On Thu, 23 May 2002 00:03:39 -0700 ajax <[EMAIL PROTECTED]> wrote:
> I'm trying to forward port 23 to one of my internal computers. My
> gateway has a cable connection on eth1 (dynamic ip) and internal network
> on eth0 (static ip). I keep getting connection refused. I can ssh
> directly to port 23 (I moved the port) on 192.168.1.4 internally but my
> gateway doesn't want to forward it. I'm using the following script, which
> I modified from the bastille website (its located at
> /etc/Bastille/firewall.d/pre-audit.d/portforward.sh):
>
> IP_FORWARDS="eth1-0.0.0.0-23-tcp-192.168.1.4-23
> eth1-0.0.0.0-23-udp-192.168.1.4-23 eth0-0.0.0.0-23-tcp-192.168.1.4-23
> eth0-0.0.0.0-23-udp-192.168.1.4-23"
> #
> #
>
> IPTABLES=${IPTABLES:-iptables}   # normally set by the Bastille framework; default for standalone use
>
> for fw_rule in ${IP_FORWARDS} ; do
>     # ugly awk hack: split "iface-addr-port-proto-toaddr-toport"
>     fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'`
>     fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'`
>     fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'`
>     fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'`
>     fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'`
>     fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'`
>     if [ -n "${fw_iface}" ]; then
>         # we have an interface specified; use the protocol from the rule
>         # (adding both tcp and udp for every entry duplicated the rules)
>         ${IPTABLES} -t nat -A PREROUTING -i $fw_iface -d $fw_inaddr \
>             -p $fw_inproto --destination-port $fw_inport \
>             -j DNAT --to $fw_outaddr:$fw_outport
>     else
>         # apply forward to all interfaces
>         ${IPTABLES} -t nat -A PREROUTING -d $fw_inaddr \
>             -p $fw_inproto --destination-port $fw_inport \
>             -j DNAT --to $fw_outaddr:$fw_outport
>     fi
> done
A quick glance shows one major difference from what I use in my
honeyport** script... Here's a clue:
iptables -t nat -${ACTION} PREROUTING -s ${ATTACKER} -p tcp --dport \
    ${ATTACKER_PORT} -j DNAT --to-destination ${MY_IP}:${HONEYPORT}
iptables -t nat -${ACTION} POSTROUTING -s ${MY_IP} -d ${ATTACKER} -p tcp \
    --sport ${HONEYPORT} -j SNAT --to-source :${ATTACKER_PORT}
Note the use of POSTROUTING and SNAT for the other direction...
** honeyport redirects an attacker to a sticky tarpit server port
HTH,
Pierre
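As an added example (not part of either message above, and not Bastille's or Pierre's code), here is a complete DNAT port forward for the layout ajax describes: external eth1 with a dynamic address, internal eth0, target 192.168.1.4 on 23/tcp. Those names come from the thread; the rule layout, the DRY_RUN switch, the ESTABLISHED/RELATED state handling and the verification commands are this example's own choices. It shows the three pieces that all have to be present for a forward to work on a Linux gateway: net.ipv4.ip_forward enabled, the nat/PREROUTING DNAT rule, and filter/FORWARD rules that let the rewritten packets through (a FORWARD chain with a DROP policy silently eats DNATed traffic otherwise). It deliberately omits the `-d` match: the external address is dynamic, and a bare `-d 0.0.0.0` with no mask is a single-host /32 match in iptables, not "any address"; `0.0.0.0/0` or no `-d` at all is what "any" looks like.

```shell
#!/bin/sh
# Added example, not from the original thread: the three pieces a DNAT port
# forward needs on a Linux gateway.  Interface names (eth1 external, eth0
# internal), the target 192.168.1.4 and port 23/tcp come from the message;
# the rule layout, DRY_RUN switch and state matching are assumptions of
# this example.

# With DRY_RUN=1 (the default) the iptables/sysctl commands are printed
# rather than executed, so the rule set can be reviewed without root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Piece 1: the kernel must route between interfaces at all.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Pieces 2 and 3: rewrite the destination, then allow the rewritten packet
# through the FORWARD chain.  Arguments: IFACE PROTO PORT TO_ADDR TO_PORT
portforward() {
    iface="$1"; proto="$2"; port="$3"; to_addr="$4"; to_port="$5"

    # nat/PREROUTING: packets arriving on $iface for $port are rewritten to
    # the internal host.  No -d match: the gateway's external address is
    # dynamic, and omitting -d means "any destination" (a bare "-d 0.0.0.0"
    # is read by iptables as the single host 0.0.0.0/32).
    run iptables -t nat -A PREROUTING -i "$iface" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$to_addr:$to_port"

    # filter/FORWARD: the DNATed packets are still filtered here.  With a
    # DROP policy on FORWARD this rule is what lets the connection in.
    run iptables -A FORWARD -i "$iface" -p "$proto" -d "$to_addr" --dport "$to_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Replies from the internal host back out $iface.  Connection tracking
    # maps them back to the original destination address and port.
    run iptables -A FORWARD -o "$iface" -p "$proto" -s "$to_addr" --sport "$to_port" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Check: the pkts/bytes counters show whether traffic reaches the DNAT rule
# at all (PREROUTING) and whether it is then accepted or dropped (FORWARD).
show_rules() {
    run iptables -t nat -L PREROUTING -n -v --line-numbers
    run iptables -L FORWARD -n -v --line-numbers
}

enable_forwarding
portforward eth1 tcp 23 192.168.1.4 23
show_rules
```

Run it once as-is to review the generated commands, then `DRY_RUN=0 sh portforward.sh` as root to apply them. If the PREROUTING counter stays at zero while you connect from outside, the packets are not arriving on eth1 (or not matching the rule); if PREROUTING counts but FORWARD does not, the filter chain is where they die.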