!
> 
> Giacomo
> 
> 
Here's my port forwarding firewall... eth0 is WAN, eth1 LAN.  I'm not
positive that it's really secure, but it works, and it's behind yet
another firewall built into my router.  It runs when the network comes up.

--
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

--
Registered Linux user #443289 at http://counter.li.org/





Re: IPTables Port Forwarding

2007-03-07 Thread Giacomo Montagner

On 3/3/07, John L Fjellstad <[EMAIL PROTECTED]> wrote:

Johnno <[EMAIL PROTECTED]> writes:

> Hello
>
> Need a little bit of help here...  eth1 = Internet, eth0 = LAN, will
> this work?
>
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
> 192.168.1.50:80
> iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
>
> Anything on port 80 to go to an internal server on IP 192.168.1.50

Been awhile since I played with forwarding.  One thing to remember
is to turn on forwarding in the kernel (/proc/sys/net/ipv4/ip_forward,
if you have ipv6, you need to do something similar).

Also, I'm not sure you need the second rule. I think it gets rerouted
before it gets to the INPUT chain if you route it in the PREROUTING
chain.  But if you do need the INPUT chain, then the rule should
probably not have the state directive (otherwise, all packages not set
to NEW, which is basically all packages after the first one, will be
dropped or whatever the policy is)


Hi,
if you have a policy which discards incoming packets from eth1, then you
have to use the INPUT rule, but basically you need to allow also
ESTABLISHED and RELATED connections:

iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 80 -i eth1 -j ACCEPT

should work.

But I'm not sure this is enough: when you do DNAT towards your http
server, it will then send answers directly to the client (I assume
packets will go back through your firewall).
Then the client gets an answer from "192.168.1.50", which is not the public
IP the client was connecting to, so I expect it to discard the packet.
You should also do SNAT on returning packets:

iptables -A POSTROUTING -t nat -o eth1 -s 192.168.1.50 -p tcp --sport 80 -j SNAT --to-source 

so the client get the answer from your-public-ip

Please let me know if this helps, it's been a while for me too, since my last
handmade firewall.

Cheers!

Giacomo






Re: IPTables Port Forwarding

2007-03-02 Thread John L Fjellstad
Johnno <[EMAIL PROTECTED]> writes:

> Hello
>
> Need a little bit of help here...  eth1 = Internet, eth0 = LAN, will
> this work?
>
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
> 192.168.1.50:80
> iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
>
> Anything on port 80 to go to an internal server on IP 192.168.1.50

Been awhile since I played with forwarding.  One thing to remember
is to turn on forwarding in the kernel (/proc/sys/net/ipv4/ip_forward,
if you have ipv6, you need to do something similar).

Also, I'm not sure you need the second rule. I think it gets rerouted
before it gets to the INPUT chain if you route it in the PREROUTING
chain.  But if you do need the INPUT chain, then the rule should
probably not have the state directive (otherwise, all packages not set
to NEW, which is basically all packages after the first one, will be
dropped or whatever the policy is)

-- 
John L. Fjellstad
web: http://www.fjellstad.org/  Quis custodiet ipsos custodes





IPTables Port Forwarding

2007-03-01 Thread Johnno
Hello

Need a little bit of help here...  eth1 = Internet, eth0 = LAN,   will this
work?

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT

Anything on port 80 to go to an internal server on IP 192.168.1.50

Many Thanks,

Johnno





Re: port forwarding problem. Probably easy if you know how.

2006-04-25 Thread Gilberto Villani Brito
Hi,

I think it is better if you use just:
# iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
# iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

I hope your ppp0 has IP 216.138.195.194.

Gilberto


On Sun, 23 Apr 2006 09:27:21 -0400
[EMAIL PROTECTED] wrote:

> I'm running sarge on a vintage Pentium as a gateway machine for a home 
> network.
> 
> My machine was cracked last December and I reinstalled everything
> from scratch using a sarge netinstall CD. (I checked all scripts I
> resurrected from the old system, and recompiled all my *own* binaries
> from original source code.  The script I mention below hasn't been
> molested.)
> 
> I run the same script for port-forwarding and masquerading that I used 
> before the reinstall.
> 
> But it doesn't work.
> 
> Lines like
> 
> iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
> iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
> iptables -t nat -A POSTROUTING --protocol udp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
> iptables -t nat -A POSTROUTING --protocol tcp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
> 
> have no effect at all (as checked by iptables --list)
> 
> but the line
> 
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> 
> works like a charm.
> 
> I suspect there's probably a missing kernel module.  But which one?
> And where do I find it?  The docs for iptables say that it will attempt 
> to load any necessary modules, so I presume a simple modprobe isn't 
> enough.  Or else that it doesn't try hard enough.
> 
> -- hendrik
> 
> 
> 
> 






Re: port forwarding problem. Probably easy if you know how.

2006-04-24 Thread Jon Dowland
At 1145804173 past the epoch, [EMAIL PROTECTED] wrote:
> On Sun, Apr 23, 2006 at 09:11:14AM -0500, Forrest Smith
> wrote:
> > The folks on the Shorewall project have done all this
> > for you:
> 
> Does shorewall find and install the missing kernel
> modules, wherever they are?  Or does it just use iptables,
> whose docs say it tries to load them (but it is evidently
> not succeeding).
> 
> I *have* the set of iptables commands I need.  They *used*
> to work.  They *don't* work now.

What makes you think it is a kernel module issue? Usually
with iptables, if the relevant kernel module is not loaded
and can't be probed automatically, the command you utter
will fail to the terminal as you type it, not just silently
not work. Or perhaps it has done, and you just haven't
provided us with the messages.

-- 
Jon Dowland
http://alcopop.org/





Re: port forwarding problem. Probably easy if you know how.

2006-04-24 Thread George Borisov
[EMAIL PROTECTED] wrote:
> 
> But it doesn't work.
> 
> Lines like
> 
> iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
> iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
> iptables -t nat -A POSTROUTING --protocol udp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
> iptables -t nat -A POSTROUTING --protocol tcp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
> 
> have no effect at all (as checked by iptables --list)

You also need some "FORWARD" rules (don't know if you have them, or not).

E.g:

/sbin/iptables -A FORWARD -p tcp --dport 27012 -d 172.25.1.5 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --dport 27012 -d 172.25.1.5 -j ACCEPT


> I suspect there's probably a missing kernel module.  But which one?
> And where do I find it?  The docs for iptables say that it will attempt 
> to load any necessary modules, so I presume a simple modprobe isn't 
> enough.  Or else that it doesn't try hard enough.

This is a very useful example:

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html#RC.FIREWALL-IPTABLES-STRONGER


Here is what I have in my script:

---

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Tool paths used below (the excerpt did not include their definitions)
LSMOD=/sbin/lsmod
GREP=/bin/grep
MODPROBE=/sbin/modprobe

# Load some required (and a few optional) kernel modules,
# skipping any that lsmod already lists (anchored match, so
# ip_conntrack_ftp does not count as ip_conntrack)
for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
           iptable_nat ip_nat_ftp ip_nat_irc; do
   if ! $LSMOD | $GREP -q "^$mod "; then
      $MODPROBE "$mod"
   fi
done

---


Hope this helps,

-- 
George Borisov

DXSolutions Ltd





Re: port forwarding problem. Probably easy if you know how.

2006-04-24 Thread hendrik
On Sun, Apr 23, 2006 at 08:36:15PM -0700, charles norwood wrote:
> On Sun, 2006-04-23 at 14:56 -0400, [EMAIL PROTECTED] wrote:
> > On Sun, Apr 23, 2006 at 09:11:14AM -0500, Forrest Smith wrote:
> > > The folks on the Shorewall project have done all this for you:
> > > 
> > >   apt-get install shorewall
> > > 
> > > F.S
> > 
> > Does shorewall find and install the missing kernel modules, wherever 
> > they are?  Or does it just use iptables, whose docs say it tries to
> > load them (but it is evidently not succeeding).
> > 
> > I *have* the set of iptables commands I need.
> > They *used* to work.
> > They *don't* work now.
> > 
> > -- hendrik
> > 
> > 
> Here are the modules I load.  Pre-routing works on this box
> kernel is 2.6.8-3-686
> iptables is 1.2.11-10
> 
> /sbin/modprobe ip_tables 
> /sbin/modprobe ip_conntrack 
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_nat_irc
> /sbin/modprobe ip_nat_snmp_basic
> HTH
> C.

Thanks.  I'll start trying it out tomorrow (when I'm not tired and
suffering from insomnia).

-- hendrik





Re: port forwarding problem. Probably easy if you know how.

2006-04-23 Thread charles norwood
On Sun, 2006-04-23 at 14:56 -0400, [EMAIL PROTECTED] wrote:
> On Sun, Apr 23, 2006 at 09:11:14AM -0500, Forrest Smith wrote:
> > The folks on the Shorewall project have done all this for you:
> > 
> >   apt-get install shorewall
> > 
> > F.S
> 
> Does shorewall find and install the missing kernel modules, wherever 
> they are?  Or does it just use iptables, whose docs say it tries to
> load them (but it is evidently not succeeding).
> 
> I *have* the set of iptables commands I need.
> They *used* to work.
> They *don't* work now.
> 
> -- hendrik
> 
> 
Here are the modules I load.  Pre-routing works on this box
kernel is 2.6.8-3-686
iptables is 1.2.11-10

/sbin/modprobe ip_tables 
/sbin/modprobe ip_conntrack 
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_nat_snmp_basic
HTH
C.





Re: port forwarding problem. Probably easy if you know how.

2006-04-23 Thread Florian Kulzer
On Sun, Apr 23, 2006 at 14:56:13 -0400, [EMAIL PROTECTED] wrote:

[...]

> Does shorewall find and install the missing kernel modules, wherever 
> they are?  Or does it just use iptables, whose docs say it tries to
> load them (but it is evidently not succeeding).
> 
> I *have* the set of iptables commands I need.
> They *used* to work.
> They *don't* work now.

A brute-force approach to your problem would be to just modprobe every
single netfilter module that you have:

ls -1 /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter | grep '\.ko$' | sed 's/\.ko$//' | xargs -n 1 modprobe

If that works you could find the unused modules with lsmod and remove
them until you end up with only the ones which you really need. 

-- 
Regards,
  Florian





Re: port forwarding problem. Probably easy if you know how.

2006-04-23 Thread hendrik
On Sun, Apr 23, 2006 at 09:11:14AM -0500, Forrest Smith wrote:
> The folks on the Shorewall project have done all this for you:
> 
>   apt-get install shorewall
> 
> F.S

Does shorewall find and install the missing kernel modules, wherever 
they are?  Or does it just use iptables, whose docs say it tries to
load them (but it is evidently not succeeding).

I *have* the set of iptables commands I need.
They *used* to work.
They *don't* work now.

-- hendrik





Re: port forwarding problem. Probably easy if you know how.

2006-04-23 Thread Forrest Smith
The folks on the Shorewall project have done all this for you:

  apt-get install shorewall

F.S

On Sun, Apr 23, 2006 at 09:27:21AM -0400, [EMAIL PROTECTED] wrote:
> I'm running sarge on a vintage Pentium as a gateway machine for a home 
> network.
> 
> My machine was cracked last December and I reinstalled everything
> from scratch using a sarge netinstall CD. (I checked all scripts I 
> resurrected from the old system,  and recompiled all my *own* binaries 
> from original source code.  The script I mention below hasn't been 
> molested.)
> 
> I run the same script for port-forwarding and masquerading that I used 
> before the reinstall.
> 
> But it doesn't work.
> 
> Lines like
> 
> iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 \
>   -j DNAT --to-destination 172.25.1.5:27012 --verbose
> iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 \
>   -j DNAT --to-destination 172.25.1.5:27012 --verbose
> iptables -t nat -A POSTROUTING --protocol udp -s 172.25.1.5 --sport 27012 \
>   -j SNAT --to-source 216.138.195.194:27012 --verbose
> iptables -t nat -A POSTROUTING --protocol tcp -s 172.25.1.5 --sport 27012 \
>   -j SNAT --to-source 216.138.195.194:27012 --verbose
> 
> have no effect at all (as checked by iptables --list)
> 
> but the line
> 
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> 
> works like a charm.
> 
> I suspect there's probably a missing kernel module.  But which one?
> And where do I find it?  The docs for iptables say that it will attempt 
> to load any necessary modules, so I presume a simple modprobe isn't 
> enough.  Or else that it doesn't try hard enough.
> 
> -- hendrik
> 
> 

-- 
Hundreds of years in the future
  there could be computers
looking for life on earth

--Coldplay





port forwarding problem. Probably easy if you know how.

2006-04-23 Thread hendrik
I'm running sarge on a vintage Pentium as a gateway machine for a home 
network.

My machine was cracked last December and I reinstalled everything
from scratch using a sarge netinstall CD. (I checked all scripts I 
resurrected from the old system,  and recompiled all my *own* binaries 
from original source code.  The script I mention below hasn't been 
molested.)

I run the same script for port-forwarding and masquerading that I used 
before the reinstall.

But it doesn't work.

Lines like

iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 \
  -j DNAT --to-destination 172.25.1.5:27012 --verbose
iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 \
  -j DNAT --to-destination 172.25.1.5:27012 --verbose
iptables -t nat -A POSTROUTING --protocol udp -s 172.25.1.5 --sport 27012 \
  -j SNAT --to-source 216.138.195.194:27012 --verbose
iptables -t nat -A POSTROUTING --protocol tcp -s 172.25.1.5 --sport 27012 \
  -j SNAT --to-source 216.138.195.194:27012 --verbose

have no effect at all (as checked by iptables --list)

but the line

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

works like a charm.

I suspect there's probably a missing kernel module.  But which one?
And where do I find it?  The docs for iptables say that it will attempt 
to load any necessary modules, so I presume a simple modprobe isn't 
enough.  Or else that it doesn't try hard enough.

-- hendrik
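An added check for the situation described in this post (example code written for this archive, not posted by anyone in the thread). Two things are worth confirming on a gateway like this: which of the kernel modules the nat table depends on are actually loaded, and whether a rule really landed in the nat table after iptables returned. Note that `iptables --list` without `-t nat` shows only the filter table, so PREROUTING/POSTROUTING nat rules never appear there; the check below reads `iptables -t nat -S`. The module names ip_conntrack, ip_nat, iptable_nat and ipt_MASQUERADE are an assumption about a 2.6-era kernel; later kernels call them nf_conntrack and nf_nat. The lsmod and iptables output used in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): before applying DNAT/SNAT rules on a
# gateway, confirm the kernel modules they need are loaded, and afterwards
# confirm each rule actually landed in the nat table.  Module names are the
# 2.6-era iptables NAT stack (an assumption; newer kernels use nf_nat and
# nf_conntrack instead of ip_nat and ip_conntrack).

# missing_modules "LSMOD_OUTPUT" MODULE...  -> prints modules absent from lsmod
missing_modules() {
    lsmod_out=$1
    shift
    for m in "$@"; do
        # lsmod lists the module name in the first column
        if ! printf '%s\n' "$lsmod_out" | awk '{ print $1 }' | grep -qx -- "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# nat_rule_present "IPTABLES_S_OUTPUT" "RULE_FRAGMENT" -> 0 if any line of
# `iptables -t nat -S` contains the fragment verbatim, 1 otherwise
nat_rule_present() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# Live mode (needs root): run the checks against the real system.
if [ "${1:-}" = "--live" ]; then
    missing=$(missing_modules "$(lsmod)" ip_conntrack ip_nat iptable_nat ipt_MASQUERADE)
    if [ -n "$missing" ]; then
        echo "not loaded:"
        echo "$missing"
        echo "$missing" | xargs -n1 modprobe   # load each one by itself
    fi
    # Apply one rule from the thread, then prove it exists in the nat table.
    iptables -t nat -A PREROUTING -p tcp -d 216.138.195.194 --dport 27012 \
        -j DNAT --to-destination 172.25.1.5:27012
    if nat_rule_present "$(iptables -t nat -S PREROUTING)" \
            "--dport 27012 -j DNAT --to-destination 172.25.1.5:27012"; then
        echo "DNAT rule installed"
    else
        echo "DNAT rule missing: check dmesg for module load errors" >&2
    fi
fi
```

Run it as `sh nat-check.sh --live` on the gateway; without `--live` it only defines the two functions, so it can be sourced from a larger firewall script.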





Re: How to enable X port forwarding with ssh

2006-01-23 Thread Greg Norris
On Mon, Jan 23, 2006 at 05:25:39AM -0800, Leonid Grinberg wrote:
> Yeah, you need to enable it in /etc/ssh/sshd_config
> Then, use ssh -X host.domain -l username
> (note: it has to be enabled on both sides, and you actually have to
> have X on both sides.)

More specifically, you need to ensure that xauth (from the xbase-clients 
package) is installed on the ssh server.  It doesn't require a complete 
X installation.




Re: How to enable X port forwarding with ssh

2006-01-23 Thread Leonid Grinberg
Yeah, you need to enable it in /etc/ssh/sshd_config
Then, use ssh -X host.domain -l username
(note: it has to be enabled on both sides, and you actually have to
have X on both sides.)

On 1/23/06, Edward Shornock <[EMAIL PROTECTED]> wrote:
> On Mon, Jan 23, 2006 at 01:49:52AM +0100, Juraj Fedel wrote:
> > While using ssh on local network (actually qemu virtual machine)
> > I have hard time starting X application on virtual machine and
> > let it show window on host X window. Starting
> >
> > ssh -X
> >
> > does not help, nor does following content of ~/.ssh/config on local
> > computer make any difference:
> >
> > Host *
> > ForwardX11 yes
> >
> > In both cases I can see this message when passing -v option
> > debug1: Requesting X11 forwarding with authentication spoofing.
> > and when I try to start xclock I get error:
> >
> > Error: Can't open display:
> >
> > So how do I enable X port forwarding?
>
> Have you added
>   X11Forwarding yes
> to /etc/ssh/sshd_config, then restart the ssh service?  That works for
> me...
>
>



Re: How to enable X port forwarding with ssh

2006-01-23 Thread Edward Shornock
On Mon, Jan 23, 2006 at 01:49:52AM +0100, Juraj Fedel wrote:
> While using ssh on local network (actually qemu virtual machine)
> I have hard time starting X application on virtual machine and
> let it show window on host X window. Starting
> 
> ssh -X
> 
> does not help, nor does following content of ~/.ssh/config on local
> computer make any difference:
> 
> Host *
>   ForwardX11 yes
> 
> In both cases I can see this message when passing -v option
> debug1: Requesting X11 forwarding with authentication spoofing.
> and when I try to start xclock I get error:
> 
> Error: Can't open display:
> 
> So how do I enable X port forwarding?

Have you added
X11Forwarding yes
to /etc/ssh/sshd_config, then restart the ssh service?  That works for
me...




How to enable X port forwarding with ssh

2006-01-23 Thread Juraj Fedel
While using ssh on local network (actually qemu virtual machine)
I have hard time starting X application on virtual machine and
let it show window on host X window. Starting

ssh -X

does not help, nor does following content of ~/.ssh/config on local
computer make any difference:

Host *
ForwardX11 yes

In both cases I can see this message when passing -v option
debug1: Requesting X11 forwarding with authentication spoofing.
and when I try to start xclock I get error:

Error: Can't open display:

So how do I enable X port forwarding?
Juraj
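An added example for this thread (written for this archive, not by any of the posters): a small parser that reports the value sshd would use for a keyword in sshd_config, honouring the rule that the first occurrence of a keyword wins and that anything after a Match line is conditional, combined with the xauth requirement Greg Norris raises above. The sample configuration in the test is constructed; the path to xauth is whatever `command -v xauth` finds.

```shell
#!/bin/sh
# Added example (not from the thread): read the effective value of an
# sshd_config keyword the way sshd does (keywords are case-insensitive,
# comments and blank lines are skipped, and the FIRST occurrence wins),
# then check the two server-side prerequisites for X11 forwarding named in
# this thread: "X11Forwarding yes" and an xauth binary on the server.

# sshd_option "CONFIG_TEXT" keyword -> prints the effective value (empty if unset)
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == "match" { exit }     # settings below a Match line are conditional
        NF == 0 || $1 ~ /^#/ { next }       # skip blank and comment lines
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
    '
}

# x11_prereqs_ok "CONFIG_TEXT" PATH_TO_XAUTH -> 0 when both are satisfied
x11_prereqs_ok() {
    val=$(sshd_option "$1" X11Forwarding | tr 'A-Z' 'a-z')
    # sshd defaults X11Forwarding to no, so an unset keyword fails too
    [ "$val" = "yes" ] || return 1
    # xauth must exist on the server (xbase-clients on Debian of that era)
    [ -x "$2" ] || return 1
}

# Live mode: inspect the real configuration of this machine.
if [ "${1:-}" = "--live" ]; then
    if x11_prereqs_ok "$(cat /etc/ssh/sshd_config)" "$(command -v xauth)"; then
        echo "X11 forwarding prerequisites present"
    else
        echo "X11Forwarding is not yes, or xauth is missing" >&2
    fi
fi
```

The first-occurrence rule is why adding `X11Forwarding yes` at the end of a file that already says `X11Forwarding no` higher up changes nothing; the parser returns `no` for that case, just as sshd does.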





Re: Exim4 + port forwarding

2005-09-08 Thread Roel Schroeven

Kumar Appaiah wrote:
> On Thu, Sep 08, 2005 at 12:52:14PM +0200, Roel Schroeven wrote:
> > Kumar Appaiah wrote:
> > > On Wed, Sep 07, 2005 at 06:33:28AM -0700, James Vahn wrote:
> > > > Kumar Appaiah wrote:
> > > > > Dear list,
> > > > > I have been using fetchmail + procmail + exim4 to handle my mail. I
> > > > > have a setup by which certain messages are received by procmail, and a
> > > > > copy of some is forwarded to another address automatically.
> > > > > 
> > > > > Now, recently, due to excessive spread of viruses on the network due
> > > > > to a popular but highly vulnerable mail client on a popular but
> > > > > vulnerable OS (need I say more ;-), port 25 requests have been blocked
> > > > > for good! That means, exim can't forward my messages anymore.
> > > > 
> > > > By this I think you are saying that exim on localhost is connecting
> > > > to other servers directly instead of using a "smart host" - your ISP.
> > > > Relay your forwarded messages through him.
> > > 
> > > No, let me make it clear.
> > > 
> > > The problem is that all my requests to the smarthost's port 25 are
> > > blocked. So, I try to ssh to another computer, forward the port 25 of
> > > that SMTP server to port 10025 on my computer, and tell exim to use
> > > localhost and port 10025 as the smart host; but exim refuses to
> > > relay the mail through localhost, though it is actually a forwarded
> > > port.
> > 
> > The computer you ssh to is not blocked by the smarthost, I presume?
> > 
> > There's something strange in your explanation, and I'm not sure if it is
> > because I misunderstand you or because you did something wrong. You
> > should forward the SMTP's port to your computer, it should be the other
> > way around: forward port 10025 on your computer to port 25 on the SMTP
> > server:
> > 
> > ssh [EMAIL PROTECTED] -L 10025:smarthost:25
> 
> This is exactly what I am doing. Sorry if I didn't state it properly.
> 
> Now, how do I tell exim4 to relay my mail through localhost:10025?

OK, sorry, I misunderstood.

In that case, I can't help you other than with my other suggestion: 
configure exim to use the other computer as smarthost, if you can find a 
port that's not filtered by the firewall, and forward from there to port 
25 on the real smarthost.


--
If I have been able to see further, it was only because I stood
on the shoulders of giants.  -- Isaac Newton

Roel Schroeven






Re: Exim4 + port forwarding

2005-09-08 Thread James Vahn
Kumar Appaiah wrote:
> On Wed, Sep 07, 2005 at 06:54:38PM -0700, James Vahn wrote:
>> Meaning that this command does not produce a response?
>> telnet smarthost 25
> 
> Exactly.

So what happens if you run exim on another port, and then do your port
forwarding on that very same computer?

e-mail>25>100025>smarthost





Re: Exim4 + port forwarding

2005-09-08 Thread Kumar Appaiah
On Thu, Sep 08, 2005 at 12:52:14PM +0200, Roel Schroeven wrote:
> Kumar Appaiah wrote:
> 
> >On Wed, Sep 07, 2005 at 06:33:28AM -0700, James Vahn wrote:
> >
> >>Kumar Appaiah wrote:
> >>
> >>>Dear list,
> >>>I have been using fetchmail + procmail + exim4 to handle my mail. I
> >>>have a setup by which certain messages are received by procmail, and a
> >>>copy of some is forwarded to another address automatically.
> >>>
> >>>Now, recently, due to excessive spread of viruses on the network due
> >>>to a popular but highly vulnerable mail client on a popular but
> > >vulnerable OS (need I say more ;-), port 25 requests have been blocked
> >>>for good! That means, exim can't forward my messages anymore.
> >>
> >>By this I think you are saying that exim on localhost is connecting
> >>to other servers directly instead of using a "smart host" - your ISP.
> >>Relay your forwarded messages through him.
> >
> >
> >No, let me make it clear.
> >
> >The problem is that all my requests to the smarthost's port 25 are
> >blocked. So, I try to ssh to another computer, forward the port 25 of
> >that SMTP server to port 10025 on my computer, and tell exim to use
> >localhost and port 10025 as the smart host; but exim refuses to
> >relay the mail through localhost, though it is actually a forwarded
> >port.
> 
> The computer you ssh to is not blocked by the smarthost, I presume?
> 
> There's something strange in your explanation, and I'm not sure if it is 
> because I misunderstand you or because you did something wrong. You 
> should forward the SMTP's port to your computer, it should be the other 
> way around: forward port 10025 on your computer to port 25 on the SMTP 
> server:
> 
> ssh [EMAIL PROTECTED] -L 10025:smarthost:25
> 

This is exactly what I am doing. Sorry if I didn't state it properly.

Now, how do I tell exim4 to relay my mail through localhost:10025?

Thanks.

Kumar
-- 
Kumar Appaiah,
462, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036



Re: Exim4 + port forwarding

2005-09-08 Thread Roel Schroeven

Kumar Appaiah wrote:
> On Wed, Sep 07, 2005 at 06:33:28AM -0700, James Vahn wrote:
> > Kumar Appaiah wrote:
> > > Dear list,
> > > I have been using fetchmail + procmail + exim4 to handle my mail. I
> > > have a setup by which certain messages are received by procmail, and a
> > > copy of some is forwarded to another address automatically.
> > > 
> > > Now, recently, due to excessive spread of viruses on the network due
> > > to a popular but highly vulnerable mail client on a popular but
> > > vulnerable OS (need I say more ;-), port 25 requests have been blocked
> > > for good! That means, exim can't forward my messages anymore.
> > 
> > By this I think you are saying that exim on localhost is connecting
> > to other servers directly instead of using a "smart host" - your ISP.
> > Relay your forwarded messages through him.
> 
> No, let me make it clear.
> 
> The problem is that all my requests to the smarthost's port 25 are
> blocked. So, I try to ssh to another computer, forward the port 25 of
> that SMTP server to port 10025 on my computer, and tell exim to use
> localhost and port 10025 as the smart host; but exim refuses to
> relay the mail through localhost, though it is actually a forwarded
> port.

Can you connect to port 25 or 10025 on that remote computer you ssh to? 
If so, you can use that as smarthost in exim and instruct that computer 
to forward to the SMTP-server.


--
If I have been able to see further, it was only because I stood
on the shoulders of giants.  -- Isaac Newton

Roel Schroeven






Re: Exim4 + port forwarding

2005-09-08 Thread Roel Schroeven

Kumar Appaiah wrote:
> On Wed, Sep 07, 2005 at 06:33:28AM -0700, James Vahn wrote:
> > Kumar Appaiah wrote:
> > > Dear list,
> > > I have been using fetchmail + procmail + exim4 to handle my mail. I
> > > have a setup by which certain messages are received by procmail, and a
> > > copy of some is forwarded to another address automatically.
> > > 
> > > Now, recently, due to excessive spread of viruses on the network due
> > > to a popular but highly vulnerable mail client on a popular but
> > > vulnerable OS (need I say more ;-), port 25 requests have been blocked
> > > for good! That means, exim can't forward my messages anymore.
> > 
> > By this I think you are saying that exim on localhost is connecting
> > to other servers directly instead of using a "smart host" - your ISP.
> > Relay your forwarded messages through him.
> 
> No, let me make it clear.
> 
> The problem is that all my requests to the smarthost's port 25 are
> blocked. So, I try to ssh to another computer, forward the port 25 of
> that SMTP server to port 10025 on my computer, and tell exim to use
> localhost and port 10025 as the smart host; but exim refuses to
> relay the mail through localhost, though it is actually a forwarded
> port.

The computer you ssh to is not blocked by the smarthost, I presume?

There's something strange in your explanation, and I'm not sure if it is 
because I misunderstand you or because you did something wrong. You 
should forward the SMTP's port to your computer, it should be the other 
way around: forward port 10025 on your computer to port 25 on the SMTP 
server:

ssh [EMAIL PROTECTED] -L 10025:smarthost:25

--
If I have been able to see further, it was only because I stood
on the shoulders of giants.  -- Isaac Newton

Roel Schroeven






Re: Exim4 + port forwarding

2005-09-07 Thread Steve Lamb
Kumar Appaiah wrote:
> Thanks for patiently answering my query, hope it's clear now. Now, can
> you think of a solution?

How attached are you to Exim?  Personally when it comes to smarthost
relaying I found nullmailer to be a much better alternative.  Smaller,
specially designed to forward to a smart host, capable of handling different
ports and might just be willing to mail to the local machine.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
   PGP Key: 8B6E99C5   | main connection to the switchboard of souls.
---+-




Re: Exim4 + port forwarding

2005-09-07 Thread Steve Lamb
Kumar Appaiah wrote:
> On Wed, Sep 07, 2005 at 07:08:01PM -0700, Steve Lamb wrote:
>>Do you control that other machine?  What is preventing you from opening up
>>another port for Exim (presuming it is running Exim) to listen to?

> 1.I do not control the other machine.
> 2.How would making exim4 on my machine listen on another port help? It
> still doesn't want me to send relay messages to localhost (another
> port).

The second statement was a continuation of the first.  IE, "If you control
the remote machine what is preventing you from opening up another port for
Exim?"  I had the same problem and for a time configured Exim to listen to
port 2525 as well as 25.  But I controlled the remote machine and was able to
do so.


-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
   PGP Key: 8B6E99C5   | main connection to the switchboard of souls.
---+-





Re: Exim4 + port forwarding

2005-09-07 Thread Steve Lamb
James Vahn wrote:
> Meaning that this command does not produce a response?

James, you're way off base.  Look, his ISP has blocked him from outbound
port 25 connections.  He did not ever connect to his ISP's SMTP server.  He
does not want to connect to his ISP's SMTP server.  He wants to connect to
*his remote SMTP server* and is now blocked on port 25 from doing so.  Telling
him to use his ISP's server is not the answer.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
   PGP Key: 8B6E99C5   | main connection to the switchboard of souls.
---+-




Re: Exim4 + port forwarding

2005-09-07 Thread Kumar Appaiah
On Wed, Sep 07, 2005 at 06:54:38PM -0700, James Vahn wrote:
> Kumar Appaiah wrote:
> > The problem is that all my requests to the smarthost's port 25 are
> > blocked. 
> 
> Meaning that this command does not produce a response?
> 
> telnet smarthost 25

Exactly. But I have ssh access to another computer, where it does give
a response. So, I have forwarded mail.isp.com:25 using ssh to
localhost:10025.

> "smarthost" being something like "mail.isp.com" or (better) their IP
> address. Will they give you an MX address? Become your own "smarthost"
> and deliver directly, a leaf off of their domain.

Out of the question. I am behind a firewall which lets me do internal
ssh, and browse the 'net and do FTP via proxy.

> > So, I try to ssh to another computer, forward the port 25 of that SMTP
> > server to port 10025 on my computer, and tell exim to use localhost and
> > port 10025 as the smart host; but exim refuses to relay the mail
> > through localhost, though it is actually a forwarded port.
> 
> No no.. don't do that. I think you really want to forward 25 on yours to
> 25 on the other. What you have done is make your computer act as their
> server, and probably nothing is listening... Use telnet on 25 to see.

No! I have got mail.isp.com:25 to localhost:10025. So, *my* machine
has their mail server on port 10025. Now, all I want exim4 to do is
use localhost:10025 as the smart host, but it frowns at the word
*localhost*!

Thanks for patiently answering my query, hope it's clear now. Now, can
you think of a solution?

Thanks again.

Kumar

-- 
Kumar Appaiah,
462, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036




Re: Exim4 + port forwarding

2005-09-07 Thread Kumar Appaiah
On Wed, Sep 07, 2005 at 07:08:01PM -0700, Steve Lamb wrote:
> Kumar Appaiah wrote:
> > Because there is no SMTP server running there! The server runs SMTP on
> > port 25, which is blocked, and I have a connection to that port 25
> > through my machine's 10025 port.
> 
> Do you control that other machine?  What is preventing you from opening up
> another port for Exim (presuming it is running Exim) to listen to?

1. I do not control the other machine.
2. How would making exim4 on my machine listen on another port help? It
still doesn't want me to send relay messages to localhost (another
port).

Thanks.

Kumar


-- 
Kumar Appaiah,
462, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036




Re: Exim4 + port forwarding

2005-09-07 Thread James Vahn
Kumar Appaiah wrote:
> The problem is that all my requests to the smarthost's port 25 are
> blocked. 

Meaning that this command does not produce a response?

telnet smarthost 25

"smarthost" being something like "mail.isp.com" or (better) their IP
address. Will they give you an MX address? Become your own "smarthost"
and deliver directly, a leaf off of their domain.

> So, I try to ssh to another computer, forward the port 25 of that SMTP
> server to port 10025 on my computer, and tell exim to use localhost and
> port 10025 as the smart host; but exim refuses to relay the mail
> through localhost, though it is actually a forwarded port.

No no.. don't do that. I think you really want to forward 25 on yours to
25 on the other. What you have done is make your computer act as their
server, and probably nothing is listening... Use telnet on 25 to see.

You'd be better off using it as a smarthost. If you forward the port,
where would mail sent to [EMAIL PROTECTED] on both machines go? ;-)





Re: Exim4 + port forwarding

2005-09-07 Thread Steve Lamb
Kumar Appaiah wrote:
> Because there is no SMTP server running there! The server runs SMTP on
> port 25, which is blocked, and I have a connection to that port 25
> through my machine's 10025 port.

Do you control that other machine?  What is preventing you from opening up
another port for Exim (presuming it is running Exim) to listen to?

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
   PGP Key: 8B6E99C5   | main connection to the switchboard of souls.
---+-




Re: Exim4 + port forwarding

2005-09-07 Thread Kumar Appaiah
On Wed, Sep 07, 2005 at 09:28:49PM +0200, Laurent CARON wrote:
> Kumar Appaiah wrote:
> >The problem is that all my requests to the smarthost's port 25 are
> >blocked. So, I try to ssh to another computer, forward the port 25 of
> >that SMTP server to port 10025 on my computer, and tell exim to use
> >localhost and port 10025 as the smart host; but exim refuses to
> >relay the mail through localhost, though it is actually a forwarded
> >port.
>
> why not relaying directly to port 10025 of your other server?
> 

Because there is no SMTP server running there! The server runs SMTP on
port 25, which is blocked, and I have a connection to that port 25
through my machine's 10025 port.

Thanks.

Kumar
-- 
Kumar Appaiah,
462, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036




Re: Exim4 + port forwarding

2005-09-07 Thread Laurent CARON

Kumar Appaiah wrote:
> On Wed, Sep 07, 2005 at 06:33:28AM -0700, James Vahn wrote:
> > Kumar Appaiah wrote:
> > > Dear list,
> > > I have been using fetchmail + procmail + exim4 to handle my mail. I
> > > have a setup by which certain messages are received by procmail, and a
> > > copy of some is forwarded to another address automatically.
> > > 
> > > Now, recently, due to excessive spread of viruses on the network due
> > > to a popular but highly vulnerable mail client on a popular but
> > > vulnerable OS (need I say more ;-), port 25 requests have been blocked
> > > for good! That means, exim can't forward my messages anymore.
> > 
> > By this I think you are saying that exim on localhost is connecting
> > to other servers directly instead of using a "smart host" - your ISP.
> > Relay your forwarded messages through him.
> 
> No, let me make it clear.
> 
> The problem is that all my requests to the smarthost's port 25 are
> blocked. So, I try to ssh to another computer, forward the port 25 of
> that SMTP server to port 10025 on my computer, and tell exim to use
> localhost and port 10025 as the smart host; but exim refuses to
> relay the mail through localhost, though it is actually a forwarded
> port.
> 
> Any suggestion?
> 
> Thanks.
> 
> Kumar

why not relaying directly to port 10025 of your other server?

--
Your gospels, your bibles, your qurans, your torahs, your talmuds, your 
puranas, your avestas, your tantras are nothing but a heap of nonsense 
and lies that make the adventures of Oui-Oui look like masterpieces.

-+- Philippe Charon -+-






Re: Exim4 + port forwarding

2005-09-07 Thread Kumar Appaiah
On Wed, Sep 07, 2005 at 06:33:28AM -0700, James Vahn wrote:
> Kumar Appaiah wrote:
> > Dear list,
> > I have been using fetchmail + procmail + exim4 to handle my mail. I
> > have a setup by which certain messages are received by procmail, and a
> > copy of some is forwarded to another address automatically.
> > 
> > Now, recently, due to excessive spread of viruses on the network due
> > to a popular but highly vulnerable mail client on a popular but
> > vulnerable OS (need I say more ;-), port 25 requests have been blocked
> > for good! That means, exim can't forward my messages anymore.
> 
> By this I think you are saying that exim on localhost is connecting
> to other servers directly instead of using a "smart host" - your ISP.
> Relay your forwarded messages through him.

No, let me make it clear.

The problem is that all my requests to the smarthost's port 25 are
blocked. So, I try to ssh to another computer, forward the port 25 of
that SMTP server to port 10025 on my computer, and tell exim to use
localhost and port 10025 as the smart host; but exim refuses to
relay the mail through localhost, though it is actually a forwarded
port.

Any suggestion?

Thanks.

Kumar

-- 
Kumar Appaiah,
462, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036




Re: Exim4 + port forwarding

2005-09-07 Thread James Vahn
Kumar Appaiah wrote:
> Dear list,
> I have been using fetchmail + procmail + exim4 to handle my mail. I
> have a setup by which certain messages are received by procmail, and a
> copy of some is forwarded to another address automatically.
> 
> Now, recently, due to excessive spread of viruses on the network due
> to a popular but highly vulnerable mail client on a popular but
> vulnerable OS (need I say more ;-), port 25 requests have been blocked
> for good! That means, exim can't forward my messages anymore.

By this I think you are saying that exim on localhost is connecting
to other servers directly instead of using a "smart host" - your ISP.
Relay your forwarded messages through him.





Exim4 + port forwarding

2005-09-06 Thread Kumar Appaiah
Dear list,
I have been using fetchmail + procmail + exim4 to handle my mail. I
have a setup by which certain messages are received by procmail, and a
copy of some is forwarded to another address automatically.

Now, recently, due to excessive spread of viruses on the network due
to a popular but highly vulnerable mail client on a popular but
vulnerable OS (need I say more ;-), port 25 requests have been blocked
for good! That means, exim can't forward my messages anymore.

Now, I have access through SSH to a machine close to my SMTP server,
so I have managed to get sending work using port forwarding and
esmtp. However, if I try to tell exim to relay mail to a smarthost on
my own computer (on a port different from 25, of course), exim
complains that it won't send the messages to the same machine. How do
I tell exim4 that I am actually sending the mail to a different
computer through a port, and not trying to cheat it?

Thanks.

Kumar
-- 
Kumar Appaiah,
462, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036
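An added example for this thread (written for this archive, not by Kumar or any of the repliers): bring up the forward in a safer form, bound to 127.0.0.1 and with no remote shell, and verify that what answers on localhost:10025 greets with an SMTP 220 banner naming the smarthost before exim is pointed at it. relay.example, smarthost.example and the user name are placeholders, nc is assumed to be installed, and the banner line in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): bring up the local forward used in this
# thread and prove that what answers on localhost:10025 is really the
# smarthost's SMTP service, before pointing exim4 at it.  The host names
# relay.example and smarthost.example and the user name are placeholders.

RELAY=user@relay.example       # machine reachable over ssh that can reach port 25
SMARTHOST=smarthost.example    # the mail relay whose port 25 is filtered for us
LOCAL_PORT=10025

# Forward only on the loopback address, run no remote command (-N) and
# background ssh once the forward is up (-f).
start_tunnel() {
    ssh -f -N -L "127.0.0.1:${LOCAL_PORT}:${SMARTHOST}:25" "$RELAY"
}

# smtp_greeting HOST PORT -> prints the first line the server sends
smtp_greeting() {
    printf 'QUIT\r\n' | nc -w 5 "$1" "$2" | head -n 1
}

# smtp_banner_ok "LINE" -> 0 if LINE is an SMTP 220 service-ready greeting
smtp_banner_ok() {
    case $1 in
        "220 "*|220-*) return 0 ;;
        *) return 1 ;;
    esac
}

# host_from_banner "LINE" -> the name the server announces in its 220 line
host_from_banner() {
    smtp_banner_ok "$1" || return 1
    printf '%s\n' "$1" | awk '{ sub(/^220[- ]?/, ""); print $1 }'
}

# Live mode: open the tunnel and probe it.
if [ "${1:-}" = "--live" ]; then
    start_tunnel
    banner=$(smtp_greeting 127.0.0.1 "$LOCAL_PORT")
    if smtp_banner_ok "$banner"; then
        echo "tunnel OK, remote SMTP is $(host_from_banner "$banner")"
    else
        echo "no SMTP greeting on localhost:${LOCAL_PORT}: $banner" >&2
    fi
fi
```

Once the banner check passes, the exim side of the problem is a router setting rather than the tunnel: exim's generic router option `self` decides what to do when a host in the route list resolves to one of the machine's own addresses, and its default (`freeze`) is what produces the refusal Kumar describes; `self = send` on the smarthost router makes exim deliver to that host anyway. In Debian's update-exim4.conf.conf the port is written after a double colon, `dc_smarthost='localhost::10025'`, because a single colon separates list items. Which file of the split configuration carries the router in Kumar's exim version is not shown here.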




Re: Persistent port forwarding without ssh

2004-12-10 Thread Robert S
> You could use masquerading (iptables) on the debian machine to forward 
> some port
> on the debian machine to the server and then when you connect ssh to that 
> port
> the connection will be forwarded directly to the server.

That's the way I was hoping to do it.  As I have absolutely no experience 
with iptables, I'd be very grateful if somebody could spell out a command 
that would do this. 







Re: Persistent port forwarding without ssh

2004-12-09 Thread Harland Christofferson
At Thursday, 09 December 2004, Micha Feigin <[EMAIL PROTECTED]> 
wrote:

> At Thu, 9 Dec 2004 21:49:47 +1100,
> Robert S wrote:
> > 
> > I am wanting to set up a VPN using ssh between my office and my home Windows
> > PCs, using a debian box at the remote end.  The setup is as follows:
> > 
> > HOME (winxp)- - - -- - - - DEBIAN ----SERVER (win2K)
> > 
> > I have managed to connect (using vnc) to SERVER using PuTTY or ssh at the
> > home end thus:
> > 
> > 1. log into DEBIAN from HOME using Putty, forward remote port 5900 to local
> > port 5901
> > 2. forward port from SERVER to DEBIAN using "ssh -C -g -L 5900:server:5900
> > debian"
> > 3. connect vncviewer to local port 5901.
> > 
> 
> You could use masquerading (iptables) on the debian machine to forward some port
> on the debian machine to the server and then when you connect ssh to that port
> the connection will be forwarded directly to the server.
> 
> I think that there is also a way to automatically run a command on ssh
> connection. I remember something in a tutorial about setting up cvs with ssh to
> allow only running cvs on the server so that the users don't have complete
> control.
> 
> > All is fine with this setup.  If I do this with samba using port 139
> > however, it fails because I've disabled root ssh logins.
> > 
> > I'd like to set up the above setup where step 2 is replaced by a persistent
> > connection that doesn't require a second password entry.  In other words,
> > I'd like to forward a port on SERVER to a port on DEBIAN.  I don't want to
> > use a private key file because that would have to be located on DEBIAN, with
> > obvious security problems.  I assume that this would require something other
> > than ssh.
> > 
> 
> You could use the -R option with ssh to also forward ports in the reverse
> direction.
> 
> > Can you do this with iptables - if so - how?  stunnel does not seem to do
> > it - my syslog on DEBIAN indicates a connection, but nothing happens on the
> > HOME end.

Have you thought about openVPN? It was pretty easy to get up and 
running. 


http://www.zerocrossings.com/



Re: Persistent port forwarding without ssh

2004-12-09 Thread Micha Feigin
At Thu, 9 Dec 2004 21:49:47 +1100,
Robert S wrote:
> 
> I am wanting to set up a VPN using ssh between my office and my home Windows 
> PCs, using a debian box at the remote end.  The setup is as follows:
> 
> HOME (winxp)- - - -- - - - DEBIAN SERVER 
> (win2K)
> 
> I have managed to connect (using vnc) to SERVER using PuTTY or ssh at the 
> home end thus:
> 
> 1. log into DEBIAN from HOME using Putty, forward remote port 5900 to local 
> port 5901
> 2. forward port from SERVER to DEBIAN using "ssh -C -g -L 5900:server:5900 
> debian"
> 3. connect vncviewer to local port 5901.
> 

You could use masquerading (iptables) on the debian machine to forward some port
on the debian machine to the server and then when you connect ssh to that port
the connection will be forwarded directly to the server.

I think that there is also a way to automatically run a command on ssh
connection. I remember something in a tutorial about setting up cvs with ssh to
allow only running cvs on the server so that the users don't have complete
control.

> All is fine with this setup.  If I do this with samba using port 139 
> however, it fails because I've disabled root ssh logins.
> 
> I'd like to set up the above setup where step 2 is replaced by a persistent 
> connection that doesn't require a second password entry.  In other words, 
> I'd like to forward a port on SERVER to a port on DEBIAN.  I don't want to 
> use a private key file because that would have to be located on DEBIAN, with 
> obvious security problems.  I assume that this would require something other 
> than ssh.
> 

You could use the -R option with ssh to also forward ports in the reverse
direction.

> Can you do this with iptables - if so - how?  stunnel does not seem to do 
> it - my syslog on DEBIAN indicates a connection, but nothing happens on the 
> HOME end. 
> 





Re: Persistent port forwarding without ssh

2004-12-09 Thread Gregory Seidman
On Thu, Dec 09, 2004 at 09:49:47PM +1100, Robert S wrote:
} I am wanting to set up a VPN using ssh between my office and my home Windows 
} PCs, using a debian box at the remote end.  The setup is as follows:
} 
} HOME (winxp)- - - -- - - - DEBIAN SERVER 
} (win2K)
} 
} I have managed to connect (using vnc) to SERVER using PuTTY or ssh at the 
} home end thus:
} 
} 1. log into DEBIAN from HOME using Putty, forward remote port 5900 to local 
} port 5901
} 2. forward port from SERVER to DEBIAN using "ssh -C -g -L 5900:server:5900 
} debian"
} 3. connect vncviewer to local port 5901.
} 
} All is fine with this setup.  If I do this with samba using port 139 
} however, it fails because I've disabled root ssh logins.
} 
} I'd like to set up the above setup where step 2 is replaced by a persistent 
} connection that doesn't require a second password entry.  In other words, 
} I'd like to forward a port on SERVER to a port on DEBIAN.  I don't want to 
} use a private key file because that would have to be located on DEBIAN, with 
} obvious security problems.  I assume that this would require something other 
} than ssh.
} 
} Can you do this with iptables - if so - how?  stunnel does not seem to do 
} it - my syslog on DEBIAN indicates a connection, but nothing happens on the 
} HOME end. 

I'd do it with socket (not the system call, but the program; apt-get
install socket). Replace step 2 with an init script that runs at startup
and contains:

#!/bin/sh

socket -blsfq -B 127.0.0.1 -p "socket -q DEBIAN 5900" 5900

See the socket(1) man page for details on what that command does. Roughly
speaking, it listens on port 5900 on localhost (only localhost, so only
programs running on the server, e.g. sshd, can connect to it) and, when it
gets a connection, forks off a forwarded connection to the Debian box.

--Greg


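What the socket(1) command above does, written out in Python as an added example. This is not Greg's code and not the socket program itself; the echo server in it is a constructed stand-in for the VNC service on the Debian box, and the ("DEBIAN", 5900) target named in the comments is assumed. The part worth keeping is the bind address: Relay() listens on 127.0.0.1 by default, the equivalent of -B 127.0.0.1, so only processes on the server (sshd servicing the -L forward, in Robert's setup) can reach the listener and the forwarded port never appears on a network-facing interface.

```python
import socket
import threading

def pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, target):
    """One accepted client: connect upstream and pump both directions until done."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()  # upstream unreachable: drop this client, keep listening
        return
    upstream.settimeout(None)
    up = threading.Thread(target=pipe, args=(client, upstream), daemon=True)
    down = threading.Thread(target=pipe, args=(upstream, client), daemon=True)
    up.start(); down.start(); up.join(); down.join()
    client.close(); upstream.close()

def listen(host, port):
    """Bound, listening TCP socket; port 0 lets the kernel pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    return s

def accept_loop(listener, on_conn):
    """Accept until the listener is closed; every connection gets its own thread."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        threading.Thread(target=on_conn, args=(conn,), daemon=True).start()

class Relay:
    """Persistent forwarder. bind_host defaults to 127.0.0.1 (socket's -B 127.0.0.1):
    only local processes, e.g. sshd servicing a -L forward, can reach it."""
    def __init__(self, target, bind_host="127.0.0.1", bind_port=0):
        self.target = target
        self.listener = listen(bind_host, bind_port)
        self.host, self.port = self.listener.getsockname()[:2]

    def start(self):
        threading.Thread(target=accept_loop,
                         args=(self.listener, lambda c: handle(c, self.target)),
                         daemon=True).start()
        return self.port

    def stop(self):
        try:
            self.listener.shutdown(socket.SHUT_RDWR)  # wake the blocked accept()
        except OSError:
            pass
        self.listener.close()

def start_echo_server():
    """Constructed stand-in for the VNC server on DEBIAN: echoes bytes back."""
    srv = listen("127.0.0.1", 0)
    threading.Thread(target=accept_loop, args=(srv, lambda c: pipe(c, c)),
                     daemon=True).start()
    return srv, srv.getsockname()[1]

def roundtrip(payload):
    """Push payload through relay -> echo server and return what comes back."""
    echo, echo_port = start_echo_server()
    relay = Relay(("127.0.0.1", echo_port))
    port = relay.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            return c.makefile("rb").read()  # read until the relay half-closes
    finally:
        relay.stop(); echo.close()

if __name__ == "__main__":
    # Real use (assumed host name): Relay(("DEBIAN", 5900), bind_port=5900).start()
    # and keep the process alive, e.g. from the init script Greg describes.
    print(roundtrip(b"RFB 003.008\n"))
```

Run as a script it pushes one message through relay and echo server on a single machine and prints it back. Whatever reaches the listener is forwarded with no authentication of its own, which is why the bind address matters: leaving it on 127.0.0.1 keeps the VNC port reachable only through sshd, while binding to 0.0.0.0 would expose port 5900 to every host that can reach the server.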



Persistent port forwarding without ssh

2004-12-09 Thread Robert S
I am wanting to set up a VPN using ssh between my office and my home Windows 
PCs, using a debian box at the remote end.  The setup is as follows:

HOME (winxp)- - - -- - - - DEBIAN SERVER (win2K)

I have managed to connect (using vnc) to SERVER using PuTTY or ssh at the 
home end thus:

1. log into DEBIAN from HOME using Putty, forward remote port 5900 to local 
port 5901
2. forward port from SERVER to DEBIAN using "ssh -C -g -L 5900:server:5900 
debian"
3. connect vncviewer to local port 5901.

All is fine with this setup.  If I do this with samba using port 139 
however, it fails because I've disabled root ssh logins.

I'd like to set up the above setup where step 2 is replaced by a persistent 
connection that doesn't require a second password entry.  In other words, 
I'd like to forward a port on SERVER to a port on DEBIAN.  I don't want to 
use a private key file because that would have to be located on DEBIAN, with 
obvious security problems.  I assume that this would require something other 
than ssh.

Can you do this with iptables - if so - how?  stunnel does not seem to do 
it - my syslog on DEBIAN indicates a connection, but nothing happens on the 
HOME end. 







Re: ssh port forwarding errors

2004-12-06 Thread Allene . Lester

Allene Lester
Sun Certified System Administrator (Solaris 8 OE)
Operating Systems Programmer (TSDC UNIX)
Federal Reserve Information Technology
214-922-6436
[EMAIL PROTECTED]

Re: need iptables port forwarding help! (solved)

2004-09-06 Thread Tom Vier
ok, i solved it. 8)

here's the script i'm using. thanks for everyone's help.

-- 
Tom Vier <[EMAIL PROTECTED]>
DSA Key ID 0x15741ECE


script:

#!/bin/bash

INTFWIP="10.86.79.10"
INTIF="eth0"
EXTIF="eth1"

# External port to expose. The value in the original post was lost in the
# archive, so this is a placeholder that must be set before use.
EXTPORT="${EXTPORT:?set EXTPORT to the external port to forward}"

# Pull the external interface's address out of old-style ifconfig output:
# skip the line naming the interface, then take the "inet addr:" field of
# the line that follows it.
EXTIP="$(ifconfig $EXTIF | awk /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}')"

#echo $EXTIP; exit 0

case "$1" in
start)
    # Rewrite traffic arriving on the external address/port to the internal sshd ...
    iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport $EXTPORT -j DNAT --to-destination $INTFWIP:22
    # ... and allow the translated packets to cross from the external to the internal interface
    iptables -I FORWARD 1 -i $EXTIF -o $INTIF -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ;;
stop)
    iptables -t nat -D PREROUTING -p tcp -d $EXTIP --dport $EXTPORT -j DNAT --to-destination $INTFWIP:22
    iptables -D FORWARD -i $EXTIF -o $INTIF -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    exit 1
    ;;
esac





Re: need iptables port forwarding help!

2004-09-06 Thread Mike Fedyk
Tom Vier wrote:
> On Mon, Sep 06, 2004 at 01:43:36PM -0700, Mike Fedyk wrote:
>> Did you copy the appropriate files to /etc/shorewall?
>> What changes did you make?
>> did "shorewall restart" give any errors?
>
> no errors. here's a tarball of my config. i didn't add the stuff for dnat.
> thanks for the help.

First of all before I even look at the contents of the files, gunzip the
masq.gz file in /etc/shorewall.



