Networking Forums


Beginner question, port forwarding

uk

      09-26-2003, 10:19 AM
Hi,

I'm distributing a Java app to SuSE 7.2.
I have one problem: I need to receive UDP packets on port 67 (bootp). On Windows that's OK, but on Linux I can't bind to a port < 1024.
Is there a way to route packets from port 67 to some port > 1024 using Linux iptables or some other way? I tried several combinations with no success.
The device that is sending the UDPs is 10.254.254.100 and it is sending to 255.255.255.255; the interface that has to receive the UDPs is 10.254.254.1.

iptables -t nat -A PREROUTING -i 10.254.254.1 -p udp --dport 67 -j REDIRECT --to-port 6700
iptables -t nat -A OUTPUT -p udp -d 10.254.254.1 --dport 67 -j REDIRECT --to 6700

With tcpdump (tcpdump udp port 67) I can see that packets are coming to port 67, but nothing to port 6700.

Thanx

Jeroen Geilman

      09-26-2003, 11:27 PM
uk wrote:

> Hi,
>
> I'm distributing Java app to SuSe 7.2
> I have one problem, I need to receive UDP packets on port 67 (bootp)
> on
> Windows that's OK but on Linux I can't bind to the port <1024.


Unless the process attempting this has root access / is run by root.

> Is there a way to route packets from port 67 to some port > 1024 using
> linux IPtables or some other way, I tried several combinations with no
> success.


Believe me - at least one "combination" will work ;-)

> Device that is sending UDPs is 10.254.254.100 and it is sending to
> 255.255.255.255


Why ?

> interface that have to receive UDPs is 10.254.254.1


Yes, but that doesn't matter, does it ? It's broadcast, so any IP should do.
Oh wait - but it doesn't, does it ?
You've set up iptables only for .1, not for any broadcasts...
A broadcast destination address will *never* match a single address!
It doesn't matter whether that address lies within the broadcast domain,
iptables will *not* match the broadcast address to .1

Make up yer mind - either broadcast it and correct iptables rules, or use
normal directed traffic...

> iptables -t nat -A PREROUTING -i 10.254.254.1 -p udp --dport 67 -j
> REDIRECT --to-port 6700
> iptables -t nat -A OUTPUT -p udp -d 10.254.254.1 --dport 67 -j
> REDIRECT --to 6700


So..let me see if I understand you correctly...you change the port of
everything incoming from .1 to 6700, and then change the port of everything
going out TO .1 to 6700 AGAIN ?

Bit of a mix-up here - you've been staring too long at the screen probably.

incoming : 67 -> 6700
outgoing : 6700 -> 67

No other "combination" will get the traffic back to your client program.

> With tcpdump (tcpdump udp port 67) I can see that packets are coming
> to the port 67, but nothing to the port 6700.


obviously...

Since you xlate 67 -> 6700 in the prerouting chain, there's nothing LEFT
coming from port 67 by the time you want to xlate it again in the output
chain, so you get...nothing.

(Unless the Linux machine actually sends out UDP on port 67 itself, in which
case your client program gets nonsense data back - on port 6700, which it
doesn't look for, so that's okay...okay but pointless)

Again, first make up your mind - why use broadcasts in any program that
*knows* whom it wants to communicate with ?

Even better: why use a well-known port at all ? That's more trouble than
it's worth - in every thinkable circumstance.

Just pick a port not used by any service, you'll be much happier.

--
Jeroen Geilman

All your bits are belong to us.

uk

      09-28-2003, 03:10 PM
Well, I think I didn't explain this correctly.

10.254.254.100 is an AXIS IP camera, and when you restart the camera it's
sending UDPs to 255.255.255.255, to port 67 (this is the manufacturer's
specification and also the RFC bootp specification; I can't change that).
The point is that anyone (a bootp server) can receive that bootp request
and send a reply back to the camera to set up a new IP address for the camera.
So the camera is the bootp client and my software is the bootp server; my software
is on 10.254.254.1, but because my app is not root it can't receive
those UDPs on port 67, and I have to forward the UDPs to some other port
that I can bind to, > 1024.
My question is what iptables combination I have to use for this.
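
The BOOTP exchange uk describes, as an added worked example that is not part of the original thread and not any vendor's code: a server that decodes a BOOTREQUEST, answers only hardware addresses it has been told about (any host on the segment can broadcast a request, so an unconditional reply would hand an address to anyone who asks), and sends the BOOTREPLY from a socket bound to an unprivileged port, so the process never needs root. The camera MAC, the addresses, the xid, the MAC-to-IP table, port 6700 and all function names are assumptions made for illustration. On the iptables side, two syntax points from the posted rules: -i takes an interface name such as eth0, not an address, and the REDIRECT option is --to-ports; a packet sent to the limited-broadcast address is matched with -d 255.255.255.255, so the PREROUTING rule has the shape "iptables -t nat -A PREROUTING -i eth0 -p udp -d 255.255.255.255 --dport 67 -j REDIRECT --to-ports 6700". Check it with "tcpdump -ni eth0 udp port 6700" before changing the application. On a current kernel the redirect can be avoided altogether by lowering the sysctl net.ipv4.ip_unprivileged_port_start (added in Linux 4.11, long after SuSE 7.2), which is still preferable to running the whole Java process as root.

```python
"""BOOTP (RFC 951) server side for a process bound to an unprivileged port.
Added example for this thread, not code from the original posts or from any
camera vendor. Assumptions (hypothetical, for illustration): the client is an
ordinary BOOTP client (BOOTREQUEST from UDP 68 to 67), an iptables REDIRECT
delivers it to UDP 6700, and addresses come from a fixed MAC-to-IP table.
Every MAC, address and xid below is constructed."""
import socket
import struct
import threading

BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET = 1
# Fixed part of a BOOTP message (236 bytes): op htype hlen hops xid secs flags
# ciaddr yiaddr siaddr giaddr chaddr(16) sname(64) file(128); a 64-byte
# vendor area follows it.
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
HDR_LEN = BOOTP_HDR.size
VEND_LEN = 64


def parse_request(datagram):
    """Decode a BOOTREQUEST; anything else is rejected before it is acted on."""
    if len(datagram) < HDR_LEN:
        raise ValueError("short BOOTP datagram: %d bytes" % len(datagram))
    f = BOOTP_HDR.unpack(datagram[:HDR_LEN])
    op, htype, hlen, xid, flags, chaddr = f[0], f[1], f[2], f[4], f[6], f[11]
    if op != BOOTREQUEST:
        raise ValueError("not a BOOTREQUEST (op=%d)" % op)
    if htype != HTYPE_ETHERNET or hlen != 6:
        raise ValueError("unsupported htype/hlen %d/%d" % (htype, hlen))
    return {"xid": xid, "flags": flags, "mac": chaddr[:hlen].hex(":"),
            "ciaddr": socket.inet_ntoa(f[7]), "giaddr": socket.inet_ntoa(f[10])}


def build_reply(request, yiaddr, siaddr):
    """BOOTREPLY echoing xid, flags, giaddr and chaddr, handing out yiaddr."""
    f = list(BOOTP_HDR.unpack(request[:HDR_LEN]))
    f[0], f[3], f[5] = BOOTREPLY, 0, 0                   # op, hops, secs
    f[8], f[9] = socket.inet_aton(yiaddr), socket.inet_aton(siaddr)
    return BOOTP_HDR.pack(*f) + b"\0" * VEND_LEN           # vendor area empty


def handle_request(datagram, table, siaddr):
    """Answer only MACs in the table. Any host on the segment can broadcast a
    BOOTREQUEST, so an unknown client gets silence, not an address."""
    req = parse_request(datagram)
    yiaddr = table.get(req["mac"])
    return None if yiaddr is None else build_reply(datagram, yiaddr, siaddr)


def sample_request(mac, xid):
    """Constructed BOOTREQUEST as a client with no address yet sends it
    (ciaddr 0.0.0.0, broadcast flag set so the reply is broadcast back)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero = b"\0" * 4
    return BOOTP_HDR.pack(BOOTREQUEST, HTYPE_ETHERNET, 6, 0, xid, 0, 0x8000,
                          zero, zero, zero, zero, chaddr, b"", b"") + b"\0" * VEND_LEN


def serve_one(table, siaddr, bind_addr="", port=6700, timeout=None, ready=None):
    """Handle one request on a socket bound to an unprivileged port (no root
    needed); with the PREROUTING REDIRECT in place, datagrams sent to UDP 67
    arrive here. Returns the reply that was sent, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind((bind_addr, port))
        s.settimeout(timeout)
        if ready is not None:
            ready.set()
        data, (src_ip, src_port) = s.recvfrom(1500)
        try:
            reply = handle_request(data, table, siaddr)
        except ValueError:
            return None            # malformed or non-request datagram: ignore it
        if reply is not None:
            # A client without an address (source 0.0.0.0) cannot receive a
            # unicast reply, so it is broadcast back to the client port (68).
            dst = "255.255.255.255" if src_ip == "0.0.0.0" else src_ip
            s.sendto(reply, (dst, src_port))
        return reply


def loopback_demo(port=16700):
    """Server and client in one process over loopback, as an ordinary user.
    Returns the address the client was given, or None if it got no reply."""
    table = {"00:40:8c:12:34:56": "10.254.254.100"}      # constructed camera MAC
    ready = threading.Event()
    t = threading.Thread(target=serve_one,
                         args=(table, "10.254.254.1", "127.0.0.1", port, 5, ready))
    t.start()
    ready.wait(5)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.settimeout(5)
        c.sendto(sample_request("00:40:8c:12:34:56", 0x1234), ("127.0.0.1", port))
        try:
            data, _ = c.recvfrom(1500)
        except socket.timeout:
            data = None
    t.join()
    if data is None or data[0] != BOOTREPLY:
        return None
    return socket.inet_ntoa(BOOTP_HDR.unpack(data[:HDR_LEN])[8])


if __name__ == "__main__":
    print("client was assigned", loopback_demo())
```

Running the file as an ordinary user exercises both sides over loopback; on the real host the same serve_one(table, "10.254.254.1", port=6700) call, bound on all interfaces, receives what the redirect delivers. Note that the reply goes out from port 6700; if the camera insists on replies from source port 67 (RFC 951 does not require that, but some clients check), the reverse translation of the redirect, or a raw socket, has to put it back, which tcpdump on the camera side will show.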
 
Leon The Peon
      09-29-2003, 04:55 AM

Well, the prerouting rule seems to be OK.

The output rule seems to be odd. Wouldn't the dport be 6700 and redirect to
67, if this is required?

Also you may need to add a rule to allow the packet to be INPUT first?
e.g. iptables -I INPUT -p udp --dport 67 -j ACCEPT

uk

      09-30-2003, 07:58 AM
> The output rule seems to be odd. Wouldn't the dport be 6700 and redirect to
> 67, if this is required?


Well, I need to redirect from 67 to 6700.
These two rules that I wrote I didn't use together; I tried each one alone, but with no result:

* iptables -t nat -A PREROUTING -i 10.254.254.1 -p udp --dport 67 -j REDIRECT --to-port 6700
* iptables -t nat -A OUTPUT -p udp -d 10.254.254.1 --dport 67 -j REDIRECT --to 6700

> Also you may need to add a rule to allow the packet to be INPUT first?
> e.g. iptables -I INPUT -p udp --dport 67 -j ACCEPT


I don't know, because this is my first encounter with Linux, but if I listen
with tcpdump on the receiving port 67, I can see that packets are coming.