Author: Ian (Larry) Latter <Ian.Latter@mq.edu.au>
Status: request for inclusion

This adds the CONFIG_IP_NF_RSH option, which is the RSH connection
tracker.

An RSH connection tracker is required if the dynamic stderr "Server
to Client" connection is to occur during a normal RSH session. This
typically operates as follows:

  Client 0:1023 --> Server 514      (stream 1 - stdin/stdout)
  Client 0:1023 <-- Server 0:1023   (stream 2 - stderr)

This connection tracker will identify new RSH sessions, extract the
outbound session details, and notify netfilter of pending "related"
sessions.


Usage:

The intended usage of this module would be with a ruleset such as:

  # New session from client to server (stream 1)
  -A PREROUTING -t nat -m state -i eth0 -p tcp -s ${client}
     --sport 0:1023 -d ${server} --dport 514 --state
     NEW,ESTABLISHED -j ACCEPT

  # Continued session from server to client (stream 1)
  -A PREROUTING -t nat -m state -i eth1 -p tcp -s ${server}
     --sport 514 -d ${client} --dport 0:1023 ! --syn
     --state ESTABLISHED -j ACCEPT

  # New session from server to client (stream 2)
  -A PREROUTING -t nat -m state -i eth1 -p tcp -s ${server}
     --sport 0:1023 -d ${client} --dport 0:1023 --state
     RELATED,ESTABLISHED -j ACCEPT

  # Continued session from client to server (stream 2)
  -A PREROUTING -t nat -m state -i eth0 -p tcp -s ${client}
     --sport 0:1023 -d ${server} --dport 0:1023 ! --syn
     --state ESTABLISHED -j ACCEPT


Warning:

  This module could be dangerous. It is not "best practice" to use
RSH; use SSH in all instances. (rfc1244, rfc1948, rfc2179, etc.
ad nauseam)
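The "extract the outbound session details" step described for the tracker above, as an added user-space model (example code, not the patch's own kernel code): it assumes the standard rcmd wire format, in which the client's first bytes on the port 514 stream are the stderr listener port as ASCII decimal terminated by NUL ("0" meaning no stderr stream), and it only registers an expectation for a port inside the 0:1023 range that the stream 2 rule above accepts.

```python
# Added example, not part of the RSH conntrack patch.  Models the decision an
# RSH helper makes on the first client payload of a new client -> server:514
# session: which server -> client flow should netfilter later treat as RELATED?
# Assumes the rcmd wire format: "<stderr-port>\0<locuser>\0<remuser>\0<cmd>\0".
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Expectation:
    """A pending 'related' flow: server (any port 0:1023) -> client:dst_port."""
    src_ip: str    # server
    dst_ip: str    # client
    dst_port: int  # stderr port the client announced


def parse_stderr_port(payload: bytes) -> Optional[int]:
    """Return the announced stderr port, or None if the prefix is malformed."""
    nul = payload.find(b"\0")
    if nul <= 0 or nul > 5:            # expect 1..5 ASCII digits before the NUL
        return None
    digits = payload[:nul]
    if not digits.isdigit():
        return None
    return int(digits)


def rsh_expectation(client_ip: str, server_ip: str,
                    payload: bytes) -> Optional[Expectation]:
    """Decide whether a stream-2 expectation should be registered.

    No expectation is created when the client asks for no stderr stream ("0")
    or announces a port outside 0:1023, so the tracker never opens a hole the
    accompanying ruleset would not have matched anyway.
    """
    port = parse_stderr_port(payload)
    if port is None or port == 0:
        return None
    if port > 1023:
        return None
    return Expectation(src_ip=server_ip, dst_ip=client_ip, dst_port=port)


if __name__ == "__main__":
    # Constructed sample request: stderr port 1022, then users and command.
    sample = b"1022\0alice\0alice\0uptime\0"
    print(rsh_expectation("192.0.2.10", "192.0.2.20", sample))
```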