View Full Version : does port mapping work in reverse?

Lokrado
Aug 11, 2010, 04:38 PM
Does port mapping work in reverse?
Say I have an AEBS and I change port 1 from the external to port 2 on the internal network, would my outgoing traffic from my internal network on port 2 be forwarded to port 1 on the external network?

The same goes for on a Mac: is there a command I can do to make port mapping on the device, in reverse as well?

Say I wanted to make an L2TP server running on OS X Server run on port 23; I would need to map on the AEBS and on the client.
Or is there a different way I could do this?



CaliJ177
Aug 11, 2010, 11:25 PM
Hope I understood your question correctly. Here goes!

Normally, yes, port mapping does work both ways.

If your client is on the internal network, you need to make sure the client knows to connect to the server's internal IP using port 23.

If your client is on the internet, you need to make sure the client knows to connect to your external IP using whatever port you map to the server's port 23.

The port mapping on the router only needs to be done if you want to connect to the server from the internet.

Lokrado
Aug 12, 2010, 03:00 AM
Right, how do I do port mapping on the Mac?

belvdr
Aug 12, 2010, 06:38 AM
Right, how do I do port mapping on the Mac?

In the application or its configuration files.

Lokrado
Aug 12, 2010, 08:06 AM
In the application or its configuration files.

The application would be System Preferences and the configuration files are inaccessible; anything else you want to add while talking about L2TP, which uses UDP 1701 and is not meant to be changed?

AKA, I'm looking for a terminal command/utility.

belvdr
Aug 12, 2010, 08:37 AM
The application would be System Preferences and the configuration files are inaccessible; anything else you want to add while talking about L2TP, which uses UDP 1701 and is not meant to be changed?

AKA, I'm looking for a terminal command/utility.

If it's not meant to be changed, then why would you change it? All of OS X's configuration files are accessible.

Your description above is confusing when you say moving port 1 to port 2. It's not clear what you're trying to do.

timbloom
Aug 12, 2010, 09:34 AM
Does port mapping work in reverse?
Say I have an AEBS and I change port 1 from the external to port 2 on the internal network, would my outgoing traffic from my internal network on port 2 be forwarded to port 1 on the external network?

The same goes for on a Mac: is there a command I can do to make port mapping on the device, in reverse as well?

Say I wanted to make an L2TP server running on OS X Server run on port 23; I would need to map on the AEBS and on the client.
Or is there a different way I could do this?

We could probably help you best if you could explain exactly what you're intending to do, and why you can't do it on standard ports. I don't typically suggest running any services on non-standard ports if you can help it.

Lokrado
Aug 12, 2010, 10:16 AM
We could probably help you best if you could explain exactly what you're intending to do, and why you can't do it on standard ports. I don't typically suggest running any services on non-standard ports if you can help it.

Usually when people want to run something standardized on non-standardized ports, they're either a) behind a firewall they do not control or b) behind a proxy they do not control. Both like that of a school's, an ISP's or a corporate's. :D

Now, to receive the non-standardized connection with standardized software on a network I do not control, I would need an in-machine port mapping app or terminal utility. I do not want to configure the apps, as I use these standardized protocols normally in other places, hence the port mapping, or port changing if you will.

I found this, but it seems to attempt to modify the router's settings, which I do not have access to.
http://www.codingmonkeys.de/portmap/

And if I can access and read/modify the System Preferences and/or VPN client config file, I'll eat my hat and freak out due to security issues.....

Alrescha
Aug 12, 2010, 11:20 AM
I would need an in-machine port mapping app or terminal utility. I do not want to configure the apps, as I use these standardized protocols normally in other places, hence the port mapping, or port changing if you will.


The firewall used by OS X (IPFW) will do port mapping for you. If you google for that plus OS X you will find many examples of how to do it and you can select the method that most suits you.


And if I can access and read/modify the System Preferences and/or VPN client config file, I'll eat my hat and freak out due to security issues.....

If you are the administrator of the box, you can modify anything and everything in it. Anything else would be silly.

A.

Lokrado
Aug 12, 2010, 01:00 PM
The firewall used by OS X (IPFW) will do port mapping for you. If you google for that plus OS X you will find many examples of how to do it and you can select the method that most suits you.

So something like this?

25100 allow udp from any 67 to any dst-port 68 in

Would that forward port 67 to 68 on UDP inbound? What about outbound? What does the DST mean?

If you are the administrator of the box, you can modify anything and everything in it. Anything else would be silly.

Right, but in, say, a FireWire disk mode scenario?

CaliJ177
Aug 12, 2010, 01:34 PM
So something like this?

25100 allow udp from any 67 to any dst-port 68 in

Would that forward port 67 to 68 on UDP inbound? What about outbound? What does the DST mean?


That only adds a firewall rule. Simply put, it means the firewall will allow UDP traffic from any source IP on port 67 to travel to any destination IP on port 68 through the inbound traffic flow on the firewall.

It won't do the actual port translation.

What you want is a static NAT statement. It's been a long time since I have had to mess with the IPFW stuff, so I can't remember the syntax, but look up the natd and divert commands.

Still not sure why you want to do this on your client computer. You shouldn't need to mess with the firewall and NAT rules just to get your client software to connect to a service on a non-standard port.

Lokrado
Aug 12, 2010, 02:07 PM
Still not sure why you want to do this on your client computer. You shouldn't need to mess with the firewall and NAT rules just to get your client software to connect to a service on a non-standard port.

Well, how would you do it then? I'm specifically wanting to use the built-in VPN client, and I don't see any option to change ports.

Alrescha
Aug 12, 2010, 02:37 PM
25100 allow udp from any 67 to any dst-port 68 in

Would that forward port 67 to 68 on UDP inbound? What about outbound? What does the DST mean?


Unless you have the firewall turned on, it's already allowing all traffic anyway. All you would need is something like this:

sudo ipfw add 100 forward 127.0.0.1,22 ip from any to any 33 in

The syntax is a bit funny, but this means 'send any inbound traffic for port 33 to localhost port 22'. Note, you do *not* need any natd/divert statements as suggested by the previous poster since you aren't doing any NAT.

A.
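Added example, not from the thread or from any of its posters: a small Python model of the two rule shapes quoted above, the "allow" rule CaliJ177 explains and the "forward" rule Alrescha gives, showing that only the forward rule rewrites the destination port, and only in the direction the rule names. The grammar it accepts is an assumed subset of ipfw syntax and the matching is a simplification of the real firewall; it is there to make the semantics visible, not to stand in for ipfw.

```python
import re
from dataclasses import dataclass, replace

# Constructed model of the ipfw rule subset used in this thread; not real ipfw.
RULE_RE = re.compile(
    r"^(?:sudo\s+)?(?:ipfw\s+)?(?:add\s+)?(\d+)\s+(allow|deny|forward)"
    r"(?:\s+([\d.]+),(\d+))?\s+(\S+)\s+from\s+(\S+)(?:\s+(\d+))?"
    r"\s+to\s+(\S+)(?:\s+(?:dst-port\s+)?(\d+))?(?:\s+(in|out))?$")

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"

def parse_rule(text):
    """Parse one rule into a dict; None means 'not constrained'."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    num, action, fhost, fport, proto, src, sport, dst, dport, dirn = m.groups()
    return {"num": int(num), "action": action,
            "fwd": (fhost, int(fport)) if fhost else None,
            "proto": proto, "src": src, "sport": int(sport) if sport else None,
            "dst": dst, "dport": int(dport) if dport else None, "dir": dirn}

def matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt.proto)
            and rule["src"] in ("any", pkt.src)
            and rule["sport"] in (None, pkt.sport)
            and rule["dst"] in ("any", pkt.dst)
            and rule["dport"] in (None, pkt.dport)
            and rule["dir"] in (None, pkt.direction))

def apply_rules(rules, pkt):
    """First matching rule (lowest number) decides. Returns (verdict, packet)."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "forward":
            host, port = rule["fwd"]   # rewrite the destination, nothing else
            return "forward", replace(pkt, dst=host, dport=port)
        return rule["action"], pkt     # allow/deny leave the packet untouched
    return "allow", pkt                # assumed default: accept when nothing matches

ALLOW_RULE = parse_rule("25100 allow udp from any 67 to any dst-port 68 in")
FWD_RULE = parse_rule("sudo ipfw add 100 forward 127.0.0.1,22 ip from any to any 33 in")
```

Run the page's two rules through `apply_rules` with a constructed inbound packet for each, and an outbound one for the forward rule, to see which of them changes the destination.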

Lokrado
Aug 12, 2010, 03:23 PM
Unless you have the firewall turned on, it's already allowing all traffic anyway. All you would need is something like this:

sudo ipfw add 100 forward 127.0.0.1,22 ip from any to any 33 in

The syntax is a bit funny, but this means 'send any inbound traffic for port 33 to localhost port 22'. Note, you do *not* need any natd/divert statements as suggested by the previous poster since you aren't doing any NAT.

A.

Thank you! Makes sense!
What would happen to the traffic going out of local port 22? Would it get sent through port 33?

Alrescha
Aug 12, 2010, 11:50 PM
What would happen to the traffic going out of local port 22? Would it get sent through port 33?

Outbound traffic that is a response to inbound traffic to port 33 would be sent from port 33. If some other machine talks directly to port 22, the return traffic would be sent from port 22.

A.

timbloom
Aug 13, 2010, 12:40 AM
Unless you have the firewall turned on, it's already allowing all traffic anyway. All you would need is something like this:

sudo ipfw add 100 forward 127.0.0.1,22 ip from any to any 33 in

The syntax is a bit funny, but this means 'send any inbound traffic for port 33 to localhost port 22'. Note, you do *not* need any natd/divert statements as suggested by the previous poster since you aren't doing any NAT.

A.

This should work, but you'd need the rule on both the server, and then reverse the ports on the client if you plan to not set any app or service to non-standard ports.

You've stated this is on a network you don't have control over. There may be legal issues involved here, as you're actually granting yourself non-authorized remote access to the network (more serious than you may think). To be safe I'd verify that you have permission to do this. I don't know your particular situation, but this is just to warn you that if it's a work machine you could put your job on the line. Though, if their network operators are competent, your attempt to circumvent may be futile as other ports are likely to be under the same restrictions. Also, many companies have VPNs already that you can use.

If it's just another restrictive ISP, you're usually pretty safe to run stuff on nonstandard ports, but it may violate your terms of use. But also sometimes just a quick call to them may get your traffic unblocked on the port you are wanting to use. I personally purchase a block of static IPs from my ISP and they allow me to run any service I wish (with the exception of illegal content, spam/malware, and pornography IIRC) for an extra $15 a month.

Lokrado
Aug 13, 2010, 02:37 AM
This should work, but you'd need the rule on both the server, and then reverse the ports on the client if you plan to not set any app or service to non-standard ports.

Which is what I plan to do.

Though, if their network operators are competent, your attempt to circumvent may be futile as other ports are likely to be under the same restrictions.

I know which ports I'm able to use.

Also, many companies have VPNs already that you can use.

Yeah, these have either PPTP or L2TP, which both run on standardized ports, or OpenVPN, which on the Mac has no support for the 64-bit kernel, at least not in a properly functioning way; I know the tuntap drivers are updated.