LinuxQuestions.org
Old 05-03-2007, 06:21 AM   #1
serge
Member
 
Registered: Apr 2007
Posts: 45

Rep: Reputation: 15
Packet based port forwarding


The other day I was brainstorming about my next server improvement.

I conjured the idea to redirect connections not based on their destination socket, but instead on the packet contents.

For example:
I have a SSH, FTP and HTTP server in my network.

I want to be able to connect through port 80 to either one of these.

So when I start a ssh client, I connect to port 80 and end up having an ssh connection with my ssh-server. When someone enters my website address in their browser they get their page as expected.

This way I can limit the amount of ports I open in my router.

It seems to me that this is do-able, yet I could not find a feasible solution.

I suspect it should be possible with a combination of either iptables and squid, unfortunately I have no idea where to start.

Thanks in advance.

Last edited by serge; 05-07-2007 at 10:08 AM.
 
Old 05-03-2007, 06:46 AM   #2
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
So basically what you are saying is that you want multiple servers (FTP / SSH / HTTP) listening on the same port?

My intuition tells me that this isn't possible. If you have three services listening on the same port how would the service know which packets it should "listen" to and which not to?

Just curious....
 
Old 05-03-2007, 02:28 PM   #3
serge
Member
 
Registered: Apr 2007
Posts: 45

Original Poster
Rep: Reputation: 15
I know that any service can only listen on one exclusive port.

For example:

SSH 8022
HTTP 8080
FTP 8021
Intermediate 80


So when I navigate Opera to [external IP], it connects to my router, which forwards to my server, where there is an intermediate service which inspects the packets and forwards to the HTTP service.

Hopefully this explains more clearly what I mean.

Last edited by serge; 05-07-2007 at 10:12 AM.
 
Old 05-05-2007, 04:04 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977
that's not going to be possible using port forwarding as the tcp session is established via a generic three way handshake before any protocol specific data is passed. that said, where i work we use linux based F5 load balancers which include tcp / udp proxies which proxy the connections instead of forwarding them, which could allow a middle point of inspection.

this looks like a reasonable background behind the problems you're facing and such, http://www.commsdesign.com/showArtic...cleID=16501983 but isn't an answer to the actual question. technically it's possible, but i'm not aware of a tool for the job. may well depend just how good a googler you are, picking the perfect keywords.

another angle might be looking at running a socks proxy, but then you need a socks client to reach it each time, which isn't what you're looking for really.

also... http://dag.wieers.com/howto/ssh-http-tunneling/

Last edited by acid_kewpie; 05-05-2007 at 04:12 AM.
 
Old 05-05-2007, 04:30 AM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677
I don't know what the intermediate service would be, but if ftp is for a private connection, you could use sftp instead. Then ssh and sftp would be using the same port.
 
Old 05-07-2007, 03:36 AM   #6
serge
Member
 
Registered: Apr 2007
Posts: 45

Original Poster
Rep: Reputation: 15
It isn't really an option to open multiple ports.

I need to connect from one network to the other. Since I can only connect through port 80, I want the server on the other network to listen for all services on just one port, if and however this is possible. Perhaps it would be possible to use apache name based virtual hosting for redirection, so connecting to ssh.domain.tld:80 would forward to ssh, ftp.domain.tld:80 would forward to ftp and www.domain.tld:80 would forward to http.
 
Old 05-07-2007, 04:56 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977
well that dag link would let you connect through apache to ssh, and so if that's sftp too, you've 3 mechanisms on one port...
 
Old 05-07-2007, 07:12 AM   #8
serge
Member
 
Registered: Apr 2007
Posts: 45

Original Poster
Rep: Reputation: 15
Unfortunately there is a downside to this solution.

FTP doesn't send a HOST header, so it always connects to the IP and only uses the hostname to look it up. For SSH I found ajaxterm as a (temporary) solution.

At this time the only challenge is FTP.
Perhaps a solution would be to proxy all non-name-based requests to the ftp server.

Last edited by serge; 05-07-2007 at 07:42 AM.
 
Old 05-07-2007, 08:14 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977
well what about sftp as discussed above?
 
Old 05-07-2007, 08:30 AM   #10
serge
Member
 
Registered: Apr 2007
Posts: 45

Original Poster
Rep: Reputation: 15
Well, SFTP might be an option (still looking into it), since it is a secure version of ftp I don't know if it is 'compatible' with namebased virtual hosting. Although at this point I have found a workaround for SSH (I don't know if SSH is normally compatible), I am unsure if my idea is at all possible or if I have reached the technical borders of TCP/IP and the higher layer protocols.

Best if I look into the possibilities (although I do not like the idea of reading RFCs)

Thanks all for the help so far (it is greatly appreciated)

I'll keep posting with developments here
 
Old 05-07-2007, 08:37 AM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977
well ftp / ssh won't send HOST headers themselves, and i'm honestly a little vague on that howto, but essentially it is a way to wrap the ssh / ftp / whatever traffic session into https which does have that information before the HTTPS connect.
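As an added example (not code from this thread, nor from apache, squid, the dag howto or any other tool mentioned above), the following Python demultiplexer is the "intermediate service" serge describes in post #3: it listens on the intermediate port, reads the first bytes a client sends, and proxies the whole connection to the SSH, HTTP or FTP backend on the ports from that post (the backend host 127.0.0.1, the 2 second peek timeout and the silent-client fallback are assumptions of this example). It also makes the limit from posts #8 and #11 concrete: an FTP server speaks first (the 220 greeting), so an FTP client sends nothing until the server does, and a content-inspecting proxy can only route such a connection by a configured fallback after a timeout, not by inspection.

```python
"""Content-based demultiplexer for several TCP services behind one port.

Added example for the LQ thread "Packet based port forwarding"; it is not
code from the thread or from any project discussed in it.
"""
import asyncio

# Backend ports as laid out in post #3. Hosts are an assumption of this example.
BACKENDS = {
    "http": ("127.0.0.1", 8080),
    "ssh": ("127.0.0.1", 8022),
    "ftp": ("127.0.0.1", 8021),
}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")
PEEK_TIMEOUT = 2.0            # seconds to wait for the client's first bytes (assumption)
SILENT_CLIENT_BACKEND = "ftp"  # protocol whose server speaks first, so its client stays silent


def classify_first_bytes(data: bytes) -> str:
    """Return 'ssh', 'http' or 'unknown' from the first bytes a client sent.

    SSH clients open with their identification string (RFC 4253); HTTP clients
    open with a request line. FTP clients send nothing before the server's
    greeting, so FTP can never be recognised here.
    """
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def choose_backend(first_bytes: bytes, timed_out: bool):
    """Map the peek result to a backend name, or None to drop the connection.

    A client that sent nothing before the timeout is routed to the one
    configured server-speaks-first protocol. Unrecognised data is dropped
    rather than guessed, so a probe never reaches a backend by accident.
    """
    if timed_out and not first_bytes:
        return SILENT_CLIENT_BACKEND
    kind = classify_first_bytes(first_bytes)
    return None if kind == "unknown" else kind


async def pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle_client(client_reader: asyncio.StreamReader,
                        client_writer: asyncio.StreamWriter) -> None:
    """Peek at the client's first bytes, pick a backend, then proxy both directions."""
    peer = client_writer.get_extra_info("peername")
    first, timed_out = b"", False
    try:
        first = await asyncio.wait_for(client_reader.read(1024), PEEK_TIMEOUT)
    except asyncio.TimeoutError:
        timed_out = True  # client is waiting for a server greeting (or is idle)
    name = choose_backend(first, timed_out)
    if name is None:
        print(f"{peer}: unrecognised first bytes {first[:16]!r}, dropping")
        client_writer.close()
        return
    host, port = BACKENDS[name]
    print(f"{peer}: {name} -> {host}:{port}")
    try:
        backend_reader, backend_writer = await asyncio.open_connection(host, port)
    except OSError as exc:
        print(f"{peer}: backend {name} unavailable: {exc}")
        client_writer.close()
        return
    if first:  # replay the peeked bytes so the backend sees an untouched stream
        backend_writer.write(first)
        await backend_writer.drain()
    await asyncio.gather(pipe(client_reader, backend_writer),
                         pipe(backend_reader, client_writer))


async def main(listen_port: int = 80) -> None:
    # Port 80 is the intermediate port from post #3; binding it needs privilege.
    server = await asyncio.start_server(handle_client, "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The peek is the whole trick: the TCP handshake has already completed (as acid_kewpie notes, it carries no protocol data), so the proxy accepts the connection itself, looks at the first application bytes, and only then opens the backend connection and replays those bytes. Because only one protocol can be the silent-client fallback, SSH clients that wait for the server banner and FTP clients are indistinguishable at this point, which is why the thread ends up at sftp over the one SSH port rather than FTP. Every routing decision and every dropped connection is logged, so unexpected traffic on the shared port shows up in the proxy's log rather than at a backend.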
 
All times are GMT -5.