Peter A. Castro wrote:
> Dear users of Masquerading under Linux,
> I have a problem/question which I haven't been able to find a solution
> to yet. Well, that's not quite correct. I could write a masq helper
> module to perform this, but I felt there must be a way of doing this
> already, so before I start coding, I wanted to see if there is a solution
> I'm overlooking first.
> The problem has to do with masquerading privileged ports. Specifically
> I'd like to be able to masq, for example, rlogin or rsh (outbound only).
> Now, before people start beating on me about security and all that, I
> want to say that I fully understand the risks in doing this and I still
> want to do it anyway.
> My setup is typical. A bunch of clients sitting behind a firewall
> going to outside/internet machines. The outside machines only ever see
> the IP for the firewall and the sessions are handled via masquerading.
> Using services such as telnet, ftp and http all work quite well. I have
> filters installed and tested (using ipchains) and proxy services for
> things like email, DNS and other inbound services. Everything works
> great, as long as the client uses an unprivileged port to start from and
> the destination service doesn't care (i.e.: doesn't require the source port
> to be in a privileged port range).
> Using rlogin actually gets to the outside host, but the problem is that
> the masq'd port is no longer in the privileged port range required for
> remote login services. The masq entry looks like this when the
> connection is first established:
>
> % ipchains -n -M -L
> IP masquerading entries
> prot expire source destination ports
> TCP 01:55.57 192.168.1.250 209.133.56.26 1022 (63139) -> 513
>
> As you can see, the original source port from the client is 1022, but the
> masq'ed port is now 63139. The remote shell daemon will see that the
> source port is not in the privileged port range and drop the connection.
>
> I have a custom built kernel (2.2.18) with all the various Masq,
> firewall and routing options built in. As far as I can tell there isn't
> any way of telling the masq code to restrict the masq'ed out bound port
> to a certain range.
> Has anyone found a masquerading solution for this?
> Thanks!
>
> --
> Peter A. Castro <[EMAIL PROTECTED]> or <[EMAIL PROTECTED]>
if you really, really, really want this (and remember, you'd
be the only person in the entire world that does) you'll
have to write a masq module (or install openssh and symlink
rsh/rlogin to it - sorry, i couldn't help it).
you could try switching to linux-2.4 and iptables. it
mangles packets as little as possible so it's quite possible
that a masqueraded connection using privileged ports will
stay privileged when masqueraded (i.e. it only changes the
src ip address and not the src port, if that port isn't part
of an existing connection to the same destination port on
the same external host).
raf
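As an added illustration (not code from either poster), the script below parses the `ipchains -n -M -L` table quoted above and flags r-service sessions whose privileged client port was rewritten out of range by masquerading, which is exactly the case the 1022 -> 63139 entry shows. The function names are mine, and the second table row is a constructed telnet entry added for contrast.

```python
import re

# The BSD r-services (rexec, rlogin, rsh) refuse clients whose source port
# is not below 1024; that is the check the post says the remote daemon applies.
PRIVILEGED_PORT_MAX = 1024
R_SERVICE_PORTS = {512: "exec", 513: "login", 514: "shell"}

# One `ipchains -n -M -L` entry per line, e.g.:
#   TCP 01:55.57 192.168.1.250 209.133.56.26 1022 (63139) -> 513
ENTRY_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<expire>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+\((?P<mport>\d+)\)\s+->\s+(?P<dport>\d+)\s*$"
)

def parse_masq_table(text):
    """Return one dict per masquerading entry; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # "IP masquerading entries" / column header lines
        d = m.groupdict()
        for key in ("sport", "mport", "dport"):
            d[key] = int(d[key])
        entries.append(d)
    return entries

def broken_privileged_sessions(entries):
    """Entries bound for an r-service where the client used a privileged
    source port but masquerading rewrote it to an unprivileged one."""
    return [
        e for e in entries
        if e["proto"] == "TCP"
        and e["dport"] in R_SERVICE_PORTS
        and e["sport"] < PRIVILEGED_PORT_MAX
        and e["mport"] >= PRIVILEGED_PORT_MAX
    ]

# Constructed sample: the entry quoted in the post plus a telnet session
# (second row invented here) that the port rewrite does not affect.
SAMPLE = """IP masquerading entries
prot expire source destination ports
TCP 01:55.57 192.168.1.250 209.133.56.26 1022 (63139) -> 513
TCP 00:10.00 192.168.1.251 209.133.56.26 34567 (61000) -> 23
"""

if __name__ == "__main__":
    for e in broken_privileged_sessions(parse_masq_table(SAMPLE)):
        print("%s -> %s:%d (%s): port %d masqueraded to %d; remote will refuse"
              % (e["src"], e["dst"], e["dport"], R_SERVICE_PORTS[e["dport"]],
                 e["sport"], e["mport"]))
```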
Masq maillist - [EMAIL PROTECTED]