I am hoping to use iptables to silently redirect incoming traffic arriving at a privileged port on the public eth interface (public IPv4 address) to a hidden unprivileged port on the same Ubuntu box. The ufw firewall is active. There are other options, of course, such as capabilities, or a privileged process copying traffic to the unprivileged port, or a privileged process dropping its privs after bind, etc., but to me at least iptables seems to be the most appealing.
The dummy interface solution in DNAT to 127.0.0.1 with iptables / Destination access control for transparent SOCKS proxy would be perfect for me (once I insert an extra 'dev' keyword into the ip add addr... command). Except for one thing:
- I must open the firewall up for incoming traffic to the IP of the dummy interface on the hidden port
As far as I can see, this allows others to send incoming traffic directly to that IP:port, should they be able to guess the roughly 40 bits of hidden info (a private IPv4 address + a port).
Is there a solution where no outside traffic can reach that hidden port, unless the original dest IP is the public IP of the box, and the dest port is the privileged port?
[In everyday terms, the dummy interface solution is like having my buddy come to my club, and telling him that here is a VIP pass, take it to the back entrance, and the bouncer will let you in. He will get in, sure, but anyone else may try to fool the bouncer with a fake pass. Can I instead escort my buddy to the back entrance, tell the bouncer he is good, and walk in with him? In other words, can I mark this NATted packet somehow that the firewall rules are bypassed on it?]
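One way to get the "escort to the back entrance" behaviour asked about above, as an added example that is not part of the question or of any answer on this page: tie the INPUT-chain accept rule to the connection-tracking entry rather than to the packet's (rewritten) destination. The conntrack match exposes the connection's original destination (`--ctorigdst`, `--ctorigdstport`) and a virtual `DNAT` state that is only set on connections whose destination was rewritten, so the hidden port accepts a packet only if it arrived as public-IP:privileged-port and was DNATted; a packet sent straight to the dummy IP and hidden port never acquires that state and falls through to ufw's default deny. The addresses, interface and ports below (203.0.113.10, eth0, 443, 10.99.0.1 on the dummy interface, 8443) are hypothetical placeholders, and `IPT=echo` turns the script into a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original question): redirect a privileged public
# port to a hidden unprivileged port on the same host, and accept the redirected
# packets only when conntrack records the ORIGINAL destination as the public
# ip:port. All addresses/ports are hypothetical placeholders.
set -eu

# Set IPT=echo to dry-run: the rules are printed instead of applied.
IPT=${IPT:-iptables}

# Usage: setup_redirect <public_ip> <iface> <public_port> <hidden_ip> <hidden_port>
setup_redirect() {
    pub_ip=$1; iface=$2; pub_port=$3; hid_ip=$4; hid_port=$5

    # 1. Rewrite the destination before routing. nat/PREROUTING runs before
    #    filter/INPUT, so INPUT already sees hid_ip:hid_port as the destination,
    #    but conntrack remembers what the client actually dialled.
    $IPT -t nat -A PREROUTING -i "$iface" -p tcp -d "$pub_ip" --dport "$pub_port" \
        -j DNAT --to-destination "$hid_ip:$hid_port"

    # 2. Accept traffic to the hidden port ONLY if the connection was DNATted and
    #    its original destination was the public ip:port. ctstate DNAT is a
    #    connection-level flag, so every packet of the flow (not just the SYN)
    #    matches. Inserted at position 1 so it runs before ufw's own chains.
    $IPT -I INPUT 1 -i "$iface" -p tcp -d "$hid_ip" --dport "$hid_port" \
        -m conntrack --ctstate DNAT --ctorigdst "$pub_ip" --ctorigdstport "$pub_port" \
        -j ACCEPT

    # 3. Anything else from the public interface aimed at the hidden port is
    #    dropped here explicitly, so a later (too broad) ufw allow rule cannot
    #    reopen it. Position 2 keeps it right behind the accept rule.
    $IPT -I INPUT 2 -i "$iface" -p tcp -d "$hid_ip" --dport "$hid_port" -j DROP
}

# Print the live state so the effect can be checked after applying:
# packet/byte counters on the accept rule should grow only when clients hit the
# public port, never when they probe hid_ip:hid_port directly.
show_state() {
    $IPT -t nat -L PREROUTING -n -v
    $IPT -L INPUT -n -v --line-numbers
}

# Apply only when explicitly asked (needs root); otherwise the file just defines
# the functions so it can be sourced or dry-run.
if [ "${1:-}" = "apply" ]; then
    setup_redirect 203.0.113.10 eth0 443 10.99.0.1 8443
    show_state
fi
```

Two practical notes. ufw rewrites its own chains on `ufw reload` and at boot, so rules inserted directly into INPUT and PREROUTING like this are not persistent; the ufw-native place for them is `/etc/ufw/before.rules` (it supports a `*nat` section for the DNAT rule and the filter rules go in the `*filter` section before ufw's jump rules). Also bind the hidden service to `10.99.0.1` only, not `0.0.0.0`, so the only path to it is the DNAT; with this rule set a direct probe of `10.99.0.1:8443` from eth0 lacks the DNAT conntrack state and is dropped, and an attacker guessing the dummy address and port gains nothing.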