Hi,

I need to get rsh working via NAT. Don't ask me why I use an unsafe protocol and the old kernel 2.6.13. I just need to make them work.

I downloaded patch-o-matic, applied the ip_conntrack_rsh patch to kernel 2.6.13, rebuilt the kernel, and rebuilt iptables 1.3.3. After reboot, I call "modprobe ip_conntrack_rsh". I applied the iptables rules from the netfilter webpage:

http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-rsh

I can see that conntrack is working: the rsh stderr connection initiated by the rsh server is added to /proc/net/ip_conntrack_expected. The problem is that the rsh stderr stream is not NAT'ed, and the connection fails.

Here is some trace from the gateway:

eth2 - public interface of gateway
10.0.236.90 - public IP of gateway
10.0.238.89 - IP of rsh server
192.168.40.51 - IP of rsh client

gateway:/ # tethereal -i eth2 host 10.0.236.90 and host 10.0.238.89
Capturing on eth2
  0.000000 10.0.236.90 -> 10.0.238.89 TCP 1023 > shell [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=1927039256 TSER=0 WS=0
  0.003846 10.0.238.89 -> 10.0.236.90 TCP shell > 1023 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=24463859 TSER=1927039256 WS=0
  0.004107 10.0.236.90 -> 10.0.238.89 TCP 1023 > shell [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=1927039261 TSER=24463859
  0.004130 10.0.236.90 -> 10.0.238.89 RSH 1021\000
  0.004180 10.0.238.89 -> 10.0.236.90 TCP shell > 1023 [ACK] Seq=1 Ack=6 Win=5792 Len=0 TSV=24463864 TSER=1927039261
  0.005926 10.0.238.89 -> 10.0.236.90 TCP 1019 > 1021 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=24463866 TSER=0 WS=0
  0.005979 10.0.236.90 -> 10.0.238.89 TCP 1021 > 1019 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
  0.006175 10.0.238.89 -> 10.0.236.90 TCP shell > 1023 [FIN, ACK] Seq=1 Ack=6 Win=5792 Len=0 TSV=24463866 TSER=1927039261
  0.006414 10.0.236.90 -> 10.0.238.89 TCP 1023 > shell [FIN, ACK] Seq=6 Ack=2 Win=5840 Len=0 TSV=1927039263 TSER=24463866
  0.006477 10.0.238.89 -> 10.0.236.90 TCP shell > 1023 [ACK] Seq=2 Ack=7 Win=5792 Len=0 TSV=24463866 TSER=1927039263

cat /proc/net/ip_conntrack
  tcp 6 117 TIME_WAIT src=192.168.40.51 dst=10.0.238.89 sport=1023 dport=514 src=10.0.238.89 dst=10.0.236.90 sport=514 dport=1023 [ASSURED] mark=0 use=1

cat /proc/net/ip_conntrack_expect (caught by filtering out the rsh server's initial connection of the stderr stream)
  1 proto=6 src=10.0.238.89 dst=10.0.236.90 sport=0 dport=1021

My questions are:
- How can I set up an rsh connection via NAT?
- Is it a problem with missing/incorrect iptables rules, or do I need an ip_nat_rsh module?
- Does an ip_nat_rsh module exist?

I'll be grateful for your help.

Regards,
Krzysztof
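An added example, not part of the original post: a small Python parser that follows the rsh stderr callback through a tethereal text capture like the one above and reports whether the server's connect-back to the announced port was reset or accepted. The `diagnose` function and its outcome labels are hypothetical names, and the embedded trace is an abridged copy of the poster's capture with TCP options trimmed.

```python
import re

# Abridged copy of the gateway capture quoted in the post (TCP options trimmed).
TRACE = r"""
0.000000 10.0.236.90 -> 10.0.238.89 TCP 1023 > shell [SYN] Seq=0 Ack=0 Win=5840 Len=0
0.003846 10.0.238.89 -> 10.0.236.90 TCP shell > 1023 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
0.004107 10.0.236.90 -> 10.0.238.89 TCP 1023 > shell [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.004130 10.0.236.90 -> 10.0.238.89 RSH 1021\000
0.005926 10.0.238.89 -> 10.0.236.90 TCP 1019 > 1021 [SYN] Seq=0 Ack=0 Win=5840 Len=0
0.005979 10.0.236.90 -> 10.0.238.89 TCP 1021 > 1019 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
"""

PKT = re.compile(r"^\S+\s+(\S+) -> (\S+)\s+(\S+)\s+(.*)$")   # time, src, dst, proto, info
TCP = re.compile(r"^(\S+) > (\S+) \[([^\]]*)\]")              # sport > dport [flags]
ANNOUNCE = re.compile(r"^(\d+)\\000")  # stderr port as ASCII digits, NUL shown as \000


def diagnose(trace):
    """Return the announced stderr port, the callback source port and its outcome."""
    result = {"stderr_port": None, "callback_from": None, "outcome": "no-announcement"}
    client = server = None
    for line in trace.strip().splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue
        src, dst, proto, info = m.groups()
        if proto == "RSH" and result["stderr_port"] is None:
            a = ANNOUNCE.match(info)
            if a:  # the announcing side is the address the server will call back
                client, server = src, dst
                result.update(stderr_port=a.group(1), outcome="no-callback")
            continue
        t = TCP.match(info) if proto == "TCP" else None
        if not t or result["stderr_port"] is None:
            continue
        sport, dport, flags = t.group(1), t.group(2), t.group(3).split(", ")
        port = result["stderr_port"]
        if (src, dst, dport) == (server, client, port) and flags == ["SYN"]:
            result.update(callback_from=sport, outcome="unanswered")
        elif (src, dst, sport) == (client, server, port) and result["callback_from"]:
            result["outcome"] = "reset" if "RST" in flags else "accepted"
            break
    return result


if __name__ == "__main__":
    print(diagnose(TRACE))
```

On the capture above, the "client" address is the gateway's public IP, since the trace was taken on eth2 after source NAT.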