c*n
2 楼
I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
the 22 port of my local box instead,
I tried the following but it doesn't work
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
DNAT --to-destination 127.0.0.0
sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
to-source $EXTERNAL_BOX_IP
any ideas?
Thanks a lot
the 22 port of my local box instead,
I tried the following but it doesn't work
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
DNAT --to-destination 127.0.0.0
sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
to-source $EXTERNAL_BOX_IP
any ideas?
Thanks a lot
i*s
3 楼
【 以下文字转载自 BuildingWeb 讨论区 】
发信人: interns (ruby), 信区: BuildingWeb
标 题: 请推荐一个开源,适合学习的,网站(比如论坛网站,卖东西的网站)项目
发信站: BBS 未名空间站 (Tue Aug 27 16:31:11 2013, 美东)
请推荐一个开源,适合学习的,网站(比如论坛网站,卖东西的网站)项目
想跟着学习。
觉得找到合适的开源项目,是学习IT的最佳捷径。
发信人: interns (ruby), 信区: BuildingWeb
标 题: 请推荐一个开源,适合学习的,网站(比如论坛网站,卖东西的网站)项目
发信站: BBS 未名空间站 (Tue Aug 27 16:31:11 2013, 美东)
请推荐一个开源,适合学习的,网站(比如论坛网站,卖东西的网站)项目
想跟着学习。
觉得找到合适的开源项目,是学习IT的最佳捷径。
c*n
5 楼
figured out, need one more line
sudo iptables -t nat -A POSTROUTING -d 127.0.0.0 -p tcp --dport 22 -j
SNAT --to-source 127.0.0.0
to
【在 c******n 的大作中提到】
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot
sudo iptables -t nat -A POSTROUTING -d 127.0.0.0 -p tcp --dport 22 -j
SNAT --to-source 127.0.0.0
to
【在 c******n 的大作中提到】
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot
j*a
9 楼
read this bible:
http://www.frozentux.net/documents/iptables-tutorial/
to
【在 c******n 的大作中提到】
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot
http://www.frozentux.net/documents/iptables-tutorial/
to
【在 c******n 的大作中提到】
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot
B*M
10 楼
没有stop是很烦。最近几天好几次睡觉前还大红,醒来变大绿。要是能设stop,起码还
能止赢一下。
能止赢一下。
z*r
11 楼
it should be
sudo iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_BOX_IP --dport 22 -j
DNAT --to-destionation 127.0.0.1
to
【在 c******n 的大作中提到】
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot
sudo iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_BOX_IP --dport 22 -j
DNAT --to-destionation 127.0.0.1
to
【在 c******n 的大作中提到】
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot
l*u
12 楼
你是试图做FORWARDING?
to
【在 c******n 的大作中提到】
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot
to
【在 c******n 的大作中提到】
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot
c*n
13 楼
i don't think so, PREROUTING is for incoming messages,
here the messages are generated by my local process ( ssh client )
I got it working in another post.
but here it is
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
j
【在 z**r 的大作中提到】
: it should be
: sudo iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_BOX_IP --dport 22 -j
: DNAT --to-destionation 127.0.0.1
:
: to
here the messages are generated by my local process ( ssh client )
I got it working in another post.
but here it is
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
j
【在 z**r 的大作中提到】
: it should be
: sudo iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_BOX_IP --dport 22 -j
: DNAT --to-destionation 127.0.0.1
:
: to
c*n
14 楼
but here's what I dont' understand:
I checked the packets in wireshark.
the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
after DNAT changes the dest IP, it goes through another routing decision, so
at this step it should be set to the lo interface, so MASQUERADE should set
its source to be 127.0.0.1 ???
also wireshark shows that the return ip is $EXTERNAL_BOX_IP to REAL_IP_OF_
CLIENT_BOX, this is fine. but how is my application able to receive this
packet in its TCP connection? my sshd is listening on localhost only, but
the packet is addressed to REAL_IP_OF_CLIENT_BOX
my ssh client opens a TCP connection to $EXTERNAL_BOX_IP, so the tcp
connection expects to
-j
【在 c******n 的大作中提到】
: i don't think so, PREROUTING is for incoming messages,
: here the messages are generated by my local process ( ssh client )
: I got it working in another post.
: but here it is
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
: DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
:
: j
I checked the packets in wireshark.
the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
after DNAT changes the dest IP, it goes through another routing decision, so
at this step it should be set to the lo interface, so MASQUERADE should set
its source to be 127.0.0.1 ???
also wireshark shows that the return ip is $EXTERNAL_BOX_IP to REAL_IP_OF_
CLIENT_BOX, this is fine. but how is my application able to receive this
packet in its TCP connection? my sshd is listening on localhost only, but
the packet is addressed to REAL_IP_OF_CLIENT_BOX
my ssh client opens a TCP connection to $EXTERNAL_BOX_IP, so the tcp
connection expects to
-j
【在 c******n 的大作中提到】
: i don't think so, PREROUTING is for incoming messages,
: here the messages are generated by my local process ( ssh client )
: I got it working in another post.
: but here it is
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
: DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
:
: j
l*u
15 楼
不管你想做什么,只要有那个127.0.0.1就不应该OK。
so
set
PORT
【在 c******n 的大作中提到】
: but here's what I dont' understand:
: I checked the packets in wireshark.
: the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
: I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
: after DNAT changes the dest IP, it goes through another routing decision, so
: at this step it should be set to the lo interface, so MASQUERADE should set
: its source to be 127.0.0.1 ???
: also wireshark shows that the return ip is $EXTERNAL_BOX_IP to REAL_IP_OF_
: CLIENT_BOX, this is fine. but how is my application able to receive this
: packet in its TCP connection? my sshd is listening on localhost only, but
so
set
PORT
【在 c******n 的大作中提到】
: but here's what I dont' understand:
: I checked the packets in wireshark.
: the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
: I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
: after DNAT changes the dest IP, it goes through another routing decision, so
: at this step it should be set to the lo interface, so MASQUERADE should set
: its source to be 127.0.0.1 ???
: also wireshark shows that the return ip is $EXTERNAL_BOX_IP to REAL_IP_OF_
: CLIENT_BOX, this is fine. but how is my application able to receive this
: packet in its TCP connection? my sshd is listening on localhost only, but
j*a
18 楼
兄弟,你还是用中文写吧
那个tutorial你看懂了一点 但是和ssh tunnel混淆了
你这里面只需要用到NAT OUTPUT,不需要NAT POSTROUTING
so
set
【在 c******n 的大作中提到】
: but here's what I dont' understand:
: I checked the packets in wireshark.
: the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
: I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
: after DNAT changes the dest IP, it goes through another routing decision, so
: at this step it should be set to the lo interface, so MASQUERADE should set
: its source to be 127.0.0.1 ???
: also wireshark shows that the return ip is $EXTERNAL_BOX_IP to REAL_IP_OF_
: CLIENT_BOX, this is fine. but how is my application able to receive this
: packet in its TCP connection? my sshd is listening on localhost only, but
那个tutorial你看懂了一点 但是和ssh tunnel混淆了
你这里面只需要用到NAT OUTPUT,不需要NAT POSTROUTING
so
set
【在 c******n 的大作中提到】
: but here's what I dont' understand:
: I checked the packets in wireshark.
: the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
: I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
: after DNAT changes the dest IP, it goes through another routing decision, so
: at this step it should be set to the lo interface, so MASQUERADE should set
: its source to be 127.0.0.1 ???
: also wireshark shows that the return ip is $EXTERNAL_BOX_IP to REAL_IP_OF_
: CLIENT_BOX, this is fine. but how is my application able to receive this
: packet in its TCP connection? my sshd is listening on localhost only, but
z*r
19 楼
老大,您把问题能一次说清楚吗?
-j
【在 c******n 的大作中提到】
: i don't think so, PREROUTING is for incoming messages,
: here the messages are generated by my local process ( ssh client )
: I got it working in another post.
: but here it is
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
: DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
:
: j
-j
【在 c******n 的大作中提到】
: i don't think so, PREROUTING is for incoming messages,
: here the messages are generated by my local process ( ssh client )
: I got it working in another post.
: but here it is
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
: DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
:
: j
c*n
20 楼
just run this on your linux box,
################################
# following is yahoo.com address
EXTERNAL_BOX_IP=67.195.160.76
PORT=10000
sudo iptables -t nat -F
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
###############################
then do nc -l 10000
as a fake server
then do nc 67.195.160.76 10000
and type a bunch of characters
you will see that the listener nc did get the characters you typed at the nc
client
so it worked, but I don't see why
【在 l*****u 的大作中提到】
: 你这个SCRIPT在哪里运行?
: 1. 在127.0.0.1上?那怎么可能抓到EXT_IP上的包?
: 2. 在EXT_IP上?那么那个127.0.0.1指的是EXT_IP. 鬼才知道是转到那个UNIT的。
: 这些是基础的网络知识。至于你说WORK了,基本上别的巧合。
################################
# following is yahoo.com address
EXTERNAL_BOX_IP=67.195.160.76
PORT=10000
sudo iptables -t nat -F
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
###############################
then do nc -l 10000
as a fake server
then do nc 67.195.160.76 10000
and type a bunch of characters
you will see that the listener nc did get the characters you typed at the nc
client
so it worked, but I don't see why
【在 l*****u 的大作中提到】
: 你这个SCRIPT在哪里运行?
: 1. 在127.0.0.1上?那怎么可能抓到EXT_IP上的包?
: 2. 在EXT_IP上?那么那个127.0.0.1指的是EXT_IP. 鬼才知道是转到那个UNIT的。
: 这些是基础的网络知识。至于你说WORK了,基本上别的巧合。
l*u
22 楼
貌似明白一点了,是说把从localhost 127.0.0.1上对EXT_IP port 22的包全部转发回
localhost 127.0.0.1 port 22? 貌似很easy呀。如果是hijack局域网内所有机子对EXT
_IP port22的包都发回某一个机子的port22, 你这个script就没有用, 除非局域网所有
的包都从你这个机子这儿过。
-j
nc
【在 c******n 的大作中提到】
: just run this on your linux box,
: ################################
: # following is yahoo.com address
: EXTERNAL_BOX_IP=67.195.160.76
: PORT=10000
: sudo iptables -t nat -F
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
: DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
: ###############################
localhost 127.0.0.1 port 22? 貌似很easy呀。如果是hijack局域网内所有机子对EXT
_IP port22的包都发回某一个机子的port22, 你这个script就没有用, 除非局域网所有
的包都从你这个机子这儿过。
-j
nc
【在 c******n 的大作中提到】
: just run this on your linux box,
: ################################
: # following is yahoo.com address
: EXTERNAL_BOX_IP=67.195.160.76
: PORT=10000
: sudo iptables -t nat -F
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
: DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
: ###############################
c*n
23 楼
yes, I only care about my tests on the local box.
the script is used in the context of JMX, please see my previous JMX post.
what I don't understand is basically how kernel is able to properly route
the response packet. it's probably easier to use a plain NAT example.
let's say my box is in a private network ,
my_box 192.168.1.2
||
||
\ /
\/
gateway_box 192.168.1.1 , public_ip : 111.222.333.888
||
||
\ /
\/
yahoo.com 111.222.333.444
on a regular NAT case, my_box sends to yahoo.com, the packet is routed to
gateway_box, gateway_box forwards it to yahoo.com, using the FORWARD chain.
gateway_box also applies MASQUERADE so that the source_ip of the packet
becomes the public ip of gateway.
from yahoo.com's view, it is really talking to the gateway_box, and sends a
response to 111.222.333.888.
my question is, when the gateway receives the response packet, how is it
able to figure out, to change the target ip (111.222.333.888) to which IP on
its internal network? it has to usesome sort of lookup tables, and the
only available key for that lookup table is the source port
EXT
【在 l*****u 的大作中提到】
: 貌似明白一点了,是说把从localhost 127.0.0.1上对EXT_IP port 22的包全部转发回
: localhost 127.0.0.1 port 22? 貌似很easy呀。如果是hijack局域网内所有机子对EXT
: _IP port22的包都发回某一个机子的port22, 你这个script就没有用, 除非局域网所有
: 的包都从你这个机子这儿过。
:
: -j
: nc
the script is used in the context of JMX, please see my previous JMX post.
what I don't understand is basically how kernel is able to properly route
the response packet. it's probably easier to use a plain NAT example.
let's say my box is in a private network ,
my_box 192.168.1.2
||
||
\ /
\/
gateway_box 192.168.1.1 , public_ip : 111.222.333.888
||
||
\ /
\/
yahoo.com 111.222.333.444
on a regular NAT case, my_box sends to yahoo.com, the packet is routed to
gateway_box, gateway_box forwards it to yahoo.com, using the FORWARD chain.
gateway_box also applies MASQUERADE so that the source_ip of the packet
becomes the public ip of gateway.
from yahoo.com's view, it is really talking to the gateway_box, and sends a
response to 111.222.333.888.
my question is, when the gateway receives the response packet, how is it
able to figure out, to change the target ip (111.222.333.888) to which IP on
its internal network? it has to usesome sort of lookup tables, and the
only available key for that lookup table is the source port
EXT
【在 l*****u 的大作中提到】
: 貌似明白一点了,是说把从localhost 127.0.0.1上对EXT_IP port 22的包全部转发回
: localhost 127.0.0.1 port 22? 貌似很easy呀。如果是hijack局域网内所有机子对EXT
: _IP port22的包都发回某一个机子的port22, 你这个script就没有用, 除非局域网所有
: 的包都从你这个机子这儿过。
:
: -j
: nc
c*n
24 楼
looks my guess is right
http://en.wikipedia.org/wiki/Network_address_translation#NAT_an
"
To avoid ambiguity in the handling of returned packets, a one-to-many NAT
must alter higher level information such as TCP/UDP ports in outgoing
communications and must maintain a translation table so that return packets
can be correctly translated back. RFC 2663 uses the term NAPT (network
address and port translation) for this type of NAT. Other names include PAT
(port address translation), IP masquerading, NAT Overload and many-to-one
NAT. Since this is the most common type of NAT it is often referred to
simply as NAT.
【在 c******n 的大作中提到】
: yes, I only care about my tests on the local box.
: the script is used in the context of JMX, please see my previous JMX post.
: what I don't understand is basically how kernel is able to properly route
: the response packet. it's probably easier to use a plain NAT example.
: let's say my box is in a private network ,
: my_box 192.168.1.2
: ||
: ||
: \ /
: \/
http://en.wikipedia.org/wiki/Network_address_translation#NAT_an
"
To avoid ambiguity in the handling of returned packets, a one-to-many NAT
must alter higher level information such as TCP/UDP ports in outgoing
communications and must maintain a translation table so that return packets
can be correctly translated back. RFC 2663 uses the term NAPT (network
address and port translation) for this type of NAT. Other names include PAT
(port address translation), IP masquerading, NAT Overload and many-to-one
NAT. Since this is the most common type of NAT it is often referred to
simply as NAT.
【在 c******n 的大作中提到】
: yes, I only care about my tests on the local box.
: the script is used in the context of JMX, please see my previous JMX post.
: what I don't understand is basically how kernel is able to properly route
: the response packet. it's probably easier to use a plain NAT example.
: let's say my box is in a private network ,
: my_box 192.168.1.2
: ||
: ||
: \ /
: \/
相关阅读
感觉在公司里被烙印领导搞得越来越边缘化了,求支招 (转载)怎么实现在后台查询的同时前段不断更新进度?[bssd] functional programming matters...Facebook announces React Fiber神经突触就是随机森林无人驾驶关键问题是盈利模式不好Kaggle入门问题 (转载)王垠:我为什么不在乎人工智能svm/svr还是不错的面向数据的编程与面向对象的编程[bssd]deep dreamFlask 写菜单:选项会根据另外一个菜单改变ParseServer 正式从Facebook转手给communityDummy Q: can web server code be unreadable from end user ?Baidi把无人驾驶技术开放了Go的并发和channel看上去非常厉害啊为什么grid search伤人品同时train segm和obj detectspacevimc++问题请教