Warith AL Maawali
The art of port forwarding on Linux

23/03/2014

Stealth Navigation with Port Forwarding on Linux

You sometimes need port forwarding to stay stealthy and move from one node to another to cover your tracks. Why choose Linux for this task? Because it is stable and offers many options you don't get on Windows.
There are many tools out there, but we have picked the ones we have tried, as explained below:

  • Rinetd Score: 3/10. Limited number of connections.
  • Socat Score: 6/10. High RAM consumption; more connections = more RAM.
  • Redir Score: 8/10. Same as above, but about 20% less RAM.
  • Haproxy Score: 10/10. An HTTP, HTTPS and TCP load balancer that can also be used purely to forward TCP traffic, with only light CPU and RAM usage.
  • Iptables Score: 10/10. Perfect: usage is 0 CPU and 12 MB RAM including the OS!

Rinetd:

To install rinetd, we simply run:

sudo apt-get update
sudo apt-get install rinetd

rinetd's configuration file is /etc/rinetd.conf.

nano /etc/rinetd.conf

To forward traffic arriving at your internet node IP 212.72.6.1 on port 808 to remote node 62.41.90.2 on port 443, add this line:

212.72.6.1 808 62.41.90.2 443

To forward from all local IPs on port 808 to 62.41.90.2 on port 443:

0.0.0.0 808 62.41.90.2 443

Then we restart rinetd:

/etc/init.d/rinetd restart
#or
service rinetd restart

Socat:

To install Socat, we run:

sudo apt-get update
sudo apt-get install socat

To run socat and forward traffic from your internet node IP 212.72.6.1 port 808 to remote node 62.41.90.2 port 443, run the following command (it listens on all local addresses; add ,bind=212.72.6.1 to the LISTEN part to restrict it to that IP):

socat TCP4-LISTEN:808,fork TCP4:62.41.90.2:443

To forward traffic from your internet node from port 9090 to remote node 62.41.90.2 port 22, and also forward traffic from port 81 to port 21 on ftp.microsft.com, run the following commands:

# run each listener in the background with & instead of piping one socat into the
# other: socat does not use stdin/stdout here, and a pipeline would block the shell
socat TCP4-LISTEN:9090,fork TCP4:62.41.90.2:22 &
socat TCP4-LISTEN:81,fork TCP4:ftp.microsft.com:21 &

Redir:

To install redir, we simply run:

sudo apt-get update
sudo apt-get install redir

To run redir and forward traffic from your internet node IP 212.72.6.1 port 808 to remote node 62.41.90.2 port 443, run the following command:

redir --laddr=212.72.6.1 --lport=808 --caddr=62.41.90.2 --cport=443

To forward traffic from your internet node 212.72.6.1 from port 9090 to remote node 62.41.90.2 port 22, and also forward traffic from port 81 to port 21 on ftp.microsft.com, run the following commands:

# each redir instance runs as its own background process (&), not as a pipeline
redir --laddr=212.72.6.1 --lport=9090 --caddr=62.41.90.2 --cport=22 &
redir --laddr=212.72.6.1 --lport=81 --caddr=ftp.microsft.com --cport=21 &

Haproxy:

At the moment haproxy can only be retrieved from the sid (unstable) repository, so you need to make the following change. Open the sources list:

nano /etc/apt/sources.list

and add the following line:

deb http://ftp.de.debian.org/debian sid main

To install haproxy, we simply run:

sudo apt-get update
sudo apt-get install haproxy

We need to set ENABLED to 1 in /etc/default/haproxy in order to get the init scripts working:

nano /etc/default/haproxy

Configure it by adding the server details at the end of the listen http-in section:

nano /etc/haproxy/haproxy.cfg

In the defaults section change mode http to tcp:

mode    tcp

Then add the following to accept connections on ports 80 and 443 and forward them to 6 different servers (two server lines are shown; add one line per server):

global
        stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin # creates a Unix socket to fetch stats
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon
        maxconn 99999

defaults
        log     global
        mode    tcp
        contimeout 500000
        clitimeout 500000
        srvtimeout 500000

listen http-in
        option tcplog
        option logasap
        contimeout 500000
        clitimeout 500000
        srvtimeout 500000
        maxconn 99999
        bind 0.0.0.0:80
        bind 0.0.0.0:443
        server server-1 ip:port maxconn 5000
        server server-2 ip:port maxconn 10000

listen  stats   0.0.0.0:1936
        mode            http
        #log             global
        maxconn 10
        clitimeout      100s
        srvtimeout      100s
        contimeout      100s
        timeout queue   100s
        stats enable
        stats hide-version
        stats refresh 30s
        stats show-node
        stats auth admin:your_password_here
        stats uri  /haproxy?stats

Run this command to create the required directory:

mkdir /var/run/haproxy/

To access the statistics report, visit the following URL (using the port bound in the listen stats section) and make sure you log in with the account set in haproxy.cfg:

http://www.your-haproxy-server-ip.com:11936/haproxy?stats

To run as daemon:

cd /etc/haproxy/
haproxy -f haproxy.cfg -D

Or use the following:

/etc/init.d/haproxy start
/etc/init.d/haproxy stop
/etc/init.d/haproxy restart

To check the IPs of connected clients:

# You need to install netcat first:
apt-get install netcat-openbsd

# Then run the following command:
echo show sess | nc -U /var/run/haproxy/haproxy.sock | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq -c
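As an added example (not from the original post), the same session count done on the client field of `show sess` only, plus a threshold check that flags a client holding more sessions than expected. The session dump is constructed, and the `src=` / `source=` field names are assumed from HAProxy's own dump format.

```shell
#!/bin/sh
# Added example, not from the original post: count HAProxy sessions per client
# by keying on the client field of `show sess` rather than on any dotted quad in
# the line, and flag a client holding more sessions than expected.

# Constructed sample of `echo show sess | nc -U /var/run/haproxy/haproxy.sock`
# output (1.4/1.5-era layout, which prints src=; newer releases print source=,
# handled below as well).
SAMPLE_SESS='0x5590c1a2b3c0: proto=tcpv4 src=203.0.113.10:51234 fe=http-in be=http-in srv=server-1 ts=08 age=1s calls=2 exp=
0x5590c1a2b4d0: proto=tcpv4 src=203.0.113.10:51240 fe=http-in be=http-in srv=server-2 ts=08 age=3s calls=1 exp=
0x5590c1a2b5e0: proto=tcpv4 src=198.51.100.7:40001 fe=http-in be=http-in srv=server-1 ts=08 age=10s calls=4 exp=
0x5590c1a2b6f0: proto=tcpv4 src=203.0.113.10:51250 fe=http-in be=http-in srv=server-1 ts=08 age=0s calls=1 exp='

# Read session lines on stdin; print "<count> <client ip>", busiest client first.
count_src_ips() {
    sed -n -e 's/.* src=\([0-9.]*\):[0-9]*.*/\1/p' \
           -e 's/.* source=\([0-9.]*\):[0-9]*.*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print the first client whose session count is at least $1; print nothing
# (and return 1) when every client is under the threshold.
busiest_over() {
    count_src_ips | awk -v max="$1" '$1 >= max { print $2; found = 1; exit }
                                     END { exit !found }'
}

# Offline demonstration on the constructed dump; on a live box replace the
# printf with the nc command shown above.
printf '%s\n' "$SAMPLE_SESS" | count_src_ips
if ip=$(printf '%s\n' "$SAMPLE_SESS" | busiest_over 3); then
    echo "client $ip holds 3 or more sessions"
fi
```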

Troubleshooting:

For some reason, if the load is too high the Haproxy service will stop running, so the only way to make sure it stays alive is to monitor it and restart it using the monit tool, as follows:

sudo apt-get install monit

Now edit the config file

sudo nano /etc/monit/monitrc

# change 'set daemon 120' to 'set daemon 5'
# uncomment the following lines:

set httpd port 2812 and
use address localhost  # only accept connection from localhost
allow localhost        # allow localhost to connect to the server and
allow admin:monit      # require user 'admin' with password 'monit'
allow @monit           # allow users of group 'monit' to connect (rw)
allow @users readonly  # allow users of group 'users' to connect readonly

# Now go to the end of the file and paste the following:
check process haproxy with pidfile /var/run/haproxy.pid
start program = "/etc/init.d/haproxy start"
stop program = "/etc/init.d/haproxy stop"

Check that your syntax is correct; if it is not, you will get an error:

monit -t

Now that the configuration is done, let us run it:

monit

To check the status:

monit status

To reload:

monit reload

After resolving any possible syntax errors, you can start running all of the monitored programs by:

monit start all

If you are getting the following error:

[....] Restarting haproxy: haproxy[ALERT] 221/134103 (1900) : cannot bind socket for UNIX listener (/var/run/haproxy/haproxy.sock). Aborting.
[ALERT] 221/134103 (1900) : [/usr/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
 failed!

Open /etc/haproxy/haproxy.cfg and comment out the following line:

stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin #Creates Unix-Like socket to fetch stats

Extra commands for logging purpose only:

create a HAProxy config file for rsyslog:

nano /etc/rsyslog.d/haproxy.conf

Then add the following:

if ($programname == 'haproxy' and $syslogseverity-text == 'info') then -/var/log/haproxy/haproxy-info.log
& ~
if ($programname == 'haproxy' and $syslogseverity-text == 'notice') then -/var/log/haproxy/haproxy-notice.log
& ~

This will rotate your HAProxy logs daily and keep them for 4 weeks.

nano /etc/logrotate.d/haproxy

Add the following:

/var/log/haproxy/*.log {
    daily
    missingok
    rotate 28
    compress
    delaycompress
    notifempty
    create 644 root adm
    sharedscripts
    postrotate
        /etc/init.d/haproxy reload > /dev/null
    endscript
}

Iptables:

To forward using iptables you don't need to install any tool. To forward traffic from your internet node IP 212.72.6.1 port 808 to remote node 62.41.90.2 port 443, run the following commands:

iptables -F          # flushes every existing rule in the filter table
iptables -F -t nat   # and in the nat table, so any earlier firewall rules are gone
echo 1 >| /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -d 212.72.6.1 --dport 808 -j DNAT --to 62.41.90.2:443
iptables -t nat -A POSTROUTING -j MASQUERADE

List your changes:

iptables -L -t nat

To forward traffic from your internet node 212.72.6.1 from port 9090 to remote node 62.41.90.2 port 22, and also forward traffic from port 81 to port 21 on ftp.microsft.com, run the following commands:

iptables -F
iptables -F -t nat
echo 1 >| /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -d 212.72.6.1 --dport 9090 -j DNAT --to 62.41.90.2:22
iptables -t nat -A PREROUTING -p tcp -d 212.72.6.1 --dport 81 -j DNAT --to 67.215.65.132:21   # iptables does not take domain names here; use the IP (how to automate this is shown below)
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -L -t nat

Display Iptables counters:

watch --interval 0 'iptables -nvL | grep -v "0     0"'

or

touch /tmp/prev; while true; do iptables -nvL > /tmp/now; diff -U0 /tmp/prev /tmp/now > /tmp/diff; clear; cat /tmp/diff; mv /tmp/now /tmp/prev; sleep 1; done

Startup script:

For socat, redir, and iptables you will need to put the commands in a start-up script so they run each time your node boots.

Create a boot script:

nano /etc/init.d/myfwd

Add the following for socat:

#!/bin/bash
# background each listener with & so the boot script does not block
socat TCP4-LISTEN:9090,fork TCP4:62.41.90.2:22 &
socat TCP4-LISTEN:81,fork TCP4:ftp.microsft.com:21 &

Add the following for redir:

#!/bin/bash
# background each instance with & so the boot script does not block
redir --laddr=212.72.6.1 --lport=9090 --caddr=62.41.90.2 --cport=22 &
redir --laddr=212.72.6.1 --lport=81 --caddr=ftp.microsft.com --cport=21 &

Add the following for iptables:

#!/bin/bash
iptables -F
iptables -F -t nat
echo 1 >| /proc/sys/net/ipv4/ip_forward
iptables -t nat -A  PREROUTING -p tcp -d  212.72.6.1 --dport 9090 -j DNAT --to 62.41.90.2:22
iptables -t nat -A PREROUTING -p tcp -d 212.72.6.1 --dport 81 -j DNAT --to 67.215.65.132:21   # iptables does not take domain names here; use the IP (how to automate this is shown below)
iptables -t nat  -A POSTROUTING -j MASQUERADE

If you need to get the IP automatically from a domain name, use the dig command from the dnsutils package:

sudo apt-get install dnsutils

Then add the following for iptables:

#!/bin/bash
iptables -F
iptables -F -t nat
echo 1 >| /proc/sys/net/ipv4/ip_forward
IP_ADDR=$(dig +short ftp.microsft.com | awk 'NR==1')   # first address dig returns
iptables -t nat -A PREROUTING -p tcp -d 212.72.6.1 --dport 9090 -j DNAT --to 62.41.90.2:22
iptables -t nat -A PREROUTING -p tcp -d 212.72.6.1 --dport 81 -j DNAT --to $IP_ADDR:21
iptables -t nat -A POSTROUTING -j MASQUERADE
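An added example (not from the original post) that checks what dig returns before it goes into the DNAT rule: `dig +short` on a CNAME prints the alias name first, and prints nothing when resolution fails, and `awk 'NR==1'` would hand either straight to iptables. The dig output below is constructed, and `first_ipv4` and `dnat_rule_from` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: pick a usable IPv4 address out
# of `dig +short` output before building the DNAT rule. A CNAME makes dig print
# the alias target first; a failed lookup prints nothing. Both would reach
# iptables unchecked with `awk 'NR==1'`.

# Constructed sample of `dig +short ftp.example.com` output (CNAME chain, then A records).
SAMPLE_DIG='ftp.example.com.edgekey.example.net.
a1234.dscx.example.net.
198.51.100.21
198.51.100.22'

# Print the first stdin line that is a well-formed dotted-quad IPv4 address, or nothing.
first_ipv4() {
    awk -F. 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
        if (ok) { print; exit }
    }'
}

# Read dig output on stdin and print the iptables DNAT rule for
# $1 = listen IP, $2 = listen port, $3 = target port.
# Prints nothing and returns 1 when no A record was found, so a broken lookup
# never produces a rule with an empty or bogus --to address.
dnat_rule_from() {
    ip=$(first_ipv4)
    [ -n "$ip" ] || return 1
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to %s:%s\n' \
        "$1" "$2" "$ip" "$3"
}

# Typical use in the boot script (requires dnsutils):
#   dig +short ftp.microsft.com | dnat_rule_from 212.72.6.1 81 21 | sh
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_DIG" | dnat_rule_from 212.72.6.1 81 21
```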

Then run the following commands:

cd /etc/init.d
chmod a+x myfwd
update-rc.d myfwd defaults

Reboot, then check your results with the following commands.

For socat and redir use:

netstat -antp

To check iptables you will need to install netstat-nat:

sudo apt-get install netstat-nat

Then run:

netstat-nat -D

Custom script:

Here are some scripts that we have written to monitor forward status for redir, socat, and iptables.

You will need to install vnstat first:

sudo apt-get install vnstat

The following script shows CPU + RAM + forward counters and status for redir or socat:

Shell script:

#!/bin/sh
# Shell script written by W. Al Maawali
# (c) 2014 Founder of Eagle Eye Digital Solutions
# https://www.digi77.com
# http://www.om77.net
# script starts here:

echo ""
echo ""
users_online=`uptime`
echo "System status: "$users_online
echo "======================================================================"
echo ""
echo ""
# free memory figures straight from the kernel
grep Free /proc/meminfo
used_ram=`free | grep Mem | awk '{print $3/$2 * 100.0}'`
free_ram=`free | grep Mem | awk '{print $4/$2 * 100.0}'`
echo ""
echo "Used RAM  = %"$used_ram
echo "Free RAM  = %"$free_ram
echo ""
echo ""
echo "======================================================================"
echo "Bandwidth Status:"
vnstat -i venet0 -m   # venet0 is the interface on this node; adjust to yours
echo "======================================================================"
echo "Getting results......."
echo ""
echo ""
# forwarded connections per organisation (example IPs, replace with your own)
org1_count=`netstat -antp | grep -c '51.219.221.206\|215.165.18.97'`
org2_count=`netstat -antp | grep -c '132.71.46.3'`
sum=$(($org1_count+$org2_count))
# the [s] / [r] bracket trick stops grep from counting its own process
sokatSum=`ps aux | grep -c '[s]ocat'`
redirSum=`ps aux | grep -c '[r]edir'`
echo "Org_1      =" $org1_count
echo "Org_2      =" $org2_count
echo ""
echo "Sum      =" $sum
echo "Redir    =" $redirSum
echo "Sokat    =" $sokatSum
echo ""
echo ""
echo "======================================================================"
echo "Server connection by ip numbers:"
echo ""
# column 6 is the foreign address once the line is split on spaces and colons
netstat -ntu | awk -F"[ :]+" 'NR>2{print $6}'|sort|uniq -c|sort -nr
echo ""
echo ""
echo "======================================================================"


The following script shows CPU + RAM + forward counters and status for iptables:

Shell script:

#!/bin/sh
# Shell script written by W. Al Maawali
# (c) 2014 Founder of Eagle Eye Digital Solutions
# https://www.digi77.com
# http://www.om77.net
# script starts here:

echo ""
echo ""
users_online=`uptime`
echo "System status: "$users_online
echo "======================================================================"
echo ""
echo ""
# free memory figures straight from the kernel
grep Free /proc/meminfo
used_ram=`free | grep Mem | awk '{print $3/$2 * 100.0}'`
free_ram=`free | grep Mem | awk '{print $4/$2 * 100.0}'`
echo ""
echo "Used RAM  = %"$used_ram
echo "Free RAM  = %"$free_ram
echo ""
echo ""
echo "======================================================================"
echo "Bandwidth Status:"
vnstat -i venet0 -m   # venet0 is the interface on this node; adjust to yours
echo "======================================================================"
echo "Getting results......."
echo ""
echo ""
# NAT-tracked connections per organisation via netstat-nat (example IPs, replace with your own)
org1_count=`netstat-nat -s '51.219.221.206'|wc -l`
org1b_count=`netstat-nat -s '215.165.18.97'|wc -l`
org1_count=$(($org1_count+$org1b_count))
org2_count=`netstat-nat -s '132.71.46.3'|wc -l`
sum=$(($org1_count+$org2_count))
# the [s] / [r] bracket trick stops grep from counting its own process
sokatSum=`ps aux | grep -c '[s]ocat'`
redirSum=`ps aux | grep -c '[r]edir'`
echo "Org_1      =" $org1_count
echo "Org_2      =" $org2_count
echo ""
echo "Sum      =" $sum
echo "Redir    =" $redirSum
echo "Sokat    =" $sokatSum
echo ""
echo ""
echo "======================================================================"
echo "Server connection by ip numbers:"
echo ""
# column 6 is the foreign address once the line is split on spaces and colons
netstat -ntu | awk -F"[ :]+" 'NR>2{print $6}'|sort|uniq -c|sort -nr
echo ""
echo ""
echo "======================================================================"

The IPs mentioned above are just examples. For the commands to function properly, you should use your own IP addresses.

© 2024 Warith AL Maawali. All Rights Reserved.