• "portproxy" in linux

    From Tommi Koivula@2:221/1.1 to All on Sat Sep 26 11:01:32 2015
    Hi All.

    I have a Asus RT-N16 router, I've had it for years running with DD-WRT.

    Lately I updated the firmware to the latest AsusWRT-Merlin because it has support for dual-wan and ipv6 firewall. WAN1 is ADSL and WAN2 is 4G.

    No IPv6 support from the ISP's so I've set up a he.net tunnel in it and the router now has ipv6.

    Yesterday I installed entware and privoxy via opkg. Now I can use the proxy in the router for outgoing traffic from my OS/2 ipv4-only computer. :)

    The next task is to forward incoming ipv6 traffic to ipv4. I don't know much about linux, so please help me to tell the box how to forward ipv6 port 24554 to 192.168.1.2.

    Thanks! :)

    'Tommi

    ---
    * Origin: 2001:470:27:a::2 (2:221/1.1)
  • From Markus Reschke@2:240/1661 to Tommi Koivula on Sat Sep 26 10:53:14 2015
    Hello Tommi!

    Sep 26 12:01 2015, Tommi Koivula wrote to All:

    The next task is to forward incoming ipv6 traffic to ipv4. I don't
    know much about linux, so please help me to tell the box how to
    forward ipv6 port 24554 to 192.168.1.2.

    http://www.haproxy.org/

    Regards,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Markus Reschke@2:240/1661 to Tommi Koivula on Sat Sep 26 11:08:48 2015
    Hello Tommi!

    Sep 26 11:53 2015, Markus Reschke wrote to Tommi Koivula:

    http://www.haproxy.org/

    Example: http://www.koopman.me/2011/02/haproxy-for-ipv6-translation-to-ipv4-only-website/

    The important thing is to set the mode to TCP and to change the required ports. haproxy will work as proxy for any TCP based protocol.

    Regards,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Tommi Koivula@2:221/1.1 to Markus Reschke on Sat Sep 26 14:51:04 2015

    26 Sep 15 11:53, you wrote to me:

    The next task is to forward incoming ipv6 traffic to ipv4. I
    don't know much about linux, so please help me to tell the box
    how to forward ipv6 port 24554 to 192.168.1.2.

    http://www.haproxy.org/

    Thanks!

    Haproxy installed and running. :)

    Now I have a problem with the IPv6 firewall. It always blocks the inbound traffic from the tunnel even if I allowed port 24554 from the GUI of AsusWRT. From the router the forwarding works (telnet 2001:470:27:a::2 24554).

    'Tommi

    ---
    * Origin: ====================================== (2:221/1.1)
  • From Markus Reschke@2:240/1661 to Tommi Koivula on Sat Sep 26 14:57:24 2015
    Hi Tommi!

    Sep 26 15:51 2015, Tommi Koivula wrote to Markus Reschke:

    Now I have a problem with the IPv6 firewall. It always blocks the
    inbound traffic from the tunnel even if I allowed port 24554 from the
    GUI of AsusWRT. From the router the forwarding works (telnet 2001:470:27:a::2 24554).

    If possible, please enable firewall logging and check the log entries for IPv6 binkp. When you find drop/reject messages for binkp, then the next step is to evaluate the firewall rules. If you're lucky the log entries include the chain's name. That's based on how the rule sets are designed.

    Regards,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Tommi Koivula@2:221/1.1 to Markus Reschke on Sat Sep 26 17:33:34 2015
    26 Sep 15 15:57, you wrote to me:

    Now I have a problem with the IPv6 firewall. It always blocks the
    inbound traffic from the tunnel even if I allowed port 24554 from
    the GUI of AsusWRT. From the router the forwarding works (telnet
    2001:470:27:a::2 24554).

    If possible, please enable firewall logging and check the log entries for IPv6 binkp. When you find drop/reject messages for binkp, then the next step is to evaluate the firewall rules. If you're lucky the log entries include the chain's name. That's based on how the rule sets are designed.

    One log line of dropped inbound binkp:

    Sep 26 18:33:16 kernel: DROP <4>DROP IN=v6in4 OUT= MAC=00:e6:ba:a0:11:11:00:03:fa:56:9b:ac:08:00:45:00:00:5c:cf:d4:40:00:fa:29:c9:60:d8:42:50:5a:5b:9b:63:0b:60:00:00:00 TUNNEL=216.66.80.90->91.155.99.11 <1>SRC=2001:0470:1f15:0cb0:0000:0000:0000:0004 DST=2001:0470:0027:000a:0000:0000:0000:0002 <1>LEN=72 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP <1>SPT=57521 DPT=24554 SEQ=457283060 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204058C0103030801010402)

    91.155.99.11 is my router's IPv4 address,
    216.66.80.90 is the endpoint of the HE tunnel. 2001:0470:1f15:0cb0:0000:0000:0000:0004 is the address from which I tried to access binkd at 2001:0470:0027:000a:0000:0000:0000:0002.

    Here's the output of ip6tables-save:

    === Cut ===
    # Generated by ip6tables-save v1.3.8 on Sat Sep 26 18:41:06 2015
    *mangle
    :PREROUTING ACCEPT [13580:2593451]
    :INPUT ACCEPT [10638:2352811]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [14587:1570620]
    :POSTROUTING ACCEPT [14587:1570620]
    -A PREROUTING -d ff02::1:ff00:0/104 -i vlan2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
    -A PREROUTING -d ff02::1:ff00:0/104 -i vlan3 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
    -A FORWARD -m state --state NEW -j SKIPLOG
    COMMIT
    # Completed on Sat Sep 26 18:41:06 2015
    # Generated by ip6tables-save v1.3.8 on Sat Sep 26 18:41:06 2015
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [12616:1430065]
    :PControls - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -m rt --rt-type 0 -j logdrop
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
    -A INPUT -j logdrop
    -A FORWARD -m state --state INVALID -j logdrop
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -m rt --rt-type 0 -j DROP
    -A FORWARD -i br0 -o v6in4 -j ACCEPT
    -A FORWARD -i br0 -o v6in4 -j ACCEPT
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    -A FORWARD -d 2001:470:27:a::/64 -p tcp -m state --state NEW -m tcp --dport 24554 -j ACCEPT
    -A FORWARD -d 2001:470:28:a::/64 -p tcp -m state --state NEW -m tcp --dport 24554 -j ACCEPT
    -A FORWARD -i v6in4 -o br0 -j ACCEPT
    -A FORWARD -j logdrop
    -A OUTPUT -m rt --rt-type 0 -j logdrop
    -A PControls -j ACCEPT
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT
    # Completed on Sat Sep 26 18:41:06 2015
    === Cut ===

    'Tommi

    ---
    * Origin: ====================================== (2:221/1.1)
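    How to read that kernel log line, as an added example that is not part of the thread: the netfilter fields say which chain dropped the packet (IN set with an empty OUT= means the packet was addressed to the router itself, so the INPUT chain rather than FORWARD) and whether it was a fresh connection attempt. SAMPLE_LOG is the log line above with only the MAC= field trimmed out.

```shell
#!/bin/sh
# Added example, not from the thread: pick apart a netfilter DROP log line and
# say which chain dropped the packet and whether it was a new TCP connection.
# SAMPLE_LOG is the thread's own log line with the MAC= field trimmed out.

SAMPLE_LOG='Sep 26 18:33:16 kernel: DROP <4>DROP IN=v6in4 OUT= TUNNEL=216.66.80.90->91.155.99.11 <1>SRC=2001:0470:1f15:0cb0:0000:0000:0000:0004 DST=2001:0470:0027:000a:0000:0000:0000:0002 <1>LEN=72 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP <1>SPT=57521 DPT=24554 SEQ=457283060 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0'

# log_field LINE KEY: value of KEY=... (empty when KEY is absent or has no value).
# The <n> markers are syslog priority fragments, not part of the field names.
log_field() {
    printf '%s\n' "$1" | sed 's/<[0-9]*>//g' | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# has_flag LINE FLAG: succeed when the bare TCP flag token (SYN, ACK, ...) is present.
# "ACK=0" is the acknowledgement number, not the flag, and does not match.
has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# drop_chain LINE: which filter chain the packet was in when it was dropped.
# IN set, OUT empty: addressed to the router itself -> INPUT.
# IN and OUT set: being routed -> FORWARD.  IN empty: locally generated -> OUTPUT.
drop_chain() {
    in=$(log_field "$1" IN); out=$(log_field "$1" OUT)
    if [ -n "$in" ] && [ -z "$out" ]; then echo INPUT
    elif [ -n "$in" ] && [ -n "$out" ]; then echo FORWARD
    elif [ -z "$in" ] && [ -n "$out" ]; then echo OUTPUT
    else echo UNKNOWN; fi
}

# is_new_tcp_to LINE PORT: succeed for a pure SYN (new connection) to TCP port PORT.
is_new_tcp_to() {
    [ "$(log_field "$1" PROTO)" = TCP ] && [ "$(log_field "$1" DPT)" = "$2" ] \
        && has_flag "$1" SYN && ! has_flag "$1" ACK
}

# summary LINE: one-line verdict for a log line.
summary() {
    printf '%s chain dropped %s from %s on %s, new connection: %s\n' \
        "$(drop_chain "$1")" "$(log_field "$1" PROTO)/$(log_field "$1" DPT)" \
        "$(log_field "$1" SRC)" "$(log_field "$1" IN)" \
        "$(is_new_tcp_to "$1" "$(log_field "$1" DPT)" && echo yes || echo no)"
}

summary "$SAMPLE_LOG"
```

The "DROP " prefix itself comes from the logdrop chain's LOG rule, so the line says which chain jumped there only through the IN/OUT test above.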
  • From Markus Reschke@2:240/1661 to Tommi Koivula on Sat Sep 26 17:12:58 2015
    Hello Tommi!

    Sep 26 18:33 2015, Tommi Koivula wrote to Markus Reschke:

    One log line of dropped inbound binkp:

    Sep 26 18:33:16 kernel: DROP <4>DROP IN=v6in4 OUT=

    60:d8:42:50:5a:5b:9b:63:0b:60:00:00:00
    TUNNEL=216.66.80.90->91.155.99.11 <1>SRC=2001:0470:1f15:0cb0:0000:0000:0000:0004 DST=2001:0470:0027:000a:0000:0000:0000:0002 <1>LEN=72 TC=0
    HOPLIMIT=59 FLOWLBL=0 PROTO=TCP <1>SPT=57521 DPT=24554 SEQ=457283060 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204058C0103030801010402)

    91.155.99.11 is my router's IPv4 address,
    216.66.80.90 is the endpoint of the HE tunnel. 2001:0470:1f15:0cb0:0000:0000:0000:0004 is the address from which I tried to
    access binkd at 2001:0470:0027:000a:0000:0000:0000:0002.

    I assume that the router is your end of the 6in4 HE.net tunnel and haproxy is running on that router too. Is that right?

    In this case you would need to insert an INPUT rule before the logdrop:
    ip6tables -t filter -A INPUT -p tcp --destination-port 24554 -j ACCEPT

    Regards,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
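    Where that permit rule has to land, as an added example that is neither Markus's command nor the firmware's own code: in the ip6tables-save listing above the INPUT chain ends with `-A INPUT -j logdrop`, and `-A` appends after it, so an appended rule is never evaluated. The script below finds the catch-all's position and emits an `-I` command that goes just before it, narrowed to the tunnel interface and to new connections. SAMPLE_RULES is the thread's listing trimmed to a few rules.

```shell
#!/bin/sh
# Added example, not from the thread or the firmware: find where a permit rule
# must be inserted so it sits before the INPUT chain's catch-all logdrop.
# A rule added with -A is appended after that catch-all and is never evaluated.
# SAMPLE_RULES is the thread's ip6tables-save listing, trimmed to a few rules.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -i v6in4 -o br0 -j ACCEPT
-A FORWARD -j logdrop
-A logdrop -j DROP
COMMIT'

# catchall_pos CHAIN (rules on stdin): 1-based index of CHAIN's first unconditional
# terminating rule ("-A CHAIN -j TARGET" with no match); prints nothing if none.
catchall_pos() {
    awk -v c="$1" '$1 == "-A" && $2 == c {
        n++; if (NF == 4 && $3 == "-j") { print n; exit } }'
}

# append_is_reachable CHAIN (rules on stdin): succeed only if a rule appended
# with -A could ever be evaluated, i.e. CHAIN has no catch-all.
append_is_reachable() {
    [ -z "$(catchall_pos "$1")" ]
}

# permit_rule_cmd CHAIN IFACE PORT (rules on stdin): the ip6tables command that
# inserts a TCP permit rule right before CHAIN's catch-all. It is narrowed to the
# tunnel interface and to new connections; replies are already covered by the
# RELATED,ESTABLISHED rule, and the rt-type 0 drop stays ahead of it.
permit_rule_cmd() {
    pos=$(catchall_pos "$1")
    [ -n "$pos" ] || pos=1    # no catch-all: front of the chain is the safe choice
    printf 'ip6tables -I %s %s -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$1" "$pos" "$2" "$3"
}

printf '%s\n' "$SAMPLE_RULES" | permit_rule_cmd INPUT v6in4 24554
```

Against the full listing in the thread the INPUT catch-all is rule 29, so the command comes out as `ip6tables -I INPUT 29 ...`; a rule added by hand is gone after a reboot unless a startup script re-applies it, which the thread raises as the next step.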
  • From Tommi Koivula@2:221/6 to Markus Reschke on Sat Sep 26 18:47:10 2015
    On 26.9.2015 19:12, Markus Reschke - Tommi Koivula wrote:

    I assume that the router is your end of the 6in4 HE.net tunnel and
    haproxy is running on that router too. Is that right?

    Yes.

    In this case you would need to insert an INPUT rule before the logdrop:
    ip6tables -t filter -A INPUT -p tcp --destination-port 24554 -j ACCEPT

    I'll try to find a way to do it. ;)

    'Tommi

    --- Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.
    * Origin: *** JamNNTPd @ nntp://fidonews.mine.nu *** Finland *** (2:221/6)
  • From Benny Pedersen@1:261/38.20 to Markus Reschke on Sat Sep 26 18:06:38 2015
    Hello Markus!

    26 Sep 2015 12:08, Markus Reschke wrote to Tommi Koivula:

    Hello Tommi!

    Sep 26 11:53 2015, Markus Reschke wrote to Tommi Koivula:

    http://www.haproxy.org/

    Example: http://www.koopman.me/2011/02/haproxy-for-ipv6-translation-to-ipv4-only-website/

    The important thing is to set the mode to TCP and to change the
    required ports. haproxy will work as proxy for any TCP based protocol.

    or install xinetd on openWRT; in a service use REDIRECT (incoming traffic only, not outgoing)

    ----- xinetd.manpage begins -----

    redirect Allows a tcp service to be redirected to another host. When xinetd receives a tcp connection on this port it spawns a process that establishes a connection to the host and port number specified, and forwards all data between the two hosts. This option is useful when your internal machines are not visible to the outside world. Syntax is: redirect = (ip address) (port). You can also use a hostname instead of the IP address in this field. The hostname lookup is performed only once, when xinetd is started, and the first IP address returned is the one that is used until xinetd is restarted. The "server" attribute is not required when this option is specified. If the "server" attribute is specified, this attribute takes priority.

    ----- xinetd.manpage ends -----

    The only downside is that if the redirected host changes IPs one needs to reload xinetd :(

    Regards Benny

    ... there can only be one way of life, and it works :)

    --- Msged/LNX 6.2.0 (Linux/4.2.0-gentoo-r1 (i686))
    * Origin: openvpn on its way here (1:261/38.20)
  • From Tommi Koivula@2:221/1.1 to Markus Reschke on Sat Sep 26 19:22:40 2015
    26 Sep 15 19:47, I wrote to Markus Reschke:

    ip6tables -t filter -A INPUT -p tcp --destination-port 24554 -j
    ACCEPT

    I'll try to find a way to do it. ;)

    Done!

    BinkD/2 (2:221/0) should now answer at 2001:470:27:a::2.

    Finally I need to make sure my settings remain after reboot. ;)

    Thanks Markus!

    'Tommi

    ---
    * Origin: ====================================== (2:221/1.1)
  • From Markus Reschke@2:240/1661 to Tommi Koivula on Sat Sep 26 18:39:02 2015
    Hi Tommi!

    Sep 26 20:22 2015, Tommi Koivula wrote to Markus Reschke:

    BinkD/2 (2:221/0) should now answer at 2001:470:27:a::2.

    $ telnet 2001:470:27:a::2 24554
    Trying 2001:470:27:a::2...
    Connected to 2001:470:27:a::2.
    Escape character is '^]'.
    .OPT CRAM-MD5-1264e9f89dec8088e16d9c4dc38e28ee
    SYS RBB/2ZYZ Tommi KoivulaLOC Lake Ylo, Finland
    NDL IBN,CM%TIME Sat, 26 Sep 2015 20:38:25 +0300 VER binkd/1.1a-73/OS2 binkp/1.1

    Looks fine!

    Finally I need to make sure my settings remain after reboot. ;)

    A very good idea ;)

    Thanks Markus!

    You're welcome!

    Regards,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Benny Pedersen@1:261/38.20 to Tommi Koivula on Sat Sep 26 19:14:32 2015
    Hello Tommi!

    26 Sep 2015 19:47, Tommi Koivula wrote to Markus Reschke:

    I'll try to find a way to do it. ;)

    shorewall.net asks for an OpenWRT port

    even my own AnTMiner has an openWRT router (bitcoins)

    if you want to bridge Wireless IN to Ethernet outgoing, I got that reversed to work; it was not designed for that stupidity but it worked :=)

    so all that was left for me was just to tell it that eth0 should have a DHCP SERVER, not a DHCP CLIENT

    put a switch on the AnTMiner and you have a router that has a wireless UPLINK and an Ethernet LAN

    Regards Benny

    ... there can only be one way of life, and it works :)

    --- Msged/LNX 6.2.0 (Linux/4.2.0-gentoo-r1 (i686))
    * Origin: openvpn on its way here (1:261/38.20)
  • From Matt Bedynek@1:19/10 to Tommi Koivula on Tue Sep 29 08:23:06 2015
    On Sat, 26 Sep 2015 20:51:04 +0300, Tommi Koivula wrote:

    Now I have a problem with the IPv6 firewall. It always blocks the
    inbound traffic from the tunnel even if I allowed port 24554 from the
    GUI of AsusWRT. From the router the forwarding works (telnet 2001:470:27:a::2 24554).

    Your tunnelled traffic is likely a GRE tunnel (ip protocol 41). If
    you permit all traffic to or from the tunnel address for protocol 41
    it should resolve your issues.

    ---
    * Origin: The Byte Museum - news: news.bytemuseum.org (1:19/10)