LinuxQuestions.org
Old 03-21-2013, 03:40 AM   #1
culin
Member
 
Registered: Sep 2006
Distribution: Fedora Core 10
Posts: 254

Rep: Reputation: 32
iptables SNAT change source port


Hi all,

My setup is as below (I am running RHEL 5).

1. Laptop (linux RHEL 5) with 2 eth ports
2. eth0 connected to External world (internet)
3. eth1 connected to another device

On the laptop I did:

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Also running a dhcp server on Linux laptop.

Now when I connect a device to eth1 it gets an IP, say 192.168.0.10, from the DHCP server running on the Linux laptop, and it establishes a VPN tunnel with the external world. Everything is fine till now.

But when I monitor the port on the destination machine with Wireshark I am able to see the source port as udp:500.

What I need is, the NAT server should HIDE THE SOURCE PORT udp:500 from the device.

How can I HIDE the source port using iptables?

I tried this:

iptables -t nat -A POSTROUTING -p udp -o eth0 -j SNAT --to-source 192.168.0.10:4444

But this doesn't seem to HIDE or change the source port visibility on the remote machine.

How can I change the source port using iptables for my setup?

Regards,
Naren
 
Old 03-21-2013, 04:16 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
That's the correct source port for IKE; you don't change it. Why do you care?
 
Old 03-21-2013, 05:31 AM   #3
culin
Member
 
Registered: Sep 2006
Distribution: Fedora Core 10
Posts: 254

Original Poster
Rep: Reputation: 32
Yes, I know, but I need to check whether the established tunnel will still be up when the NAT server randomly changes the port!! But in my case the NAT server is not changing the source port (I mean not exactly changing, but the source port should not be visible to the destination server after NAT'ing).
 
Old 03-21-2013, 05:36 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
But it won't change the port. It uses 500. Port 500 is used for basic un-NATted IPsec; if IKE detects a NAT in place, then the exchange will move to port 4500. So doing any NAT will mean that the key exchange doesn't use that port for any significant role other than knowing not to use it. What you're asking for doesn't happen; it's really a non-issue.
 
Old 03-21-2013, 07:54 AM   #5
culin
Member
 
Registered: Sep 2006
Distribution: Fedora Core 10
Posts: 254

Original Poster
Rep: Reputation: 32
Ohh cool!! Thanks for the info. So, you mean to say if IKE detects a NAT it will use 4500 by default instead of 500, and there is no other means to change that to some <xxxx> port using anything, right?
 
Old 03-21-2013, 08:27 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Looking around, I can't find much talk about it, but IKE over UDP 500 works in an intrinsically different way to a standard UDP/TCP application. Basically NAT matters. So with the standard 500 interchange a hash of the IP and port on each peer is compared to the actual IP details on the connection, and if they differ then NAT has been performed, and so it then uses a different process where NAT is tolerated on 4500, given that both devices are able to handle the more advanced processes that requires.
 
Old 03-22-2013, 01:40 AM   #7
culin
Member
 
Registered: Sep 2006
Distribution: Fedora Core 10
Posts: 254

Original Poster
Rep: Reputation: 32
Hi Chris,

I was going through the IKEv2 RFC. Here is a relevant point:


2.11. Address and Port Agility

IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and
AH associations for the same IP addresses it runs over. The IP
addresses and ports in the outer header are, however, not themselves
cryptographically protected, and IKE is designed to work even through
Network Address Translation (NAT) boxes. An implementation MUST
accept incoming requests even if the source port is not 500 or 4500,
and MUST respond to the address and port from which the request was
received. It MUST specify the address and port at which the request
was received as the source address and port in the response. IKE
functions identically over IPv4 or IPv6.
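To make the NAT-detection mechanism discussed in posts #4 and #6 concrete, and the "respond to the address and port from which the request was received" rule quoted above from section 2.11, here is an added example (not from the thread or from any posted configuration). It implements the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP hash from the IKEv2 RFC (RFC 7296 section 2.23, the same text as in RFC 5996): SHA-1 over SPIi, SPIr, the raw IP address and the 2-byte port. It then walks the first IKE_SA_INIT request through a simulated NAT so you can see why the original poster's setup already exercises the NAT path: a MASQUERADE that leaves the source port at 500 still changes the IP, the hashes no longer match, and the exchange moves to 4500. All host names, addresses (192.168.0.10, 203.0.113.5, 198.51.100.7), SPI values and the two NAT stand-in functions are constructed for illustration.

```python
"""Added example: IKEv2 NAT detection (RFC 7296 section 2.23) through a NAT.

Addresses, SPIs and the NAT stand-ins below are constructed for illustration;
only the hash construction and the reply rule come from the RFC.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500        # plain IKE
IKE_NATT_PORT = 4500  # UDP-encapsulated IKE and ESP once a NAT is detected


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Contents of a NAT_DETECTION_*_IP payload: SHA-1(SPIi | SPIr | IP | port).

    IP is the raw 4-byte (IPv4) or 16-byte (IPv6) address; port is 2 bytes,
    network byte order. The outer header is not otherwise protected, so this
    hash is how each peer learns whether a NAT rewrote it in transit.
    """
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def simulate_ike_sa_init(initiator, responder, nat=None, spi_i=b"\x11" * 8):
    """Walk the first IKE_SA_INIT request from initiator to responder.

    initiator, responder: (ip, port) tuples as each host sees itself.
    nat: optional function (ip, port) -> (ip, port) standing in for the
         POSTROUTING rewrite on the laptop; None means no NAT in the path.
    Returns what the responder concludes and where it must send its reply.
    """
    spi_r = bytes(8)  # responder SPI is zero in the very first request

    # Initiator hashes the source it believes it sends from and the
    # destination it is sending to; both land in the (unmodified) payload.
    nd_src = nat_detection_hash(spi_i, spi_r, *initiator)
    nd_dst = nat_detection_hash(spi_i, spi_r, *responder)

    # The NAT, if any, rewrites only the outer IP/UDP header.
    observed = nat(*initiator) if nat else initiator

    # Responder recomputes both hashes over what it actually saw.
    initiator_behind_nat = nd_src != nat_detection_hash(spi_i, spi_r, *observed)
    responder_behind_nat = nd_dst != nat_detection_hash(spi_i, spi_r, *responder)
    behind_nat = initiator_behind_nat or responder_behind_nat

    return {
        "initiator_behind_nat": initiator_behind_nat,
        "responder_behind_nat": responder_behind_nat,
        "nat_detected": behind_nat,
        # RFC 7296 s2.11: reply to the address and port the request came from,
        # whatever source port the NAT picked.
        "reply_to": observed,
        # Later IKE and ESP traffic moves to 4500 only when a NAT was found.
        "next_port": IKE_NATT_PORT if behind_nat else IKE_PORT,
    }


def masquerade(ip, port):
    """Constructed stand-in for MASQUERADE, which keeps the source port when it can."""
    return ("203.0.113.5", port)


def snat_new_port(ip, port):
    """Constructed stand-in for a NAT that also rewrites the UDP source port."""
    return ("203.0.113.5", 4444)


if __name__ == "__main__":
    device = ("192.168.0.10", IKE_PORT)    # host behind the laptop, on eth1
    gateway = ("198.51.100.7", IKE_PORT)   # VPN peer on the internet
    for label, box in (("no NAT", None),
                       ("MASQUERADE, port kept", masquerade),
                       ("SNAT to :4444", snat_new_port)):
        print(f"{label:22s} -> {simulate_ike_sa_init(device, gateway, box)}")
```

Running it prints three results: with no NAT nothing is detected and the reply goes back to 192.168.0.10:500; with the port-preserving MASQUERADE the source hash already mismatches because the IP changed, so the peer treats the device as behind a NAT and shifts to 4500; the port-rewriting case detects the same thing and simply replies to 203.0.113.5:4444. That is the observation behind the moderator's answer: the visible source port is not what decides NAT handling, the hash comparison is.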
 
  

