Re: Altering a packet's port

["R. DuFresne" <dufresne@xxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


if sshd is there listening on port 8022, do you have rules setup for the 
packets that are returned as well?

Thanks,

Ron DuFresne

On Tue, 22 Mar 2005, R. DuFresne wrote:

> --[PinePGP]--------------------------------------------------[begin]--
>
>
> do you have sshd listening on port 8022 on e.f.g.h?
>
> Thanks,
>
> Ron DuFresne
>
> On Tue, 22 Mar 2005, Nicolas Ross wrote:
>
> > What I'm trying to do isn't working...
> >
> > In my nat table I have :
> >
> > -A PREROUTING -s 192.168.7.0/24 -d e.f.g.h -p tcp \
> > --dport 22 -j DNAT --to-destination e.f.g.h:8022
> >
> > So that when a host on the local subnet open a ssh connection to e.f.g.h, 
> > the
> > destination port is changed to 8022.
> >
> > The connection starts, on e.f.g.h, I see a tcp connection (with netstat), 
> > at
> > SYN_SENT state.
> >
> > On the router, in /proc/net/ip_conntrack, I see :
> >
> > tcp      6 97 SYN_SENT src=192.168.7.191 dst=e.f.g.h sport=2983 dport=8022
> > [UNREPLIED] src=e.f.g.h dst=192.168.7.191 sport=8022 dport=2983 use=1
> >
> > and the ssh connection never establish.
> >
> > On my desktop, if I establish a ssh connection on port 8022, it works ok.
> >
> > What am I missing ?
> >
> > Nicolas
> >
> > ----- Original Message ----- From: "Jason Opperisano" <opie@xxxxxxxxxxx>
> > To: <netfilter@xxxxxxxxxxxxxxxxxxx>
> > Sent: Tuesday, March 22, 2005 6:29 AM
> > Subject: Re: Altering a packet's port
> >
> >
> > > On Mon, 2005-03-21 at 20:27, Nicolas Ross wrote:
> > > > I saw that in the man page, but I need to do this for ALL hosts to
> > > > specific
> > > > subnets, and many hosts. So I'll have to define one rule for EACH host 
> > > > I
> > > > need a redirect (something like 50 to 75) ?
> > >
> > > for loop?
> > >
> > > -j
> > >
> > > --
> > > "How much is your penny candy?
> > > Surprisingly expensive."
> > > --The Simpsons
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>        admin & senior security consultant:  sysinfo.com
>                        http://sysinfo.com
>
> ...Love is the ultimate outlaw.  It just won't adhere to rules.
> The most any of us can do is sign on as it's accomplice.  Instead
> of vowing to honor and obey, maybe we should swear to aid and abet.
> That would mean that security is out of the question.  The words
> "make" and "stay" become inappropriate.  My love for you has no
> strings attached.  I love you for free...
>                        -Tom Robins <Still Life With Woodpecker>
> --[PinePGP]-----------------------------------------------------------
> gpg: Signature made Tue 22 Mar 2005 09:59:51 AM EST using DSA key ID 94B06629
> gpg: Good signature from "dufresne <dufresne@xxxxxxxxxxx>"
> --[PinePGP]----------------------------------------------------[end]--

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCQDXest+vzJSwZikRArVVAKCQrgz7hwUFtTQ9jnlO7x+8G1O/PwCdH4gh
V3FnrKRIg4D7l2kA2bTlRS8=
=sV6Q
-----END PGP SIGNATURE-----