What is the best way to temporarily set up a port relay? I'm trying to diagnose a problem with Cisco's latest VPN client and need to determine if the problem is port-number related.
e.g. VPN client---------23-(Linux box to relay port)-------xx-(Telnet server)
(Keep in mind this is temporary and for debugging purposes)
Thanks,
Frank M. Ramaekers Jr. Systems Programmer MCP, MCP+I, MCSE & RHCE American Income Life Insurance Co. Phone: (254)761-6649 1200 Wooded Acres Dr. Fax: (254)741-5777 Waco, Texas 76710
_____________________________________________________ This message contains information which is privileged and confidential and is solely for the use of the intended recipient. If you are not the intended recipient, be aware that any review, disclosure, copying, distribution, or use of the contents of this message is strictly prohibited. If you have received this in error, please destroy it immediately and notify us at PrivacyAct@ailife.com.
Hmm, if I understood you correctly, then this should work just fine (on a Linux firewall):

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 23 -j DNAT \
    --to telnetserverip:port-number
/sbin/iptables -I FORWARD -i external_interface -o internal_interface \
    -p tcp -d telnetserverip --dport portnumberontelnetserver -j ACCEPT

After a reboot or firewall service restart it's gone again.
-vahur
On Thu, 2008-04-24 at 17:27 +0300, Vahur Jõesalu wrote:
Sorry to jump in on someone else's thread, but... how do you do this if the interface you want to use is a virtual one, e.g. eth0:1? The -i parameter will not let you use that.
Thanks, James
Well, you can't, to the best of my knowledge. And I cannot see the reason for wanting it. The idea of using -i and -o in the FORWARD chain is to specify the direction traffic is allowed to go. It could be that the firewall is blocking all outgoing traffic. Omitting -i and -o would allow the internal server to initiate traffic to port 23 anywhere on the internet.
A virtual interface is for assigning additional IPs to the same interface, so any rules regarding the interface still apply to the whole physical network card.
-vahur
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
As was implied before, both interfaces are connected internally (intranet), and before I try the relay with VPN I'm testing it on another internal computer (just to eliminate any potential VPN problems).
Frank M. Ramaekers
Yes, I was thinking along those lines, but I thought I'd ask. THANKS!
Frank M. Ramaekers
There seems to be a problem with it.
Normal (TN3270 traffic originating from the relay host):
10:44:29.667165 IP doylebrunson.ailife.com.46318 > 10.1.9.2.verismart: S 707994026:707994026(0) win 5840 <mss 1460,sackOK,timestamp 1913051656 0,nop,wscale 7>
10:44:29.685075 IP 10.1.9.2.verismart > doylebrunson.ailife.com.46318: S 1665830401:1665830401(0) ack 707994027 win 33396 <mss 1452,nop,wscale 0,nop,nop,timestamp 6736695 1913051656>
10:44:29.685137 IP doylebrunson.ailife.com.46318 > 10.1.9.2.verismart: . ack 1 win 46 <nop,nop,timestamp 1913051674 6736695>
10:44:29.707089 IP 10.1.9.2.verismart > doylebrunson.ailife.com.46318: P 1:4(3) ack 1 win 33396 <nop,nop,timestamp 6736695 1913051656>
10:44:29.707147 IP doylebrunson.ailife.com.46318 > 10.1.9.2.verismart: . ack 4 win 46 <nop,nop,timestamp 1913051696 6736695>
Relayed:
10:44:04.362686 IP it-304.ailife.com.bts-appserver > 10.1.9.2.verismart: S 3483673038:3483673038(0) win 65535 <mss 1460,nop,nop,sackOK>
10:44:07.294923 IP it-304.ailife.com.bts-appserver > 10.1.9.2.verismart: S 3483673038:3483673038(0) win 65535 <mss 1460,nop,nop,sackOK>

...and the client times out (the TN3270 server is running on port 3270/verismart).
Any ideas?
Frank M. Ramaekers
To clarify, the rules you entered were (I am replacing it-304.ailife.com here with 10.1.1.1, external_interface with eth0 and internal_interface with eth1, for clarity's sake):

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 23 -j DNAT \
    --to 10.1.9.2:3270
/sbin/iptables -I FORWARD -i eth0 -o eth1 \
    -p tcp -d 10.1.9.2 --dport 3270 -j ACCEPT

This is a normal port forward on a Linux box: you are forwarding the Linux box's external port 23 to the internal server's port 3270. Is this what you want? You would need to connect to the Linux box's external IP on port 23 from the 10.1.1.1 machine. You could change the forward rule to allow inbound traffic just from 10.1.1.1 (that's the host on the very left in your original chart):

/sbin/iptables -I FORWARD -s 10.1.1.1 -i eth0 -o eth1 \
    -p tcp -d 10.1.9.2 --dport 3270 -j ACCEPT

The simplest way to test if port forwarding works is to telnet to port 23 on 10.1.9.2:

telnet 10.1.9.2 23    # actually 23 is redundant, since it's the default port of telnet anyway

You should see something like this, indicating a successful connection (assuming 10.1.1.1 is the Linux box):

Trying 10.1.9.2...
Connected to 10.1.9.2.
Escape character is '^]'.

If you get that, then port forwarding works.
If port forwarding is not what you need, then please explain in a little more detail.
-vahur
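A way to make the check on the captures mechanical, added here as an example and not anything posted in the thread: the "Relayed" capture above contains the same SYN twice, three seconds apart, and no SYN-ACK, which is what a client looks like when its handshake is never answered through the relay. The awk filter below reads tcpdump lines in the format Frank pasted (old tcpdump flag style, where "S" followed by "ack" is the SYN-ACK) and lists every flow whose SYN got no SYN-ACK, with the number of SYNs it sent. The sample lines are the two captures from the thread, retyped as inline input; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: find TCP flows in a tcpdump capture whose
# SYN was never answered with a SYN-ACK (the pattern in the "Relayed" capture:
# the same SYN repeated, no reply). Expects the old tcpdump line format used in
# the thread, e.g.
#   10:44:29.667165 IP client.46318 > server.verismart: S 707994026:707994026(0) win 5840 ...
#   10:44:29.685075 IP server.verismart > client.46318: S 1665830401:1665830401(0) ack 707994027 ...
# where a flag field of "S" followed by "ack" is the SYN-ACK.

unanswered_syns() {
    # stdin: tcpdump lines; stdout: "src > dst syns=N" for each flow with no SYN-ACK
    awk '
    # $1 time, $2 "IP", $3 src.port, $4 ">", $5 "dst.port:", $6 flags, $7 seq, $8 "ack" or "win"
    $2 == "IP" && $6 == "S" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        if ($8 == "ack")
            answered[dst " > " src] = 1     # SYN-ACK: the dst of this line is the original client
        else
            syn[src " > " dst]++            # plain SYN from the client (retransmits count again)
    }
    END {
        for (f in syn)
            if (!(f in answered)) printf "%s syns=%d\n", f, syn[f]
    }'
}

# Sample input: the "Normal" capture from the thread, retyped.
sample_normal() {
cat <<'EOF'
10:44:29.667165 IP doylebrunson.ailife.com.46318 > 10.1.9.2.verismart: S 707994026:707994026(0) win 5840 <mss 1460,sackOK,timestamp 1913051656 0,nop,wscale 7>
10:44:29.685075 IP 10.1.9.2.verismart > doylebrunson.ailife.com.46318: S 1665830401:1665830401(0) ack 707994027 win 33396 <mss 1452,nop,wscale 0,nop,nop,timestamp 6736695 1913051656>
10:44:29.685137 IP doylebrunson.ailife.com.46318 > 10.1.9.2.verismart: . ack 1 win 46 <nop,nop,timestamp 1913051674 6736695>
10:44:29.707089 IP 10.1.9.2.verismart > doylebrunson.ailife.com.46318: P 1:4(3) ack 1 win 33396 <nop,nop,timestamp 6736695 1913051656>
10:44:29.707147 IP doylebrunson.ailife.com.46318 > 10.1.9.2.verismart: . ack 4 win 46 <nop,nop,timestamp 1913051696 6736695>
EOF
}

# Sample input: the "Relayed" capture from the thread, retyped.
sample_relayed() {
cat <<'EOF'
10:44:04.362686 IP it-304.ailife.com.bts-appserver > 10.1.9.2.verismart: S 3483673038:3483673038(0) win 65535 <mss 1460,nop,nop,sackOK>
10:44:07.294923 IP it-304.ailife.com.bts-appserver > 10.1.9.2.verismart: S 3483673038:3483673038(0) win 65535 <mss 1460,nop,nop,sackOK>
EOF
}

# Stand-alone run: the normal capture reports nothing, the relayed one reports
# one flow with two unanswered SYNs.
echo "normal capture:";  sample_normal  | unanswered_syns
echo "relayed capture:"; sample_relayed | unanswered_syns
```

In practice you would feed it a live capture taken on the relay, e.g. the output of tcpdump -n -i bond0 'tcp port 23 or tcp port 3270', and read the result together with the iptables counters: a SYN that leaves the relay rewritten to the server address but never draws a SYN-ACK back through the relay points at the return path, not at the DNAT rule.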
Oh, sorry... I should have explained. In this initial testing (before getting VPN involved) there is no internal/external, only two adapters that are "bonded":

bond0     Link encap:Ethernet  HWaddr 00:0D:60:19:7A:9A
          inet addr:10.2.0.99  Bcast:10.2.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20d:60ff:fe19:7a9a/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:880123407 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1270747604 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3821604891 (3.5 GiB)  TX bytes:2078971129 (1.9 GiB)

eth0      Link encap:Ethernet  HWaddr 00:0D:60:19:7A:9A
          inet6 addr: fe80::20d:60ff:fe19:7a9a/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:761346542 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1015302673 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4088400437 (3.8 GiB)  TX bytes:2764744216 (2.5 GiB)
          Base address:0x2500 Memory:f8fe0000-f9000000

eth1      Link encap:Ethernet  HWaddr 00:0D:60:19:7A:9B
          inet6 addr: fe80::20d:60ff:fe19:7a9b/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:118776865 errors:0 dropped:0 overruns:0 frame:0
          TX packets:255444931 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4028171750 (3.7 GiB)  TX bytes:3609194209 (3.3 GiB)
          Base address:0x2540 Memory:f8fc0000-f8fe0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4910413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4910413 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:908267443 (866.1 MiB)  TX bytes:908267443 (866.1 MiB)
Frank M. Ramaekers
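The three pieces of the thread put together, as an added example that is not code from any of the posters: Vahur's DNAT and FORWARD rules, James's alias question (netfilter only knows the physical interface, so an address on eth0:1 is matched with -d, not with -i eth0:1), and the single-bond0 relay from the last message. On a box like that, -i eth0 -o eth1 matches nothing, so the rules below match by address only. More importantly, a relay with one interface is not the router between client and server, so with DNAT alone the server's SYN-ACK goes straight back to the client, which never opened a connection to 10.1.9.2:3270 and discards it; the relay then only ever sees the client's retransmitted SYNs, which is consistent with the "Relayed" capture. The script therefore adds a POSTROUTING SNAT so replies come back through the relay (the server then sees the relay's address rather than the client's, which matters for any server-side logging or access control keyed on the client IP), restricts the hole to one client address, since an open telnet/TN3270 relay is an unauthenticated path into the server, and removes everything again from the same rule list. The addresses (10.2.0.99 for the relay, 10.1.9.2:3270 for the TN3270 server, 10.1.1.1 for the client, following Vahur's substitution) and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Temporary iptables TCP port relay:
#   client -> RELAY_IP:RELAY_PORT  ==>  SERVER_IP:SERVER_PORT
# Run as root: "sh relay.sh up", "sh relay.sh down", "sh relay.sh show".
# Every address below is an assumption for illustration; override via environment.

RELAY_IP=${RELAY_IP:-10.2.0.99}      # address clients connect to; for an alias such as
                                     # eth0:1 put the alias address here, because
                                     # netfilter cannot match "-i eth0:1"
RELAY_PORT=${RELAY_PORT:-23}
SERVER_IP=${SERVER_IP:-10.1.9.2}
SERVER_PORT=${SERVER_PORT:-3270}
CLIENT=${CLIENT:-10.1.1.1/32}        # only this client may use the relay

# Print the rule set with $1 as the action (-I to insert, -D to delete), so the
# same text both installs and removes the relay. Matching is by address, never by
# interface name, so it works on a single bond0 as well as on eth0/eth1.
relay_rules() {
    act=$1
    cat <<EOF
iptables -t nat $act PREROUTING -s $CLIENT -d $RELAY_IP -p tcp --dport $RELAY_PORT -j DNAT --to-destination $SERVER_IP:$SERVER_PORT
iptables -t nat $act POSTROUTING -s $CLIENT -d $SERVER_IP -p tcp --dport $SERVER_PORT -j SNAT --to-source $RELAY_IP
iptables $act FORWARD -s $CLIENT -d $SERVER_IP -p tcp --dport $SERVER_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables $act FORWARD -s $SERVER_IP -p tcp --sport $SERVER_PORT -m state --state ESTABLISHED -j ACCEPT
EOF
}
# Rule 1: DNAT the relay port to the server (the SYN now leaves for 10.1.9.2:3270).
# Rule 2: SNAT the same flow to the relay address so the server answers the relay,
#         not the client; without it the SYN-ACK bypasses the relay and the client
#         drops it (the retransmitted-SYN pattern in the "Relayed" capture).
# Rules 3-4: let the forwarded flow and its replies through FORWARD.

relay_apply() {
    # DRY_RUN=1 prints the commands instead of running them
    if [ "${DRY_RUN:-0}" = 1 ]; then cat; else sh -e; fi
}

relay_up() {
    [ "${DRY_RUN:-0}" = 1 ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
    relay_rules -I | relay_apply
}

relay_down() {
    relay_rules -D | relay_apply
}

# Packet counters show whether the DNAT rule is hit at all and whether replies
# come back through the box (the last FORWARD rule stays at 0 if they do not).
relay_show() {
    iptables -t nat -L PREROUTING -n -v
    iptables -t nat -L POSTROUTING -n -v
    iptables -L FORWARD -n -v
}

case "${1:-}" in
    up)   relay_up ;;
    down) relay_down ;;
    show) relay_show ;;
esac
```

Bring it up with "sh relay.sh up", connect from the client to 10.2.0.99 port 23, watch "sh relay.sh show", and take it down with "sh relay.sh down" as soon as the test is over; as Vahur noted, a reboot or firewall restart also drops it. If the box does not otherwise forward traffic, a user-space relay avoids NAT altogether: socat TCP-LISTEN:23,fork,reuseaddr TCP:10.1.9.2:3270 gives the same client-visible behaviour, with the same caveat that the server sees the relay's address.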