IPv6 Port Redirection
In this video, Cisco CCNA Instructor Mark Jacob demonstrates how to do port redirections in IPv6.
Back in November I wrote a blog, if you read the blogs at InterfaceTT.com, and it was about IPv6. In fact, I’ve got it up on screen there. You can get IPv6 in your home. I even got a follow‑up question about, “Hey, I got a device that says it’s got a tab for IPv6 port forwarding, port redirection. How does it work?”
As I was researching the topic in a little bit more detail, I realized it was almost like throwing a side of beef at a crocodile pit! There’s ferocious activity on either side of this issue. There are the purists who say, “Absolutely, without fail, there should not be NAT in IPv6. It’s horrible. It’s a workaround.”
There are other people saying, “Well, jeez, I’m in a college dorm. They give me one IPv6 address and I need to make my whole…” Everybody has 10, 12 devices connected to the Internet of Things. “I’m willing to pay for it, can somebody just do it? You purists can argue over there, but can somebody just make it happen?”
I thought, “You know what? Let me take a look at this.” I’m no Linux guru, I’d certainly like to be more of a Linux guru, it’s cool, but I spent most of my time researching Cisco stuff, and teaching Cisco stuff.
I was digging into ip6tables, and I happen to have, let me bring up, a couple of connections that I have going here, because what I built looks like this picture on the screen I have, and it’s over there. I’m connected to it. It’s an IPv4 connection, but it works.
What I have is a laptop, which is connected to a Raspberry Pi. The Raspberry Pi is a multi‑homed device. It has Ethernet 0 and Ethernet 1. It turns out that, using ip6tables, I was trying to see if I could…I was considering the laptop as being outside of my network, and that I had…actually I only had room for two, but I have router three, router four, router five, a router six, because I just need the targets.
If I’m a college person, with a bunch of stuff, I got my Slingbox in there, whatever I got running inside there, that I need to access. I wanted to validate this by actually hitting targets on the inside. That’s what I have here, built this, and let’s go ahead and log into the Raspberry Pi.
See, I got that right here. Root, and it’s currently running Linux. Let’s take a look first of all to see what I have. ip6tables. The one I’m maneuvering, or manipulating, is the NAT table, instead of the default ip6tables. Let’s go, -t for table and nat, and I’m going to say -L -v -n to look at what I have.
You notice, if you know Linux at all, there’s nothing extra there. This is what it looks like when I haven’t done anything. [inaudible 2:55] OK, we got that. We know what it looks like when you’re not doing anything.
I want to add something to this. I want to add a command. Go back to my picture, what I’m trying to do, my initial attempt here, I want to originate from my laptop a connection. I’m going to try to reach router two via port 22, which of course is SSH. But I’m going to tell this Raspberry Pi if you get some IPv6 traffic coming in on Ethernet 0, on port 22, flip that over to port 23 and send it to this guy.
Send it to 2001:DB8:0:1, blah, blah, ::12. You realize, I’m performing, don’t tell anybody, [laughs] performing that IPv6 port redirection using my little $35 Raspberry Pi. That’s what I’m going to try to do.
Let’s take a look, let’s get back onto the device. If I can just leave this over here. All right. I’m going to add the command: ip6tables, -t and I want to do nat, and I’m going to do a -A for add. I’m going to add it to PREROUTING, if I can spell today. Again, as I was saying, off of interface Ethernet 0, and I want to focus on a TCP port, and let’s say two…not two destination, not yet.
tcp --dport, destination port is…What I said was 22. I’m going to come in on port 22 and I want it flipped to port 23 and sent to a new destination. Destination port 22, I want to do a jump to DNAT and --to-destination, and put your IPv6 address in brackets, [2001:DB8:0:1::12], and I want to send it to port 23. Notice it didn’t set with that port number.
I can test that by going to my laptop now and seeing if I can attempt an SSH connection to…Notice, by the way, what IPv6 address I’m going to try to hit. I’m going to tell my laptop, “Hey, try the SSH to this address here, to this DB8:1:1::2.” In other words, the IPv6 address that’s on Ethernet 0.
That’s my target. I’m going to shoot at that target and then the Raspberry Pi is going to take that, say “Not only am I going to send you that way, but I’m going to change your port as well.” Let’s get my laptop, let’s go get a command prompt. Do I not have one? Let’s go ahead and make one.
Let’s see, I’m on a…You guys have probably seen that you can Telnet, and you don’t have to Telnet to the default port of Telnet, which of course is 23. I’m going to Telnet, and I’m going to go to that 2001:DB8:0:1:1::2, and then I’m going to change the destination port, because if I just hit “enter” now it’s going to automatically try port 23.
I’m going to put 22 there and hit “enter.” Guess what? Router two is prompting me. I know it’s router two because if I log in, R2 shows up. Notice what we did there. I did a Telnet session to an address which was the…you can imagine if this is your dorm, if you’re a college person trying to do this, this is your edge device.
This is the one address over here that your IT director at the dorm gives you, so you’ve got to make everything work from that one.
I hit that address on port 22, and the Raspberry Pi flipped that over to port 23. Just the coolest thing in the world. I love that. I don’t have to do port redirection. Let’s try this, let’s go…In fact, if I just hit the up arrow and backspace and do a…By the way, I should have shown you, you can actually see that you get hits on this.
Let’s see…ip6tables -t nat, and I want -L -v -n. You’ll notice that now there’s that entry that I just created, and you see that it’s gotten hits, because I’ve got 72 bytes of traffic. It’s gotten hits on that entry in ip6tables. Kind of cool.
Anyway, let me pull that command out, and all I’ve got to do to get rid of it is change my -A for add to a -D for delete. It’s gone. It was like, “OK, all that for not much.” What I want to do now is put it back in, but I want to change the 22 to 23, just to show you that you don’t have to do port redirection.
You can do just plain adding. I’m hitting the outside address here, the Ethernet 0, and it’s just going to kick it over to router two. Let’s test that. I don’t have to add…let me exit out of the router [inaudible 8:17] and router two, but let’s get out of it. Let’s try that same command again, but get rid of the 22.
Which means this Telnet attempt is going to happen on the default port, which is 23. Oh, could not, I must have messed it up. What did I…connect failed, port 23…I know why. [laughs] Because it’s probably trying to Telnet directly into the Raspberry Pi. It’s not being redirected.
That wasn’t much fun, but let me show you something that you’ll really think is cool. By the way, I found that out because I also tried to do this with SSH, and I kept SSH‑ing into the Raspberry Pi. That messed me up.
Let’s do this. It’s not in the picture, because I added it after the fact. But I have an R6, a router six, which is actually a 2901 series router. My R2, 3, 4 and 5 are all 2621s; that R2 that we just logged into is a 2621XM.
It turns out that they do support HTTP connectivity over IPv4, but I couldn’t get it to accept IPv6 connectivity. As I said, I have a 2901 series, and its address, if you look at the pattern that I have here, notice that R2 has a 12, R3 has a 13, so following that same pattern, R6 is going to have ::16.
Since I created this, I know this. It’s not like you’re expected to know that, but I have that. Let’s check, first of all, if I can reach that. I’m going to ping from my Raspberry Pi to 2001:DB8:0:1::16, and let’s just get five pings. See if I can…64, yeah, I’m getting replies. That router is up and ready to receive.
I can test it, let’s see if I can test it, will be a good way. Let’s go ahead and just directly try to access it. Let’s bring this guy up, and I don’t need, since it has connectivity, but I’m going to try to browse to its IPv4 address which is 10.2.1.6. Let’s see if it’s going to allow me in…”Unable to connect,” OK, so I have a configured connectivity.
But I do. Take my word, it is up and ready to receive connections. I want to see if I can access it, or hit it, by redirecting the port. Here’s what I want to do. If I look at this laptop, I want to try to hit this address, IPv6‑wise, on…and I’m going to pick a [inaudible 10:54] like port 27; I don’t even have that one memorized.
It’s just some port that my Raspberry Pi isn’t going to interfere with by accidentally listening on. I want to have it redirected not only to a different IPv6 address, but to a different port. Coming in on port 26, I want it to flip it over to port 80. We go back, and I should just be able to hit the [inaudible 11:16] so as not to have to retype all this.
Let’s change that to an 80. By the way, this is kind of small. Let’s go to my options. Let’s see. There you go. A little bit larger so you can see it.
All I’ve done so far is change that ending, the destination port, to 80. Remember it’s 6, so this is going to be ::16. The destination port I change to some random port like 27, no big deal. Anything else? I want to get rid of the -D, because I can’t delete something that doesn’t exist yet, so let’s add that in, and I believe that’s all I need.
One last thing before I do this, because if I can’t actually hit the device…I was able to ping it right up here, I was able to ping it.
Let’s review what I have done, or what I am trying to do. I want to try to create a connection attempt via HTTP, but HTTP over IPv6. I’m going to point to this address and it should redirect me to router 6, which is ::16 at the end.
Let’s check it. I can do that by once again trying Telnet. Actually, no. Let’s try this. Let’s do this. Let’s stop that. I want to go to 2001:DB8: and let me shrink this a little bit so you can see what I am doing.
That’s the address I want right there, so 1:1::2. That’s the address, and I want to go on, what did we say, 26 or 27? I should look at that too. Let’s see, where did you go, we changed that to a 27. That’s not at 27. I should’ve copied and pasted it.
Let’s try this again. 2001:DB8:1:1::2, port 27. This time I’m going to be smart and select it so I can have it at the ready in case I do something wrong. Look at that, it’s prompting me for login credentials. It turns out, by the way, kind of a heads up, I didn’t name this one R6 to match the other names like R2, 3, 4, 5. This is just the 2901 series router, which would accept IPv6 connections.
Let’s go ahead and log in, see if it lets me. Look at that, Cisco Configuration Professional, here I am. I am on this device, I have hit this device. According to my window, I am going to port 27. If I go back to my Raspberry Pi, I can check.
Let’s go ip6tables -t nat, that is the nat table. I’m going to do -L -v, v is for verbose, so I can see if I got any hits. Look at that, I have bytes that are coming in on port 27, kicking over to this IPv6 address on this port. If I really want to verify, I can even go back to my device, like my 2901 series device. Let’s see. I don’t want to do it from here, I want to do it from, let’s see if it will let me. 2001:DB8:1:1::2, and the Telnet should work. That’s right. It’s going to try to Telnet into the Pi.
Anyway, one of the things I recommend doing, and you could use a debug command for it, if you want to see if the traffic gets there: debug IPv6 packets is a good one, or you can create an access list to watch for it. Since I’m having trouble hitting R6 because the Pi is getting in the way, let me show you, if you really need to see the traffic.
Let’s go ahead and go into router 2, and I’m going to create an IPv6 access list and name it, I don’t know, IPv6. Let’s permit, let’s go TCP from anywhere to anywhere as long as it’s addressed to port 80. Let’s try that. Anything coming in on port 80. Now I can do a debug on this where I am watching for just that traffic, because any time you debug IP or IPv6 packets you are overloading the device, or you are in danger of it.
Watch this, I will do a debug IPv6 packet and then I can [inaudible 16:12] the question mark one of the options is I can apply an access list. I named the access list IPv6. I don’t need the detailed options so I will just hit that. Right now, nothing’s happening because nobody is trying to access this device on port 80, but let’s go back to our Raspberry Pi and let’s put in something that redirects traffic.
Now, it’s useful to have this picture. I want to direct traffic to this address, the ::12, and I want to send it to port 80.
Let’s do that. Port 80, ::12, --to-destination, and let’s do this. This is what I was showing you before. You don’t even have to do port redirection. I’ll say just 80, so leave it on port 80 but send it over there, and I’m adding this in.
To test this I need to attempt to, from a browser on my laptop…Look at this picture, I want to open a browser on here and try to access this address on port 80. Let’s see what we get. Bringing it up, and I will just do a tab, and it’s 2001:DB8: And the whole reason for this is, how can I verify on the receiving device that anything is even happening?
2001:DB8:1:1::2, and we said port 80, so I don’t need to do anything. It’s already going to be port 80. Hit enter. Now, it is not going to work. This was the issue I was having, but you’ll notice if I go back to router 2. Look at all that debug traffic that is now showing up, and I know for a fact that it’s the only debug I have running, and that access list is only going to show hits if it’s coming in on port 80.
This is before I realized that. I can’t get my HTTP access to work on IPv6. It’s platform dependent. My 2901 can do it.
Let me just see if the traffic is getting there. This is a very useful way to do that. As I said at the outset, for a small $40 investment you can get yourself a Raspberry Pi running, it’s Linux, mine is Kali Linux, and do your own IPv6 port redirection.
Do that inside your college dorm room or wherever you need to do it, because where there exists a need, no matter how pure you want to keep the standard, if there are people willing to purchase the option, it’s going to happen. I wanted to show you one way it could be done.
If you have any questions or comments, please feel free to post them.
Until next time.
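The ip6tables commands typed in the video, collected into a small script (added here; this is not code from the video or from Interface Technical Training). It builds the PREROUTING DNAT rule the demo uses, adds it only if it is not already present, shows the packet and byte counters that confirm hits, and removes it again. The interface name, the 2001:db8::/32 addresses and the ports are assumptions that follow the demo's pattern. It also covers a point the demo relies on without saying so: DNAT only rewrites the destination, so the Pi must have IPv6 forwarding enabled and its FORWARD chain must accept the redirected connection. By default the script only prints the commands; set DRY_RUN=0 and run it as root on a kernel with IPv6 NAT support to apply them.

```shell
#!/bin/sh
# Added example, not from the video. Wraps the ip6tables DNAT rule shown in
# the demo so it can be built, added, checked, listed and deleted consistently.
# Assumed values: uplink interface eth0, documentation-prefix addresses
# (2001:db8::/32) for R2 and R6, and the demo's ports 22 -> 23 and 27 -> 80.
# DRY_RUN=1 (default) only prints commands; DRY_RUN=0 runs them (needs root).
set -f   # no globbing: "[2001:db8::1]:23" would otherwise be a glob pattern
DRY_RUN="${DRY_RUN:-1}"

# Rule specification for a PREROUTING DNAT rule: TCP arriving on interface $1
# for port $2 is rewritten to [$3]:$4. The IPv6 address is bracketed so the
# trailing :port is unambiguous.
dnat_rule_spec() {
    printf 'PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination [%s]:%s' \
        "$1" "$2" "$3" "$4"
}

# Print (dry run) or execute an ip6tables command against the nat table.
nat_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ip6tables -t nat %s\n' "$*"
    else
        ip6tables -t nat $*
    fi
}

# Add the rule only if an identical one is not already there (-C exits 0 when
# the rule exists), so re-running the script does not stack duplicates.
add_dnat() {
    spec=$(dnat_rule_spec "$@")
    if [ "$DRY_RUN" = 1 ] || ! ip6tables -t nat -C $spec 2>/dev/null; then
        nat_cmd -A $spec
    fi
}

# Remove the rule: the demo's "change the -A to a -D".
del_dnat() {
    nat_cmd -D $(dnat_rule_spec "$@")
}

# List the nat PREROUTING chain with counters, numerically (-L -v -n); the
# pkts/bytes columns are how the demo confirms the rule is being hit.
show_hits() {
    nat_cmd -L PREROUTING -v -n
}

# Prerequisites the demo does not mention: after DNAT the packet is routed to
# the inside host, so forwarding must be on and the filter FORWARD chain must
# accept the redirected connection (stock images usually default to ACCEPT).
forwarding_prereqs() {
    if [ "$DRY_RUN" = 1 ]; then
        echo 'sysctl -w net.ipv6.conf.all.forwarding=1'
        echo 'ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        echo 'ip6tables -A FORWARD -i eth0 -m conntrack --ctstate DNAT -j ACCEPT'
    else
        sysctl -w net.ipv6.conf.all.forwarding=1
        ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ip6tables -A FORWARD -i eth0 -m conntrack --ctstate DNAT -j ACCEPT
    fi
}

# Walk through the demo: 22 -> R2's Telnet, 27 -> R6's HTTP, show counters,
# then remove both rules again.
main() {
    forwarding_prereqs
    add_dnat eth0 22 2001:db8:0:1::12 23
    add_dnat eth0 27 2001:db8:0:1::16 80
    show_hits
    del_dnat eth0 22 2001:db8:0:1::12 23
    del_dnat eth0 27 2001:db8:0:1::16 80
}
main
```

Note that a port with no PREROUTING rule is delivered to the Pi itself, which is why the video's Telnet to port 23 and SSH to port 22 landed on the Raspberry Pi rather than on R2; the rule spec above is the complete match, so anything outside it is not redirected. The counters from `show_hits` are the same `-L -v -n` output the video reads to confirm the 72 bytes of redirected traffic.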
Mark Jacob, Cisco and CompTIA Network+ Instructor – Interface Technical Training, Phoenix, AZ