Dear users of Masquerading under Linux,
I have a problem/question which I haven't been able to find a solution
to yet. Well, that's not quite correct. I could write a masq helper
module to perform this, but I felt there must be a way of doing this
already, so before I start coding, I wanted to see if there is a solution
I'm overlooking first.
The problem has to do with masquerading privileged ports. Specifically
I'd like to be able to masq, for example, rlogin or rsh (outbound only).
Now, before people start beating on me about security and all that, I
want to say that I fully understand the risks in doing this and I still
want to do it anyway.
My setup is typical. A bunch of clients sitting behind a firewall
going to outside/internet machines. The outside machines only ever see
the IP for the firewall and the sessions are handled via masquerading.
Using services such as telnet, ftp and http all work quite well. I have
filters installed and tested (using ipchains) and proxy services for
things like email, DNS and other inbound services. Everything works
great, as long as the client uses an unprivileged port to start from and
the destination service doesn't care (ie: doesn't require the source port
to be in a privileged port range).
Using rlogin actually gets to the outside host, but the problem is that
the masq'd port is no longer in the privileged port range required for
remote login services. The masq entry looks like this when the
connection is first established:
% ipchains -n -M -L
IP masquerading entries
prot expire source destination ports
TCP 01:55.57 192.168.1.250 209.133.56.26 1022 (63139) -> 513
As you can see, the original source port from the client is 1022, but the
masq'ed port is now 63139. The remote shell daemon will see that the
source port is not in the privileged port range and drop the connection.
I have a custom built kernel (2.2.18) with all the various Masq,
firewall and routing options built in. As far as I can tell there isn't
any way of telling the masq code to restrict the masq'ed outbound port
to a certain range.
Has anyone found a masquerading solution for this?
Thanks!
--
Peter A. Castro <[EMAIL PROTECTED]> or <[EMAIL PROTECTED]>
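A small audit check for the situation described in this post, added here as an illustration and not part of the original message: it parses the table printed by `ipchains -n -M -L` and flags sessions whose client source port was privileged (below 1024) but whose masqueraded port is not, which is exactly why the remote r-service daemon drops the connection. The sample table is constructed (its first row copies the one in the post), and the port-to-name map uses the standard exec/login/shell assignments for the r-services.

```python
import re
from typing import Dict, List

PRIVILEGED_MAX = 1023                                        # ports 0-1023 are "privileged"
R_SERVICE_PORTS = {512: "exec", 513: "login", 514: "shell"}  # rsh/rlogin daemons

# Constructed sample in the layout of `ipchains -n -M -L` (first entry mirrors the post).
SAMPLE_OUTPUT = """\
IP masquerading entries
prot expire source destination ports
TCP 01:55.57 192.168.1.250 209.133.56.26 1022 (63139) -> 513
TCP 03:12.00 192.168.1.17 198.51.100.9 34567 (61002) -> 80
"""

# One masq entry: proto, expiry, src, dst, orig sport, (masq port) -> dport
ENTRY_RE = re.compile(
    r"^(?P<prot>\w+)\s+(?P<expire>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+\((?P<mport>\d+)\)\s+->\s+(?P<dport>\d+)\s*$"
)


def parse_masq_table(text: str) -> List[Dict[str, object]]:
    """Return one dict per masquerading entry; header lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        d: Dict[str, object] = m.groupdict()
        for key in ("sport", "mport", "dport"):
            d[key] = int(d[key])
        entries.append(d)
    return entries


def privileged_port_mismatches(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Entries whose client source port was privileged but whose masqueraded port
    is not. An r-service daemon on the destination will reject these sessions."""
    flagged = []
    for e in entries:
        if e["sport"] <= PRIVILEGED_MAX < e["mport"]:
            flagged.append(dict(e, service=R_SERVICE_PORTS.get(e["dport"], "other")))
    return flagged


if __name__ == "__main__":
    for e in privileged_port_mismatches(parse_masq_table(SAMPLE_OUTPUT)):
        print(f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} ({e['service']}) "
              f"masqueraded as port {e['mport']}: outside the privileged range")
```

Run it against real `ipchains -n -M -L` output on a 2.2 masquerading gateway to see which sessions lost their privileged source port in translation.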