LinuxQuestions.org
Old 11-13-2008, 01:39 PM   #1
dahweeds
LQ Newbie
 
Registered: Nov 2008
Posts: 24

Rep: Reputation: 0
Can I send multiple ports out through one port on CentOS via iptables?


Thanks for looking at this post.
I am trying to make Hamachi work seamlessly in a small office.
By the boss's orders I can only allow ports open per machine and all others closed. The problem is that the linux version of Hamachi cannot specify the TCP port. Windows versions are able.

When Hamachi tries to connect to the VPN mediation server, it uses a TCP connection with a variable port. Afterward the tunneling happens on a UDP connection. I can open the port for UDP, but when the linux box tries to get peer information from the mediation server it sends out some request through ###.###.###.###:30000-60000 (guess of dynamic range), but this is blocked by the router on the way back.

At present, I have seen that this contact normally takes place through ports between the guess above so I have set a trigger on the router firewall to allow this short communication. But this is borderline with the boss. The boss really wants all ports shut except for the individual communication port for each VPN host.

My question is: can I use some iptables to force the request from my linux host out to the mediation server through the available port?

Maybe it looks like this:
Code:
               |-30000-|               
               |       |                  |
Linux host     |       |-iptables|-123456-|-Mediation server-|
dynamic request|       | redirect|        |                  | 
               |       |                  |                  |
               |-60000-|                  |                  |
                                          |                 \ /
                                    Router Firewall          |
                                          |                  |
                                          |                  |
linux host     |                          |                  |
receives info  |---------<---------123456-|--------<---------|
thanks again if you have any ideas.
 
Old 11-13-2008, 07:07 PM   #2
OdinnBurkni
Member
 
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 127

Rep: Reputation: 20
Port opening

Hi there.
I'm not sure I remember this correctly but you should be able to use established related commands. Don't remember exactly how to use it, would have to take a look at my iptables but I hope this will give you an idea.

Regards,
Odinn Burkni
 
Old 11-13-2008, 08:54 PM   #3
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,691

Rep: Reputation: 5894
You can configure a static UDP port in linux. The TCP port does not matter.

http://logmeinwiki.com/wiki/Hamachi:...coming_traffic
 
Old 11-14-2008, 08:11 AM   #4
dahweeds
LQ Newbie
 
Registered: Nov 2008
Posts: 24

Original Poster
Rep: Reputation: 0
Thanks for the encouraging words.

Thanks Odinn, I have been trying to understand iptables for this, but have not had a lot of time. Since my trigger hack is working now, I am trying to manage some other things at the moment. If you come by any clues in your free time please post.

Thanks too, Michaelk. I have that UDP port set up according to Hamachi and it does work for the data tunnel on the 5.*.*.* ip addresses. But there is one step in Hamachi's communication that goes via TCP. I will show some clips from a 'hamachi start debug' session that may keep the issue cleared up.
Code:
[root@myhost ~]# hamachi start debug
.
**** it will hang here if I turn the firewall on.
**** this step uses a dynamic port (43352 this time), apparently
**** via TCP which I cannot open on the firewall.
11 10:57:39.878 [   3] [14527] ses: connecting to 69.25.21.229:12975 ..
11 10:57:39.897 [   4] [14527] ses: io_ready -- 192.168.1.19:43352
.
**** Later, this connection uses the correct port 
**** (specified by UdpPort ##### in .hamachi/config)
.
11 10:57:40.313 [   8] [14527] ses: udp sock -- 192.168.1.19:12345
.
**** The peer will show up with 5.*.*.*:12345 ipaddress from other peers.
**** So with the firewall off, I can connect to the networks. 
.
11 10:57:40.758 [  14] [14527] ses: received network myhamachinetwork
At this point, I turn on the firewall again.
Not long after (about 1 minute) I lose the connections.
Notice the 'io_ready' step. My host has lost the ip.
Code:
11 11:29:39.637 [3351] [14709] ses: connecting to 69.25.21.229:12975 ..
11 11:32:48.645 [3352] [14709] ses: io_ready -- 0.0.0.0:46014
11 11:32:48.645 [3352] [14709] ses: state 3.0 -> 3.1
11 11:32:48.645 [3352] [14709] ses: state 3.1 -> 4.0
11 11:32:48.645 [3352] [14709] ses: sending helo ..
11 11:32:48.645 [3352] [14709] ses: error 2 send 32 33
11 11:32:48.645 [3352] [14709] ses: error 2 send 32 33
11 11:32:48.645 [3352] [14709] ses: go_offline
Now when I open the dynamic TCP range of firewall ports (port forward or trigger) this connection succeeds. So I want to map the range in a way that the io_ready communication will flow out through the one allowable open port.

Thanks again for your help.

By the way, I have used the iptables with
Code:
-A POSTROUTING -o ham0 -j MASQUERADE
enabled and disabled but it does not affect this issue.
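The two debug sessions quoted above carry the whole diagnosis: the working run binds its TCP side to 192.168.1.19 on an ephemeral port, the failing run reports io_ready on 0.0.0.0, two send errors and go_offline. The following parser is an added example (not Hamachi's tooling and not code from the thread) that pulls those facts out of the log lines so the symptom can be spotted without reading the full session. The line format is inferred from the quoted lines ("<day> <HH:MM:SS.mmm> [<seq>] [<pid>] ses: <message>"), and the function names are ours.

```python
"""Added example: parse the 'hamachi start debug' lines quoted in post #4 and
extract what matters for the firewall question.

Assumption: the line format "<day> <HH:MM:SS.mmm> [<seq>] [<pid>] ses: <message>"
is inferred from the quoted lines; helper names are ours, not Hamachi's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\s*(?P<seq>\d+)\]\s+\[(?P<pid>\d+)\]\s+ses:\s+(?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"connecting to (?P<ip>[\d.]+):(?P<port>\d+)")
IO_READY_RE = re.compile(r"io_ready -- (?P<ip>[\d.]+):(?P<port>\d+)")
UDP_RE = re.compile(r"udp sock -- (?P<ip>[\d.]+):(?P<port>\d+)")


@dataclass
class Event:
    seq: int
    msg: str


def parse(lines: List[str]) -> List[Event]:
    """Keep only the 'ses:' lines; '****' annotations and '.' separators are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m.group("seq")), m.group("msg")))
    return events


def diagnose(lines: List[str]) -> Dict[str, object]:
    """Summarise one session: the mediation server, the local TCP source port the
    kernel picked, whether the socket came up with no address (0.0.0.0, the symptom
    in the second log), the static UDP port, send errors and go_offline."""
    summary: Dict[str, object] = {
        "mediation_server": None,
        "tcp_source_port": None,
        "tcp_bind_failed": False,
        "udp_port": None,
        "send_errors": 0,
        "went_offline": False,
    }
    for ev in parse(lines):
        m = CONNECT_RE.search(ev.msg)
        if m:
            summary["mediation_server"] = f"{m.group('ip')}:{m.group('port')}"
            continue
        m = IO_READY_RE.search(ev.msg)
        if m:
            summary["tcp_source_port"] = int(m.group("port"))
            summary["tcp_bind_failed"] = m.group("ip") == "0.0.0.0"
            continue
        m = UDP_RE.search(ev.msg)
        if m:
            summary["udp_port"] = int(m.group("port"))
            continue
        if ev.msg.startswith("error") and " send " in ev.msg:
            summary["send_errors"] = int(summary["send_errors"]) + 1
        elif ev.msg.startswith("go_offline"):
            summary["went_offline"] = True
    return summary


def explain(summary: Dict[str, object]) -> str:
    """One-line verdict for the firewall admin."""
    if summary["went_offline"] or summary["tcp_bind_failed"]:
        return ("handshake to %s failed: the socket reported 0.0.0.0 and the session "
                "went offline, i.e. the reply to the ephemeral TCP source port was blocked"
                % summary["mediation_server"])
    return ("handshake to %s succeeded from ephemeral TCP port %s; tunnel on UDP %s"
            % (summary["mediation_server"], summary["tcp_source_port"], summary["udp_port"]))


# The two sessions quoted in post #4 (only the 'ses:' lines are needed).
GOOD_SESSION = """\
11 10:57:39.878 [   3] [14527] ses: connecting to 69.25.21.229:12975 ..
11 10:57:39.897 [   4] [14527] ses: io_ready -- 192.168.1.19:43352
11 10:57:40.313 [   8] [14527] ses: udp sock -- 192.168.1.19:12345
11 10:57:40.758 [  14] [14527] ses: received network myhamachinetwork
""".splitlines()

BAD_SESSION = """\
11 11:29:39.637 [3351] [14709] ses: connecting to 69.25.21.229:12975 ..
11 11:32:48.645 [3352] [14709] ses: io_ready -- 0.0.0.0:46014
11 11:32:48.645 [3352] [14709] ses: state 3.0 -> 3.1
11 11:32:48.645 [3352] [14709] ses: state 3.1 -> 4.0
11 11:32:48.645 [3352] [14709] ses: sending helo ..
11 11:32:48.645 [3352] [14709] ses: error 2 send 32 33
11 11:32:48.645 [3352] [14709] ses: error 2 send 32 33
11 11:32:48.645 [3352] [14709] ses: go_offline
""".splitlines()

if __name__ == "__main__":
    for name, session in (("firewall off", GOOD_SESSION), ("firewall on", BAD_SESSION)):
        print(name + ":", explain(diagnose(session)))
```

The parser deliberately ignores the "****" annotation lines, so it can be fed the session exactly as pasted. The key field is the io_ready address: a real local address with an ephemeral port means the TCP connect completed, while 0.0.0.0 means it did not, which is why no fixed TCP port can be opened for it.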
 
Old 11-16-2008, 04:26 PM   #5
OdinnBurkni
Member
 
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 127

Rep: Reputation: 20
Established related.

Hello again.
Not sure if it's the right one but you could try this:
Code:
-A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
You might also want to look at this site:
http://www.kalamazoolinux.org/presen...conntrack.html

Regards,
Odinn Burkni
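The ESTABLISHED,RELATED rule above is the answer to the question in post #1: the client's TCP source port is chosen by the kernel and cannot be pinned, but connection tracking recognises the mediation server's reply as belonging to a flow the host started, so no inbound range like 30000-60000 has to be opened. The model below is an added example (not from the thread, not Hamachi's or iptables' code) that replays the handshake from the post #4 log against two policies, static ports only versus static ports plus a conntrack rule. Addresses and ports come from the quoted log; the peer and probe addresses, the INPUT-chain form of the rules (the thread quotes the FORWARD-chain form) and all names are assumptions. If the blocking device is the office router rather than the CentOS host, the same stateful rule is needed on the router.

```python
"""Added example: toy model of the two firewall policies discussed in this thread
(posts #1 and #5), showing why a connection-tracking rule lets the mediation-server
handshake through without opening TCP 30000-60000 inbound.

Rules modelled (host firewall on the CentOS box; the INPUT-chain form is our
assumption, the thread quotes the FORWARD-chain variant):
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p udp --dport 12345 -j ACCEPT
    iptables -P INPUT DROP
Addresses and ports are taken from the debug log in post #4; the peer and probe
addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

LOCAL_HOST = "192.168.1.19"
MEDIATION = "69.25.21.229"
HAMACHI_UDP = 12345          # UdpPort from .hamachi/config in the thread

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool    # True: internet -> host (INPUT); False: host -> internet (OUTPUT)


class Firewall:
    """INPUT policy DROP with the static UDP port open. With allow_established=True the
    firewall also accepts packets that reverse a flow the host itself started, which is
    what `-m state --state ESTABLISHED,RELATED -j ACCEPT` provides."""

    def __init__(self, allow_established: bool, open_udp_ports=(HAMACHI_UDP,)):
        self.allow_established = allow_established
        self.open_udp_ports: Set[int] = set(open_udp_ports)
        self.conntrack: Set[Flow] = set()

    def filter(self, pkt: Packet) -> str:
        if not pkt.inbound:
            # OUTPUT is unrestricted; conntrack records the flow so its replies match.
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.proto == "udp" and pkt.dport in self.open_udp_ports:
            return "ACCEPT"                      # the one statically opened port
        reverse: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.allow_established and reverse in self.conntrack:
            return "ACCEPT"                      # ESTABLISHED reply to our own connection
        return "DROP"                            # default policy


# Constructed packet sequence mirroring the debug log in post #4.
HANDSHAKE: List[Packet] = [
    Packet("tcp", LOCAL_HOST, 43352, MEDIATION, 12975, inbound=False),   # ses: connecting to ...:12975
    Packet("tcp", MEDIATION, 12975, LOCAL_HOST, 43352, inbound=True),    # server's SYN/ACK to the ephemeral port
    Packet("udp", LOCAL_HOST, HAMACHI_UDP, MEDIATION, 12975, inbound=False),     # udp sock -- :12345 (dst constructed)
    Packet("udp", "198.51.100.7", 40000, LOCAL_HOST, HAMACHI_UDP, inbound=True),  # a peer to the static UDP port (constructed)
    Packet("tcp", "203.0.113.9", 55555, LOCAL_HOST, 43352, inbound=True),         # unsolicited probe of the ephemeral port (constructed)
]


def run(fw: Firewall, packets: List[Packet]) -> List[str]:
    return [fw.filter(p) for p in packets]


def compare_policies(packets: List[Packet] = HANDSHAKE) -> dict:
    return {
        "static_ports_only": run(Firewall(allow_established=False), packets),
        "with_established_related": run(Firewall(allow_established=True), packets),
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(name)
        for pkt, verdict in zip(HANDSHAKE, verdicts):
            print(f"  {verdict:6} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The second packet is the one the thread is about: under the static-ports-only policy the server's reply to port 43352 is dropped, which is the io_ready 0.0.0.0 / go_offline symptom, while the stateful policy accepts it because the host initiated the flow. The last packet shows the point that matters for the boss's requirement: an unsolicited connection to that same ephemeral port is still dropped, so ESTABLISHED,RELATED does not open any port to the outside; it only admits replies to connections the host opened itself.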