This is a discussion on RE: Easy port forwarding question within the IPFilter forums, part of the System Security and Security Related category.
(1)
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection to 127.0.0.1 closed by foreign host

(2)
root@sustd2795-(39): ipnat -slv ; ipfstat -v
mapped in 0 out 0
added 0 expired 0
no memory 0 bad nat 0
inuse 0
rules 2
wilds 0
table ffffffff7ffffc10 list 6000265e180
List of active MAP/Redirect filters:
rdr bge0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
rdr bge0 0.0.0.0/0 port 443 -> 127.0.0.1 port 8443 tcp

List of active sessions:

List of active host mappings:
opts 0x8000040 name /dev/ipf
bad packets: in 0 out 0
input packets: blocked 0 passed 0 nomatch 0 counted 0 short 0
output packets: blocked 0 passed 0 nomatch 0 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 0 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 17940
Packet log flags set: (0)
none

(3)
root@sustd2795-(38): snoop -Vr -d bge0 port 80 or port 8080
Using device /dev/bge0 (promiscuous mode)
________________________________
158.147.71.95 -> 158.147.51.44 ETHER Type=0800 (IP), size = 62 bytes
158.147.71.95 -> 158.147.51.44 IP D=158.147.51.44 S=158.147.71.95 LEN=48, ID=47103, TOS=0x0, TTL=126
158.147.71.95 -> 158.147.51.44 TCP D=80 S=2033 Syn Seq=2372153113 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
158.147.71.95 -> 158.147.51.44 HTTP C port=2033
________________________________
158.147.51.44 -> 158.147.71.95 ETHER Type=0800 (IP), size = 54 bytes
158.147.51.44 -> 158.147.71.95 IP D=158.147.71.95 S=158.147.51.44 LEN=40, ID=55183, TOS=0x0, TTL=64
158.147.51.44 -> 158.147.71.95 TCP D=2033 S=80 Rst Ack=2372153114 Win=0
158.147.51.44 -> 158.147.71.95 HTTP R port=2033
________________________________
158.147.71.95 -> 158.147.51.44 ETHER Type=0800 (IP), size = 62 bytes
158.147.71.95 -> 158.147.51.44 IP D=158.147.51.44 S=158.147.71.95 LEN=48, ID=47107, TOS=0x0, TTL=126
158.147.71.95 -> 158.147.51.44 TCP D=80 S=2033 Syn Seq=2372153113 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
158.147.71.95 -> 158.147.51.44 HTTP C port=2033
________________________________
158.147.51.44 -> 158.147.71.95 ETHER Type=0800 (IP), size = 54 bytes
158.147.51.44 -> 158.147.71.95 IP D=158.147.71.95 S=158.147.51.44 LEN=40, ID=55184, TOS=0x0, TTL=64
158.147.51.44 -> 158.147.71.95 TCP D=2033 S=80 Rst Ack=2372153114 Win=0
158.147.51.44 -> 158.147.71.95 HTTP R port=2033
________________________________
158.147.71.95 -> 158.147.51.44 ETHER Type=0800 (IP), size = 62 bytes
158.147.71.95 -> 158.147.51.44 IP D=158.147.51.44 S=158.147.71.95 LEN=48, ID=47108, TOS=0x0, TTL=126
158.147.71.95 -> 158.147.51.44 TCP D=80 S=2033 Syn Seq=2372153113 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
158.147.71.95 -> 158.147.51.44 HTTP C port=2033
________________________________
158.147.51.44 -> 158.147.71.95 ETHER Type=0800 (IP), size = 54 bytes
158.147.51.44 -> 158.147.71.95 IP D=158.147.71.95 S=158.147.51.44 LEN=40, ID=55185, TOS=0x0, TTL=64
158.147.51.44 -> 158.147.71.95 TCP D=2033 S=80 Rst Ack=2372153114 Win=0
158.147.51.44 -> 158.147.71.95 HTTP R port=2033

Brad Mann
Software Engineer - Information Access Services
HARRIS Corporation / GCSD
(321) 984-6292

-----Original Message-----
From: owner-ipfilter@coombs.anu.edu.au [mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of Jim Sandoz
Sent: Friday, July 14, 2006 1:39 PM
To: ipfilter@coombs.anu.edu.au
Subject: Re: Easy port forwarding question

brad,

ok, someplace to start -- at the beginning.

(1)
on the ipf machine, what happens when you
$ telnet 127.0.0.1 8080
?

(2)
as root, what is the output of
# ipnat -slv ; ipfstat -v
?

(3)
as root, type this in your xterm/console/ssh/whatever session:
# snoop -Vr -d bge0 port 80 or port 8080
now initiate a browser connection from the remote machine;
record the snoop output for us.

now repeat step (2).

jim

Mann, Bradley wrote:

> Thanks for the help,
>
> My ipf.conf file is blank. (Comments only)
>
> ipnat.conf has a single line:
> rdr bge0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080
>
> ifconfig -a outputs the following:
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff000000
> bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>         inet 158.147.51.44 netmask ffffff00 broadcast 158.147.51.255
>         ether 0:3:ba:f2:e1:a4
>
> Brad Mann
> Software Engineer - Information Access Services
> HARRIS Corporation / GCSD
> (321) 984-6292
>
> -----Original Message-----
> From: owner-ipfilter@coombs.anu.edu.au
> [mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of Jim Sandoz
> Sent: Friday, July 14, 2006 10:47 AM
> To: ipfilter@coombs.anu.edu.au
> Subject: Re: Easy port forwarding question
>
> brad,
>
> a)
> you should be using bge0.
>
> b)
> did you drill a hole for the rewritten packets in your ipf.conf?
> http://www.phildev.net/ipf/IPFques.html#ques11
>
> c)
> post your ipf.conf, your ipnat.conf, and the output of "ifconfig -a";
> then we can solve your problem in 60 seconds.
> http://www.phildev.net/ipf/IPFmail.html#mail3
>
> regards,
> jim
>
> Mann, Bradley wrote:
>
>>Thanks for the help. I tried those settings but they didn't seem to
>>work. Perhaps I am not understanding the <IF> part of the command.
>>netstat -i shows 2 entries:
>>
>>lo0 8232 loopback localhost ...
>>bge0 1500 machinename machinename ...
>>
>>I tried using both of these as the value for <IF> but the machine still
>>didn't seem to forward the ports. I reloaded the file with the following
>>commands:
>>
>>ipnat -C
>>ipnat -f ipnat.conf
>>
>>Am I missing something?
>>
>>Brad Mann
>>Software Engineer - Information Access Services
>>HARRIS Corporation / GCSD
>>(321) 984-6292
>>
>>-----Original Message-----
>>From: Flemming Laugaard [mailto:flemming.laugaard@uni-c.dk]
>>Sent: Thursday, July 13, 2006 7:46 AM
>>To: Mann, Bradley
>>Cc: ipfilter@coombs.anu.edu.au
>>Subject: Re: Easy port forwarding question
>>
>>>>Hello,
>>>>
>>>>I am extremely new to ipfilter/ipnat, and all I am attempting to
>>>>accomplish is to have port 80 on a machine forward to its own port 8080.
>>>>This command will need to be as generic as possible so that it can be
>>>>deployed to other locations that have the same configuration but
>>>>different IP address.
>>>>
>>>
>>>ipnat:
>>>rdr <IF> <SRVIP>/32 port 80 -> 127.0.0.1 port 8080
>>>
>>>I can't do it more generic than this. You need to set both IP addresses.
>>>But that could be solved by scripting :-)
>>
>>You could also try
>>
>>rdr <IF> 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080
>>
>>For redirecting anything going anywhere on <IF> port 80. I haven't tried
>>it myself.
>>
>>Regards
>>Flemming Laugaard
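
Flemming Laugaard's quoted remark that filling in <IF> and <SRVIP> per host "could be solved by scripting", as an added example that is not part of the original thread or of IPFilter: it reads ifconfig -a text and emits one rdr rule in his form for each interface that is up, not loopback, and has an address. The names gen_rdr_rules and sample_ifconfig are hypothetical, and the bge1 entry in the sample is constructed; the lo0 and bge0 entries are the ones posted above.

```shell
#!/bin/sh
# Added example: build per-host ipnat rdr rules from `ifconfig -a` text.
# gen_rdr_rules and sample_ifconfig are hypothetical names for this sketch.

# Usage: ifconfig -a | gen_rdr_rules <public_port> <local_port>
gen_rdr_rules() {
    awk -v pub="$1" -v loc="$2" '
        # Interface header, e.g. "bge0: flags=1000843<UP,...> mtu 1500 index 2"
        $1 ~ /:$/ && $2 ~ /^flags=/ {
            ifname = $1
            sub(/:$/, "", ifname)
            up   = ($2 ~ /[<,]UP[,>]/)
            loop = ($2 ~ /[<,]LOOPBACK[,>]/)
            next
        }
        # IPv4 address line belonging to the most recent header
        $1 == "inet" && up && !loop {
            if ($2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if ($2 == "0.0.0.0") next   # plumbed but unaddressed
            printf "rdr %s %s/32 port %s -> 127.0.0.1 port %s\n", ifname, $2, pub, loc
        }
    '
}

# Sample input: lo0 and bge0 as posted in the thread; bge1 is constructed
# to show an interface that is present but not up.
sample_ifconfig() {
cat <<'EOF'
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 158.147.51.44 netmask ffffff00 broadcast 158.147.51.255
        ether 0:3:ba:f2:e1:a4
bge1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask 0
EOF
}

# Stand-alone run against the sample; on a real host pipe `ifconfig -a` in
# and write the result to ipnat.conf.
sample_ifconfig | gen_rdr_rules 80 8080
```

The generated file is loaded with the same ipnat -C and ipnat -f ipnat.conf commands quoted in the thread.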