Lord777
Professional
- Messages
- 2,578
- Reaction score
- 1,519
- Points
- 113
Ports allow network and Internet-connected devices to communicate through specified channels. Although servers with assigned IP addresses can connect to the Internet directly and make ports publicly available, the system behind the router on the local network may not be accessible from the Internet. Port forwarding technology overcomes this limitation and makes devices publicly available.
Network services and applications running on various devices use ports with specific numbers to initiate connections and organize communications. Different ports can be used simultaneously to separate traffic types and requests. Typically, ports are associated with specific services so that the client can connect to the server on a specific port, and the server accepts the connection and responds accordingly.
The most common ports are listed below:
- 21: FTP (File Transfer Protocol)
- 22: SSH (Secure Shell; Secure Shell)
- 23: Telnet (Teletype Network; Teletype network)
- 25: SMTP (Simple Mail Transfer Protocol)
- 80: HTTP (Hypertext Transfer Protocol)
- 194: IRC (Internet Relay Chat; Internet Relay Chat)
- 443: HTTPS (HTTP with Encryption Support)
While ports make it easy to identify and handle specific requests, the port numbering convention is a standard, but not a rule. Ports can be used for any task, provided that the connection between the client and the server on the specified port uses the appropriate protocol.
In web browsers, non-standard HTTP ports can be specified after a colon at the end of an IP address or URL in order to download content through that port. If the web server is running on a local machine on port 8080, and not more than the generally accepted port 80, it is possible to access this server by entering the address localhost: 8080 or 127.0.0.1:8080 in the browser. If you enter one of the above addresses without the ": 8080" suffix, the same page will not be loaded.
localhost: 8080
Although any open port must allow connection attempts, the client must have network access to the target device for these attempts to succeed. In the case of a server connected to the Internet directly, or when connecting through a local network, difficulties usually arise. The problem appears at the moment when we try to connect to a port on a device located behind a router or firewall.
Most home or office networks are connected to the Internet through a router that regulates access and accumulates traffic on a single IP address. All requests and packets are sent through the router before returning responses back to the appropriate devices that made the original requests. By default, routers do not process incoming requests on specific ports. If someone tries to connect to the router via SSH, the router will not be able to process this request or send this request further down the chain, since it does not know the target recipient. This problem is solved by setting up port forwarding inside the router.
Step 1. Finding out the IP address of the router
Code:
C: \> ipconfig / all
Windows IP Configuration
Host Name. ... ... ... ... ... ... ... ... ... ... ... : █████████
Primary Dns Suffix. ... ... ... ... ... ... : █████████
Node Type. ... ... ... ... ... ... ... ... ... ... ... : █████████
IP Routing Enabled. ... ... ... ... ... ... : █████████
WINS Proxy Enabled. ... ... ... ... ... ... : █████████
Ethernet adapter Ethernet:
Connection-specific DNS Suffix. : █████████
Description. ... ... ... ... ... ... ... ... ... ... : Intel (R) PRO / 1000 MT Desktop Adapter
Physical Address. ... ... ... ... ... ... ... : █████████
DHCP Enabled. ... ... ... ... ... ... ... ... ... : Yes
Autoconfiguration Enabled. ... ... ... : Yes
Link-local IPv6 Address. ... ... ... ... : █████████
IPv4 Address. ... ... ... ... ... ... ... ... ... : █████████
Subnet Mask. ... ... ... ... ... ... ... ... ... ... : 255.255.255.0
Lease Obtained. ... ... ... ... ... ... ... ... : █████████
Lease Expires. ... ... ... ... ... ... ... ... ... : █████████
Default Gateway. ... ... ... ... ... ... ... ... : 192.168.0.1
DHCP Server. ... ... ... ... ... ... ... ... ... ... : 192.168.0.1
DHCPv6 IAID. ... ... ... ... ... ... ... ... ... ... : █████████Usually, routers have an administrative panel available via the HTTP protocol (port 80). In most cases, the local IP address of the router is used for access (192.168.0.1 or 192.168.1.1). On Microsoft Windows, a connected router (or default gateway) can be easily detected using the ipconfig / all command.
In Linux, the same task is accomplished with the netstat utility. Open a terminal and enter the following command to find out the IP address of the connected router.
Code:
~ $ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 enp0s25
█████████ ████████████ █████████ ███ ██████ ███████████ █
█████████ ████████████ █████████ ███ ██████ ███████████ █
On macOS, the same command is used: ~% netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.0.1 UGSc en0
█████████ █████████ █████████ ███ ████
█████████ █████████ █████████ ███ ████
█████████ █████████ █████████ ███ ████
█████████ █████████ █████████ ███ ████
█████████ █████████ █████████ ███ ████
█████████ █████████ █████████ ███ ████Step 2. Accessing the router's configuration panel
After finding out the local IP address of the router, you can access the configuration panel if you enter the address in the browser, as is the case with a regular URL (some routers, for example, have a mobile application, and the task is simplified).
Figure 2: Form of authorization of the configuration panel of the router
After loading the control panel, you need to authorize. The username and password can be set by the manufacturer or ISP or by you. This information can be found in the documentation for the router or on the case.
Although the control panel may vary from router to router, the general setup procedure is approximately the same. After logging in, go to the "Advanced" section or find where the "Port Forwarding" section is located. In our case, the corresponding section is called "Advanced Port Forwarding Rules".
Figure 3: Section with port forwarding settings
Step 3. Configuring port forwarding rules
To demonstrate the rules for port forwarding, consider the simplest case when the user has a Raspberry Pi device connected to a home network router. The Pi is running an SSH service that allows you to log in to the device with the correct username and password. The current IP address of the Raspberry Pi device is 192.168.0.105.
- The rule was named "RBPi SSH" for the purpose of easier identification in the future. In general, the name of the rule is entirely up to your personal preference and does not affect the ports used.
- The range for the Public Port (sometimes referred to as Source Port) is set from 22 to 22 (the standard SSH protocol port). The router will make this port accessible via the Internet. Through the same port, the user will connect to the Raspberry Pi.
- The Private Port (sometimes referred to as Destination Port) is set to 22 because the Pi's SSH daemon runs on port 22.
- The Traffic Type parameter is set to TCP, since TCP traffic is transmitted over the SSH protocol.
- The IP Address parameter corresponds to the IP address of the Pi on the local network (192.168.0.105).
- Finally, a check box is checked to the left of the rule to make the rule active.
Figure 4: Port forwarding rule settings for authorization via SSH protocol
The above rule means that the user can connect to the IP address of the router using the SSH protocol via the Internet and will subsequently be redirected to the server of the Raspberry Pi device. This scheme can be used to create a web server running on port 80, or, for example, to attach a video game server to a specified port. Keep in mind that some providers have rules regarding hosting and other content that you need to consider before making a server accessible from the local network.
Step 4. Protection against port scans and attacks
One of the problems that arises when opening ports on the Internet using forwarding is that the ports become available for scanning. Attackers on the Internet can use automated tools to scan IP address ranges or utilities like Shodan to search for potentially vulnerable devices with certain active ports. SSH ports are the primary target as they provide access to a shell that can be used to steal data or install a malicious application.
In the case of port forwarding to protect against scanning, it may be useful to change the public or source port in the router settings. Instead of the common port 22, which all scanners are configured for, you can specify a non-standard port (for example, 9022).
Figure 5: Configuring SSH to a Non-Standard Port
After changing the port, the client, when connecting to devices via SSH from the Internet, will have to specify port 9022. An attempt to connect to port 22 from the outside will be unsuccessful, since the forwarding will go from port 9022, and not from port 22.
You can also use a service like Fail2ban (an external intrusion protection framework) designed to protect your network from brute-force attacks after an attacker finds an active port. Utilities like Fail2ban limit the number of authorization attempts from the external network.
Port forwarding in Linux at the system level
Port forwarding at the router level can be useful for configuring networks accessible over the Internet. In Linux, the same task can be accomplished at the system level.
In a similar way that a router port is associated with a specified port of a device within a local network, one port can be associated with another for ease of use. For example, when installing the Cowrie honeypot, the SSH daemon is moved from port 22 to port 9022. Then port 2222, where the honeypot is running, is redirected to port 22, which will be available on the Internet and, as a result, is highly likely to be scanned and attacked.
To configure local port forwarding in Linux, first you need to run the following command to set the ip_forward parameter to 1 (in this case, port forwarding is activated at the operating system level):
Code:
~ $ echo "1"> / proc / sys / net / ipv4 / ip__forwardOnce IP forwarding is enabled, make sure you know the current port of the service to be forwarded. When configuring the Cowrie honeypot, this task is accomplished by setting up the SSH daemon on port 9022.
Code:
GNU nano 2.7.4 File: / etc / ssh / sshd_config Modified
# $ OpenBSD: sshd_config, v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config (5) for more information.
# This sshd was compiled with PATH = / usr / bin: / bin: / usr / sbin: / sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 9022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::Finally, you can use iptables to enable local port forwarding. The command below redirects requests from port 22 to port 2222, where the honeypot handles these requests.
Code:
~ $ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222Other Areas Where Port Forwarding Is Used
Port forwarding can be used in other tasks as well. For example, port 8080 can be forwarded to port 80 to facilitate access to the test server, or new ports can be added for use by a particular service. Port forwarding is useful for remote access, server administration, network configuration, and even during post-exploitation and pivoting. Understanding this technology could be the key to countless other security projects.
