08-05-2013
Ports are fields in UDP and TCP packet headers that allow the flow to be divided on a host to 65K different apps. For instance tcp cpnnections could be made from 63K different apps on one host to port 80 web server on the next. Sometimes port numbers imply a protocol, like 80 for http, 25 for smtp, etc. Servers listen on ports and clients get random ports to identify their socket from al others on the host, In IPV4, you have 2^32 hosts and 2^16 ports, so there are 2^96 possible connections. UDP is connectionless, so a "connection" is just a filter on remote host+port and default remote host+port destination on a socket.
IP packets are identified by Host and protocol (such as TCP), and for tcp and udp, by port. Firewalls like iptables key off the host and port. With tcp, you can tell which end is the client (connecting) and which is the server (listening) in the first two packets (syn and syn+ack bits on, respectively). So, you can allow clients inside to connect everywhere outside but not vice-versa. ICMP is an IP sub-protocol that supports IP, TCP, UDP with control and diagnostic messages Some ICMP messages can be toxic if counterfeit.
IPTables also has NAT, the ability to rewrite packets for a new host, port or both going "out", and back to the original host/port for packets coming "in". This is handy if inside hosts are unroutable, like 10.*, or just to hide inside hosts. Some protocols like FTP (which runs on top of, or inside, TCP) put hosts and port numbers in the data stream as well, and some of these NAT knows how to rewrite. All packet rewriting include adjustment of checksums.
This User Gave Thanks to DGPickett For This Post:
10 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
Hi,
I have to install an application that has a built in tftp server. Tftp comes in on port 69. As i am not installing this application as a root user i am running into trouble because only the root user can listen to ports < 1024. So changing the port i listen to to one greater than 1023 isn't... (1 Reply)
Discussion started by: imloaded24_7
1 Replies
2. UNIX for Advanced & Expert Users
Hi
I want to set up port forwarding from one network to another network. I already have this configured on the Linux box using iptables.
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 1521 -j DNAT --to 10.218.146.230
iptables -A FORWARD -p tcp -i eth1 -d 10.218.146.230 -j ACCEPT
... (2 Replies)
Discussion started by: slash_blog
2 Replies
3. Solaris
Hi,
I am looking out a way to forward all UDP traffic coming on ports 3001,3002,3003 and 3004 on server 10.2.45.200
to
corresponding ports of server 10.2.45.197.
I am using Solaris 10.0.
-bash-3.00$ uname -a
SunOS airtelussd2 5.10 Generic_127127-11 sun4u sparc SUNW,Sun-Fire-V445
Is... (6 Replies)
Discussion started by: vikas027
6 Replies
4. IP Networking
Hi Linux/Unix Guru,
I am setting Linux Hopping Station to another different servers.
My current config to connect to another servers is using different port to connect.
e.g
ssh -D 1080 -p 22 username@server1.com
ssh -D 1081 -p 22 username@server2.com
Now what I would like to have... (3 Replies)
Discussion started by: regmaster
3 Replies
5. UNIX for Advanced & Expert Users
Hello,
I have a routeur linksys (192.168.1.1 ) a firewall (192.168.1.55 IN ----> 192.168.2.254 OUT) which using iptable
I want to acces to an equipment (lorex video camera serveur 192.168.2.44) which using an ddns service on the port 9000
So i don t know which redirection a will do on the... (2 Replies)
Discussion started by: tapharule
2 Replies
6. Shell Programming and Scripting
Hi guys, I'm trying to set up an Ubuntu VPN server that will forward an ssh connection automatically as a proxy to two separate LAN hosts.
What I'm looking at doing is making SSH listen on two ports (if that is possible) and get some kind of script, preferably something in bash, that will listen... (2 Replies)
Discussion started by: 3therk1ll
2 Replies
7. IP Networking
hi guys
i have a simple question !
i have two ips . a valid and internal(172.16.11.2)
i want to use port forwarding to forward any request to valid IP port 8001 to internal ip port 80 .
i use this rule :
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp... (1 Reply)
Discussion started by: mhs
1 Replies
8. UNIX for Advanced & Expert Users
Hi experts,
We have windows machine ( A ) in one network & 2 Linux Servers ( B & C ) in another network. There is a firewall between these 2 networks and SSH (TCP/22) & HTTPS (TCP/443) are allowed from A to B only (but not to C). There is no personal firewall / iptables running on any machine.... (1 Reply)
Discussion started by: magnus29
1 Replies
9. IP Networking
Hello Gurus,
I have configured port forwarding at router.
But after configuration I am not able to connect the computer from outside/Over internet/Remote desktp from other computer.
Could you please advice?
Thanks-
Pokhraj (2 Replies)
Discussion started by: pokhraj_d
2 Replies
10. Red Hat
Hello All,
I would like to ask you very kindly with /etc/sysconfig/iptables file
I have to setup port forwarding on RHEL6 router. Users from public network must be able to ssh to servers in private network behind RHEL6 router. Problem is that servers in private network must be isolated.
My... (2 Replies)
Discussion started by: oidipus
2 Replies
stone(1) General Commands Manual stone(1)
NAME
stone - a simple TCP/IP packet repeater
SYNOPSYS
stone [-d] [-n] [-u max] [-f n] [-l] [-z SSL] st [-- st] ...
OPTIONS
-d Increase the debug level.
-z SSL encryption.
-n IP addresses and service port numbers are shown instead of host names and service names.
-u max max is integer. The program will memorize max sources simultaneously where UDP packets are sent.
-f n n is integer. The program will spawn n child processes.
-l Sends error messages to the syslog instead of stderr.
st is one of the followings; Multiple st can be designated, separated by --.
(1) host:port sport [xhost ...]
(2) host:port shost:sport [xhost ...]
(3) display [xhost ...]
(4) proxy sport [xhost ...]
(5) host:port/http request [hosts ...]
(6) host:port/proxy header [hosts...]
The program repeats the connection on port sport to the other machine host port port. If the machine, on which the program runs, has two
or more interfaces, type (2) can be used to repeat the connection on the specified interface shost.
display [xhost ...]
Abbreviating notation. The program repeats the connection on display number display to the X server designated by the environment
variable DISPLAY.
proxy sport [xhost ...]
Http Proxy. Specify the machine, on which the program runs, and port sport in the http proxy settings of your WWW browser.
host:port/http request [hosts ...]
Repeats packets over http request. request is the request specified in HTTP 1.0. host:port/proxy header [hosts...]
host:port/proxy header [hosts...]
Type (6) repeats http request with header in the top of request headers.
xhost Only machines xhost can connect to the program.
xhost/mask
Only machines on specified networks are permitted to connect to the program. In the case of class C network 192.168.1.0, for exam-
ple, use 192.168.1.0/255.255.255.0.
sport/udp
Repeats UDP packets instead of TCP packets.
port/ssl
Repeats packets with encryption.
sport/ssl
Repeats packets with decryption.
sport/http
Repeats packets over http.
DESCRIPTION
Stone is a TCP/IP packet repeater in the application layer. It repeats TCP and UDP packets from inside to outside of a firewall, or from
outside to inside.
Stone has following features:
1. Stone supports Win32.
Formerly, UNIX machines are used as firewalls, but recently WindowsNT machines are used, too. You can easily run Stone on WindowsNT
and Windows95. Of course, available on Linux, FreeBSD, BSD/OS, SunOS, Solaris, HP-UX and so on.
2. Simple.
Stone's source code is only 2000 lines long (written in C language), so you can minimize the risk of security holes.
3. Stone supports SSLeay.
Using SSLeay developed by Eric Young, Stone can encrypt/decrypt packets.
4. Stone is a http proxy.
Stone can also be a tiny http proxy.
EXAMPLES
outer: a machine in the outside of the firewall
inner: a machine in the inside of the firewall
fwall: the firewall on which the stone is executed
stone 7 outer
Repeats the X protocol to the machine designated by the environmental variable DISPLAY. Run X clients under DISPLAY=inner:7 on outer.
stone outer:telnet 10023
Repeats the telnet protocol to outer.
Run telnet fwall 10023 on inner.
stone outer:domain/udp domain/udp
Repeats the DNS query to outer.
Run nslookup - fwall on inner.
stone outer:ntp/udp ntp/udp
Repeats the NTP to outer.
Run ntpdate fwall on inner.
stone localhost:http 443/ssl
Make WWW server that supports https.
Access https://fwall/ using a WWW browser.
stone localhost:telnet 10023/ssl
Make telnet server that supports SSL.
Run SSLtelnet -z ssl fwall 10023 on inner.
stone proxy 8080
http proxy.
Where fwall is a http proxy (port 8080):
stone fwall:8080/http 10023 'POST http://outer:8023 HTTP/1.0'
stone localhost:telnet 8023/http
Run stones on inner and outer respectively.
Repeats packets over http.
stone fwall:8080/proxy 9080 'Proxy-Authorization: Basic c2VuZ29rdTpoaXJvYWtp'
for browser that does not support proxy authorization.
COPYRIGHT
All rights about this program stone are reserved by the original author, Hiroaki Sengoku. The program is free software; you can redis-
tribute it and/or modify it under the terms of the GNU General Public License (GPL).
NO WARRANTY
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.
AUTHOR
Hiroaki Sengoku
sengoku@gcd.org
http://www.gcd.org/sengoku/
Version 2.0 stone(1)