Re: [Shorewall-users] DNAT Port Changing

2018-01-04 Thread Colony.three via Shorewall-users
> On 01/03/2018 12:55 PM, Colony.three via Shorewall-users wrote:
>
>> I have a router which is a KVM VM running CentOS7.  Then I have a
>> LibreSwan gateway, which is another VM in the LAN, also running CentOS7.
>> There are 100,0 bots out there trying to get in to any and all
>> ports, ready and armed with the right known vulns and 0-days for the
>> normal ports, so I'd like to change ipsec 500 to something else.
>> (changing 4500 is inadvisable for kernel reasons)
>> Libreswan can't change listening ports so am I on the right track in the
>> router doing it like this?
>> DNAT  net   loc:192.168.1.15:500    udp    63500
>> (the ipsec gateway is 192.168.1.15, and the outside interface of the
>> router is eth0)
>> Reason I ask is in the docs, that 63500 column is labeled  DPORT,
>> whereas it's the source port from the router's PoV.  ... although it's
>> the destination port from the initiator's PoV.
>
> There is an SPORT column between DPORT and ORIGDEST. If it is actually
> the source port, then you need '-' in the DEST column and 63500 in the
> SPORT column.
>
> -Tom

Oh, Ok thanks.
DNAT  net   loc:192.168.1.15:500    udp    -    63500    -    -
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
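The two rule forms that appear in this thread, as an added illustration that is not Shorewall's code nor either poster's: a small translator from the Shorewall rules columns (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST) to the plain iptables commands they stand for. It makes visible that DPORT is the destination port of the packet as it arrives on the router (the initiator's destination port), SPORT is the initiator's source port, and the port in the DEST column is what the packet is rewritten to. The net-to-eth0 zone mapping is an assumption taken from the original post; Shorewall normally gets it from the interfaces file, and it emits chains of its own rather than the flat rules shown here.

```python
# Added example for this thread (not Shorewall's own code): expand a line from a
# Shorewall 'rules' file into the plain iptables commands it stands for, so that
# the roles of the DEST port, DPORT and SPORT columns are visible.  Only the
# columns ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST are handled.

ZONE_IFACE = {"net": "eth0"}  # assumed from the post (outside interface is eth0)

COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")


def parse_rule(line):
    """Split a rules line into named columns; '-' and missing columns become None."""
    rule = {col: None for col in COLUMNS}
    for col, value in zip(COLUMNS, line.split()):
        if value != "-":
            rule[col] = value
    return rule


def dnat_to_iptables(line):
    """Return [nat_rule, forward_rule] as iptables command strings for a DNAT line."""
    rule = parse_rule(line)
    if rule["action"] != "DNAT":
        raise ValueError("only DNAT rules are handled in this example")
    in_if = ZONE_IFACE[rule["source"]]

    # DEST is zone:address[:port].  The port here is the port the packet is
    # rewritten TO, i.e. the port the internal host actually listens on.
    _zone, addr, *new_port = rule["dest"].split(":")
    new_port = new_port[0] if new_port else None
    to_dest = f"{addr}:{new_port}" if new_port else addr

    match = ["-p", rule["proto"]]
    if rule["dport"]:
        # DPORT is the destination port of the packet as it ARRIVES on the
        # router, which is the port the initiator sent to.
        match += ["--dport", rule["dport"]]
    if rule["sport"]:
        # SPORT is the initiator's SOURCE port; it says nothing about the router.
        match += ["--sport", rule["sport"]]
    if rule["origdest"]:
        match += ["-d", rule["origdest"]]

    nat = ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", in_if, *match,
           "-j", "DNAT", "--to-destination", to_dest]

    # After translation the packet carries the new destination port, so the
    # filter rule must accept that port, not the pre-NAT one.
    fwd_port = new_port or rule["dport"]
    fwd = ["iptables", "-A", "FORWARD", "-i", in_if, "-d", addr, "-p", rule["proto"]]
    if fwd_port:
        fwd += ["--dport", fwd_port]
    if rule["sport"]:
        fwd += ["--sport", rule["sport"]]
    fwd += ["-j", "ACCEPT"]
    return [" ".join(nat), " ".join(fwd)]


if __name__ == "__main__":
    # The two forms from the thread.
    for line in ("DNAT net loc:192.168.1.15:500 udp 63500",
                 "DNAT net loc:192.168.1.15:500 udp - 63500 - -"):
        print(line)
        for cmd in dnat_to_iptables(line):
            print("   ", cmd)
```

Run as a script it prints both translations. The first form matches UDP arriving on eth0 with destination port 63500 and rewrites it to 192.168.1.15:500, which is the translation described in the original post. The second form, with 63500 in SPORT, matches only packets whose source port is 63500; an IKE initiator normally sends from UDP source port 500, so that rule would not see the traffic at all. Separately, moving IKE off its default port only avoids scanners that probe port 500: the responder is still reachable by anyone who finds the new port, so it is no substitute for restricting peers in the libreswan configuration and keeping it patched.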


Re: [Shorewall-users] DNAT Port Changing

2018-01-03 Thread Tom Eastep
On 01/03/2018 12:55 PM, Colony.three via Shorewall-users wrote:
> I have a router which is a KVM VM running CentOS7.  Then I have a
> LibreSwan gateway, which is another VM in the LAN, also running CentOS7.
> 
> There are 100,0 bots out there trying to get in to any and all
> ports, ready and armed with the right known vulns and 0-days for the
> normal ports, so I'd like to change ipsec 500 to something else.
> (changing 4500 is inadvisable for kernel reasons)
> 
> Libreswan can't change listening ports so am I on the right track in the
> router doing it like this?
> DNAT  net   loc:192.168.1.15:500    udp    63500    
> (the ipsec gateway is 192.168.1.15, and the outside interface of the
> router is eth0)
> 
> Reason I ask is in the docs, that 63500 column is labeled  DPORT,
> whereas it's the source port from the router's PoV.  ... although it's
> the destination port from the initiator's PoV.


There is an SPORT column between DPORT and ORIGDEST. If it is actually
the source port, then you need '-' in the DEST column and 63500 in the
SPORT column.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





[Shorewall-users] DNAT Port Changing

2018-01-03 Thread Colony.three via Shorewall-users
I have a router which is a KVM VM running CentOS7.  Then I have a LibreSwan 
gateway, which is another VM in the LAN, also running CentOS7.

There are 100,0 bots out there trying to get in to any and all ports, ready 
and armed with the right known vulns and 0-days for the normal ports, so I'd 
like to change ipsec 500 to something else. (changing 4500 is inadvisable for 
kernel reasons)

Libreswan can't change listening ports so am I on the right track in the router 
doing it like this?
DNAT  net   loc:192.168.1.15:500    udp    63500
(the ipsec gateway is 192.168.1.15, and the outside interface of the router is 
eth0)

Reason I ask is in the docs, that 63500 column is labeled  DPORT, whereas it's 
the source port from the router's PoV.  ... although it's the destination port 
from the initiator's PoV.