[H-GEN] mapping ports using iptables
Sarah Hollings
sarah at humanfactors.uq.edu.au
Sun Jun 30 19:05:22 EDT 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
Sandra Milne wrote:
>
>
> I have a couple of questions about mapping ports using iptables.
>
> Firstly, is it dangerous? Can mapping a port compromise my system in any
> way?
>
> Secondly, if it's not dangerous, can anyone point me to a howto that
> actually explains not only how this is done, but has examples. I've had
> a look around for stuff, but I really don't understand what they're
> talking about half the time. An example that I can modify to suit my own
> needs would be great.
Apart from Rob's comments, I guess if you're mapping ports you're
opening ports. Security would depend on how good Rusty and the gang are
with their iptables kernel code.
The only useful suggestion I have is to look at rinetd:
http://www.boutell.com/rinetd/
The setup is very easy:
sez at moebius:~$ cat /etc/rinetd.conf
#
# this is the configuration file for rinetd, the internet redirection server
#
# you may specify global allow and deny rules here
# only ip addresses are matched, hostnames cannot be specified here
# the wildcards you may use are * and ?
#
allow 152.98.217.*
# deny 192.168.2.1?
#
# forwarding rules come here
#
# you may specify allow and deny rules after a specific forwarding rule
# to apply to only that forwarding rule
#
# bindaddress bindport connectaddress connectport
xxx.xx.xx.1 80 10.10.10.1 80
xxx.xx.xx.1 22 10.10.10.1 22
xxx.xx.xx.1 443 10.10.10.1 443
xxx.xx.xx.3 137 10.10.10.6 137
xxx.xx.xx.3 138 10.10.10.6 138
xxx.xx.xx.3 139 10.10.10.6 139
xxx.xx.xx.7 22 10.10.10.7 22
# logging information
logfile /var/log/rinetd.log
= cut =================
Now I can ssh in from outside the bastion using xxx.xx.xx.1 to the
internal box listening on 10.10.10.1
You run rinetd and iptables on the same box, and just open the port(s)
that rinetd is forwarding. I don't know how good the security features
(allow/deny) are but probably no worse than port-forwarding with
iptables, and you can do the cute thing of having multiple IP addresses
like I have (either with aliasing or multiple NICs).
>
> thanks,
>
> Sandra.
>
> ***---***---***---***---***---***---***
> silne at optushome.com.au
> ICQ: 7632763
> http://members.optushome.com.au/silne
> "Death is certain, life is optional"
>
>
--
--- Sarah Hollings <sarah at humanfactors.uq.edu.au>
--- IT Manager Ph +61 7 3365 6080 Fax +61 7 3365 6171
Key Centre for Human Factors and Applied Cognitive Psychology
The University of Queensland, Saint Lucia, QLD 4072 Australia
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/
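For comparison with the rinetd table above, here is the iptables side of the same job: a script that reads a rinetd-style forwarding file and prints the DNAT and FORWARD rules that do the equivalent port mapping in the kernel. This is an added example, not code from the thread, from rinetd, or from the iptables project. The interface names (eth0 outside, eth1 inside), the 203.0.113.x placeholder public addresses in the constructed sample file, and the two function names are my assumptions; the allow network is rinetd's "allow 152.98.217.*" written as a CIDR. Two points the post does not spell out: rinetd forwards TCP only, so 137/udp and 138/udp would not be carried by it and would need their own -p udp rules; and rinetd re-originates each connection, so the internal host sees the bastion as the client, whereas DNAT keeps the real source address, which matters for the internal host's logs and its own access controls. The script only prints commands so the rule set can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the post): turn a rinetd-style forwarding table
# into iptables DNAT + FORWARD rules. Assumed names: eth0 is the bastion's
# outside interface, eth1 the inside one, ALLOW_SRC the only network that
# may reach the mapped ports. Output is printed, never applied.

EXT_IF=eth0
INT_IF=eth1
ALLOW_SRC=152.98.217.0/24   # rinetd 'allow 152.98.217.*' as a CIDR

# Rules independent of the table: enable routing, drop forwarded traffic by
# default, and let only replies from the inside back out through eth0.
iptables_preamble() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$INT_IF" "$EXT_IF"
}

# is_port VALUE: true only for a decimal number in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rinetd_to_iptables FILE
# Reads "bindaddr bindport connectaddr connectport" lines; blank lines,
# '#' comments and the allow/deny/logfile directives are skipped, malformed
# lines are reported on stderr and skipped. Only TCP is emitted, matching
# what rinetd itself forwards.
rinetd_to_iptables() {
    while read -r bind_addr bind_port conn_addr conn_port rest; do
        case "$bind_addr" in ''|'#'*|allow|deny|logfile) continue ;; esac
        if [ -z "$conn_addr" ] || ! is_port "$bind_port" || ! is_port "$conn_port"; then
            printf 'skipping malformed line: %s %s %s %s\n' \
                "$bind_addr" "$bind_port" "$conn_addr" "$conn_port" >&2
            continue
        fi
        # Rewrite the destination before routing. -i and -d pin the rule to
        # the public address on the outside interface, -s to the allowed net.
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -s %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$EXT_IF" "$ALLOW_SRC" "$bind_addr" "$bind_port" "$conn_addr" "$conn_port"
        # After DNAT the packet is addressed to the internal host, so the
        # FORWARD match is on the internal address and port, not the public one.
        printf 'iptables -A FORWARD -i %s -o %s -p tcp -s %s -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
            "$EXT_IF" "$INT_IF" "$ALLOW_SRC" "$conn_addr" "$conn_port"
    done < "$1"
}

# Constructed sample in rinetd's format; 203.0.113.x are placeholder
# public addresses, and the 'ssh' line is deliberately malformed.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# forwarding rules: bindaddress bindport connectaddress connectport
allow 152.98.217.*
203.0.113.1 22 10.10.10.1 22
203.0.113.1 443 10.10.10.1 443
203.0.113.3 139 10.10.10.6 139
203.0.113.9 ssh 10.10.10.9 22
logfile /var/log/rinetd.log
EOF

iptables_preamble
rinetd_to_iptables "$SAMPLE_CONF"
```

Run it and read the printed rules before pasting them into the bastion's firewall script; the FORWARD policy of DROP plus one accept per mapped port is the iptables equivalent of "just open the ports that rinetd is forwarding". If more than one public address is aliased onto eth0, the -d match on each DNAT rule is what keeps a mapping on xxx.xx.xx.1 from also answering on xxx.xx.xx.3.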