[PLUG] IPtables internal port forwarding

Robert Munro ramunro at speakeasy.net
Fri May 8 00:26:48 UTC 2009


On Thu, 2009-05-07 at 11:47 Michael Rasmussen wrote:
> As the OP here's the background story.
> 
> At work we manage several thousand switches and routers.
> We're replacing our management platform with a new one.
> There is an internal requirement to NEVER use clear text protocols.
> 
> So to put a new IOS image on a Cisco device we use SCP.
> 
> The new management app has two features:
>   it has the Cisco devices pull configs, images, everything
>   its default port for serving these resources is 8022
> 
> Complicating factors:
> 
> The Cisco devices cannot be configured to SCP to a different port
> than 22[1]
> We do normal management via ssh - aka port 22
> 
> In order to not confuse the beejesus out of all the groups that
> currently ssh to boxes we are loath to move SSH to a non-standard port.
> 
> Therefore:
> 
> We want to have the incoming port 22 connection from switches and
> routers (we know the IPs involved) redirected to port 8022 to connect
> with the management app software.
> 
> 
> [1] If you know otherwise and how, please share.
> 
> -- 
>      Michael Rasmussen

This isn't a shoestring operation, so you should be able to throw a bit
of relatively cheap hardware at the situation to simplify the issue and
simultaneously make your life easier and maintain great network service
levels for both the remote network hardware boxes and your human users.

You can't change the port that the switches / routers access to download
their software, you say.  But you CAN change the IP address they attempt
to connect with to do so.  So, just route their traffic through a simple
front-end firewall box to perform the port translation that solves this.

You'll need another little firewall with two NICs, plus another NIC card
in your main configuration server that handles both the automated router
and switch traffic plus ad-hoc SSH connections from the customer groups.

ASCII art:
                                        ___________________________
router/switch --> new firewall --> eth1 |                          |
                                        |   Configuration Server   |
the customers --> old firewall --> eth0 |__________________________|


The new outer firewall uses IPtables Prerouting rules (thousands of 'em)
to change the destination port from 22 to 8022, and one Forward rule to
route those packets to your configuration server's new second IP address
on its new interface eth1.

The old outer firewall passes the same old port 22 traffic right through
to the configuration server's same old IP address on old interface eth0.

This will avoid slowing network traffic for everyone by forcing each and
every packet to traverse thousands of new IPtables rules in the existing
firewall.

With streamlining of established connection packets, you can likely also
make this sort of configuration perform fairly well for the dumb routers
and switches too.

Hope this helps!
Robert
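An added example of the rule layout Robert describes (not code from the post or from the list): a POSIX shell script that generates an iptables-restore rule set for the new outer firewall, with the per-device DNAT rules kept in their own chain and an ESTABLISHED,RELATED accept placed ahead of the single FORWARD rule so only new connections walk the long list. The interface name, server address and device list are constructed placeholders.

```shell
#!/bin/sh
# Placeholder values (assumptions, not from the original post):
#   WAN_IF  - interface on the new firewall facing the switches/routers
#   CFG_IP  - the configuration server's new eth1 address
#   DEV_FILE - one device source IP per line (constructed sample below)
WAN_IF="${WAN_IF:-eth0}"
CFG_IP="${CFG_IP:-192.0.2.10}"
DEV_FILE="${TMPDIR:-/tmp}/plug_devices.$$"
printf '%s\n' '# constructed sample device list' 10.10.1.1 10.10.1.2 10.10.2.254 > "$DEV_FILE"

# Emit iptables-restore input. nat/PREROUTING only sees the first packet of a
# connection; conntrack replays the DNAT for the rest, so the per-device rules
# cost nothing on established traffic. filter/FORWARD sees the translated
# destination (CFG_IP:8022), and its first rule short-circuits established flows.
gen_rules() {
    devices_file="$1"
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':DEV_DNAT - [0:0]'
    # One jump keeps the thousands of device rules out of the main chain path
    printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j DEV_DNAT"
    while IFS= read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blanks and comments
        printf '%s\n' "-A DEV_DNAT -s $ip -p tcp --dport 22 -j DNAT --to-destination $CFG_IP:8022"
    done < "$devices_file"
    printf '%s\n' 'COMMIT' '*filter' ':FORWARD DROP [0:0]'
    # Established/related packets are accepted before any other matching
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The single forward rule: only NEW connections already DNAT'd to 8022
    printf '%s\n' "-A FORWARD -i $WAN_IF -d $CFG_IP -p tcp --dport 8022 -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Number of per-device DNAT rules the generated set contains
count_dnat_rules() {
    gen_rules "$1" | grep -c -- '-A DEV_DNAT '
}

# To apply on the firewall (needs root):  gen_rules "$DEV_FILE" | iptables-restore
gen_rules "$DEV_FILE"
```

Devices not in the list still reach the firewall's own port 22 via INPUT, not FORWARD, so the DROP policy on FORWARD means nothing unlisted is relayed to the configuration server.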
