Translate outgoing destination ports UNIX
This is probably evident for Unix wizards, but I spent a whole morning figuring this out so I thought some of you might find it useful too.

I have a client app which does not permit specifying a non-standard destination port. In this example, it is an LDAP client which will only contact a host on the local network on the standard port 389. The LDAP server it is trying to contact is on the local network at 192.168.4.253, but listening on the non-standard port 712. So, I had to set up a port translation for outgoing connections. The code to achieve this is as follows (must be run with sudo privileges, or as root in a launchd startup daemon to make it persistent):
# Enable IP forwarding in the kernel (needed for the natd setup below)
sysctl -w net.inet.ip.forwarding=1
# Divert outgoing TCP to 192.168.4.253:389, and replies from 192.168.4.253:712, to natd
ipfw add 01000 divert natd tcp from me to 192.168.4.253 389 via en0
ipfw add 01000 divert natd tcp from 192.168.4.253 712 to me via en0
# Write the natd configuration: 389 -> 712 on the way out, 712 -> 389 on the way back
cat > natd.conf << end
interface en0
reverse
same_ports
redirect_port tcp 192.168.4.253:712 192.168.4.253:389
redirect_port tcp 192.168.4.253:389 192.168.4.253:712
end
# Start natd with that configuration
natd -f natd.conf
Specifically, what this does is enable IP forwarding, then tell ipfw to divert all TCP traffic to host 192.168.4.253 port 389, and all TCP traffic from host 192.168.4.253 port 712, to the natd daemon. natd is launched as a daemon and told to rewrite outgoing connections to the host's port 389 so that they go to the "real" port 712. All returning packets from the host's port 712 are then translated back to the original port 389 expected by the client application.
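To make the two rewrites concrete, here is a constructed model (an added example, not code from the hint or from ipfw/natd) of the packet rewrites described above; the local address and client source port are assumed sample values. It also reproduces the side effect raised in the comments: a genuine connection to port 712 has its replies rewritten to 389 and so breaks.

```python
# Constructed, stateless model of the rewrites the hint describes.  A packet is
# a tuple (src_ip, src_port, dst_ip, dst_port).  Not natd's real code.
from typing import Tuple

Packet = Tuple[str, int, str, int]

SERVER = "192.168.4.253"   # the LDAP host from the hint
ME = "192.168.4.10"        # assumed address of the local machine ("me" in ipfw)
CLIENT_PORT = 389          # the only port the client is willing to dial
REAL_PORT = 712            # the port the server actually listens on


def outbound(pkt: Packet) -> Packet:
    """ipfw rule 1 diverts only TCP from me to SERVER:389; natd rewrites
    the destination port 389 -> 712.  Everything else passes untouched."""
    src_ip, src_port, dst_ip, dst_port = pkt
    if src_ip == ME and dst_ip == SERVER and dst_port == CLIENT_PORT:
        return (src_ip, src_port, dst_ip, REAL_PORT)
    return pkt


def inbound(pkt: Packet) -> Packet:
    """ipfw rule 2 diverts TCP from SERVER:712 to me; natd rewrites the
    source port 712 -> 389 so the client sees the port it connected to."""
    src_ip, src_port, dst_ip, dst_port = pkt
    if src_ip == SERVER and src_port == REAL_PORT and dst_ip == ME:
        return (src_ip, CLIENT_PORT, dst_ip, dst_port)
    return pkt


def round_trip(dst_port: int, local_port: int = 51000) -> Tuple[int, int]:
    """Dial SERVER:dst_port once and return (port the server received it on,
    source port the client sees in the reply)."""
    on_wire = outbound((ME, local_port, SERVER, dst_port))
    server_port = on_wire[3]
    reply = inbound((SERVER, server_port, ME, local_port))
    return server_port, reply[1]


def connection_survives(dst_port: int) -> bool:
    """A TCP client only accepts replies from the port it dialled."""
    _, seen = round_trip(dst_port)
    return seen == dst_port


if __name__ == "__main__":
    for port in (CLIENT_PORT, REAL_PORT, 443):
        state = "ok" if connection_survives(port) else "BROKEN"
        print(port, round_trip(port), state)
```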

[robg adds: I haven't tested this one.]

Translate outgoing destination ports | 4 comments
Translate outgoing destination ports
Authored by: dschneiderch on Oct 21, '09 12:39:06PM

Would this solution work for email too? For example, my university only uses port 25 for email, but my ISP at home blocks port 25. Unfortunately I don't understand most of what was written, but was wondering what sort of changes would have to be made.

Translate outgoing destination ports
Authored by: Anonymous on Oct 22, '09 01:22:30PM

The example given in the hint aligns two port numbers where neither client nor server can be altered. The firewall, ipfw, was used as the intermediary to solve this by sending traffic from local port 389 to remote port 712 and vice versa. The translation happens on the local machine, so the network carries traffic on port 712.

In your case, the client software is largely irrelevant: you need to avoid port 25 on the network, but the remote machine is only listening on port 25. Note also that the hint would not have been necessary if the client software had the ability to alter the port it uses; and I can't think of an email program where you can't alter the SMTP port.

If I were you, I'd make absolutely certain they don't offer an alternative port for SMTP. It seems strange they wouldn't. Have you tried port 587? That's the usual alternative. You might want to track down an actual technical person, too, and ask them.

Good luck!

Translate outgoing destination ports
Authored by: GaelicWizard on Oct 27, '09 11:10:58AM

The University of California should know better, but doesn't. At least at the Riverside campus, SMTP is _only_ available on port 25. Suck. Any given ISP will, however, un-block port 25 if you explain this to them. I've done it with both cable and phone ISPs.

JP

---
Pell
Warning: breaks real port 712 traffic
Authored by: GaelicWizard on Oct 27, '09 11:14:14AM

Any traffic from a computer using this hint that really does want to use port 712 will break. This hint is only useful if it is known in advance that only port 389 will be used and 712 will never be used. I don't know of a way to work around this limitation.

JP