How to check if port forwarding is enabled

dnsfirewallport-forwardingSecurity

I have just set up a DNS server for my own network, and many guides online suggest to make sure that port forwarding on port 53 is not enabled.

The thing that is not clear to me is this: should I configure this at the router level or at the firewall level? If I should do this on the firewall, how would I go about doing this on an Ubuntu Server 12.04?

My home network has a few clients, an ESXi server and a home router. One of the VMs inside ESXi is the DNS server (running on Ubuntu Server 12.04) which is used to handle local DNS requests but is also configured as to forward requests for external IPs to Google's DNS servers.

Best Answer

This should be configured on whatever equipment you have between the DNS server and the outside world. AFAIK port forwarding is disabled by default on pretty much everything so you shouldn't worry too much about it. If you're using residential network gear, there should be port forwarding configuration options in the web interface. To check the port forwarding settings on Ubuntu use iptables:

$ sudo iptables -t nat -vnL

To ultimately check your network for the forwarded port use netcat to connect to the port via your external IP:

$ nc -vu [external ip] 53

You'll have to monitor the connections on the DNS server to watch for the netcat connection because netcat may incorrectly report that the connection was successful due to the stateless nature of UDP

Related Solutions

SSH session through jumphost via remote port forwarding

It looks like you should be using local port-forwarding instead of remote port-forwarding. You may want to refer to the following helpful blog post by Dirk Loss:

SSH port forwarding visualized

It includes the following illustrative diagram:

In order to read the diagram you need to know that it describes the relationships between 4 different roles involved in creating and utilizing an SSH tunnel:

an ssh client (i.e. ssh - the OpenSSH command-line client) used to establish the tunnel;
an ssh server (i.e. sshd - the OpenSSH server daemon) used to maintain the other end of the tunnel;
an application server (e.g. another ssh server or an http server);
an application client (e.g. another ssh client or a web-browser) which wants to access the application server via the tunnel.

It's also important to understand that the two different types of forwarding correspond to two different use cases:

Local Forwarding: where the application client connects via the ssh client
Remote Forwarding: where the application client connects via the ssh server

Remote forwarding is so called because the forwarding is performed remotely (at the ssh server) rather than locally (at the ssh client). I also find "remote forwarding = reverse forwarding" to be a useful mnemonic.

So as you can see, in order to initiate a connection from an ssh client at the origin host through an sshd server on a proxy jumphost to a third target host you would have to use local port-forwarding. Remote port-forwarding is for the case in which you want the entry point to the tunnel to be located at the host running the sshd server rather than at the host running the ssh client.

In the man page the local port-forwarding syntax is written as follows:

ssh -L [bind_address:]port:host:hostport user@remote

This can be written more intuitively as the following:

ssh -L [local_bind_address:]local_port:remote_host:remote_host_port user@proxy_host

Or, using your naming conventions:

ssh -L [origin_bind_address:]origin_port:target_host:target_host_port user@jump_host

If we modify your command to use local port-forwarding instead then we end up with the following:

user@origin:~$ ssh -L *:1234:target:22 myusername@jumphost

Best Answer

Related Solutions

SSH session through jumphost via remote port forwarding

Related Question