Re: port forwarding without using ssh

2010-09-13 Thread Zhang Weiwu
Hi.

On 2009-11-12 07:53, green wrote:
 Zhang Weiwu wrote at 2009-11-10 20:36 -0600:
   
 Hello. I have a remote server inside a remote office covered by NAT
 masquerade where port forwarding not possible, and a local server in my
 local office not covered by NAT masquerade. In order to access the
 remote office and hosts in that office, I do this:

 On remote office server, in a screen session I run
 $ ssh -R   local_server

 On my own office, I try to connect to mapped ports on local_server.

 The problem of this solution is security. I do not want to grant shell
 access of local_server to remote_server. What would you recommend me to
 do in this case? I could try to limit access of the account used by
 remote server ssh -R, but should I?
 
 You might want to check out apf-server and apf-client packages.  I use these to 
 provide access between masqueraded systems using an intermediary system.  
 Server runs on the intermediary and client on the system to be connected to.  
 System connected _from_ connects to client through a port on the server.
   
Thank you! Now that I tried it, the apf-client package proved very useful
in my case. I followed your advice almost a year later because I was too
busy with daily business and kept your email as marked for personal
todo for a year or so.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4c8dd155.3040...@realss.com



Re: port forwarding without using ssh

2010-09-13 Thread green
Zhang Weiwu wrote at 2010-09-13 02:23 -0500:
 Thank you! Now that I tried it, te apf-client package proved very useful
 in my case. I followed your advice almost a year later because I was too
 busy with daily business and kept your email as marked for personal
 todo for a year or so.

Excellent!  Now we can await global ipv6 as a better solution.




Re: port forwarding without using ssh

2009-11-11 Thread Mr. Wang Long
On Wed, Nov 11, 2009 at 10:36, Zhang Weiwu zhangwe...@realss.com wrote:
 Hello. I have a remote server inside a remote office covered by NAT
 masquerade where port forwarding not possible, and a local server in my
 local office not covered by NAT masquerade. In order to access the
 remote office and hosts in that office, I do this:

 On remote office server, in a screen session I run
 $ ssh -R   local_server
You may want to run ``$ ssh -N -R  _local_server'' instead.
Please refer to the manpage for further details.


 On my own office, I try to connect to mapped ports on local_server.

 The problem of this solution is security. I do not want to grant shell
 access of local_server to remote_server. What would you recommend me to
 do in this case? I could try to limit access of the account used by
 remote server ssh -R, but should I?


Regards,
Wang Long





Re: port forwarding without using ssh

2009-11-11 Thread Todd A. Jacobs
On Wed, Nov 11, 2009 at 10:36:20AM +0800, Zhang Weiwu wrote:

 The problem of this solution is security. I do not want to grant shell
 access of local_server to remote_server. What would you recommend me
 to do in this case? I could try to limit access of the account used by
 remote server ssh -R, but should I?

You don't have to grant the remote server shell access if you don't want
to. You can use the port-forward feature of ssh to just create ports
without a shell with the -fN flag.

Also, the -R and -L flags look the same, but define which end the
traffic originates from. So, it's hard to say if you're using -R
correctly, or if you should be using -L instead.

This is untested, but should work to tunnel SMTP from localserver to
remoteserver when the connection is opened from the remoteserver side:

remoteserver$ ssh -fN -R25:localhost:25 localserver

To make it work securely, though, you need to do a few more things.

1. Add the no-pty option to your authorized_keys file so that no
   shell is allowed for that key.

2. See whether you can limit the forwarded ports with permitopen
   in authorized_keys. This may or may not work with -R; the man
   page says it's for -L only.

3. Consider creating a non-root user for ports that don't require
   binding to privileged ports. For example, you could tunnel git on
   port 9418 as some other user rather than root.

If you want a real SSH-based VPN, and are willing to pay the encryption
overhead, you can investigate SSH + TUN forwardings. See these articles
as a starting point:

http://www.debian-administration.org/articles/539
https://help.ubuntu.com/community/SSH_VPN
http://www.gentoo-wiki.info/HOWTO_VPN_over_SSH_and_tun

Hope that helps.

-- 
Oh, look: rocks!
-- Doctor Who, Destiny of the Daleks



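As an added example (not from this thread and not OpenSSH's own code), the Python script below audits an authorized_keys file for the tunnel-only setup Todd describes, and encodes two caveats a practitioner would want on top of his list: `no-pty` by itself still lets the key holder run `ssh local_server some-command`, because only a forced `command=` option stops command execution, and on OpenSSH 7.8 or later `permitlisten` is the option that scopes `-R` listeners the way `permitopen` scopes `-L`. The sample file, its key blobs and its comments are constructed placeholders, not real keys.

```python
"""Audit an OpenSSH authorized_keys file for keys that should only carry a
reverse tunnel (ssh -N -R) but still allow a shell, a PTY or command exec.
Added example for this thread; sample entries and key blobs are placeholders."""
import re

# Key types OpenSSH accepts; an entry starts with one of these or with options.
KEY_TYPE = re.compile(
    r"^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$")

def parse_options(text):
    """Parse the comma-separated options field into {name: [values]}.
    Values are double-quoted and may hold commas, spaces and backslash-quotes."""
    opts, i, n = {}, 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in ",=":
            j += 1
        name = text[i:j].lower()
        if j < n and text[j] == "=":
            if j + 1 >= n or text[j + 1] != '"':
                raise ValueError("unquoted option value in %r" % text)
            k, val = j + 2, []
            while k < n and text[k] != '"':
                if text[k] == "\\" and k + 1 < n and text[k + 1] == '"':
                    val.append('"')
                    k += 2
                else:
                    val.append(text[k])
                    k += 1
            opts.setdefault(name, []).append("".join(val))
            i = k + 1
        else:
            opts.setdefault(name, []).append(True)
            i = j
        if i < n and text[i] == ",":
            i += 1
    return opts

def split_entry(line):
    """Return (options, keytype, key, comment); like sshd, an options field is
    present only when the first token is not a key type, and it ends at the
    first whitespace outside double quotes."""
    line = line.strip()
    if KEY_TYPE.match(line.split(None, 1)[0]):
        opts_text, rest = "", line
    else:
        i, quoted = 0, False
        while i < len(line):
            c = line[i]
            if quoted and c == "\\":
                i += 2
                continue
            if c == '"':
                quoted = not quoted
            elif c.isspace() and not quoted:
                break
            i += 1
        opts_text, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not KEY_TYPE.match(parts[0]):
        raise ValueError("not an authorized_keys entry: %r" % line)
    comment = parts[2] if len(parts) == 3 else ""
    return parse_options(opts_text), parts[0], parts[1], comment

def capabilities(opts):
    """What a client authenticating with this key can still do."""
    restricted = "restrict" in opts
    return {
        # Only a forced command stops `ssh host anycommand`; no-pty and
        # restrict on their own merely deny a terminal.
        "exec": "command" not in opts,
        "pty": not (restricted or "no-pty" in opts),
        "port_forwarding": "no-port-forwarding" not in opts
        and (not restricted or "port-forwarding" in opts),
        "listen_limited": "permitlisten" in opts,  # scopes -R (OpenSSH >= 7.8)
        "open_limited": "permitopen" in opts,      # scopes -L only
    }

def tunnel_only(caps):
    """True when the key can open its -R listener and nothing else."""
    return (not caps["exec"] and not caps["pty"]
            and caps["port_forwarding"] and caps["listen_limited"])

def audit(text):
    """One report entry per key line, skipping blanks and comments."""
    report = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, ktype, _blob, comment = split_entry(raw)
        caps = capabilities(opts)
        report.append({"comment": comment, "type": ktype, "caps": caps,
                       "tunnel_only": tunnel_only(caps)})
    return report

# Constructed sample: an ordinary admin key, the "just add no-pty" variant,
# and a properly restricted entry for `ssh -N -R 2525:localhost:25 local_server`.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial00000000000000000000 admin@laptop
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderRsaKeyMaterial000000000 tunnel-oldstyle
restrict,port-forwarding,permitlisten="localhost:2525",command="/bin/echo tunnel only, no shell" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial11111111111111111111 tunnel@remoteoffice
"""

if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS):
        print("tunnel-only" if e["tunnel_only"] else "TOO PERMISSIVE", e["comment"], e["caps"])
```

Run it against the real file with `audit(open("/home/tunnel/.ssh/authorized_keys").read())`; the third sample entry is the shape to aim for on the intermediary: the forced command never runs when the client connects with `-N`, `restrict` removes PTY, agent and X11 forwarding, and `permitlisten` pins the listener to the one port the reverse tunnel needs.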


Re: port forwarding without using ssh

2009-11-11 Thread green
Zhang Weiwu wrote at 2009-11-10 20:36 -0600:
 Hello. I have a remote server inside a remote office covered by NAT
 masquerade where port forwarding not possible, and a local server in my
 local office not covered by NAT masquerade. In order to access the
 remote office and hosts in that office, I do this:
 
 On remote office server, in a screen session I run
 $ ssh -R   local_server
 
 On my own office, I try to connect to mapped ports on local_server.
 
 The problem of this solution is security. I do not want to grant shell
 access of local_server to remote_server. What would you recommend me to
 do in this case? I could try to limit access of the account used by
 remote server ssh -R, but should I?

You might want to check out apf-server and apf-client packages.  I use these to 
provide access between masqueraded systems using an intermediary system.  
Server runs on the intermediary and client on the system to be connected to.  
System connected _from_ connects to client through a port on the server.




Re: port forwarding without using ssh

2009-11-10 Thread Alex Samad
On Wed, Nov 11, 2009 at 10:36:20AM +0800, Zhang Weiwu wrote:
 Hello. I have a remote server inside a remote office covered by NAT
 masquerade where port forwarding not possible, and a local server in my
 local office not covered by NAT masquerade. In order to access the
 remote office and hosts in that office, I do this:
 
 On remote office server, in a screen session I run
 $ ssh -R   local_server
 
 On my own office, I try to connect to mapped ports on local_server.
 
 The problem of this solution is security. I do not want to grant shell
 access of local_server to remote_server. What would you recommend me to
 do in this case? I could try to limit access of the account used by
 remote server ssh -R, but should I?

have you thought about openvpn and iptables ?

 
 

-- 
A tax cut is really one of the anecdotes to coming out of an economic illness.

- George W. Bush
09/18/2000
The Edge With Paula Zahn




Re: port forwarding without using ssh

2009-11-10 Thread Zhang Weiwu
Alex Samad wrote:
 On Wed, Nov 11, 2009 at 10:36:20AM +0800, Zhang Weiwu wrote:
   
 The problem of this solution is security. I do not want to grant shell
 access of local_server to remote_server. What would you recommend me to
 do in this case? I could try to limit access of the account used by
 remote server ssh -R, but should I?
 

 have you thought about openvpn and iptables?
   
I am a clueless guy in regarding to both. Would be better if you are
more specific which feature of the two software are useful, then I can
be more specific when RTFM. Knowing it is possible with certain
technology makes better use of time as I have too much pressure at the
time to deal with all problems that try to make best use of learning
time.. Sorry...





Re: port forwarding

2008-12-26 Thread Murat Demirten
Since NAT is being done here, the rules need to go into the NAT table.

There is also no need to ACCEPT that port separately in the INPUT chain, so
you can set up the traffic redirection with a single command like the one below:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.74.128:80

Of course the network topology between you and Virtualbox also matters: in
Virtualbox the host interface must be selected, and you must be able to reach
the IP address 172.16.74.128 from your server.


On Friday, 26 December 2008 at 11:45, Su Kaya ozmen...@gmail.com wrote:

 Hello,

 I have a server running Debian lenny. On the physical server, virtual
 machines are running under vmware. The machines reach the internet through
 NAT.

 What I am trying to do is forward requests arriving on port 80 of eth0, the
 physical machine's internet-facing interface, to port 80 of the virtual
 machine with IP 172.16.74.128, which sits on the vmnet8 interface that the
 virtual machines are attached to.

 To give some detail: iptables is present on the system. To accomplish this I
 run the commands

 iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.9:80

 iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

 and with

 iptables -L
 
 Chain INPUT (policy ACCEPT)
 target prot opt source   destination
 ACCEPT tcp  --  anywhere anywheretcp dpt:www

 Chain FORWARD (policy ACCEPT)
 target prot opt source   destination
 ACCEPT tcp  --  anywhere 172.16.74.128   tcp dpt:www
 ACCEPT tcp  --  anywhere 172.16.74.128   tcp dpt:www

 Chain OUTPUT (policy ACCEPT)
 target prot opt source   destination

 I get the output above, but I have not managed to get the redirection
 working at all.

 What am I doing wrong or leaving out?

 thanks




-- 
Murat Demirten
General Manager
Yenihayat Bilişim Teknolojileri A.Ş.
http://www.yh.com.tr
(212) 210 77 36 (PBX)


Re: port forwarding problem. Probably easy if you know how.

2006-04-25 Thread Gilberto Villani Brito
Hi,

I think it is better if you just use:
# iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
# iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

I hope your ppp0 has the IP 216.138.195.194.

Gilberto


On Sun, 23 Apr 2006 09:27:21 -0400
[EMAIL PROTECTED] wrote:

 I'm running sarge on a vintage Pentium as a gateway machine for a home 
 network.
 
 My machine was cracked last December and I reinstalled everything
 from scratch using a sarge netinstall CD. (I checked all scripts I 
 resurrect from the old system,  and recompiled all my *own* binaries 
 from original source code.  The script I mention below hasn't been 
 molested.)
 
 I run the same script for port-forwarding and masquerading that I used 
 before the reinstall.
 
 But it doesn't work.
 
 Lines like
 
 iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
 iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
 iptables -t nat -A POSTROUTING --protocol udp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
 iptables -t nat -A POSTROUTING --protocol tcp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
 
 have no effect at all (as checked by iptables --list)
 
 but the line
 
 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
 
 works like a charm.
 
 I suspect there's probably a missing kernel module.  But which one?
 And where do I find it?  The docs for iptables say that it will attempt 
 to load any necessary modules, so I presume a simple modprobe isn't 
 enough.  Or else that it doesn't try hard enough.
 
 -- hendrik
 
 
 
 






Re: port forwarding problem. Probably easy if you know how.

2006-04-24 Thread hendrik
On Sun, Apr 23, 2006 at 08:36:15PM -0700, charles norwood wrote:
 On Sun, 2006-04-23 at 14:56 -0400, [EMAIL PROTECTED] wrote:
  On Sun, Apr 23, 2006 at 09:11:14AM -0500, Forrest Smith wrote:
   The folks on the Shorewall project have done all this for you:
   
 apt-get install shorewall
   
   F.S
  
  Does shorewall find and install the missing kernel modules. wherever 
  they are?  Or does it just use iptables, whose docs say it tries to
  load them (but it is evidently not succeeding).
  
  I *have* the set of iptables commands I need.
  They *used* to work.
  They *don't* work now.
  
  -- hendrik
  
  
 Here are the modules I load.  Pre-routing works on this box
 kernel is 2.6.8-3-686
 iptables is 1.2.11-10
 
 /sbin/modprobe ip_tables 
 /sbin/modprobe ip_conntrack 
 /sbin/modprobe ip_conntrack_ftp
 /sbin/modprobe iptable_nat
 /sbin/modprobe ip_nat_ftp
 /sbin/modprobe ip_nat_irc
 /sbin/modprobe ip_nat_snmp_basic
 HTH
 C.

Thanks.  I'll start trying it out tomorrow (when I'm not tired and 
suffering from insomnia)

-- hendrik





Re: port forwarding problem. Probably easy if you know how.

2006-04-24 Thread George Borisov
[EMAIL PROTECTED] wrote:
 
 But it doesn't work.
 
 Lines like
 
 iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
 iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
 iptables -t nat -A POSTROUTING --protocol udp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
 iptables -t nat -A POSTROUTING --protocol tcp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
 
 have no effect at all (as checked by iptables --list)

You also need some FORWARD rules (don't know if you have them or not).

E.g:

/sbin/iptables -A FORWARD -p tcp --dport 27012 -d 172.25.1.5 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --dport 27012 -d 172.25.1.5 -j ACCEPT


 I suspect there's probably a missing kernel module.  But which one?
 And where do I find it?  The docs for iptables say that it will attempt 
 to load any necessary modules, so I presume a simple modprobe isn't 
 enough.  Or else that it doesn't try hard enough.

This is a very useful example:

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html#RC.FIREWALL-IPTABLES-STRONGER


Here is what I have in my script:

---

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Tool paths (assumed; the full script defines these variables outside the
# excerpt quoted here, they are restated so the snippet runs on its own)
LSMOD=/sbin/lsmod
GREP=/bin/grep
AWK=/usr/bin/awk
MODPROBE=/sbin/modprobe

# Load some required (and a few optional) kernel modules
if [ -z ` $LSMOD | $GREP ip_tables | $AWK {'print $1'} ` ]; then
   $MODPROBE ip_tables
fi
if [ -z ` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} ` ]; then
   $MODPROBE ip_conntrack
fi
if [ -z ` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} ` ]; then
   $MODPROBE ip_conntrack_ftp
fi
if [ -z ` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} ` ]; then
   $MODPROBE ip_conntrack_irc
fi
if [ -z ` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} ` ]; then
   $MODPROBE iptable_nat
fi
if [ -z ` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} ` ]; then
   $MODPROBE ip_nat_ftp
fi
if [ -z ` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} ` ]; then
   $MODPROBE ip_nat_irc
fi

---


Hope this helps,

-- 
George Borisov

DXSolutions Ltd




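Two answers on this page describe the same two-part requirement for a DNAT port forward on a Linux gateway: Murat Demirten's (the rule belongs in the nat table) and George's above (you also need FORWARD rules), on top of ip_forward being enabled. The Python script below is an added example, not from either thread, that parses an iptables-save dump and reports, for every DNAT rule in nat/PREROUTING, whether the filter FORWARD chain will let the translated connection through. A FORWARD rule that only accepts RELATED,ESTABLISHED does not count, because the first packet of a forwarded connection is NEW. The dump is constructed for the example; it reuses the addresses from the thread but is not either poster's real ruleset.

```python
"""Check that every DNAT port forward in an iptables-save dump can pass: the
nat/PREROUTING rule needs a matching filter/FORWARD accept (or an ACCEPT
policy) and ip_forward must be on.  Added example for this thread; the dump
below is constructed, not either poster's real ruleset."""
from collections import namedtuple

Rule = namedtuple("Rule", "table chain args")


def parse_iptables_save(text):
    """Return ([Rule], {(table, chain): policy}) from iptables-save output."""
    rules, policies, table = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A "):
            args = line.split()
            rules.append(Rule(table, args[1], args[2:]))
    return rules, policies


def opt(args, *names):
    """Value following the first of the given option names, or None."""
    for i, a in enumerate(args):
        if a in names and i + 1 < len(args):
            return args[i + 1]
    return None


def forward_accepts(args, host, port, proto):
    """Does this FORWARD rule accept the first packet of a new flow to host:port?"""
    if opt(args, "-j") != "ACCEPT":
        return False
    state = opt(args, "--ctstate", "--state")
    if state is not None and "NEW" not in state.split(","):
        return False  # RELATED,ESTABLISHED only: passes replies, not the DNATed SYN
    dst = opt(args, "-d", "--destination")
    if dst is not None and dst.split("/")[0] != host:
        return False
    p = opt(args, "-p", "--protocol")
    if p is not None and p != proto:
        return False
    dport = opt(args, "--dport")
    return dport is None or dport == port


def check_port_forwards(save_text, ip_forward):
    """One finding per DNAT rule in nat/PREROUTING."""
    rules, policies = parse_iptables_save(save_text)
    fwd = [r for r in rules if (r.table, r.chain) == ("filter", "FORWARD")]
    policy = policies.get(("filter", "FORWARD"), "ACCEPT")
    findings = []
    for r in rules:
        if (r.table, r.chain) != ("nat", "PREROUTING") or opt(r.args, "-j") != "DNAT":
            continue
        proto = opt(r.args, "-p", "--protocol")
        inport = opt(r.args, "--dport")
        host, _, port = opt(r.args, "--to-destination", "--to").partition(":")
        port = port or inport  # DNAT without :port keeps the original port
        explicit = any(forward_accepts(f.args, host, port, proto) for f in fwd)
        findings.append({
            "proto": proto, "dport": inport, "to": "%s:%s" % (host, port),
            "forward_rule": explicit,
            # Only explicit accepts and the chain policy are considered; a
            # DROP rule earlier in FORWARD would still block the flow.
            "forward_ok": explicit or policy == "ACCEPT",
            "ip_forward": bool(int(ip_forward)),
        })
    return findings


# Constructed dump: the first forward is complete, the second has no FORWARD
# accept and the chain policy is DROP, so it will never pass.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.74.128:80
-A PREROUTING -i ppp0 -p udp -m udp --dport 27012 -j DNAT --to-destination 172.25.1.5
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 172.16.74.128/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # On a live gateway feed it subprocess.run(["iptables-save"]) output and
    # the contents of /proc/sys/net/ipv4/ip_forward instead of the sample.
    for f in check_port_forwards(SAMPLE_IPTABLES_SAVE, ip_forward=1):
        print("OK  " if f["forward_ok"] and f["ip_forward"] else "FAIL", f)
```

The reply path needs no SNAT for a plain DNAT: conntrack reverses the translation on the way back, provided the internal host routes its replies through the gateway (the point raised in the zyxel thread further down about the web server's default gateway).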

Re: port forwarding problem. Probably easy if you know how.

2006-04-24 Thread Jon Dowland
At 1145804173 past the epoch, [EMAIL PROTECTED] wrote:
 On Sun, Apr 23, 2006 at 09:11:14AM -0500, Forrest Smith
 wrote:
  The folks on the Shorewall project have done all this
  for you:
 
 Does shorewall find and install the missing kernel
 modules. wherever they are?  Or does it just use iptables,
 whose docs say it tries to load them (but it is evidently
 not succeeding).
 
 I *have* the set of iptables commands I need.  They *used*
 to work.  They *don't* work now.

What makes you think it is a kernel module issue? Usually
with iptables, if the relevant kernel module is not loaded
and can't be probed automatically, the command you utter
will fail to the terminal as you type it, not just silently
not work. Or perhaps it has done, and you just haven't
provided us with the messages.

-- 
Jon Dowland
http://alcopop.org/





Re: port forwarding problem. Probably easy if you know how.

2006-04-23 Thread Forrest Smith
The folks on the Shorewall project have done all this for you:

  apt-get install shorewall

F.S

On Sun, Apr 23, 2006 at 09:27:21AM -0400, [EMAIL PROTECTED] wrote:
 I'm running sarge on a vintage Pentium as a gateway machine for a home 
 network.
 
 My machine was cracked last December and I reinstalled everything
 from scratch using a sarge netinstall CD. (I checked all scripts I 
 resurrect from the old system,  and recompiled all my *own* binaries 
 from original source code.  The script I mention below hasn't been 
 molested.)
 
 I run the same script for port-forwarding and masquerading that I used 
 before the reinstall.
 
 But it doesn't work.
 
 Lines like
 
 iptables -t nat -A PREROUTING --protocol tcp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
 iptables -t nat -A PREROUTING --protocol udp -d 216.138.195.194 --dport 27012 -j DNAT --to-destination 172.25.1.5:27012 --verbose
 iptables -t nat -A POSTROUTING --protocol udp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
 iptables -t nat -A POSTROUTING --protocol tcp -s 172.25.1.5 --sport 27012 -j SNAT --to-source 216.138.195.194:27012 --verbose
 
 have no effect at all (as checked by iptables --list)
 
 but the line
 
 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
 
 works like a charm.
 
 I suspect there's probably a missing kernel module.  But which one?
 And where do I find it?  The docs for iptables say that it will attempt 
 to load any necessary modules, so I presume a simple modprobe isn't 
 enough.  Or else that it doesn't try hard enough.
 
 -- hendrik
 
 

-- 
Hundreds of years in the future
  there could be computers
looking for life on earth

--Coldplay





Re: port forwarding problem. Probably easy if you know how.

2006-04-23 Thread hendrik
On Sun, Apr 23, 2006 at 09:11:14AM -0500, Forrest Smith wrote:
 The folks on the Shorewall project have done all this for you:
 
   apt-get install shorewall
 
 F.S

Does shorewall find and install the missing kernel modules. wherever 
they are?  Or does it just use iptables, whose docs say it tries to
load them (but it is evidently not succeeding).

I *have* the set of iptables commands I need.
They *used* to work.
They *don't* work now.

-- hendrik





Re: port forwarding problem. Probably easy if you know how.

2006-04-23 Thread Florian Kulzer
On Sun, Apr 23, 2006 at 14:56:13 -0400, [EMAIL PROTECTED] wrote:

[...]

 Does shorewall find and install the missing kernel modules. wherever 
 they are?  Or does it just use iptables, whose docs say it tries to
 load them (but it is evidently not succeeding).
 
 I *have* the set of iptables commands I need.
 They *used* to work.
 They *don't* work now.

A brute-force approach to your problem would be to just modprobe every
single netfilter module that you have:

ls -1 /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter | grep '\.ko$' | sed 's/\.ko$//' | modprobe $(cat)

If that works you could find the unused modules with lsmod and remove
them until you end up with only the ones which you really need. 

-- 
Regards,
  Florian





Re: port forwarding problem. Probably easy if you know how.

2006-04-23 Thread charles norwood
On Sun, 2006-04-23 at 14:56 -0400, [EMAIL PROTECTED] wrote:
 On Sun, Apr 23, 2006 at 09:11:14AM -0500, Forrest Smith wrote:
  The folks on the Shorewall project have done all this for you:
  
apt-get install shorewall
  
  F.S
 
 Does shorewall find and install the missing kernel modules. wherever 
 they are?  Or does it just use iptables, whose docs say it tries to
 load them (but it is evidently not succeeding).
 
 I *have* the set of iptables commands I need.
 They *used* to work.
 They *don't* work now.
 
 -- hendrik
 
 
Here are the modules I load.  Pre-routing works on this box
kernel is 2.6.8-3-686
iptables is 1.2.11-10

/sbin/modprobe ip_tables 
/sbin/modprobe ip_conntrack 
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_nat_snmp_basic
HTH
C.





Re: Port forwarding Impossible zyxel 650hw-31

2005-10-25 Thread Quentin
On Tue, Oct 25, 2005 at 12:09:31PM +, edoyuar reeri wrote:
 Hello,
 
 I have been struggling with this for a week now: I am trying to forward
 port 80 (web server)
 
 to a machine on my LAN where my web server lives.
 
 I declared the redirection in the NAT section:
 
 80 80 192.168.1.4 (this is the local machine where the web server is)
 
 The local IP address is static; I have also declared the rule in the
 WAN-to-LAN firewall
 
 to allow port 80 traffic and redirect it to the IP of my local machine
 (192.168.1.4).
 
 But I always end up on the web configuration interface of the zyxel 650hw
 modem router.
 
 Thanks for your help
 
 
 
 -- 
 Remember to read the list FAQ before asking a question:
 http://wiki.debian.net/?DebianFrench
 
 Remember to add the word ``spam'' to your From and Reply-To fields:
 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact 
 [EMAIL PROTECTED]
 
 

That's normal if you request the page from inside your LAN; my router does
the same thing to me. But if you ask a friend to open http://ton_ip it
should work :) !




Re: Port forwarding Impossible zyxel 650hw-31

2005-10-25 Thread edoyuar reeri





From: Quentin [EMAIL PROTECTED]
To: debian-user-french@lists.debian.org
Subject: Re: Port forwarding Impossible zyxel 650hw-31
Date: Tue, 25 Oct 2005 14:25:54 +0200

On Tue, Oct 25, 2005 at 12:09:31PM +, edoyuar reeri wrote:
 Hello,

 I have been struggling with this for a week now: I am trying to forward
 port 80 (web server)

 to a machine on my LAN where my web server lives.

 I declared the redirection in the NAT section:

 80 80 192.168.1.4 (this is the local machine where the web server is)

 The local IP address is static; I have also declared the rule in the
 WAN-to-LAN firewall

 to allow port 80 traffic and redirect it to the IP of my local machine
 (192.168.1.4).

 But I always end up on the web configuration interface of the zyxel 650hw
 modem router.

 Thanks for your help


That's normal if you request the page from inside your LAN; my router does
the same thing to me. But if you ask a friend to open http://ton_ip it
should work :) !


Thanks Quentin for replying,

But a friend tried and it does not work; when I look in the firewall logs it
does forward to the right IP:

my friend's IP  local IP (web server 192.168.1.4)
src port :1773 dest port: 00080



Re: Port forwarding Impossible zyxel 650hw-31

2005-10-25 Thread Quentin
You did forward your router's external port 80 to your firewall and disable
administration of your router from the outside, I suppose?

On Tue, Oct 25, 2005 at 12:29:00PM +, edoyuar reeri wrote:
 
 From: Quentin [EMAIL PROTECTED]
 To: debian-user-french@lists.debian.org
 Subject: Re: Port forwarding Impossible zyxel 650hw-31
 Date: Tue, 25 Oct 2005 14:25:54 +0200
 
 On Tue, Oct 25, 2005 at 12:09:31PM +, edoyuar reeri wrote:
  Hello,
 
  I have been struggling with this for a week now: I am trying to forward
  port 80 (web server)
 
  to a machine on my LAN where my web server lives.
 
  I declared the redirection in the NAT section:
 
  80 80 192.168.1.4 (this is the local machine where the web server is)
 
  The local IP address is static; I have also declared the rule in the
  WAN-to-LAN firewall
 
  to allow port 80 traffic and redirect it to the IP of my local machine
  (192.168.1.4).
 
  But I always end up on the web configuration interface of the zyxel 650hw
  modem router.
 
  Thanks for your help
 
 
 That's normal if you request the page from inside your LAN; my router does
 the same thing to me. But if you ask a friend to open http://ton_ip it
 should work :) !
 
 
 Thanks Quentin for replying,
 
 But a friend tried and it does not work; when I look in the firewall logs it
 does forward to the right IP:
 
 my friend's IP  local IP (web server 192.168.1.4)
 src port :1773 dest port: 00080
 




Re: Port forwarding Impossible zyxel 650hw-31

2005-10-25 Thread edoyuar reeri
Hi. At first yes; then I put it back, but I have disabled it so that the
administration cannot be reached from the outside.




From: Quentin [EMAIL PROTECTED]
To: debian-user-french@lists.debian.org
Subject: Re: Port forwarding Impossible zyxel 650hw-31
Date: Tue, 25 Oct 2005 14:45:31 +0200

You did forward your router's external port 80 to your firewall and disable
administration of your router from the outside, I suppose?


On Tue, Oct 25, 2005 at 12:29:00PM +, edoyuar reeri wrote:

 From: Quentin [EMAIL PROTECTED]
 To: debian-user-french@lists.debian.org
 Subject: Re: Port forwarding Impossible zyxel 650hw-31
 Date: Tue, 25 Oct 2005 14:25:54 +0200
 
 On Tue, Oct 25, 2005 at 12:09:31PM +, edoyuar reeri wrote:
  Hello,
 
  I have been struggling with this for a week now: I am trying to forward
  port 80 (web server)
 
  to a machine on my LAN where my web server lives.
 
  I declared the redirection in the NAT section:
 
  80 80 192.168.1.4 (this is the local machine where the web server is)
 
  The local IP address is static; I have also declared the rule in the
  WAN-to-LAN firewall
 
  to allow port 80 traffic and redirect it to the IP of my local machine
  (192.168.1.4).
 
  But I always end up on the web configuration interface of the zyxel 650hw
  modem router.
 
  Thanks for your help
 
 
 That's normal if you request the page from inside your LAN; my router does
 the same thing to me. But if you ask a friend to open http://ton_ip it
 should work :) !


 Thanks Quentin for replying,

 But a friend tried and it does not work; when I look in the firewall logs it
 does forward to the right IP:

 my friend's IP  local IP (web server 192.168.1.4)
 src port :1773 dest port: 00080




Re: Port forwarding Impossible zyxel 650hw-31

2005-10-25 Thread Camille Turiel

Hello,

Quentin wrote:

> On Tue, Oct 25, 2005 at 12:09:31PM +, edoyuar reeri wrote:
>
>> Hello,
>>
>> I have been struggling for a week now, trying to forward port 80 (web
>> server) to a machine on my LAN where my web server lives.
>>
>> I declared the redirection in the NAT:
>>
>> 80 80 192.168.1.4 (this is the local machine where the web server lives)
>>
>> The local IP address is static. I also declared the rule in the WAN-to-LAN
>> firewall to allow port 80 traffic and redirect it to the IP of my local
>> machine (192.168.1.4).
>>
>> But I still land on the web configuration interface of the Zyxel 650hw
>> router/modem.

You need to be a bit more specific:

Which address are you hitting it on, and from where?

- If you hit it from inside on the router's local address (fairly
  unlikely), that is normal.

- If you hit it from inside on its external IP, that is normal too; it is
  a problem inherent in the NAT mechanism. It is possible but fairly complex
  to work around at the IP level. However, if you work with URLs you can play
  with name resolution by using a local DNS to handle this problem; that is
  what I use at home and it works very well.

- If you hit it from outside on its external IP and land on your router's
  config page, that would mean the router takes precedence over the port
  forwarding; in that case you just need to change the listening port of
  your router's web server. Now, if you get an error when trying from
  outside, you need to check that the gateway is correct on your web server,
  otherwise your packets may reach your web server but not be able to leave
  it for lack of a gateway.

>> Thanks for your help
>
> That is normal if you request the page from inside your LAN; my router does
> the same thing to me, but if you ask a friend to open http://ton_ip it
> should work :) !




Re: Port forwarding Impossible zyxel 650hw-31

2005-10-25 Thread edoyuar reeri
When it redirects, it shows "default policy match2,02" in the logs,
whereas for the others it shows either

default policy match1,00
or
default policy match2,00


From: edoyuar reeri [EMAIL PROTECTED]
To: [EMAIL PROTECTED], debian-user-french@lists.debian.org
Subject: Re: Port forwarding Impossible zyxel 650hw-31
Date: Tue, 25 Oct 2005 12:42:15 +

Hi. At first yes, then I put it back, but I disabled it so that they
cannot access the administration from outside.


From: Quentin [EMAIL PROTECTED]
To: debian-user-french@lists.debian.org
Subject: Re: Port forwarding Impossible zyxel 650hw-31
Date: Tue, 25 Oct 2005 14:45:31 +0200

You did forward external port 80 of your router to your firewall and
disabled administration of your router from the outside, I suppose?


On Tue, Oct 25, 2005 at 12:29:00PM +, edoyuar reeri wrote:



> Thanks Quentin for replying,
>
> But a friend tried and it does not work. When I look at the firewall logs
> it does forward it to the right IP:
>
> my friend's IP -> local IP (web server 192.168.1.4)
> src port: 1773  dest port: 00080








Re: Port forwarding Impossible zyxel 650hw-31

2005-10-25 Thread Pierre Tourbeaux
On Tuesday, 25 October 2005 at 13:59 +, edoyuar reeri wrote:
> here is an image of the firewall log when I forward.

Not really useful to mask your IP on the last line, given that it appears
just above...

I did not really try to understand, but my browser bounces me to
192.168.1.4... Might you have set up an awkward rewrite?


Re: Port forwarding Impossible zyxel 650hw-31

2005-10-25 Thread edoyuar reeri

Hi all, thanks for replying,

but I did everything as explained here.

NAT, firewall:

http://img149.imageshack.us/img149/4260/firewalllog5dv.png

http://img149.imageshack.us/my.php?image=nat3hn.png

http://img149.imageshack.us/my.php?image=portforward9jd.png

http://img149.imageshack.us/my.php?image=wantolan7yd.png



Re: Port forwarding between Windows and Linux [Was: help]

2004-09-16 Thread arnaud
It was not working
because I was not pointing at the local server but at Exchange!!

Thanks for the help, Yves!!



Re: Port forwarding between Windows and Linux [Was: help]

2004-09-14 Thread arnaud
I launched PuTTY on Windows 2000 Server SP4 with the following parameters:
R 220:localhost:220 and R 143:localhost:143 to the IP of my Linux box
(Debian 2.4).
The connection was established, but the webmail cannot read from the imp
server.


Yves Rutschle [EMAIL PROTECTED] wrote in message
news: [EMAIL PROTECTED]
> On Mon, Sep 13, 2004 at 05:48:44PM +0200, arnaud wrote:
>> I ran the ssh syntax (on Windows via PuTTY)
>> but it does not work as expected
>
> Hard to say without more details :p
>
> Which command do you use on the Windows side? What messages appear? How
> do you test?
>
> Y.



Re: Port forwarding between Windows and Linux [Was: help]

2004-09-14 Thread Joachim Habib
If your Debian box acts as a router, you need to add IP forwarding rules
in iptables.

If so, can you browse the net from your Windows machine?
You also need to set the ip_forward option to true in
/etc/network/options.


What exactly does this mean: "the webmail cannot read from the imp
server"?

Where does your webmail run?
Is your mail server at your place or at an ISP?

Jo


arnaud wrote:

> I launched PuTTY on Windows 2000 Server SP4 with the following parameters:
> R 220:localhost:220 and R 143:localhost:143 to the IP of my Linux box
> (Debian 2.4).
> The connection was established, but the webmail cannot read from the imp
> server.


Re: Port forwarding between Windows and Linux [Was: help]

2004-09-14 Thread arnaud


> If your Debian box acts as a router, you need to add IP forwarding rules
> in iptables.
> If so, can you browse the net from your Windows machine?
> You also need to set the ip_forward option to true in
> /etc/network/options.

The Debian box is not a router, just an SMTP relay and a webmail in a
DMZ.

> What exactly does this mean: "the webmail cannot read from the imp
> server"?
> Where does your webmail run?
> Is your mail server at your place or at an ISP?


The mail server is on my LAN (Exchange 2000).
If I disable the firewall, the webmail works very well.
To test: once the ssh connection is initiated, my webmail cannot talk to
Exchange.

That's it



Re: Port forwarding between Windows and Linux [Was: help]

2004-09-14 Thread Yves Rutschle
On Tue, Sep 14, 2004 at 09:41:51AM +0200, arnaud wrote:
> I launched PuTTY on Windows 2000 Server SP4 with the following parameters:
> R 220:localhost:220 and R 143:localhost:143 to the IP of my Linux box
> (Debian 2.4).
> The connection was established, but the webmail cannot read from the
> imp server.
  ^^^
imap?
If you really did mean imp, I missed something (IMP being webmail
software... the previous sentence suggests that the ima?p server runs on
win2000).

- Does Exchange actually export an IMAP service? (That is not
  necessarily true, and it seems to me it does not by default.)
  => try, from the Windows machine, a telnet localhost 143 (or spelling
  out the IP address; I do not know whether Windows understands
  localhost).
  (It seems to me you say elsewhere that it works without the firewall,
  so I suppose Exchange is configured correctly.)
- If so, the port forwarding (probably) does not work.
  What does a telnet localhost 143 give on the DMZ?
  (It should land on the win2000 machine...)
  (You do of course have to tell the webmail to connect to the IMAP
  server on localhost (which is secretly carried over to Win2000), not
  directly to Win2000, which is hidden behind the firewall.)


Y. - plumber.



Re: Port forwarding on a NAT firewall

2004-07-02 Thread Ricky Clarkson
On Fri, 2 Jul 2004 13:43:58 +0100 (BST), Antony [EMAIL PROTECTED] wrote:

> 1) Set up an email server on the router that relays all mail to the
> private server.
> 2) Port forward (DNAT) port 25 to the private server.
>
> I don't like port forwarding, as it's always seemed like a kind of bodge,
> but (2) is quicker and easier to setup.  Does (2) have any practical
> negative implications from a security point of view, and does anyone have
> any general views on which solution is better?

Generally speaking, I'd always go for the simplest solution (2).  If
port forwarding seems like a kind of bodge, NAT is the same kind of
bodge.

I don't know the security issues, but I'd rather have my router route
(and in this case masquerade addresses) and not do much else.





Re: Port forwarding on a NAT firewall

2004-07-02 Thread Monique Y. Mudama
On 2004-07-02, Antony penned:
> Hi all,
>
> If I have a router running iptables with NAT for a private IP network,
> there are two options if I want to have a public email server on the
> private network...
> 1) Set up an email server on the router that relays all mail to the
> private server.
> 2) Port forward (DNAT) port 25 to the private server.
>
> I don't like port forwarding, as it's always seemed like a kind of
> bodge, but (2) is quicker and easier to setup.  Does (2) have any
> practical negative implications from a security point of view, and
> does anyone have any general views on which solution is better?  A

I've been using (2) for quite a while now ... except with a hardware
router rather than iptables.  I can't think of any big negatives; it
seems like setting up two email servers just introduce two places to
possibly screw up the configuration and drop mail.

-- 
monique





Re: Port Forwarding

2004-02-19 Thread Andreas Kretschmer
On 19.02.2004 at 23:45:00 +0100, Dominique Zurkinden mailed the following:
> Hello list!

Please refrain in future from nonsense like 'winmail.dat' and other
excretions of your sick e-mail-reader simulation.


> Port forwarding no longer works. For a port forward I ran echo 1 >

How exactly did you determine that?


> /proc/sys/net/ipv4/ip_forward. It had worked fine until recently. Since
> iptables was not changed, I wonder whether this has to do with the /proc
> directory. Heaven knows what is going on.

Rather not.

>
> Iptables:
>
>   iptables -A FORWARD -i eth0 -p tcp --dport port -j ACCEPT
>   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport port -j DNAT

What happens to reply packets?


Andreas
-- 
Andreas Kretschmer    (contact: see header)
   Tel. Heynitz branch:  035242/47212
GnuPG-ID 0x3FFF606C http://wwwkeys.de.pgp.net
 ===Schollglas Unternehmensgruppe=== 


-- 
Frequently asked questions and answers (FAQ): 
http://www.de.debian.org/debian-user-german-FAQ/

To UNSUBSCRIBE send a mail to [EMAIL PROTECTED]
with the Subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (engl)



Re: Port forwarding with ipmasq

2003-12-20 Thread Bill Goudie
On Tue, Dec 16, 2003 at 09:06:44PM +0800, Brendan Bache wrote:
> I'm running debian woody on my gateway with the ipmasq package installed
> and I need to do some port forwarding. For instance, I need to forward
> some ports for BitTorrent running on a box on my LAN so I created a file
> /etc/ipmasq/rules/F10bt.rul
>
> ---F10bt.rul---
> ipnm_cache ppp0
> btPorts="6881 6882"
>
> for port in $btPorts;
> do
>     $IPTABLES -A PREROUTING -t nat -p tcp -d $IPOFIF/$NMOFIF --dport $port \
>         -j DNAT --to-destination 10.0.0.2:$port
>     $IPTABLES -A FORWARD -p tcp -d $IPOFIF/$NMOFIF --dport $port \
>         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> done
> ---/F10bt.rul---
>
> Where ppp0 is my external interface and 10.0.0.2 is the box on the LAN
> that is running the BitTorrent client. From the gateway I can connect to
> 10.0.0.2 on port 6881. However if I try using the IP of my external
> interface then I get connection refused. What's wrong with my rules? I
> haven't changed anything about the default ipmasq setup other than
> adding that .rul file and masquerading is working fine, it's just port
> forwarding that is having problems. Using iptables -L and iptables -t
> nat -L I can see that these rules are being added to their respective
> chains without issue.

I haven't used the ipmasq package, but maybe some suggestions will
get you going in the right direction.

  - Check the byte counters for these rules and make sure they are
    incremented.  If they are not, maybe you need to adjust the rules
    (bad port, wrong protocol, etc.) or maybe another rule earlier in
    the chain is dropping/rejecting the packets.  Also, although
    unlikely, it is possible these packets are being dropped upstream.

  - Make sure you log all dropped/rejected packets.  Run a test and then
    review your logs.

  - Run tcpdump on the internal interface of the router.  If you don't
    see traffic leaving your router, something must be wrong with the
    firewall rules.

  - Run tcpdump on the interface for the BitTorrent server.

  - Although obvious, ensure BitTorrent is running and the configuration
    is correct and permits connections from the client.

-- 
I have always noticed that whenever a radical takes to Imperialism,
he catches it in a very acute form.
-- Winston Churchill, 1903
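A way to act on the first item of the checklist above: snapshot the rule counters before and after a test connection and list the rules that never saw a packet. This is an added example for this thread, not code from the ipmasq package or from any poster; the two `iptables -t nat -L PREROUTING -v -n` listings it works on are constructed, with 203.0.113.7 standing in for the external address.

```python
import re

# iptables -v prints large counters with 1000-based K/M/G suffixes.
MULT = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

# Constructed snapshot of `iptables -t nat -L PREROUTING -v -n` taken before
# the test; 203.0.113.7 is a documentation address standing in for $IPOFIF.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 812 packets, 61K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.7          tcp dpt:6881 to:10.0.0.2:6881
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.7          tcp dpt:6882 to:10.0.0.2:6882
"""

# Constructed snapshot after one connection attempt to port 6881 from outside.
AFTER = """\
Chain PREROUTING (policy ACCEPT 815 packets, 61K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.7          tcp dpt:6881 to:10.0.0.2:6881
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.7          tcp dpt:6882 to:10.0.0.2:6882
"""


def counter_to_int(token):
    """Turn a counter column such as '61K' or '0' into an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if m is None:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * MULT[m.group(2)]


def parse_counters(listing):
    """Map (chain, rule text) -> (pkts, bytes) for an `iptables -L -v -n` listing.

    The rule text is the line minus its two counter columns, with whitespace
    collapsed, so the same rule yields the same key in both snapshots."""
    rules, chain = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("pkts"):
            continue  # blank line or the column header
        parts = stripped.split(None, 2)
        if len(parts) < 3:
            continue
        pkts, byts, rest = parts
        rules[(chain, " ".join(rest.split()))] = (counter_to_int(pkts), counter_to_int(byts))
    return rules


def packet_deltas(before, after):
    """Increase in the packet counter of every rule present in both snapshots."""
    old, new = parse_counters(before), parse_counters(after)
    return {key: new[key][0] - old[key][0] for key in new if key in old}


def stale_rules(before, after):
    """Rules whose packet counter did not move during the test.

    A DNAT rule that stays at zero while you are connecting to it means the
    packets never reached it: wrong match, an earlier rule eating them, or
    traffic dropped upstream, which are the cases the checklist names."""
    return [f"{chain}: {rule}"
            for (chain, rule), d in packet_deltas(before, after).items() if d == 0]


if __name__ == "__main__":
    for key, delta in packet_deltas(BEFORE, AFTER).items():
        print(f"{delta:+d} pkts  {key[0]}: {key[1]}")
    print("no traffic seen by:", stale_rules(BEFORE, AFTER))
```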





Re: Port Forwarding / SSH

2003-09-26 Thread Eduard Bloch
Hi Michael!
Michael Rother wrote on Thursday, 25 September 2003:

> Hi,
> I would like SSH on my machine to also listen on port 80. At work,
> unfortunately, I cannot get out over 22, but 80 is open. That must be
> possible somehow... I did look in the O'Reilly SSH book, but I only come
> across an explicit remote or localhost specification, and that does not
> really work either.

man sshd_config | grep -i Port
Formatiere sshd_config(5) neu, bitte warten...
...
     Port    Specifies the port number that sshd listens on.  The default is

-- 
You are all nuts.
-- Olaf Titz on the mail wars between P. Mandrella and R. Babel





Re: Port Forwarding / SSH

2003-09-25 Thread Carsten Diener
On Thu, 25.09.2003, Michael Rother wrote at 17:05:
> Hi,
> I would like SSH on my machine to also listen on port 80. At work,
> unfortunately, I cannot get out over 22, but 80 is open. That must be
> possible somehow... I did look in the O'Reilly SSH book, but I only come
> across an explicit remote or localhost specification, and that does not
> really work either.
>
> Can any of you help me with how I can achieve this the fastest?

sshd -p 80

> Regards,
> Michael
-- 
Carsten Diener
IT consulting
Phone:  +49 89 81801158
Fax:    +49 89 54802719
Mobile: +49 162 8453351
E-Mail: [EMAIL PROTECTED]
E-Mail: [EMAIL PROTECTED]
Web:    http://cd.bsun.de


Re: Port Forwarding / SSH

2003-09-25 Thread Heiko Schlittermann
On Thu, Sep 25, 2003 at 05:05:33PM +0200, Michael Rother wrote:
> Hi,
> I would like SSH on my machine to also listen on port 80. At

Have you ever looked at the manual page?

sshd -p 80

or in the config:

Port 22
Port 80

> work, unfortunately, I cannot get out over 22, but 80 is open. That

Are you sure?  Or is it just a proxy in the end?

Best regards from Dresden
Many greetings from Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de -- internet & unix support -
 Debian 3.x CD: http://debian.schlittermann.de/
 Heiko Schlittermann HS12-RIPE ---
 pgp: A1 7D F6 7B 69 73 48 35  E1 DE 21 A7 A8 9A 77 92 ---
 gpg: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -


Re: Port Forwarding / SSH

2003-09-25 Thread Carsten Diener
On Thu, 25.09.2003, Michael Rother wrote at 17:05:
> Hi,
> I would like SSH on my machine to also listen on port 80. At work,
> unfortunately, I cannot get out over 22, but 80 is open. That must be
> possible somehow... I did look in the O'Reilly SSH book, but I only come
> across an explicit remote or localhost specification, and that does not
> really work either.
>
> Can any of you help me with how I can achieve this the fastest?

And forward it, of course; sorry, I forgot that.

iptables -t nat -A PREROUTING -i $internetdevice -p tcp --dport 80 -j \
    DNAT --to $internekiste


> Regards,
> Michael


Re: Port Forwarding / SSH

2003-09-25 Thread Martin Peikert
Michael Rother wrote:
> Hi,
> I would like SSH on my machine to also listen on port 80.
man sshd_config
,-
| Port    Specifies the port number that sshd listens on.  The
| default is 22.  Multiple options of this type are permitted.
| See also ListenAddress.
`-
For next time: read the man pages first, then ask others :)

GTi



Re: Port Forwarding / SSH

2003-09-25 Thread Andreas Kretschmer
On Thu, 25.09.2003 at 17:05:33 +0200, Michael Rother mailed the following:
> Hi,
> I would like SSH on my machine to also listen on port 80. At

/etc/ssh/sshd_config :
Port 80

> work, unfortunately, I cannot get out over 22, but 80 is open. That

http://jors.net/tunneln.html

Andreas
-- 
This message was created with the kind support of a free-range penguin
from species-appropriate outdoor husbandry.  It is guaranteed free of
Micro$oft viruses. (#97922 http://counter.li.org) GPG 7F4584DA
What, you don't know where Kaufbach is? Here: N 51.05082°, E 13.56889° ;-)


Re: Port Forwarding / SSH

2003-09-25 Thread Joerg Rieger
On Thu, Sep 25, 2003 at 05:05:33PM +0200, Michael Rother wrote:
> I would like SSH on my machine to also listen on port 80. At work,
> unfortunately, I cannot get out over 22, but 80 is open. That must be
> possible somehow... I did look in the O'Reilly SSH book, but I only come
> across an explicit remote or localhost specification, and that does not
> really work either.
>
> Can any of you help me with how I can achieve this the fastest?

man sshd

     -p port
             Specifies the port on which the server listens for connections
             (default 22).  Multiple port options are permitted.


-- 
LuMriX - XML Search Engine - http://www.lumrix.net/





Re: Port Forwarding / SSH

2003-09-25 Thread Marcus Frings
* Michael Rother [EMAIL PROTECTED] wrote:

> I would like SSH on my machine to also listen on port 80. At work,
> unfortunately, I cannot get out over 22, but 80 is open. That must be
> possible somehow... I did look in the O'Reilly SSH book, but I only come
> across an explicit remote or localhost specification, and that does not
> really work either.
>
> Can any of you help me with how I can achieve this the fastest?

Ask the admin nicely for it. There will be a reason why that is not
opened up, and outsmarting the company firewall /can/ have nasty
consequences for you.

Regards,
Marcus
-- 
Only half the world is Teflon and asbestos,
the rest is flammable and now and then,
once lit, quite merry to behold.
So ablaze, ablaze, and all for King Feurio!





Re: Port Forwarding / SSH

2003-09-25 Thread Heiko Schlittermann
On Thu, Sep 25, 2003 at 05:05:33PM +0200, Michael Rother wrote:
> I would like SSH on my machine to also listen on port 80. At work,
> unfortunately, I cannot get out over 22, but 80 is open. That must be
> possible somehow... I did look in the O'Reilly SSH book, but I only come
> across an explicit remote or localhost specification, and that does not
> really work either.

I had already started hacking, but found, just in time, a comment in
sshconnect.c that points to the HostAlias variable.

So: man ssh_config -- and search for HostAlias.
Tried it quickly, and my ~/.ssh/config now contains:

# -- [ Port 8822 on xyz ] -> [ Port 22 on epsilon ]
#  NAT / Port-FW
Host epsilon
    HostKeyAlias epsilon
    Hostname xyz.schlittermann.de
    Port 8822
    StrictHostKeyChecking no


That the host is really called epsilon has nothing to do with it also
being called Epsilon locally in the configuration file.

With the above config I can now do

ssh [EMAIL PROTECTED]

which effectively connects me to xyz:8822, briefly informs me about the
non-matching key, and then has the connection to epsilon:22.

Exactly what you wanted, right?
[For me it has the effect that I do not have to remember which host
 hides behind which port on xyz, because many SSHs are 'relayed' there.]


Best regards from Dresden
Many greetings from Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de -- internet & unix support -
 Debian 3.x CD: http://debian.schlittermann.de/
 Heiko Schlittermann HS12-RIPE ---
 pgp: A1 7D F6 7B 69 73 48 35  E1 DE 21 A7 A8 9A 77 92 ---
 gpg: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -


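To see what a config like the one above makes ssh do, and under which name it checks the server's key, here is an added example (not part of OpenSSH and not from the post) that resolves a small subset of ssh_config(5): Host blocks with glob patterns, first obtained value wins. It assumes current OpenSSH known_hosts naming ([host]:port for non-default ports; the OpenSSH releases of 2003 keyed on the host name alone, which is the mismatch the post works around), and the `gamma` alias is a hypothetical second relayed host. It also lists aliases whose effective StrictHostKeyChecking is `no`, since HostKeyAlias already makes that setting unnecessary.

```python
import fnmatch

# Constructed ~/.ssh/config modelled on the one in the post.  The `gamma`
# alias is hypothetical: a second relayed host on xyz without HostKeyAlias.
SSH_CONFIG = """\
# -- [ Port 8822 on xyz ] -> [ Port 22 on epsilon ]
Host epsilon
    HostKeyAlias epsilon
    Hostname xyz.schlittermann.de
    Port 8822
    StrictHostKeyChecking no

Host gamma
    Hostname xyz.schlittermann.de
    Port 8823

Host *
    Port 22
    StrictHostKeyChecking ask
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.

    Options before the first Host line apply to every host.  Keys are
    lower-cased because ssh_config keywords are case-insensitive."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)
    blocks.append((patterns, opts))
    return blocks


def effective_options(text, alias):
    """Options ssh would use for `ssh <alias>`: across all matching Host
    blocks the first obtained value wins, which is why `Host *` goes last."""
    result = {}
    for patterns, opts in parse_ssh_config(text):
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in opts.items():
                result.setdefault(key, value)
    result.setdefault("hostname", alias)
    result.setdefault("port", "22")
    return result


def known_hosts_name(opts):
    """Name the server key is looked up under: HostKeyAlias when set, else the
    real host name, written [host]:port when the port is not 22."""
    if "hostkeyalias" in opts:
        return opts["hostkeyalias"]
    if opts["port"] == "22":
        return opts["hostname"]
    return f"[{opts['hostname']}]:{opts['port']}"


def hosts_without_strict_checking(text):
    """Concrete aliases whose effective StrictHostKeyChecking is 'no'.

    With that setting an unknown or changed server key is accepted silently,
    so the far end of the tunnel is no longer authenticated; HostKeyAlias
    already pins the right key to the alias, so the setting is not needed."""
    aliases = [p for patterns, _ in parse_ssh_config(text)
               for p in patterns if not any(c in p for c in "*?!")]
    return [a for a in aliases
            if effective_options(text, a).get("stricthostkeychecking", "ask").lower() == "no"]


if __name__ == "__main__":
    for alias in ("epsilon", "gamma"):
        opts = effective_options(SSH_CONFIG, alias)
        print(f"{alias}: connects to {opts['hostname']}:{opts['port']}, "
              f"host key checked as {known_hosts_name(opts)!r}")
    print("StrictHostKeyChecking no:", hosts_without_strict_checking(SSH_CONFIG))
```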


Re: Port Forwarding / SSH

2003-09-25 Thread Michael Renner
On Thursday 25 September 2003 17:37, Andreas Kretschmer wrote:
> On Thu, 25.09.2003 at 17:05:33 +0200, Michael Rother mailed the following:
>> Hi,
>> I would like SSH on my machine to also listen on port 80. At
>
> /etc/ssh/sshd_config :
> Port 80
>
>> work, unfortunately, I cannot get out over 22, but 80 is open. That
>
> http://jors.net/tunneln.html

The friendly admin hands his users a script with which an ssh tunnel can
be built:

ftp://hyaden.dyndns.org/pub/unix/tunnel.tgz

---cut-
tunnel builds a ssh tunnel through a gateway to forward one or more tcp ports
to the network behind this gateway (the so called intranet). If you don't
have a gate to tunnel through you can use an other mode, where
tunnel first establish a connection from inside the intranet to a trusted
host and tunnel the protocols in a reverse direction. This trusted host is
connected later from elsewhere using the 'casemate' mode in tunnel.
---cut-

I know, it does not really address Michael Rother's problem (it rather
helps to tunnel into an intranet, not to get out of the intranet); I just
wanted to remind people of the script again ;-)

CU
-- 
|Michael Renner  E-mail: [EMAIL PROTECTED]  |
|D-72072 Tuebingen   Germany            ICQ: #112280325 |
|Germany Don't drink as root!  ESC:wq





Re: port forwarding question: firewall or ssh?

2003-08-28 Thread Ron Johnson
On Thu, 2003-08-28 at 04:35, Jerome Lacoste wrote:
> Hi,
>
> a friend of mine has problems accessing a mail server from his company
> but he can access my server.
>
> I thought that I could enable port forwarding to solve his problem.
>
> E.g.
>
> D -> S -> MS
>
> He wants to access the mail server (MS) from his Desktop (D). My Server
> (S) is in the between.
>
> I open a port on my firewall, let's say 12345 and let the user forward
> the MS:25 port on that port. Note the MS server doesn't have ssh on.
> Then instead of reading mail from MS:25 he reads it from S:12345.
>
> Can I use port forwarding at the firewall level, or should I just use
> SSH to do so?

You can use ssh.  The downside to extensive use of ssh is that
you could wind up shoving most packets thru port 22.  The whole
purpose of the firewall is pretty much defeated then, though.

Thus, if you wind up tunneling many ports thru 22, it might be
better to use a VPN.

-- 
-
Ron Johnson, Jr. [EMAIL PROTECTED]
Jefferson, LA USA

The greatest dangers to liberty lurk in insidious encroachment 
by men of zeal, well-meaning, but without understanding.
Justice Louis Brandeis, dissenting, Olmstead v US (1928)





Re: port forwarding issues

2003-07-01 Thread Bas Zoetekouw
Hi Peter!

You wrote:

> i'm about to set up port forwarding on a firewall to be able to reach
> some hosts on the lan from the outside. i wish to use iptables prerouting
> rules. my question is, is there a way to detect the port forwarding,
> and/or get info about the host i forward to (ip address mainly) ?
> supposing that the service i reach is free of bugs. as of my understanding
> of prerouting, this is not likely.

Do you mean something like a log of forwarded connections?  That can
simply be accomplished with the LOG target of iptables.

PS:  debian-security is not meant for discussing securing your firewall,
     but rather for reporting security vulnerabilities in Debian packages.
     The debian-user mailing list is more appropriate for this kind of
     questions.

-- 
Kind regards,
Bas Zoetekouw
GPG key: 0644fab7
Fingerprint: c1f5 f24c d514 3fec 8bf6 a2b1 2bae e41f 0644 fab7
[EMAIL PROTECTED], [EMAIL PROTECTED]





Re: port forwarding issues

2003-07-01 Thread Jamin W. Collins
On Tue, Jul 01, 2003 at 04:32:48PM +0200, Bas Zoetekouw wrote:

> PS:  debian-security is not meant for discussing securing your
>      firewall, but rather for reporting security vulnerabilities in
>      Debian packages.  The debian-user mailing list is more
>      appropriate for this kind of questions.

Or even debian-firewall.

-- 
Jamin W. Collins

Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo





Re: port forwarding issues

2003-07-01 Thread Vince Mulhollon

On 07/01/2003 09:32:48 Bas Zoetekouw wrote:

> Hi Peter!
>
> You wrote:
>
>> i'm about to set up port forwarding on a firewall to be able to reach
>> some hosts on the lan from the outside. i wish to use iptables
>> prerouting rules. my question is, is there a way to detect the port
>> forwarding, and/or get info about the host i forward to (ip address
>> mainly) ? supposing that the service i reach is free of bugs. as of my
>> understanding of prerouting, this is not likely.
>
> Do you mean something like a log of forwarded connections?  That can
> simply be accomplished with the LOG target of iptables.
>
> PS:  debian-security is not meant for discussing securing your firewall,
>      but rather for reporting security vulnerabilities in Debian
>      packages.  The debian-user mailing list is more appropriate for
>      this kind of questions.

I would recommend debian-firewall as there is intense discussion there of
iptables.

Also look at this:

http://lists.debian.org/debian-firewall/2003/debian-firewall-200301/msg00030.html

Specifically, as Jason McCarty says:

If you did have them, they would go in INPUT. However, you already log
and drop them. However, a real concern is that someone could easily fill
up your logs with junk packets. You can prevent this by putting a limit
match (-m limit --limit 2/min  for example) in your LOG lines. The
problem with that is that you might miss some important packets since the
few that are getting logged are unimportant. I don't really know a solution



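The trade-off Jason McCarty describes above (a global `-m limit` keeps a flood from filling the log, but then the flood also crowds out the few packets worth seeing) has a standard mitigation that the thread does not mention: rate-limit per source address, so one flooder only exhausts its own logging budget. The script below is an added example, not code from the thread or from Debian; it assumes a hypothetical chain name `log_drop`, an external interface passed in by the caller, and the iptables `hashlimit` match. With `DRY_RUN` set it prints the rules instead of applying them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): three ways to log dropped packets,
# from "fills the log" to "one flooder cannot drown the others".
# Assumptions: chain name log_drop is hypothetical; the external
# interface is passed in by the caller; the hashlimit match is available.

IPT=${IPT:-/sbin/iptables}
LOG_CHAIN=log_drop

# Execute an iptables command, or just print it when DRY_RUN is set,
# so the generated ruleset can be inspected without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Variant 1: unlimited LOG. Every unwanted packet becomes a log line,
# which is exactly what lets junk packets fill the disk.
log_unlimited() {
    run "$IPT" -A "$LOG_CHAIN" -j LOG --log-prefix "fw-drop: "
    run "$IPT" -A "$LOG_CHAIN" -j DROP
}

# Variant 2: one global token bucket (the 3/min from the thread, plus a
# burst so a short spike is still recorded). A flood from one source
# consumes the whole budget, so packets from other sources go unlogged.
log_global_limit() {
    run "$IPT" -A "$LOG_CHAIN" -m limit --limit 3/min --limit-burst 5 \
        -j LOG --log-prefix "fw-drop: "
    run "$IPT" -A "$LOG_CHAIN" -j DROP
}

# Variant 3: one token bucket per source IP (hashlimit). The flooder is
# throttled to 3 lines a minute while a single probe from anyone else
# is still logged; the hash table expires idle entries on its own.
log_per_source_limit() {
    run "$IPT" -A "$LOG_CHAIN" -m hashlimit --hashlimit-name fwdrop \
        --hashlimit-mode srcip --hashlimit-upto 3/min --hashlimit-burst 5 \
        -j LOG --log-prefix "fw-drop: "
    run "$IPT" -A "$LOG_CHAIN" -j DROP
}

# Create the chain, fill it with the chosen variant and hook it in as the
# last INPUT rule for the external interface, i.e. after the rules that
# ACCEPT the services you actually offer.
install_logging() {
    variant=$1 ext_if=$2
    run "$IPT" -N "$LOG_CHAIN"
    "$variant"
    run "$IPT" -A INPUT -i "$ext_if" -j "$LOG_CHAIN"
}

# Stand-alone use: DRY_RUN=1 sh thisscript.sh ppp0
if [ -n "${1:-}" ]; then
    install_logging log_per_source_limit "$1"
fi
```

The per-source variant does not remove the dilemma entirely (a distributed flood from many addresses still produces many lines), but it turns the common case, one noisy host, into three lines a minute from that host and full visibility of everyone else.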



Re: port forwarding for emule

2003-06-22 Thread Clemens Wohld
Hello, 

* On Tue, Jun 17, 2003 at 03:09:06PM +0200, Michael Tuschik wrote:
 
 On Tue, Jun 17, 2003 at 02:29:28PM +0200, longman wrote:
  [...]
  
  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -d 213.168.117.179 -j DNAT --to 192.168.0.10:4662
  iptables -A FORWARD -p tcp --dport 4662 -d 192.168.0.10 -i ppp0 -o 192.168.0.1 -j ACCEPT

  What did I do wrong, or rather, what did I get wrong?

Since you ask, take a look at the 2nd chain! Do you see that
only -o is set there instead of -to?
Or is that a typo in the mail??

I opened the xMule port in my fw and that was that.
If you ask the emule/xmule freaks, you should put the following
into ip-up:

iptables -A PREROUTING -t nat -p tcp -d $4 --dport 4662 -j DNAT --to 192.168.0.10:4662
iptables -A PREROUTING -t nat -p udp -d $4 --dport 4672 -j DNAT --to 192.168.0.10:4672

Port 4672 is used on UDP
Port 4662 is used on TCP

pppd passes 6 parameters ($1-6) to ip-up; $4 is the external IP.

Regards, Clemens Wohld 


PS: Why eMule under Windows at all?? There is xMule for
Linux ;)

-- 
sig_01
My signatures are random sigs and do not refer to the author
of the mail. That way the sig does make sense.
Doesn't it? ;-) For errors/ideas please send me a mail. Thanks.
X-page with more help = [ http://urlz.de/xpage/ ]
--


-- 
Frequently asked questions and answers (FAQ): 
http://www.de.debian.org/debian-user-german-FAQ/

To UNSUBSCRIBE send a mail to [EMAIL PROTECTED]
with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (engl)



Re: port forwarding for emule

2003-06-18 Thread longman
Hello,

thank you very much for your help. So I wasn't that far off after all. But emule
still complains. I don't know what's causing it either.

Regards
Michael

- Original Message - 
From: Sebastian Heinlein [EMAIL PROTECTED]
To: longman [EMAIL PROTECTED]; Debian Mailing Liste German
[EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 6:57 AM
Subject: Re: port forwarding for emule


 On Tue, 2003-06-17 at 14.29, longman wrote:
  Hello,
 
  on my Windows box (192.168.0.10) emule is also running. emule uses
  port 4662.
  My Windows box hangs off a router (192.168.0.1). Routing with
  masquerade and NAT works too. I just don't have much of a clue
  how to do port forwarding (port 4662).
  According to a guide on the Internet it should work roughly like this.
  But emule still complains "Your port 4662 is not reachable".
 
  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -d 213.168.117.179 -j DNAT --to 192.168.0.10:4662
  iptables -A FORWARD -p tcp --dport 4662 -d 192.168.0.10 -i ppp0 -o 192.168.0.1 -j ACCEPT
 
  What did I do wrong, or rather, what did I get wrong?
 
  Can't the -d 213.168.117.179 be automated somehow?
  I don't want to retype the commands after every forced disconnect
  every 12 hours, especially ifconfig for the IP of ppp0.
 
  Regards
  Michael


 iptables -t nat -A PREROUTING -i ppp0 -p tcp \
 --dport 4662 -j DNAT --to 192.168.0.10:4662
 iptables -A FORWARD -i ppp0 -p tcp --dport 4662 \
 -d 192.168.0.10 -j ACCEPT

 You can simply leave out the Internet IP. If you're already running
 eMule, that's a degree of security that is negligible.

 Sebastian







Re: port forwarding for emule

2003-06-18 Thread Dieter Franzke
Hi,

On Wednesday, 18 June 2003 07:41, longman wrote:
 Hello,

 thank you very much for your help. So I wasn't that far off after all.
 But emule still complains. I don't know what's causing it
 either.

sorry for my first posting... I should have read the thread too.

...my remarks applied to lmule under Linux..

sorry..it's still a bit early...

dieter




Re: port forwarding for emule

2003-06-18 Thread Dieter Franzke
Hi,

On Wednesday, 18 June 2003 07:41, longman wrote:
 Hello,

 thank you very much for your help. So I wasn't that far off after all.
 But emule still complains. I don't know what's causing it
 either.

I've found that lmule complains when there are still connections 
on port 4662 at startup.
So: run a netstat (-tuonp) before starting and check whether 
anything is still connected on the port.
It can take a while after quitting until all connections 
are closed.
Only start lmule once none are open any more.

At least that works very well under FreeBSD.
Best of all: compile the thing yourself, it runs better!

ciao

dieter




Re: port forwarding for emule

2003-06-18 Thread Michael Renner
On Wednesday 18 June 2003 07:41, longman wrote:
 Hello,

Hi,

 thank you very much for your help. So I wasn't that far off after all. But emule
 still complains. I don't know what's causing it either.

I have a similar solution, and it works. For me the relevant lines in 
/etc/init.d/firewall look like this:

IPT=/sbin/iptables
INT=ppp0
.
.
.
$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE
$IPT -A INPUT -i $INT -m state --state RELATED,ESTABLISHED -j ACCEPT
# edonkey forward to cassiopeia
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 4661:4663 -j DNAT --to 192.168.2.53
$IPT -t nat -A PREROUTING -i $INT -p udp --dport 4665 -j DNAT --to 192.168.2.53

CU
-- 
+-+
|Michael Renner   |   |
|MPI fuer biologische Kybernetik  |Phone: +49-7071-601-638|
|Spemannstr.38, D-72076 Tuebingen |FAX:   +49-7071-601-616|
|[EMAIL PROTECTED]  |   |
+ESC:wq




Re: port forwarding for emule

2003-06-17 Thread Michael Tuschik
Hi,

On Tue, Jun 17, 2003 at 02:29:28PM +0200, longman wrote:
 [...]
 
 iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -d 213.168.117.179 -j DNAT --to 192.168.0.10:4662
 iptables -A FORWARD -p tcp --dport 4662 -d 192.168.0.10 -i ppp0 -o 192.168.0.1 -j ACCEPT
 
 What did I do wrong, or rather, what did I get wrong?

Actually nothing. Both rules are just missing a second time for UDP packets.
So the same lines again, with tcp replaced by udp.

You only need FORWARD, though, if the default policy for
FORWARD is not set to ACCEPT. The same applies to INPUT, by the way.

 
 Can't the -d 213.168.117.179 be automated somehow?
 I don't want to retype the commands after every forced disconnect
 every 12 hours, especially ifconfig for the IP of ppp0.

Put the whole thing in a script under /etc/ppp/ip-up.d/
Those are run when you establish an Internet connection.
The IP address is passed along in the environment too (I can't
recall the name of the variable right now).

Maybe someone has a tip on how I can remove those very rules
again in a script under /etc/ppp/ip-down.d/.

Regards
Micha




Re: port forwarding for emule

2003-06-17 Thread Peter Blancke
longman [EMAIL PROTECTED] dixit:

Dear longman, beat up your parents for such a first name
if you like, but for the list set it correctly, otherwise
you won't get any more suggested solutions. Clear?

 on my Windows box (192.168.0.10) emule is also running. emule
 uses port 4662.

Isn't emule that thing that constantly clogs up the lines?
I don't really know it.

When I evaluate my firewall entries, though, I find that
emule _presumably_ wants the ports from 4660 to 4675 open
and isn't content with tcp alone, but wants udp too.

 Can't the -d 213.168.117.179 be automated somehow?

You can leave that out. It isn't strictly necessary to give the
destination IP. It is sensible. You can automate the process by
resetting the firewall entries automatically _after_ receiving your
IP. That's done under /etc/ip-up.d/

Regards

Peter Blancke

-- 
Hoc est enim verbum meum!


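Micha's open question (how to remove the rules again from ip-down.d), Clemens's use of $4 and Peter Blancke's "reset the entries after you get your IP" come together in the script below. It is an added example, not code from the thread or from Debian. It puts the forwarding rules into their own chains (hypothetical name `ppp_fwd`) so that ip-down can delete everything with `-F` and `-X` instead of replaying every rule with `-D`, and it reads the interface and local address either from the positional parameters pppd passes ($1 and $4) or from the `PPP_IFACE`/`PPP_LOCAL` variables that Debian's /etc/ppp/ip-up exports to its run-parts scripts. The LAN host 192.168.0.10 and the ports are the ones from the thread; `DRY_RUN` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): one script, symlinked into both
# /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/, that installs the eMule
# DNAT rules when ppp comes up and removes them cleanly when it goes down.
# Assumptions: chain name ppp_fwd is hypothetical; LAN host and ports are
# the ones discussed in the thread.

IPT=${IPT:-/sbin/iptables}
CHAIN=ppp_fwd
LAN_HOST=192.168.0.10
TCP_PORT=4662
UDP_PORT=4672

# Execute an iptables command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Install: a chain in the nat table does the DNAT, a chain in the filter
# table lets the forwarded packets through FORWARD. Matching on -d $ext_ip
# keeps the rule from grabbing packets for other addresses on the link,
# and because $ext_ip is refreshed on every reconnect it never goes stale.
fwd_up() {
    iface=$1 ext_ip=$2
    run "$IPT" -t nat -N "$CHAIN"
    run "$IPT" -t nat -A PREROUTING -i "$iface" -d "$ext_ip" -j "$CHAIN"
    run "$IPT" -t nat -A "$CHAIN" -p tcp --dport "$TCP_PORT" \
        -j DNAT --to-destination "$LAN_HOST:$TCP_PORT"
    run "$IPT" -t nat -A "$CHAIN" -p udp --dport "$UDP_PORT" \
        -j DNAT --to-destination "$LAN_HOST:$UDP_PORT"
    run "$IPT" -N "$CHAIN"
    run "$IPT" -A FORWARD -i "$iface" -d "$LAN_HOST" -j "$CHAIN"
    run "$IPT" -A "$CHAIN" -p tcp --dport "$TCP_PORT" -j ACCEPT
    run "$IPT" -A "$CHAIN" -p udp --dport "$UDP_PORT" -j ACCEPT
}

# Remove: unhook the jump rules (the only ones in built-in chains), then
# flush and delete the private chains. Nothing else in the ruleset is
# touched, and the script does not need to know which rules it added.
fwd_down() {
    iface=$1 ext_ip=$2
    run "$IPT" -t nat -D PREROUTING -i "$iface" -d "$ext_ip" -j "$CHAIN"
    run "$IPT" -t nat -F "$CHAIN"
    run "$IPT" -t nat -X "$CHAIN"
    run "$IPT" -D FORWARD -i "$iface" -d "$LAN_HOST" -j "$CHAIN"
    run "$IPT" -F "$CHAIN"
    run "$IPT" -X "$CHAIN"
}

# pppd calls ip-up/ip-down as: iface tty speed local-IP remote-IP ipparam.
# Debian's wrappers export the same values as PPP_IFACE, PPP_LOCAL, ...
# before running the ip-up.d/ip-down.d scripts. The directory the script
# was invoked from decides the action, so one file serves both.
case $0 in
    */ip-up.d/*)   fwd_up   "${PPP_IFACE:-$1}" "${PPP_LOCAL:-$4}" ;;
    */ip-down.d/*) fwd_down "${PPP_IFACE:-$1}" "${PPP_LOCAL:-$4}" ;;
esac
```

Inspect the result with `DRY_RUN=1 PPP_IFACE=ppp0 PPP_LOCAL=203.0.113.5 sh /etc/ppp/ip-up.d/emule` before trusting it to a reconnect; after a real ip-down, `iptables -t nat -L PREROUTING -n` should show no jump to the chain and `iptables -t nat -L ppp_fwd` should report that the chain does not exist.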



Re: port forwarding for emule

2003-06-17 Thread Sebastian Heinlein
On Tue, 2003-06-17 at 14.29, longman wrote:
 Hello,
 
 on my Windows box (192.168.0.10) emule is also running. emule uses port
 4662.
 My Windows box hangs off a router (192.168.0.1). Routing with
 masquerade and NAT works too. I just don't have much of a clue
 how to do port forwarding (port 4662).
 According to a guide on the Internet it should work roughly like this.
 But emule still complains "Your port 4662 is not reachable".
 
 iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -d 213.168.117.179 -j DNAT --to 192.168.0.10:4662
 iptables -A FORWARD -p tcp --dport 4662 -d 192.168.0.10 -i ppp0 -o 192.168.0.1 -j ACCEPT
 
 What did I do wrong, or rather, what did I get wrong?
 
 Can't the -d 213.168.117.179 be automated somehow?
 I don't want to retype the commands after every forced disconnect
 every 12 hours, especially ifconfig for the IP of ppp0.
 
 Regards
 Michael


iptables -t nat -A PREROUTING -i ppp0 -p tcp \
--dport 4662 -j DNAT --to 192.168.0.10:4662
iptables -A FORWARD -i ppp0 -p tcp --dport 4662 \
-d 192.168.0.10 -j ACCEPT

You can simply leave out the Internet IP. If you're already running
eMule, that's a degree of security that is negligible.

Sebastian





Re: permanent port forwarding

2003-03-18 Thread Laurent Coustet
PII 233 [EMAIL PROTECTED] writes:

 Hello

 I've turned the documentation every which way and I can't see
 any way to set up, via the sshd configuration, a port forwarding
 that is, if not permanent, at least there by default,
 carried out as soon as the daemon starts.
 I'm forced to open a session each time, manually.
 Via a script I imagine it's possible, but if it dies,
 the forwarding is no longer ensured (because it's absent from
 the sshd config), and it forces me to store a private key on the server.

 Is there a simple solution that I've missed?


Use iptables to do your port forwarding? :)
something like: 

$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE --dport 8090 -j DNAT --to 192.168.1.2:8090

++

-- 
Laurent Coustet
http://www.zehome.com/
http://www.debian-fr.org/ o_O



Re: Port forwarding

2002-11-14 Thread Luciano Ruete

Wcom wrote:

 Folks, I have a question. I have a firewall that does port forwarding to a
 server that is in the DMZ and has a public IP (public IP = eth0 --
 LAN IP = eth1). The thing is that I want to create sub-interfaces:

 public IP = eth0   -- LAN IP = eth1
 public IP = eth0.1 -- LAN IP = eth1
 public IP = eth0.2 -- LAN IP = eth1
 because 2 more servers are being added; the script I use for the port
 forwarding is this:

 $IP -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.0.18:80

 but it says eth0 and I think iptables doesn't pick up sub-interfaces 


Exactly, from 2.4 kernels on the aliases of eth0 match on eth0, and so on...


 this would have to end up like this; if it's right, correct me.


 $IP -A PREROUTING -t nat -p tcp -d 200.55.8.3/24 --dport 80 -j DNAT --to 192.168.0.18:80
                                              ^
It's a single machine, not a network! The /24 is superfluous; just leave 
the address, likewise for the ones below.


 $IP -A PREROUTING -t nat -p tcp -d 200.55.8.4/24 --dport 80 -j DNAT --to 192.168.0.19:80
 $IP -A PREROUTING -t nat -p tcp -d 200.55.8.5/24 --dport 80 -j DNAT --to 192.168.0.20:80


Other than that it's fine.

Regards!!!

--
Luciano




Re: Port forwarding

2002-11-14 Thread German Gutierrez
* Legend has it that Wcom ([EMAIL PROTECTED]) wrote:
 Folks, I have a question. I have a firewall that does port forwarding to a
 server that is in the DMZ and has a public IP (public IP = eth0 --
 LAN IP = eth1). The thing is that I want to create sub-interfaces:
 
 public IP = eth0   -- LAN IP = eth1
 public IP = eth0.1 -- LAN IP = eth1
 public IP = eth0.2 -- LAN IP = eth1
 because 2 more servers are being added; the script I use for the port
 forwarding is this:
 
 $IP -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.0.18:80
 but it says eth0 and I think iptables doesn't pick up sub-interfaces; this
 would have to end up like this; if it's right, correct me.
 
 $IP -A PREROUTING -t nat -p tcp -d 200.55.8.3/24 --dport 80 -j DNAT --to 192.168.0.18:80
 $IP -A PREROUTING -t nat -p tcp -d 200.55.8.4/24 --dport 80 -j DNAT --to 192.168.0.19:80
 $IP -A PREROUTING -t nat -p tcp -d 200.55.8.5/24 --dport 80 -j DNAT --to 192.168.0.20:80
 
 
Asking naively, why not use an apache proxy for each virtual
host, instead of consuming IPs?

-- 
Regards,

Germán



Re: Port Forwarding

2002-08-10 Thread Christian Schmidt

Sacher Khoudari wrote on 10.08.2002:

 Christian Schmidt wrote:
 Why don't you ask your computing centre whether they have blocked
 any ports - that sort of thing isn't unusual.
 
 Of course they have ;) But how do I get around that now?

As a member of the IT administration at our department I
would say: you don't!

Perhaps you can achieve something with an ssh tunnel, though...
Linux-Magazin has published a few quite interesting articles on this
topic in the last few issues.

Regards,
Christian

-- 
Christian Schmidt | Germany | [EMAIL PROTECTED]
PGP Key ID: 0x4BB05393






Re: Port Forwarding

2002-08-09 Thread Dieter Schuster

Hi there!

On Mon, 05 August 2002, Rene Lemke wrote:
 Hello,
 
  The computing centre (or BelWü, who provide the lines for the
  universities and schools in Baden-Würtemberg) has unfortunately
  blocked certain ports, among them FTP and IMAP.
 
 Isn't that the odd state where the Internet is supposed to be
 censored and the providers are obediently compliant in advance?

No, that was/is in North Rhine-Westphalia. In Düsseldorf, to be
precise. There is no (official?) censorship here, even though
the devil governs us.


Dieter, who still lives in Baden-Wür_tt_emberg...

-- 
Registered Linux user #186360 - GnuPG Key-ID: FDE465C9
Prefers encrypted emails.

Nothing is as it seems, everything is permitted!





Re: Port Forwarding

2002-08-09 Thread Dirk Prösdorf

On Sat, Aug 10, 2002 at 03:04:57AM +0200, Sacher Khoudari wrote:
 Christian Schmidt wrote:
 Why don't you ask your computing centre whether they have blocked
 any ports - that sort of thing isn't unusual.
 
 Of course they have ;) But how do I get around that now?

a) By binding the application to a port that is not blocked.
b) By tunnelling the application over SSH (man ssh -L port:host:hostport).
c) By tunnelling the application over stunnel.
d) By redirecting the port using ipchain|iptable.
e) By convincing your network admin to open the port
   (will probably result in a 'lart' though).

Take your pick.






Re: port forwarding

2002-06-05 Thread Derrick 'dman' Hudson
On Mon, Jun 03, 2002 at 12:23:58PM -0700, Vineet Kumar wrote:
| * Paul Johnson ([EMAIL PROTECTED]) [020603 08:34]:
|  iptables just confuses me at times.
|  
|  I'm trying to figure out how to forward all packets hitting this machine
|  on one port to a port on another machine inside my network.  I'm kinda
|  stumped.
| 
| $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $PORT \
|   -j DNAT --to-destination $OTHER_IP
| 
| Should do it. The reason I give $EXT_IF up there is I'm assuming that
| the machine doing the DNAT is a gateway of some sort.
| 
| If you're trying to get it working for machines within your network, it
| won't work:

Actually, it will if you do SNAT as well.  That makes the replies go
through the NAT system as well as the requests (which must already be
going through the gateway for the DNAT to happen).  An example of
doing this is in the netfilter HOWTO.

HTH,
-D

-- 

Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.
Albert Einstein
 
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg





Re: port forwarding

2002-06-04 Thread prover
I'M NOT MEMER OF YOUR MAILING LISTS.

WHY THIS MAILS COME TO ME?
EVERY DAY COME TO ME 200 MAILS FROM YOUR MAILING LISTS.

CAN YOU DO SOMETHING WITH IT?

 THANK YOU.

- Original Message -
From: Eric G. Miller egm2@jps.net
To: debian-user@lists.debian.org
Sent: Tuesday, June 04, 2002 3:34 AM
Subject: Re: port forwarding


 On Mon, Jun 03, 2002 at 11:21:28AM -0700, ben wrote:
  On Monday 03 June 2002 05:01 am, Paul Johnson wrote:
 
  hey ballo, for the last couple of days, your posts are showing up as
msg.pgp
  attachments; i.e., the attachments have to be viewed in order to see the
msg.

 Probably a function of the mail reader. Mutt shows them inline...

 --
 Eric G. Miller egm2@jps.net








Re: port forwarding

2002-06-04 Thread Rudy Gevaert
On Tue, Jun 04, 2002 at 07:14:31PM +0200, prover wrote:
 I'M NOT MEMER OF YOUR MAILING LISTS.

what's a MEMER?

 WHY THIS MAILS COME TO ME?
 EVERY DAY COME TO ME 200 MAILS FROM YOUR MAILING LISTS.
 
 CAN YOU DO SOMETHING WITH IT?

Have you got dirt in your eyes?  Every e-mail from this list has the
following message at the bottom:

To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]

Well what are you going to do about it?  


Cheers,
-- 
Rudy Gevaert - [EMAIL PROTECTED]  - http://www.zeus.rug.ac.be  
keyserverID=24DC49C6 -  http://www.webworm.org 
I'm a GNU/Linux advocate. Every action against my beliefs is useless


Everything that can be invented has been invented. 
 - Charles H. Duell, Commissioner, U.S. Office of Patents, 1899





Clueless subscriber (was: Re: port forwarding)

2002-06-04 Thread René Seindal
On Tue, Jun 04, 2002 at 07:49:39PM +0200, Rudy Gevaert wrote:
 On Tue, Jun 04, 2002 at 07:14:31PM +0200, prover wrote:
  I'M NOT MEMER OF YOUR MAILING LISTS.

I got tired of this guy, so I bounce all his 'bounces'.

This procmail recipe does it:

:0
* ^X-Envelope-Sender: [EMAIL PROTECTED]
[EMAIL PROTECTED]

They don't appear to return to the list, so if enough of us do so, his
ISP might drop him.  At least that'll stop it if nothing else will.

I have written to the fellow, but he is probably so clueless he wouldn't
know how to unsubscribe anyway.


-- 
René Seindal ([EMAIL PROTECTED])  http://www.seindal.dk/rene/
 





Re: port forwarding

2002-06-04 Thread Mike Dresser


On Tue, 4 Jun 2002, Rudy Gevaert wrote:

 On Tue, Jun 04, 2002 at 07:14:31PM +0200, prover wrote:
  I'M NOT MEMER OF YOUR MAILING LISTS.

 what's a MEMER?

  WHY THIS MAILS COME TO ME?
  EVERY DAY COME TO ME 200 MAILS FROM YOUR MAILING LISTS.
 
  CAN YOU DO SOMETHING WITH IT?

 Do you got dirt in your eyes?  Every e-mail from this list has the
 following message at the bottom:

 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact
 [EMAIL PROTECTED]

 Well what are you going to do about it?

From the number of posts made, to the various number of groups, I'm
guessing..

WE HAVE A TROLL

I've emailed his university's abuse address, hopefully they will pull his
connection until the AOL has drained out of his blood.





Re: port forwarding

2002-06-03 Thread ben
On Monday 03 June 2002 05:01 am, Paul Johnson wrote:

hey ballo, for the last couple of days, your posts are showing up as msg.pgp 
attachments; i.e., the attachments have to be viewed in order to see the msg.

ben





Re: port forwarding

2002-06-03 Thread Vineet Kumar
* Paul Johnson ([EMAIL PROTECTED]) [020603 08:34]:
 iptables just confuses me at times.
 
 I'm trying to figure out how to forward all packets hitting this machine
 on one port to a port on another machine inside my network.  I'm kinda
 stumped.

$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $PORT \
-j DNAT --to-destination $OTHER_IP

Should do it. The reason I give $EXT_IF up there is I'm assuming that
the machine doing the DNAT is a gateway of some sort.

If you're trying to get it working for machines within your network, it
won't work:

Machine A - just some machine on your network
Machine D - the machine doing the DNAT
Machine B - the $OTHER_IP listed above

When A tries to connect to D on $PORT, the packets are re-sent to B. B
sees a connection from A, and tries to respond to A, but A says "wtf?
I'm not trying to talk to B!" and sends an RST, meanwhile waiting,
retransmitting, and timing-out trying to connect to D. It works when D is
a gateway between the machines because the return packets from B to A go
through D where they are un-natted so that A sees them as part of the
original connection.

Perhaps you already know all this, but your exact setup was unclear in
your original post. We can probably tell you exactly what's not working
and how to make it better if you give us:

a little bit of the network topology you're trying to use. (i.e. D is a
gateway on the Internet, B is a machine in my private 192.168 LAN, and I
want to DNAT requests coming from other Internet hosts, or something
equally brief, but accurate to your setup)

What commands you have tried and what results and/or log entries (if
any) you have gotten.

A bit of info about the rest of your firewall setup. Are you filtering
as well? If D is a gateway as above, is all of the necessary traffic
being allowed through FORWARD ?

good times,
Vineet
-- 
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml


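Vineet's A/D/B walk-through above, together with Derrick's follow-up earlier in the archive (add an SNAT so the replies also pass through D), in rule form. This is an added example, not Vineet's or Derrick's code and not from the netfilter HOWTO. It assumes a LAN 192.168.0.0/24 whose gateway D has the inside address 192.168.0.1; the public address, port and target host B are passed as parameters, and `DRY_RUN` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT for traffic arriving from the
# outside, and the extra DNAT+SNAT pair ("hairpin NAT") that makes the same
# forwarding work for clients inside the LAN.
# Assumptions: LAN 192.168.0.0/24 and gateway inside address 192.168.0.1.

IPT=${IPT:-/sbin/iptables}
LAN_NET=192.168.0.0/24
LAN_GW=192.168.0.1

# Execute an iptables command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The rule from the thread: packets entering on the external interface
# are rewritten to $other_ip, and FORWARD must let them through. The
# replies from B naturally return via D (its default gateway), where
# conntrack reverses the DNAT.
dnat_external() {
    ext_if=$1 port=$2 other_ip=$3
    run "$IPT" -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "$other_ip"
    run "$IPT" -A FORWARD -i "$ext_if" -d "$other_ip" -p tcp --dport "$port" \
        -j ACCEPT
}

# Same service reached from inside the LAN via the public address.
# Without the SNAT, B would answer A directly (both are on the LAN), A
# would see a reply from an address it never contacted and send an RST.
# SNAT to the gateway's own LAN address forces the reply back through D,
# which undoes both translations and hands A a packet from $ext_ip.
# The cost: B's logs show every hairpinned client as $LAN_GW, not as A.
dnat_hairpin() {
    ext_ip=$1 port=$2 other_ip=$3
    run "$IPT" -t nat -A PREROUTING -s "$LAN_NET" -d "$ext_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$other_ip"
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -d "$other_ip" -p tcp --dport "$port" \
        -j SNAT --to-source "$LAN_GW"
    run "$IPT" -A FORWARD -s "$LAN_NET" -d "$other_ip" -p tcp --dport "$port" \
        -j ACCEPT
}

# Stand-alone use: DRY_RUN=1 sh thisscript.sh eth0 203.0.113.5 80 192.168.0.18
if [ $# -eq 4 ]; then
    dnat_external "$1" "$3" "$4"
    dnat_hairpin  "$2" "$3" "$4"
fi
```

Both FORWARD rules still assume that established and related traffic is accepted somewhere in FORWARD, as in the usual `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule; without that the replies are translated correctly and then dropped.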


Re: port forwarding

2002-06-03 Thread John
On Mon, Jun 03, 2002 at 05:01:31AM -0700, Paul Johnson wrote:
 iptables just confuses me at times.

iptables confuses me all the time :))


 I'm trying to figure out how to forward all packets hitting this
 machine
 on one port to a port on another machine inside my network.  I'm kinda
 stumped.

I've been using shorewall, and as a firewall dummy, I think it does a
good job.  Good documentation.

btw, with your message I got:
gpg: Can't check signature: public key not found

John

-- 
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
http://www.debian.org/
http://www.pdxlinux.org/
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-




Re: port forwarding

2002-06-03 Thread Eric G. Miller
On Mon, Jun 03, 2002 at 11:21:28AM -0700, ben wrote:
 On Monday 03 June 2002 05:01 am, Paul Johnson wrote:
 
 hey ballo, for the last couple of days, your posts are showing up as msg.pgp 
 attachments; i.e., the attachments have to be viewed in order to see the msg.

Probably a function of the mail reader. Mutt shows them inline...

-- 
Eric G. Miller egm2@jps.net





Re: Port-Forwarding

2002-06-01 Thread Raffael Himmelreich

Eckhard Sebastian Maass [EMAIL PROTECTED] wrote:
 I would like to forward incoming SSH connections on my router on a
 specific port (e.g. 1500) to a specific machine on the internal network,
 to its normal SSH port 22.
 The router is Potato with a 2.2.19 kernel.

Hello,
take a look at `ipmasqadm portfw -help`. I think that will help you with
your problem; the syntax isn't really cryptic either.
Regards, Raffi






Re: Port-Forwarding

2002-06-01 Thread Eckhard Sebastian Maass

* Eckhard Maass [EMAIL PROTECTED]:
 * Raffael Himmelreich [EMAIL PROTECTED]:
 Now an 'ssh -p 3450 Homer' on 192.168.11.2 just runs itself to death
 :-(

Hmm, during all this I get 'icmplogd: source route from
[192.168.11.1]' in the log. That surely means something, but
google hasn't helped me this time.

SEcki
-- 
The broad mass of a nation... will more easily fall victim to a big lie
than to a small one.
-- Adolf Hitler, Mein Kampf






Re: Port forwarding from the ip-up scripts

2001-08-14 Thread Michael Heldebrant
On 14 Aug 2001 13:17:45 +0100, Ben Tullis wrote:
 Hello folks.
 I am having some degree of trouble getting port forwarding to work
 seamlessly.  The firewall is a potato box running ipchains and the default
 ipmasq scripts.
 
 I can manually run:
 
 ipmasqadm portfw -a -P tcp -L (current IP address of ppp0) 80 -R
 192.168.1.50 80
 
 without any problem, but I have been trying to get it to initialise from the
 ip-up scripts.
 Like this
 
 #!/bin/sh
 # This script is /etc/ppp/ip-up.d/fw
 ipmasqadm portfw -f
 ipmasqadm -p tcp -L $4 80 -R 192.168.1.50 80
It looks like you are missing a few things in the above line.  I THINK it 
should be:

ipmasqadm portfw -a -P tcp -L $4 80 -R 192.168.1.50 80

You have it right on your above line that you manually run.

--mike



Re: port forwarding

2001-08-06 Thread Mike McGuire
On Sun, Aug 05, 2001 at 02:36:45PM -0400, Michael P. Soulier wrote:
 Hey people. 
 
 I'm trying to set up port forwarding to permit file sharing with napster
 from behind my firewall. So, looking up a friendly howto, I then entered this:
 
 rabbit:~# ipmasqadm portfw -a -P tcp -L 24.114.252.76 6699 -R 192.168.0.2 
 6699 
 portfw: setsockopt failed: Invalid argument

In my experience, the cryptic Invalid argument error means there's 
something missing in the kernel that the command requires. I don't 
know what ipmasqadm needs; if it runs on top of ipchains I think you 
need at least a 2.2.x kernel. (2.0.x has ipfwadm, 2.2.x has ipchains, 
and now 2.4.x has iptables (with backward compatibility for the other 
two)). You might want to read some docs, this kind of thing should be 
explained.

HTH,
Mike McGuire



Re: port forwarding

2001-08-06 Thread Michael Heldebrant
On 06 Aug 2001 12:07:45 -0400, Mike McGuire wrote:
 On Sun, Aug 05, 2001 at 02:36:45PM -0400, Michael P. Soulier wrote:
  Hey people. 
  
  I'm trying to set up port forwarding to permit file sharing with napster
  from behind my firewall. So, looking up a friendly howto, I then entered 
  this:
  
  rabbit:~# ipmasqadm portfw -a -P tcp -L 24.114.252.76 6699 -R 192.168.0.2 
  6699 
  portfw: setsockopt failed: Invalid argument
 
 In my experience, the cryptic Invalid argument error means there's 
 something missing in the kernel that the command requires. I don't 
 know what ipmasqadm needs; if it runs on top of ipchains I think you 
 need at least a 2.2.x kernel. (2.0.x has ipfwadm, 2.2.x has ipchains, 
 and now 2.4.x has iptables (with backward compatibility for the other 
 two)). You might want to read some docs, this kind of thing should be 
 explained.
 
 HTH,
 Mike McGuire
 
 
 
 




Re: port forwarding

2001-08-06 Thread Michael Heldebrant
Sorry about the blank post.  Still getting used to evolution.  I was
wondering if I could see the ipchains -L -v, netstat -M and uname -a
output from the machine in question.
--mike

On 06 Aug 2001 11:18:25 -0500, Michael Heldebrant wrote:
 On 06 Aug 2001 12:07:45 -0400, Mike McGuire wrote:
  On Sun, Aug 05, 2001 at 02:36:45PM -0400, Michael P. Soulier wrote:
   Hey people. 
   
   I'm trying to set up port forwarding to permit file sharing with 
   napster
   from behind my firewall. So, looking up a friendly howto, I then entered 
   this:
   
   rabbit:~# ipmasqadm portfw -a -P tcp -L 24.114.252.76 6699 -R 192.168.0.2 
   6699 
   portfw: setsockopt failed: Invalid argument
  
  In my experience, the cryptic Invalid argument error means there's 
  something missing in the kernel that the command requires. I don't 
  know what ipmasqadm needs; if it runs on top of ipchains I think you 
  need at least a 2.2.x kernel. (2.0.x has ipfwadm, 2.2.x has ipchains, 
  and now 2.4.x has iptables (with backward compatibility for the other 
  two)). You might want to read some docs, this kind of thing should be 
  explained.
  
  HTH,
  Mike McGuire
  
  
  
  
 
 
 
 
 




Re: port forwarding

2001-08-05 Thread P Kirk
Actually those 2 lines are my full set of firewall rules.  Just waiting
for someone to show how they can be breached before I go for a more
complex setup ;-)



Re: port forwarding

2001-08-05 Thread P Kirk
This is appallingly primitive but it works for all services like Napster
ICQ and so on.


[EMAIL PROTECTED]:~$ cat /etc/init.d/firewall

echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/ipchains -P forward DENY

/sbin/ipchains -A forward -i ppp0 -s 192.168.0.0/24 -j MASQ


ipchains is in effect a frontend for netfilter so works on kernels 2.2
and 2.4

Others may have more sophisticated approaches but if all you need is
covered by this, you could use it until you get the clever ones
working.







Re: port forwarding

2001-08-05 Thread Michael P. Soulier
On Mon, Aug 06, 2001 at 12:02:57AM +0100, P Kirk wrote:
 Actually those 2 lines are my full set of firewall rules.  Just waiting
 for someone to show how they can be breached before I go for a more
 complex setup ;-)

Depends on what you're running I suppose. Some windows boxes might be more
secure just because they're running nothing, whereas with Linux you might be
running a ton of exploitable daemons. 

Mike

-- 
Michael P. Soulier [EMAIL PROTECTED] 
With sufficient thrust, pigs fly just fine. However, this is not necessarily a
good idea. It is hard to be sure where they are going to land, and it could be
dangerous sitting under them as they fly overhead. -- RFC 1925




Re: port forwarding

2001-08-05 Thread Michael P. Soulier
On Sun, Aug 05, 2001 at 10:21:10PM +0100, P Kirk wrote:

 I hate to say this but I have no idea why it works but if you leave the
 PC turned on all night, come the morning, lots of files have been
 uploaded.  So it works but I don't know why.

Well, I have forwarding enabled in much the same way, and it doesn't work
for me, but that's probably because I have the port blocked. I'll open the
port and see if that works. 

 Slightly OT but why bother with Napster ? KaZaA has the same
 functionality and works.  Appears lawyer proof in that it is a true P2P
 application.

Whatever. I need to learn this for all p2p apps. I have gnutella installed
too. 

Mike

-- 
Michael P. Soulier [EMAIL PROTECTED] 
With sufficient thrust, pigs fly just fine. However, this is not necessarily a
good idea. It is hard to be sure where they are going to land, and it could be
dangerous sitting under them as they fly overhead. -- RFC 1925




Re: port forwarding

2001-08-05 Thread P Kirk
|  /sbin/ipchains -A forward -i ppp0 -s 192.168.0.0/24 -j MASQ
| 
| But doesn't this just masquerade the outgoing connection, and responses?
| This won't help if a P2P client tries to initiate a connection with me while
| I'm behind the firewall. 
| 

I hate to say this but I have no idea why it works but if you leave the
PC turned on all night, come the morning, lots of files have been
uploaded.  So it works but I don't know why.

Slightly OT but why bother with Napster ? KaZaA has the same
functionality and works.  Appears lawyer proof in that it is a true P2P
application.




Re: port forwarding

2001-08-05 Thread Michael P. Soulier
On Sun, Aug 05, 2001 at 09:57:33PM +0100, P Kirk wrote:
 
 [EMAIL PROTECTED]:~$ cat /etc/init.d/firewall
 
 echo 1 > /proc/sys/net/ipv4/ip_forward
 
 /sbin/ipchains -P forward DENY
 
 /sbin/ipchains -A forward -i ppp0 -s 192.168.0.0/24 -j MASQ

But doesn't this just masquerade the outgoing connection, and responses?
This won't help if a P2P client tries to initiate a connection with me while
I'm behind the firewall. 

Mike

-- 
Michael P. Soulier [EMAIL PROTECTED] 
With sufficient thrust, pigs fly just fine. However, this is not necessarily a
good idea. It is hard to be sure where they are going to land, and it could be
dangerous sitting under them as they fly overhead. -- RFC 1925



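Mike's question is the right one: the MASQ rule rewrites outbound LAN connections and lets their replies back in, but nothing in those two lines lets a peer open a connection to a LAN host, and because every ipchains chain defaults to ACCEPT, a script that only sets "-P forward DENY" leaves the gateway's own daemons reachable on ppp0. The script below is an added example, not P Kirk's file or anything else posted in the thread: it keeps the same two rules and grows them into a full ruleset with a default-DENY input chain (LAN, loopback, replies, DNS answers and ICMP allowed), the outbound masquerade, and one inbound port handed to a LAN host with ipmasqadm portfw, using the addresses and port from the earlier rabbit example. Interface names, the DNS/ICMP allowances and the trailing logging rule are my choices. It prints the commands by default; APPLY=1 pipes them into sh, as root, on a 2.2 kernel.

```shell
#!/bin/sh
# Added example: ipchains + ipmasqadm ruleset for a 2.2 gateway that
# masquerades a LAN, forwards one inbound TCP port, and filters the gateway
# itself. Prints the commands; APPLY=1 executes them (root, on the gateway).

gateway_rules() {
    ext_if=$1 ext_ip=$2 lan_if=$3 lan_net=$4 int_host=$5 port=$6
    cat <<EOF
# let the kernel route between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# clean slate; every chain defaults to ACCEPT, so "-P forward DENY" alone
# leaves every daemon on the gateway reachable from $ext_if
/sbin/ipchains -F
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -P output ACCEPT
# loopback and the LAN side are trusted
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A input -i $lan_if -s $lan_net -j ACCEPT
# anti-spoofing: LAN addresses never arrive legitimately on the internet side
/sbin/ipchains -A input -i $ext_if -s $lan_net -l -j DENY
# replies to connections we opened: non-SYN TCP, UDP answers from DNS, ICMP
/sbin/ipchains -A input -i $ext_if -p tcp ! -y -j ACCEPT
/sbin/ipchains -A input -i $ext_if -p udp -s 0/0 53 -j ACCEPT
/sbin/ipchains -A input -i $ext_if -p icmp -j ACCEPT
# outbound from the LAN: rewrite the source as the packet leaves $ext_if
/sbin/ipchains -A forward -i $ext_if -s $lan_net -j MASQ
# inbound $port/tcp: the input chain sees the packet before the portfw
# rewrite, so accept it on the external address, then map it to the LAN host
/sbin/ipchains -A input -i $ext_if -p tcp -d $ext_ip $port -y -j ACCEPT
/sbin/ipmasqadm portfw -f
/sbin/ipmasqadm portfw -a -P tcp -L $ext_ip $port -R $int_host $port
# log whatever falls through, so a hang can be diagnosed in /var/log/messages
/sbin/ipchains -A input -i $ext_if -l -j DENY
EOF
}

# Defaults are the thread's addresses; pass your own as six arguments.
set -- "${1:-ppp0}" "${2:-24.114.252.76}" "${3:-eth0}" "${4:-192.168.0.0/24}" "${5:-192.168.0.2}" "${6:-6699}"
if [ "${APPLY:-0}" = 1 ]; then
    gateway_rules "$@" | sh      # as root, on the gateway
else
    gateway_rules "$@"           # dry run: just show the commands
fi
```

The ordering matters in one place only: the ACCEPT for the forwarded port must be on the input chain, because ipchains runs the input chain before the masquerading code rewrites the destination. Replies for the forwarded connection come back without SYN and are covered by the "! -y" rule, the same rule that admits replies to masqueraded LAN connections.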

Re: Local port forwarding

2000-10-17 Thread Diego Martínez Castañeda
On Tue, Oct 17, 2000 at 11:14:13AM +0200, Jaume Sabater scribbled:
 Hi.
 
 I'd like to make requests received on port X go to port Y on the
 same machine. I've been looking and it seems ipfmasqadm allows something
 similar, but from what I've read it only works between different
 devices (correct me if I'm wrong). Is there a way to do what I want
 without having to put another machine on the network? Could I perhaps
 use lo as a device distinct from eth0?


try redir

regards
diego
 



Re: Local port forwarding

2000-10-17 Thread Carlos López
ipmasqadm will solve your problem. It redirects, a kind
of NAT, a port on the firewall to a machine inside the
network.

--- Jaume Sabater [EMAIL PROTECTED] wrote:  Hi.
 
 I'd like to make requests received on port X go to port Y on the
 same machine. I've been looking and it seems ipfmasqadm allows
 something similar, but from what I've read it only works between
 different devices (correct me if I'm wrong). Is there a way to do
 what I want without having to put another machine on the network?
 Could I perhaps use lo as a device distinct from eth0?
 
 NOTE: I'm running potato with 2.2.15 and can't move to 2.4, it's
 for production.
 
 
 
 =
 Jaume Sabater i Lleal
 mailto:[EMAIL PROTECTED]
 =
 
 
 





Re: Local port forwarding

2000-10-17 Thread void
Hi Jaume 

What you describe is, I think, actually easy with ipchains.

When it's a redirect between local ports, and with transparent proxy
support compiled into the kernel:

CONFIG_IP_FIREWALL=y
CONFIG_IP_TRANSPARENT_PROXY=y

(I suppose it goes more or less like that, off the top of my head)

From memory, so it's possible I mess it up and get the ipchains syntax
wrong, it would be:

ipchains -A input -d ip/mask $PUERTO_A_REDIR -p tcp -j REDIRECT $PUERTO_NUEVO

I hope my memory doesn't betray me too much, but in any case I swear it
should work; if something's off, check the syntax.

Regards


[EMAIL PROTECTED]:~$ cd pub ##Victor Manuel Calzado Mayo
[EMAIL PROTECTED]:~$ more beer   ##Debian potato STABLE!!!

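The two kernel options void lists here, and Mike McGuire's reading of "setsockopt failed: Invalid argument" in the earlier thread (the command asks the kernel for something that was not compiled in), come down to the same check: is the option actually in the kernel? The script below is an added example, written for this page and not taken from either message. The option names are the real 2.2-series symbols; the sample .config fragment is constructed, and the default config path and the /proc/net/ip_masq/portfw check are assumptions noted in the comments.

```shell
#!/bin/sh
# Added example: check a 2.2-era kernel .config for the options the tools in
# these threads need before chasing "setsockopt failed: Invalid argument".

# ipmasqadm portfw needs the masquerading code plus the port-forwarding option
PORTFW_OPTS="CONFIG_IP_FIREWALL CONFIG_IP_MASQUERADE CONFIG_IP_MASQUERADE_IPPORTFW"
# the ipchains "-j REDIRECT" target (local port X -> port Y) needs transparent proxying
REDIRECT_OPTS="CONFIG_IP_FIREWALL CONFIG_IP_TRANSPARENT_PROXY"

# Constructed .config fragment: masquerading is in, port forwarding is not.
sample_config() {
cat <<'EOF'
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y
# CONFIG_IP_MASQUERADE_IPPORTFW is not set
CONFIG_IP_MASQUERADE_ICMP=y
EOF
}

# Read a kernel .config on stdin; print every option from the argument list
# that is neither built in (=y) nor a module (=m). Whole-line match, so
# CONFIG_IP_FIREWALL=y does not satisfy a check for CONFIG_FIREWALL.
missing_options() {
    cfg=$(cat)
    for opt in "$@"; do
        printf '%s\n' "$cfg" | grep -qx "$opt=[ym]" || echo "$opt"
    done
}

# Wrapper for a real file. /usr/src/linux/.config is where a self-built 2.2
# kernel keeps it (assumed default; pass another path as $1).
check_kernel() {
    conf=${1:-/usr/src/linux/.config}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    echo "portfw   missing: $(missing_options $PORTFW_OPTS < "$conf" | tr '\n' ' ')"
    echo "redirect missing: $(missing_options $REDIRECT_OPTS < "$conf" | tr '\n' ' ')"
}

# On a running 2.2 kernel the port-forwarding table shows up under /proc once
# the option is in and, if it was built modular, ip_masq_portfw is loaded
# (assumed path, taken from where ipmasqadm lists its entries).
portfw_loaded() {
    [ -r /proc/net/ip_masq/portfw ]
}

sample_config | missing_options $PORTFW_OPTS     # prints CONFIG_IP_MASQUERADE_IPPORTFW
```

A config that passes both checks but still gives "Invalid argument" usually means the running kernel is not the one that .config belongs to, which is worth confirming with uname -r before rebuilding anything.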



Re: Port Forwarding (reverse masquerading)

2000-10-12 Thread Sean Furey
Hi Peter!

 ipmasqadm portfw -a -P tcp -L extIP 80 -R 192.168.1.3 80
 
 extIP is my IP if ya didnt catch on ;) but when I try to connect to
 the router on port 80 it just hangs there.. saying contacting server..
 but if I go straight to 192.168.1.3 it loads very well.. Any ideas on
 what is causing this? I apologize if this is a repeat subject, I have
 haven't seen anything on this so I decided to email.. Big thanks in advance..

Umm... I haven't used ipmasqadm or port forwarding, but presumably
extIP is your *real* IP, e.g. the one on the internet?  If so, are you
connecting using the internal IP 192.168.1.1 or whatever?  I wouldn't
have thought that would work, if that's what you're doing.

Just a thought.
-- 
Sean Furey, a happy and satisfied Debian user.
[EMAIL PROTECTED]



Re: Port forwarding

2000-01-28 Thread Michael Meskes
On Thu, Jan 27, 2000 at 12:37:13PM -0800, aphro wrote:
 if it's simple port redirection you could try rinetd, it's a snap to set up;
 I don't think it performs well under high load, though it works great.

Yes, but I think port forwarding would do a better job for me. It has been no
problem so far with port 80. Works well. Apache answers etc. But nothing
happens on port 25 and I need mail transfer. I wonder if this has anything
to do with the auth lookup.

Michael
-- 
Michael Meskes | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz| Go Rhein Fire!
Tel.: (+49) 2431/72651 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De   | Use PostgreSQL!


Re: Port forwarding

2000-01-27 Thread Fitsch
Fitsch wrote:
 
 Michael Meskes wrote:
 
  Could anyone send me a working example of port forwarding? I just tried to
  get it going to no avail.
 
  I test setup has a firewall connecting 172.26.14.0/24 and 172.26.2.0/24
  doing nothing but routing. Now i want it to redirect some ports (I tried
  23,25,80) from its own 172.26.2.1 address to 172.26.14.7. I tried
  accomplishing that by adding
 
  ipmasqadm portfw -a -P tcp -L 172.26.2.1 80 -R 172.26.14.7 80
 
  With this setup I get a log entry that someone tried to initiate a session
  on 172.26.14.7 but that session never is fully established since no data
  arrive on the outside. Also there is no error log on any of the machines.
 
  Then I told my firewall to masquerade the internal network. With that I got
  www going. However, with a respective rule added, smtp and telnet did not
  work either. They do get a 'connection denied' icmp package back. But my
  inside test machine does accept both protocols as I can see when directly
  addressing it.
 
   I also tried the ip command to redirect another address (in my case
   172.26.2.2) completely to my internal machine. Using this setup I have the
   same problem. I get the log that [EMAIL PROTECTED] tries to
   establish a connection and nothing more. Strangely enough about every 2nd
   or 3rd try this log shows the correct user instead of unknown.
  
   Finally I tried marking packets to port 80 and adding a special ip rule for
   these packets but the result was the same.
 
  I think I missed something essential but right now I have no idea what that
  could be. And yes CONFIG_IP_MASQUERADE_IPPORTFW is defined in the kernel.
 
  Thanks in advance for any help.
 
  Michael
 
  P.S.: PLease CC me on replies.
  --
  Michael Meskes | Go SF 49ers!
  Th.-Heuss-Str. 61, D-41812 Erkelenz| Go Rhein Fire!
  Tel.: (+49) 2431/72651 | Use Debian GNU/Linux!
  Email: Michael@Fam-Meskes.De   | Use PostgreSQL!
 
 
  I got ipmasqadm portfw working.
  
  Perhaps you're trying something wrong, or I don't understand your setup.
  Commonly, port forwarding is used to redirect traffic from the outside to
  an internal host behind your firewall (e.g. a webserver); this internal
  host may have an address from the private space.
  When you specify the IP addresses, source and destination must be
  addresses on different machines, not of different NICs in one machine.
  If you have a strict policy on your firewall you have to allow this
  traffic; better, create a separate chain for port-forwarded traffic
  from the outside to the inside.
  
  For traffic from the inside to the outside you don't need port
  forwarding, as this is handled by masquerading or normal routing.
  
  If this doesn't match your setup and you want to try anything else,
  append a -j REJECT -l to every chain to see exactly which packets are
  denied in /var/log/messages.
  
  I'm not an expert in firewalling, but this worked for me.
  
  HTH, Fitsch


Re: Port forwarding

2000-01-27 Thread Michael Meskes
On Thu, Jan 27, 2000 at 02:06:01PM +0100, Fitsch wrote:
  Perhaps you're trying something wrong, or I don't understand your setup.
  Commonly, port forwarding is used to redirect traffic from the outside to
  an internal host behind your firewall (e.g. a webserver); this internal
  host may have an address from the private space.

Yes, that's exactly what I want to do. I tried this with masq. on and off
but the problems are the same.

  When you specify the IP addresses, source and destination must be
  addresses on different machines, not of different NICs in one machine.

Right. I used as IP addresses the outside address of my firewall and the
address of my server in my internal net.

  If you have a strict policy on your firewall you have to allow this
  traffic; better, create a separate chain for port-forwarded traffic
  from the outside to the inside.

I even tried with all traffic allowed through.

  For traffic from the inside to the outside you don't need port
  forwarding, as this is handled by masquerading or normal routing.

Yes, but I also get backward traffic after connecting from the outside. For
instance inetd tried to connect to the auth service to check who is trying
to connect. The problem I had with outbound traffic though was with the
packets sent back in the connection established from the outside.

Michael
-- 
Michael Meskes | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz| Go Rhein Fire!
Tel.: (+49) 2431/72651 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De   | Use PostgreSQL!

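Fitsch's suggestion (a trailing -j REJECT -l so every refused packet lands in /var/log/messages) and Michael's suspicion about the auth lookup belong together: once logging is on, the question is which chain refuses what, and a forwarded SMTP or telnet session that stalls while HTTP works is the classic signature of the server's ident (113/tcp) lookup back to the client being blocked on the gateway. What follows is an added example, not code from anyone in the thread: it summarises ipchains "-l" log lines with awk, in the line format the IPCHAINS-HOWTO documents, and flags blocked outbound ident. The log excerpt is constructed with made-up addresses.

```shell
#!/bin/sh
# Added example: summarise what ipchains "-l" rules logged and check for the
# blocked ident (113/tcp) lookup that makes forwarded SMTP/telnet hang.

# Constructed syslog excerpt (made-up hosts), in the logged-packet format from
# the IPCHAINS-HOWTO:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] [(#rule)]
sample_log() {
cat <<'EOF'
Jan 27 14:06:01 fw kernel: Packet log: input ACCEPT ppp0 PROTO=6 203.0.113.9:2314 192.0.2.1:25 L=60 S=0x00 I=21 F=0x4000 T=51 SYN (#4)
Jan 27 14:06:01 fw kernel: Packet log: forward REJECT ppp0 PROTO=6 172.26.14.7:1034 203.0.113.9:113 L=60 S=0x10 I=4711 F=0x4000 T=64 SYN (#7)
Jan 27 14:06:31 fw kernel: Packet log: forward REJECT ppp0 PROTO=6 172.26.14.7:1035 203.0.113.9:113 L=60 S=0x10 I=4712 F=0x4000 T=64 SYN (#7)
Jan 27 14:07:15 fw kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.4:1900 192.0.2.1:1900 L=34 S=0x00 I=18 F=0x0000 T=254 (#9)
EOF
}

# Read log lines on stdin; print "<hits> <chain> <target> <proto> <dport>" for
# every (chain, target, protocol, destination port) that was DENYed or
# REJECTed, most frequent first. ACCEPT entries are skipped.
denied_summary() {
    awk '
    /Packet log:/ {
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        chain = $(i + 1); target = $(i + 2); proto = $(i + 4); dst = $(i + 6)
        if (target == "ACCEPT") next
        sub("PROTO=", "", proto)
        n = split(dst, a, ":"); dport = a[n]      # port is the last colon-separated field
        hits[chain " " target " " proto " " dport]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

# Exit 0 when blocked outbound ident lookups (tcp/113) appear in the log on stdin.
ident_blocked() {
    denied_summary | awk '$4 == "6" && $5 == "113" { found = 1 } END { exit !found }'
}

sample_log | denied_summary
if sample_log | ident_blocked; then
    echo "ident (113/tcp) is being refused on the gateway: REJECT it explicitly or let it out via MASQ"
fi
```

The REJECT versus DENY distinction is the whole point for port 113: a REJECT answers the server's ident SYN with an ICMP unreachable and the daemon gives up at once, while a silent DENY leaves it waiting for the lookup to time out, which is exactly a session that "never is fully established" with nothing in the error logs.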

Re: Port forwarding

2000-01-27 Thread aphro
if it's simple port redirection you could try rinetd, it's a snap to set up;
I don't think it performs well under high load, though it works great.

nate

On Thu, 27 Jan 2000, Michael Meskes wrote:

meskes On Thu, Jan 27, 2000 at 02:06:01PM +0100, Fitsch wrote:
meskes   Perhaps you're trying something wrong, or I don't understand your setup.
meskes   Commonly, port forwarding is used to redirect traffic from the outside to
meskes   an internal host behind your firewall (e.g. a webserver); this internal
meskes   host may have an address from the private space.
meskes 
meskes Yes, that's exactly what I want to do. I tried this with masq. on and off
meskes but the problems are the same.
meskes 
meskes   When you specify the IP addresses, source and destination must be
meskes   addresses on different machines, not of different NICs in one machine.
meskes 
meskes Right. I used as IP addresses the outside address of my firewall and the
meskes address of my server in my internal net.
meskes 
meskes   If you have a strict policy on your firewall you have to allow this
meskes   traffic; better, create a separate chain for port-forwarded traffic
meskes   from the outside to the inside.
meskes 
meskes I even tried with all traffic allowed through.
meskes 
meskes   For traffic from the inside to the outside you don't need port
meskes   forwarding, as this is handled by masquerading or normal routing.
meskes 
meskes Yes, but I also get backward traffic after connecting from the outside. For
meskes instance inetd tried to connect to the auth service to check who is trying
meskes to connect. The problem I had with outbound traffic though was with the
meskes packets sent back in the connection established from the outside.
meskes 
meskes Michael
meskes -- 
meskes Michael Meskes | Go SF 49ers!
meskes Th.-Heuss-Str. 61, D-41812 Erkelenz| Go Rhein Fire!
meskes Tel.: (+49) 2431/72651 | Use Debian GNU/Linux!
meskes Email: Michael@Fam-Meskes.De   | Use PostgreSQL!
meskes 
meskes 

   Vice President Network Operations    http://www.firetrail.com/
  Firetrail Internet Services Limited   http://www.aphroland.org/
   Everett, WA 425-348-7336             http://www.linuxpowered.net/
Powered By:                             http://comedy.aphroland.org/
Debian 2.1 Linux 2.0.36 SMP             http://yahoo.aphroland.org/
12:34pm up 161 days, 41 min, 1 user, load average: 1.07, 1.12, 1.09