NNTPS pointers / NNSP

Grant Taylor gtaylor at tnetconsulting.net
Sun Oct 24 07:47:46 UTC 2021


On 10/20/21 4:40 PM, Grant Taylor wrote:
> I know that is the standard mode of operation.  However I believe there 
> are some ... hacks that can be applied on Linux that get extremely 
> creative with the routing table and use other skulduggery to fake the IP 
> address that INN (et al.) sees.

Success!!! \o/

I'm using a combination of stunnel, iptables connection marking, and 
iproute2 policy based routing to provide NNSP such that INN sees the 
remote system's real IP address.  }:-D

I can now connect to TCP port 433 on my transit news server using 
OpenSSL's s_client.  --  I even had to change the location that I was 
testing from because INN was rejecting the first client system I was 
testing from with "502 You have no permission to talk.  Goodbye!".  When 
I test from an IP address that is allowed to connect, I get 200.

> I'll do some more reading and poking with sticks.  I don't know that the 
> systems in question have the necessary support installed; kernel 
> requirements, policy based routing, etc.

I started with the following blog article.

Link - stunnel transparent proxy to localhost
  - https://blog.inf.re/stunnel-transparent-proxy-to-localhost.html

I then adapted it down to the following:

	# filter: accept INN's replies, which re-enter on lo after the policy route below
	iptables -t filter -A INPUT -s $INN_IP/32 -i lo -p tcp -m tcp \
	    --sport 119 -j ACCEPT
	# nat: mark the connection when stunnel opens it towards INN over lo
	iptables -t nat -A OUTPUT -d $INN_IP/32 -o lo -p tcp -m tcp --dport 119 \
	    --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x1/0xf
	# mangle: copy the connection mark onto INN's reply packets so the fwmark rule matches them
	iptables -t mangle -A OUTPUT -s $INN_IP/32 -o eth0 -p tcp -m tcp --sport 119 \
	    -m connmark --mark 0x1/0xf -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf

	ip rule add fwmark 0x1 lookup 433
	ip route add local 0.0.0.0/0 dev eth0 table 433

I did not need to disable the route_localnet protection IP system 
controls.  Nor did I need to provide similar protection after disabling 
route_localnet protection.

The 2nd and 3rd iptables rules above correspond to the 3rd & 4th rules 
on the linked article.

I used iproute2 routing table #433 to correspond with TCP port 433. 
This is a convenience / convention and can really be just about any 
non-conflicting number.

This is the /server/ side (receiving server) of the connection.  I 
believe that I have an idea for the /client/ side (sending server) that 
will basically re-use / extend -- I think -- the second iptables rule 
above, just targeting / matching the remote servers that I want to use 
NNSP with.

> I believe that somewhere I recently read that TCP wrappers was being 
> deprecated.  I have no idea where that was.  Perhaps I should search for 
> it.  --  Not that deprecation has prevented ifconfig / route / et al. 
> from being mainstream utilities some 20 years later.  ;-)

It looks like what I saw was from RHEL / Fedora announcements.

Link - Changes/Deprecate TCP wrappers - Fedora Project Wiki
  - https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers



-- 
Grant. . . .
unix || die
