Table of contents
Remotely control iptables for port reuse
The second way: using keywords in tcp packets
Then we try to log in to 200 on the 201 host:
The first way: using ICMP
Remotely control iptables for port reuse
Disadvantages: If the target is on the internal network, you cannot ping it directly.
Create a port reuse chain
iptables -t nat -N HTTP_TO_SSH
Customized a chain
Create port reuse rules
iptables -t nat -A HTTP_TO_SSH -p tcp -j REDIRECT --to-port 22
Forward the traffic of the custom chain to port 22
Turn on the switch
iptables -t nat -A PREROUTING -p icmp --icmp-type 8 -m length --length 1139 -m recent --set --name oupeng --rsource -j ACCEPT
If an icmp packet with a length of 1139 is received, add the source IP to the loupeng list.
off switch
iptables -t nat -A PREROUTING -p icmp --icmp-type 8 -m length --length 1140 -mrecent --name oupeng --remove -j ACCEPT
If an icmp packet with a length of 1140 is received, the source IP will be removed from the oupeng list.
let’s do it
iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name oupeng --rsource -j HTTP_TO_SSH
If it is found that the source of the syn package is in the letmein list, it will jump to the letmein chain for processing. The effective time is 3600 seconds.
You can check the status of the five chains:
[root@centos111 ~]# iptables -t nat -nvxL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 length 1139 recent: SET name: oupeng side: source mask: 255.255.255.255
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 length 1140 recent: REMOVE name: oupeng side: source mask: 255.255.255.255
0 0 HTTP_TO_SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x17/0x02 recent: CHECK seconds: 3600 name: oupeng side: source mask: 255.255.255.255
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
26 1804 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
Chain HTTP_TO_SSH (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 redir ports 22
Before reuse is enabled, the web can be accessed normally:
Now we can try to enable reuse, that is, ping192.168.159.200 (this machine) at 192.168.159.201
ping -c 1 -s 1111 192.168.159.200
An icmp data packet with a length of 1111 is sent to the target (plus the header 28, the total length is actually 1139)
Because ip data packet = ip header + icmp
So the 28 bytes here include: 20 bytes of the ip header + 8 bytes of the icmp header
Try to use port 80 for ssh (the actual access here is port 22)
As you can see, we successfully used port 80 to log in to port 22.
We can check port 22 on 200
netstat -antp |grep 22
It shows that two IP addresses have established connections with port 22 of this host.
We can now try to access port 80 on the 201 host.
You can see that the access failed because we used port 80 of the 200 host as port 22.
Looking at the NAT table, you can also see that the packet in the rule is 1139 bytes:
Now let's turn off reuse
ping -c 1 -s 1112 192.168.159.200
An icmp data packet with a length of 1111 is sent to the target (plus the header 28, the total length is actually 1140)
Check the rules of the nat table again on centos1
After turning off reuse, we try to log in again
As you can see, if you try to log in now, it will fail!
The second way: using keywords in tcp packets
Advantages: Not afraid that the target is not on the intranet
Port multiplexing chain
iptables -t nat -N HTTP_TO_SSH
Port reuse rules
iptables -t nat -A HTTP_TO_SSH -p tcp -j REDIRECT --to-port 22
Turn on the switch
iptables -A INPUT -p tcp -m string --string 'oupeng' --algo bm -m recent --set --name HTTP_TO_SSH --rsource -j ACCEPT
off switch
iptables -A INPUT -p tcp -m string --string 'close' --algo bm -m recent --name HTTP_TO_SSH --remove -j ACCEPT
let‘s do it
iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name HTTP_TO_SSH --rsource -j HTTP_TO_SSH
Enable multiplexing and enable traffic from the local machine to the target port 80, which will be forwarded to the target's SSH. Port 80 will no longer be accessible by the host;
[root@centos222 ~]# echo oupeng | socat - tcp:192.168.159.200:80
HTTP/1.1 400 Bad Request
Server: nginx/1.20.1
Date: Sun, 19 Nov 2023 04:29:46 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
Then we try to log in remotely using port 80:
[root@centos222 ~]# ssh -p80 [email protected]
[email protected]'s password:
Last login: Sun Nov 19 12:15:29 2023 from 192.168.159.1
[root@centos111 ~]#
You can see that you have successfully logged in using port 80 here.
Close reuse. After closing, port 80 returns to normal. We try to log in again.
[root@centos222 ~]# echo close | socat - tcp:192.168.159.200:80
SSH-2.0-OpenSSH_7.4
Protocol mismatch.
[root@centos222 ~]# ssh -p80 [email protected]
ssh_exchange_identification: Connection closed by remote host
You can see that we can’t log in now!
The third way: use SSLH tools
Install sslh tool:
yum install sslh
Then we start the nginx/apache service and make sure it is listening on port 80
systemctl restart nginx.service
systemctl restart httpd.service
Then we modify the listening port in the nginx configuration file
Note: Do not restart the nginx service after the configuration is completed.
After downloading the sslh tool, let’s modify its configuration file
Note that what is written in listen is the listening port, which must be synchronized to the accessed address. What is written in protocls is the forwarding target. Only port 80 and port 22 are used here. Note that there is no comma at the end of the last set of curly braces in the brackets, otherwise an error will be reported.
Start the sslh service:
[root@centos111 ~]# sslh -F/etc/sslh.cfg
sslh-fork 4ae2e62d25b9faf984a303c4bdf2b7675f4988b9 started
Note: If there is an error when starting up saying that this address has been used, you can close the nginx/httpd service to solve this problem.
Then we try to log in to 200 on the 201 host:
You can see that we successfully used port reuse and logged in using port 80!
So far, the three methods have been introduced.