Mailing List Archive

ip_conntrack_rsh - how to make NAT work?
Hi,
I need to get rsh working via NAT.
Don't ask me why I use an unsafe protocol and an old kernel
(2.6.13). I just need to make them work.

I downloaded patch-o-matic, applied the ip_conntrack_rsh patch to
kernel 2.6.13, rebuilt the kernel, and rebuilt iptables 1.3.3.

After reboot, I call "modprobe ip_conntrack_rsh". I applied the
iptables rules from the netfilter webpage:

http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-rsh

I can see that conntrack is working: the rsh stderr connection
initiated by the rsh server is added to /proc/net/ip_conntrack_expect.
The problem is that the rsh stderr stream is not NAT'ed, and the
connection fails.

Here is a trace from the gateway:

eth2 - public interface of gateway.
10.0.236.90 - public IP of gateway
10.0.238.89 - IP of rsh server
192.168.40.51 - IP of rsh client

gateway:/ # tethereal -i eth2 host 10.0.236.90 and host 10.0.238.89
Capturing on eth2
0.000000 10.0.236.90 -> 10.0.238.89 TCP 1023 > shell [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=1927039256 TSER=0 WS=0
0.003846 10.0.238.89 -> 10.0.236.90 TCP shell > 1023 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=24463859 TSER=1927039256 WS=0
0.004107 10.0.236.90 -> 10.0.238.89 TCP 1023 > shell [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=1927039261 TSER=24463859
0.004130 10.0.236.90 -> 10.0.238.89 RSH 1021\000
0.004180 10.0.238.89 -> 10.0.236.90 TCP shell > 1023 [ACK] Seq=1 Ack=6 Win=5792 Len=0 TSV=24463864 TSER=1927039261
0.005926 10.0.238.89 -> 10.0.236.90 TCP 1019 > 1021 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=24463866 TSER=0 WS=0
0.005979 10.0.236.90 -> 10.0.238.89 TCP 1021 > 1019 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
0.006175 10.0.238.89 -> 10.0.236.90 TCP shell > 1023 [FIN, ACK] Seq=1 Ack=6 Win=5792 Len=0 TSV=24463866 TSER=1927039261
0.006414 10.0.236.90 -> 10.0.238.89 TCP 1023 > shell [FIN, ACK] Seq=6 Ack=2 Win=5840 Len=0 TSV=1927039263 TSER=24463866
0.006477 10.0.238.89 -> 10.0.236.90 TCP shell > 1023 [ACK] Seq=2 Ack=7 Win=5792 Len=0 TSV=24463866 TSER=1927039263

cat /proc/net/ip_conntrack
tcp 6 117 TIME_WAIT src=192.168.40.51 dst=10.0.238.89 sport=1023 dport=514 src=10.0.238.89 dst=10.0.236.90 sport=514 dport=1023 [ASSURED] mark=0 use=1

cat /proc/net/ip_conntrack_expect (caught by filtering out the rsh server's
initial connection of the stderr stream)
1 proto=6 src=10.0.238.89 dst=10.0.236.90 sport=0 dport=1021

My questions are:
- how can I set up an rsh connection via NAT?
- is it a problem with missing/incorrect iptables rules, or do I
need an ip_nat_rsh module?
- does an ip_nat_rsh module exist?

I'll be grateful for your help.

Regards,
Krzysztof
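The expectation shown above, and the NAT step it lacks, modelled as an added example (an editor's illustration, not code from the post and not netfilter's ip_conntrack_rsh): it parses the rsh client's opening message, derives the expectation that appears in /proc/net/ip_conntrack_expect, and then shows what an rsh NAT helper would additionally have to do so that the server's stderr SYN is delivered to 192.168.40.51 rather than to the gateway itself. Addresses and ports are taken from the trace; the usernames and command in the sample payload are constructed, since the capture only shows the first field ("1021\0"), and the data classes and function names are this example's own, not kernel structures.

```python
"""Model of the rsh conntrack expectation and the NAT step it lacks.

Added illustration, not kernel code. It reproduces the bookkeeping visible in
the post's /proc/net/ip_conntrack and ip_conntrack_expect output and contrasts
it with what an ip_nat_rsh-style helper would have to add. Addresses and ports
are from the post's trace; usernames and command in the sample payload are
constructed (the capture only shows the first field, "1021\\0").
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tuple4:
    """One direction of a TCP flow; sport == 0 means 'any source port'."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Expectation:
    wire: Tuple4               # how the expected SYN looks on the public side
    dnat_to: Optional[Tuple4]  # rewritten destination; None without a NAT helper


def parse_rsh_request(payload: bytes) -> tuple[int, str, str, str]:
    """Split the rsh client's opening message: port\\0luser\\0ruser\\0cmd\\0.

    The first field is the port the client listens on for stderr; "0" means
    the client wants no separate stderr channel at all.
    """
    fields = payload.split(b"\0")
    if len(fields) < 5 or fields[4] != b"":  # four NUL-terminated fields
        raise ValueError("truncated rsh request")
    port_str = fields[0].decode("ascii")
    if not port_str.isdigit() or not 0 <= int(port_str) <= 65535:
        raise ValueError(f"bad stderr port {port_str!r}")
    return int(port_str), fields[1].decode(), fields[2].decode(), fields[3].decode()


def build_expectation(orig: Tuple4, reply: Tuple4, payload: bytes,
                      nat_helper: bool) -> Optional[Expectation]:
    """What the conntrack helper registers after seeing the client's request.

    orig  = client -> server as the client sent it (private address)
    reply = server -> client as it appears on the public side (after SNAT)
    The helper builds the expected reverse flow from the reply direction, which
    is why the expect entry carries the gateway's public address as dst.
    """
    stderr_port, _, _, _ = parse_rsh_request(payload)
    if stderr_port == 0:
        return None  # client asked for no stderr socket; nothing to expect
    wire = Tuple4(src=reply.src, sport=0, dst=reply.dst, dport=stderr_port)
    # A NAT helper would remember the client's real address so the expected
    # SYN can be DNAT'ed back to it when it arrives.
    dnat = Tuple4(src=reply.src, sport=0, dst=orig.src, dport=stderr_port) if nat_helper else None
    return Expectation(wire, dnat)


def matches(exp_wire: Tuple4, syn: Tuple4) -> bool:
    return (exp_wire.src == syn.src and exp_wire.dst == syn.dst
            and exp_wire.dport == syn.dport
            and exp_wire.sport in (0, syn.sport))


def route_incoming_syn(exp: Optional[Expectation], syn: Tuple4) -> Tuple4:
    """Destination the gateway delivers an incoming public-side SYN to.

    With only the conntrack helper the flow is marked RELATED but its
    destination stays the gateway's own address, where nothing listens on
    that port, so the kernel answers with RST (as in the trace). With a NAT
    helper the destination is rewritten to the client's real address.
    """
    if exp is None or not matches(exp.wire, syn) or exp.dnat_to is None:
        return syn
    return Tuple4(src=syn.src, sport=syn.sport, dst=exp.dnat_to.dst, dport=exp.dnat_to.dport)


CLIENT, GATEWAY, SERVER = "192.168.40.51", "10.0.236.90", "10.0.238.89"
# Constructed sample payload; only the "1021\0" field is visible in the capture.
SAMPLE_REQUEST = b"1021\0user\0user\0uname -a\0"
CONTROL_ORIG = Tuple4(CLIENT, 1023, SERVER, 514)     # ip_conntrack original tuple
CONTROL_REPLY = Tuple4(SERVER, 514, GATEWAY, 1023)   # ip_conntrack reply tuple
STDERR_SYN = Tuple4(SERVER, 1019, GATEWAY, 1021)     # the SYN in the trace

if __name__ == "__main__":
    for nat in (False, True):
        exp = build_expectation(CONTROL_ORIG, CONTROL_REPLY, SAMPLE_REQUEST, nat)
        delivered = route_incoming_syn(exp, STDERR_SYN)
        print(f"nat_helper={nat}: expect {exp.wire}; SYN delivered to "
              f"{delivered.dst}:{delivered.dport}")
```

Running it prints the expectation exactly as the expect entry above shows it (src=10.0.238.89 dst=10.0.236.90 sport=0 dport=1021) in both cases; the only difference a NAT helper makes is the final destination of the SYN, which is the whole reason the connection currently ends in a RST from the gateway.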