Redirecting outgoing TCP/IP port requests in Windows?

My ISP has recently taken to blocking many ports for every customer, even commercial customers like me who pay a higher price so that we can make security decisions like that for ourselves. And they refuse to unblock the ports at all, claiming it’s a corporate decision that they can’t undo.

Unfortunately, a couple of the ports they’ve chosen to block are relatively vital to some of my customers – port 119, which is how my customers connect to my NNTP news server, and port 139, which is how they were set up to map folders on their remote machines to drive letters on their local machines. (I know that mapping drives via the built-in sharing setup of Windows is not very secure, but it’s extremely convenient, and security is already taken care of by various hardware and software firewalls.)

Since the news server is on my Linux server, it is pretty trivial to redirect a non-blocked incoming higher port to local port 119, so that they can access the news server from, say, port 8119. And, with Windows XP’s built-in firewall, I have been able to map incoming local port 8139 to local port 139, so theoretically the services could easily be accessed – if I could change the ports that the news client and SMB file-sharing client attempted to use.

But unfortunately, I can’t change the ports. I could change the NNTP port if my customers used a normal newsreader like Outlook Express or some other newsreader, but they use a proprietary news client that was programmed long ago and has port 119 hard-coded in, and they do not want to change.

And similarly, although Samba under Linux allows you to specify whatever port you want to use, and therefore I can map drives just fine using Samba from a Linux box, Windows’s “Map Drive” and “NET USE” commands have no such option, and always use port 139.

So, my desperate plea would be this: does anybody know of any software for Windows that will somehow intercept outgoing TCP/IP requests for <host X>:<port Y> and change them to <host X>:<port Z>? As I said, there is software to do it for incoming ports – AnalogX Portmapper and the built-in Windows XP firewall can easily map incoming ports to other ports. But what about outgoing ports? Is there any way to do that? Anybody have any idea how difficult it would be for a utility to do something like this?

Any help would be greatly appreciated. I sure hope there’s some way to get this done short of having to install Linux machines as gateways for all of my customers…

Get them to change their newsreader, make up some nasty security flaw.

It might be possible to use a hex editor to change the port in the proprietary software.

Open it up, search for 119, and see what you find. XVI32 is good and free.

Yeah, I tried hex editing a while back (using XVI32, as a matter of fact – that program is really great, and freeware), but unfortunately the program does some kind of CRC check when it starts.

And, I’m more concerned with the drive mapping than the newsreader – at least there are better alternatives for a newsreader out there, whereas the only alternatives for mapping drives on remote computers are expensive NFS implementations that don’t actually work very well. Too bad there’s no Samba for Windows – the smbmount command at least has the option for specifying which port to use.

But a general purpose solution for redirecting outgoing ports would be my ideal here, if anybody has any ideas.

Netfilter: http://www.netfilter.org/

Build-your-own router. Take a cheap PC, install two ethernet ports, load linux, configure netfilter. Give it to client.

Yes, as I said, having a Linux box as a gateway for my clients would solve the problem, with more possible ways to do it than just using netfilter; with Linux, I could use smbmount to mount the remote Windows shares as a Linux directory, and then map a drive on the local Windows machines to that directory on the Linux box.

But that would require me building, installing, and maintaining eight new Linux PCs, two of which are located more than an hour away from me. A piece of software similar to AnalogX Portmapper that worked for outbound ports instead of incoming ports would be ideal for me, because I could install that on all of their computers remotely.

… and, in case this part wasn’t clear, what I meant by “two of which are located more than an hour away from me” was that each of those two Linux boxes would have to be installed at an office that is more than an hour away from me, since those customers are waaaaaaaaaaaay out in the outskirts. Thus adding to the already considerable expense and inconvenience of building, configuring, and installing eight Linux boxes in various locations.

I do know that Exchange server can be fooled into thinking SMTP isn’t on port 25 by editing the ‘smtp’ entry in c:\winnt\drivers\etc\services. It is possible (though admittedly unlikely) that your app plays nice with this file. It’s slightly more likely that the OS does use it to figure out the SMB port. Bear in mind that if it does work for the OS it’ll change both outgoing and incoming ports - making the computers drop off their local nets. (Of course I should just really recommend that you don’t do SMB over the Internet, but…)

Good luck!

Oops! The ‘drivers’ folder might be in c:\winnt\system32. Don’t have a PC in front of me to check.

Chorpler, why not set up a VPN between your site and your clients’ sites? Then there is no need to modify your target ports or the applications involved.

Granted, there will be a performance hit from the overhead of VPN, but this might outweigh the bother involved in modifying your apps.

I don’t want to harp on this but it is really very bad practice to open your NetBIOS ports to the big bad world.

As others have mentioned, a form of network address translation would do this - as might a proxy on the client’s network.

Basically, you’re looking for something I would describe as reverse port address translation.

I’d love to know what you find (apart from the Linux solution you’ve already discounted).

Max.

Oh yeah, micilin, thanks for mentioning that. I did try something with that a while back, but I never got it working. (And the path for the file is c:\windows\system32\drivers\etc\services on my installation of Windows XP … though most people probably have it as c:\winnt and not c:\windows.) I’m going to go try it again to see if I can get it working this time …

… (half an hour and two reboots later) … darn, I still can’t make it work. It’s too bad, because if it did work, I could just set all the computers on each LAN to use the same port, so they would still be able to share files with each other too.

Hmm … maybe I could use XVI32 to edit the NET.EXE program, or the DLL or whatever that it actually uses to establish the SMB connection when mapping a drive with the NET USE command, and change port 139 that way. Does anybody have any idea what file I would need to edit? I would think it couldn’t just be NET.EXE, since you can also map a drive with the “Map Network Drive …” menu selection from the Windows GUI itself and it doesn’t seem to actually call NET.EXE…

Just a followup - many hardware firewalls/NAT/routers will do this - Firebrick is just one: http://www.firebrick.co.uk/wf1730/techref/mapping.html

Hope this helps,
Max.

I did actually try setting up a VPN between myself and the clients earlier, just using Windows XP’s built-in VPN capabilities, and I couldn’t get it to map a drive over the VPN connection – it just kept trying to use the regular Internet connection and port 139, which was of course filtered out by the ISP. And … wow, I just got it working! You’re my new hero, Maxxxie (and you too, Nametag, don’t worry!). Okay, so that takes care of – and vastly enhances the security of – the file sharing problem. Unless there is any VNC software that is better than Microsoft’s built-in stuff that is also free, I’m satisfied.

Hmm, now I realize that I only tested it between directly-connected-to-the-Internet Windows XP machines. Will Windows XP’s built-in VPN client and server allow you to connect to and from a Linux machine?

Maxxxie, that’s good news … and if it can be done with a hardware firewall/NAT/router, it should be possible to do with a piece of software running right on the Windows machine, right?

Too bad nobody seems to have written such a program yet. :(
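The “outbound port mapper running on the client machine” that the thread keeps asking for, as an added example that is not from any poster: a small user-space TCP relay. The hard-coded client is pointed at the relay’s listening address (for the newsreader, a hosts-file entry for the news server’s name pointing at the machine running the relay), and the relay connects onward to the real server on the unblocked port; every host and port in the code is a constructed demo value, and the echo server only stands in for the real service.

```python
# Added example, not from the thread: a user-space outbound port mapper that listens where a
# hard-coded client connects and relays to the real server on an unblocked port (values constructed).
import socket
import threading
from contextlib import suppress

def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF (or errors), then half-close dst."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(client, target):
    """One accepted client: connect to the real service and pump both directions."""
    try:
        upstream = socket.create_connection(target)
    except OSError:
        client.close()  # real service unreachable: drop this client cleanly
        return
    with client, upstream:
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()

def _serve(listen, handler):
    """Bind (host, port) (port 0 = any free port) and run handler on each connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(listen)
    srv.listen(16)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def start_forwarder(listen, target):
    """Map local `listen` to remote `target`, e.g. ("127.0.0.1", 119) -> (news_host, 8119)."""
    return _serve(listen, lambda conn: _relay(conn, target))

def relay_roundtrip(payload):
    """Self-check: client -> forwarder -> constructed echo server -> back; returns the echo."""
    echo = _serve(("127.0.0.1", 0), lambda conn: _pump(conn, conn))
    with socket.create_connection(start_forwarder(("127.0.0.1", 0), echo)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))
```

The relay carries the traffic exactly as the client sent it, so it does nothing for the security of the protocol behind it; for file sharing the VPN route discussed above remains the better fix.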