intro: I really need to write some proper docs, don't I :-)

louis@steelbytes.com
support: http://forum.steelbytes.com

********** [ Main options ] **********

Enabled: enables/disables this port mapping.

port in and bind address: is what PortTunnel will listen on.

port out and address out: is where valid connections will have their data tunneled to.

add to total stats: adds the active connections, KB/s in and KB/s out of this entry to the total values in the title bar.

********** [ end Main options ] **********

********** [ IP Security options ] **********

main text window: enter the IPs you want to accept/block.

search for ip: lets you ask which line will decide the result of a connection request from a chosen IP.

redirect bad IPs: allows you to redirect 'blocked' IPs to a different ip/port.
if this is ticked and has 0 for the port or a blank address, the IP will be blocked.
if this is ticked and has neither 0 for the port nor a blank address, the IP will be redirected.
if this is unticked and you are using win2k/xp, the IP will be blocked and the port placed in stealth mode (the client doesn't receive any reply to the attempted connection); it will just time out as though there was no server PC at that address/port at all.
if this is unticked and you are not using win2k/xp, the IP will be blocked.

advanced stuff ........

to use an external file for the ips, do something like the following
1. in the IP Security tab, enter i,c:\valid_ips.txt
2. create c:\valid_ips.txt, and use the same syntax inside it eg.
   y,127.0.0.1
   y,12.34.56.78
   n,* // etc
and then every time you modify c:\valid_ips.txt, porttunnel will notice and reload it (it checks the date/time stamp every 30 seconds). so have your perl script (or whatever method you choose) generate/update c:\valid_ips.txt whenever you want.

you can even 'nest' these files, ie have c:\valid_ips.txt include another file with the 'i' syntax. you can also have multiple includes, etc.
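The following is an added example, not PortTunnel's own code, that models how the y/n/i list above is evaluated: includes are expanded in place, the first matching line decides (an assumption, since the page only says one line "will decide"), and an address no line matches is treated as blocked (also an assumption). The file contents are constructed in memory and mirror the ftp example given further down.

```python
# Constructed in-memory stand-in for the files in the example; the real
# program reads them from disk and reloads when the timestamp changes.
FILES = {
    r"c:\ftp_valid_ips.txt": [
        r"i,c:\global_ban_list.txt",
        "y,34.56.78.99 // a friend I let use ftp",
        r"i,c:\global_ok_list.txt",
        "n,*",
    ],
    r"c:\global_ok_list.txt": ["y,66.66.66.66 // a friend I let use every thing"],
    r"c:\global_ban_list.txt": ["n,33.44.66.77 // a lamer I hate"],
}
FTP_TAB = [r"i,c:\ftp_valid_ips.txt"]   # contents of the ftp mapping's IP Security tab


def rules(entries, files, source="IP Security tab", seen=frozenset()):
    """Yield (source, lineno, verdict, pattern) in evaluation order, expanding
    'i,<file>' includes in place; an include loop is skipped rather than recursed
    (assumption: the page does not say how PortTunnel handles a loop)."""
    for lineno, raw in enumerate(entries, 1):
        text = raw.split("//", 1)[0].strip()       # drop // comments and blank lines
        if not text:
            continue
        kind, _, arg = text.partition(",")
        kind, arg = kind.strip().lower(), arg.strip()
        if kind == "i":
            key = arg.lower()
            if key not in seen:
                yield from rules(files.get(arg, []), files, arg, seen | {key})
        elif kind in ("y", "n"):
            yield source, lineno, kind, arg


def search_for_ip(entries, files, ip):
    """Model of the 'search for ip' button: the first matching line decides,
    '*' matches any address, and an IP that no line matches is blocked
    (assumption: fail closed). Returns (allowed, source, lineno, line)."""
    for source, lineno, kind, pattern in rules(entries, files):
        if pattern == "*" or pattern == ip:
            return kind == "y", source, lineno, f"{kind},{pattern}"
    return False, None, 0, None
```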
here's an example I just typed up, to show you the flexibility ....

----- [start example] -----

----- [in ftp port mapping IP security tab] -----
i,c:\ftp_valid_ips.txt
----- [end] -----

----- [in irc port mapping IP security tab] -----
i,c:\irc_valid_ips.txt
----- [end] -----

----- [in file c:\ftp_valid_ips.txt] -----
i,c:\global_ban_list.txt
y,34.56.78.99 // a friend I let use ftp
i,c:\global_ok_list.txt
n,*
----- [end] -----

----- [in file c:\irc_valid_ips.txt] -----
i,c:\global_ban_list.txt
y,12.45.12.45 // a friend I let use irc
i,c:\global_ok_list.txt
n,*
----- [end] -----

----- [in file c:\global_ok_list.txt] -----
y,66.66.66.66 // a friend I let use every thing
----- [end] -----

----- [in file c:\global_ban_list.txt] -----
n,33.44.66.77 // a lamer I hate
----- [end] -----

----- [end example] -----

try studying the default stuff in the IP Security tab, which has simple examples showing the syntax.

********** [ end IP Security options ] **********

********** [ HTTP options ] **********

prefix http 1.1 connect: this is for tunneling out through a proxy. eg. you are at work, and work only allows you to connect to the inet via a proxy, but you want to use IRC.
1. create a port mapping on 127.0.0.1:6667 redirecting to the proxy address (eg proxy.company.local:8080).
2. tick prefix http connect, and enter the details of the irc server eg ircserver.ircnetwork.net:6667
3. point your IRC client to 127.0.0.1:6667.
note: this won't work in all cases, as sometimes the proxy is configured to disallow connections with this method to some ports.

Add ProxyAuthenticate: use this in the above example if the proxy server requires a user/password (only works with 'basic' style proxy authentication).

Fix Port Numbers: this will change the port number in the http url request (including Header and Location). Why ?
So if you are redirecting, say, from port 80 to 81, then without this the http server would receive a request with port 80 in the url, which may confuse it since it thinks it's on 81.

Note there is currently a side effect of this switch: if the http server replies with a redirect (eg http 301 or 302) that points to a different server, then the port may be incorrectly changed by PortTunnel.

eg (assuming that porttunnel is listening on 81, and the http server is on 82)

client sends
  GET http://test.server:81/folder HTTP/1.1
  Host: test.server

portTunnel changes it to
  GET http://test.server:82/folder HTTP/1.1
  Host: test.server:88

and IIS will send back a
  HTTP/1.0 302 Moved Temporarily
  Location: http://test.server:82/folder/

and PortTunnel changes it to
  HTTP/1.0 302 Moved Temporarily
  Location: http://test.server:81/folder/

note: if a port to be added/changed in the url is 80, then it is omitted, as port 80 is the default for http and is therefore not required.

Add X-Client-Address to request header: adds a line to the request of the form
  X-Client-Address: aaa.bbb.ccc.ddd
this may be useful for some logging or scripting purposes.

********** [ end HTTP options ] **********

********** [ FTP options ] **********

translate ftp port and pasv: if you are redirecting an ftp connection, tick this (this is also known as 'FTP Bouncing'). PortTunnel will create port mappings for each data connection as needed when this is ticked.

use alternate address in pasv replies: this is for when your ftp server is behind a nat/router/etc. tick this, and stick in the public ip of the nat/router.

Only for clients in a different subnet (Class C): the alternate address will only be used if the client is connecting from an IP that is not in the same class C subnet. (eg 192.168.0.1 and 192.168.0.10 are on the same class C subnet, but 192.168.0.1 and 192.168.1.1 are not)

Use the following port range for pasv: this is if you wish to restrict the port range used for PASV mode transfers.
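An added example (not PortTunnel's own code) of the Fix Port Numbers rewrite from the HTTP options above, using the page's 81/82 exchange as constructed input. In the response direction it only touches Location headers that name the tunneled server, which is one way to avoid the side effect the page notes for redirects to a different server; port 80 is omitted, as described.

```python
import re


def _with_port(host, port):
    """host[:port], omitting :80 because it is the HTTP default (as PortTunnel does)."""
    return host if port == 80 else f"{host}:{port}"


def _swap_port(text, host, old_port, new_port):
    """Rewrite each 'host[:port]' in text whose port is old_port (no port means 80)
    to host[:new_port]. Other hostnames and other ports are left untouched."""
    pat = re.compile(r"(?<![\w.-])" + re.escape(host) + r"(?::(\d+))?(?=[/\s]|$)")

    def repl(m):
        return _with_port(host, new_port) if int(m.group(1) or 80) == old_port else m.group(0)

    return pat.sub(repl, text)


def fix_request(request, host, listen_port, server_port):
    """Client -> server: the absolute URL in the request line loses the listening
    port and gains the server's real port; the Host header is made to match."""
    lines = request.split("\r\n")
    lines[0] = _swap_port(lines[0], host, listen_port, server_port)
    for i, line in enumerate(lines[1:], 1):
        name, _, value = line.partition(":")
        if name.strip().lower() == "host" and value.strip().split(":")[0] == host:
            lines[i] = f"{name}: {_with_port(host, server_port)}"
    return "\r\n".join(lines)


def fix_response(response, host, listen_port, server_port):
    """Server -> client: put the listening port back into Location headers. Only
    redirects to our own server host are rewritten, so a redirect to a different
    server keeps its port (the side effect the page describes)."""
    lines = response.split("\r\n")
    for i, line in enumerate(lines):
        if line.split(":", 1)[0].strip().lower() == "location":
            lines[i] = _swap_port(line, host, server_port, listen_port)
    return "\r\n".join(lines)


# Constructed sample exchange matching the page's example: PortTunnel on 81, IIS on 82.
REQUEST = "GET http://test.server:81/folder HTTP/1.1\r\nHost: test.server\r\n\r\n"
REDIRECT = "HTTP/1.0 302 Moved Temporarily\r\nLocation: http://test.server:82/folder/\r\n\r\n"
ELSEWHERE = "HTTP/1.0 302 Moved Temporarily\r\nLocation: http://other.server:82/x/\r\n\r\n"
```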
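An added example (not PortTunnel's own code) of the PASV translation the FTP options above describe, with the alternate address, the "different subnet (Class C)" check and the pasv port range all modelled. Assumptions: the subnet check compares the client against the LAN address PortTunnel sits on, the non-alternate reply carries that same address, and an exhausted port range is answered with a 425; the addresses are constructed.

```python
import ipaddress
import re

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Extract (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(ip, port):
    return "227 Entering Passive Mode (%s,%d,%d)" % (ip.replace(".", ","), port // 256, port % 256)


def same_class_c(a, b):
    """The page's 'same class C subnet' test: both addresses share the same /24."""
    return ipaddress.ip_network(a + "/24", strict=False) == ipaddress.ip_network(b + "/24", strict=False)


class PasvTranslator:
    """Hypothetical model of one FTP mapping with 'translate ftp port and pasv' ticked."""

    def __init__(self, lan_ip, alternate_ip=None, only_other_subnet=False, port_range=(5001, 5020)):
        self.lan_ip = lan_ip                    # address PortTunnel itself sits on (assumption)
        self.alternate_ip = alternate_ip        # 'use alternate address in pasv replies'
        self.only_other_subnet = only_other_subnet
        self.free = list(range(port_range[0], port_range[1] + 1))  # 'use the following port range'
        self.mappings = {}                      # local data port -> (server ip, server port)

    def translate(self, reply, client_ip):
        """Rewrite the server's PASV reply for one client; returns (reply, local port)."""
        server_ip, server_port = parse_pasv(reply)
        if not self.free:  # range exhausted; assumption: refuse the data connection
            return "425 Can't open data connection.", None
        local = self.free.pop(0)
        self.mappings[local] = (server_ip, server_port)   # per-transfer port mapping
        use_alt = bool(self.alternate_ip) and not (
            self.only_other_subnet and same_class_c(client_ip, self.lan_ip))
        return format_pasv(self.alternate_ip if use_alt else self.lan_ip, local), local

    def release(self, local):
        """Tear down the per-transfer mapping once the data connection closes."""
        self.mappings.pop(local, None)
        self.free.append(local)
```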
eg1, your ftp server is on a home lan behind a hardware router/nat (eg a cable/xdsl sharing device from the likes of netgear). do the following.
1. install porttunnel on a pc on the lan, and configure a mapping with the following settings
   a. listen on port 0.0.0.0:21
   b. redirect to ftp-server-lan-ip:1021
   c. tick translate port & pasv
   d. tick use alternate pasv address, and enter the public address of the nat/router (can be a dns name - eg myaddress.dyndns.org)
   e. tick use the following port range, and enter 5001-5020
2. configure ftp-server to listen on port 1021
3. configure router/nat to redirect port 21 and ports 5001-5020 to the lan-ip of the pc with porttunnel.
if you have problems connecting to this server from other PCs on the same LAN, then tick the 'only for clients in a different subnet' option.

eg2, your ftp server is on a home lan behind a windows router/nat (eg ICS in a recent version of windows, or wingate, etc)
1. install porttunnel on the router pc, and configure a mapping with the following settings
   a. listen on port 0.0.0.0:21
   b. redirect to ftp-server-lan-ip:1021
   c. tick translate port & pasv
2. configure ftp-server to listen on port 1021

note1: port 1021 has been used here as an example. any port that does not clash with anything else is ok.
note2: some nat/routing devices may mess with the data stream if you use port 21. therefore, if you have problems, try a different port like 1021.

Add IDNT: if the target ftp server accepts or requires IDNT, tick this. Note with RaidenFTPD, to use IDNT you have to add the IP of the PC running PortTunnel to the BOUNCERIP= line in the .ftpd file.

********** [ end FTP options ] **********

********** [ SMTP options (licensed only) ] **********

relay filtering ....

********** [ end SMTP options ] **********

********** [ SSL options (licensed only) ] **********

read all the legal stuff about openssl on www.openssl.org, and make sure you are allowed to do this first ....
:-)

[old] download http://www.modssl.org/contrib/openssl-0.9.6c-win32.zip
[old] and place libeay32.dll and ssleay32.dll in the same folder as
[old] porttunnel.exe. If the files are found the message 'OpenSSL not found'
[old] is replaced by the OpenSSL version found and its release date.
[new] openssl 0.9.7 dlls are now included in the standard msi of PortTunnel
[new] Note: the 0.9.6 dlls will not work with porttunnel anymore.

connection from client to porttunnel: the following values are for connections between a client, e.g. a web browser, and porttunnel.

connection from porttunnel to server: the following values are for connections between porttunnel and a server, e.g. a webserver.

note: if the connection from the server is already encrypted and the client should use the server's encryption and server certificates, you should choose the encryption method none at this point, to keep the original encryption.

method: choose an encryption method out of none, ssl v2, ssl v3, ssl v2/3, tls v1.

ciphers: choose some ciphers out of EXPORT:@STRENGTH and ALL:@STRENGTH or enter others yourself (further information at www.openssl.org).

certificate: enter the full path to your certificate file and choose the corresponding format from the listbox. Please make sure the security (under NTFS) is set right.

key: enter the full path to your key file and choose the corresponding format from the listbox. Please make sure the security (under NTFS) is set right. If the key is stored in the certificate file, you can leave this field blank.

password: if the private key has a password, enter it here. you can also remove the password from the key file by entering "openssl rsa -in key.pem -out key.pem". this process needs you to enter the password once.
how to make a "self signed" certificate:

grab openssl.exe from the above zip or compile it from the source on www.openssl.org
place it, and the two dlls, in a folder along with openssl.cnf (grabbed from the source tar on openssl.org)

openssl req -new -x509 -newkey rsa:1024 -nodes -days 9999 -config openssl.cnf -out steelbytes.pem -keyout steelbytes.pem

Country Name (2 letter code) []: AU
State or Province Name (full name) []: Victoria
Locality Name (eg, city) []: Melbourne
Organization Name (eg, company) []: www.SteelBytes.com
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: *.steelbytes.com
Email Address []:

how to then test it:

openssl s_server -accept 443 -cipher ALL:@STRENGTH -www -bugs -cert steelbytes.pem
start https://www.steelbytes.com/

notes:
* Internet Explorer seems to prefer SSL v2/3
* I don't currently distribute compiled versions of the openssl dll files for legal reasons (I've gotta look into if it's ok in Australia)
* tested with 0.9.6c dlls from modssl.org, and 0.9.6d (compiled with VS.NET)
* Refer to the following URL to learn how to get your MS IIS keys working with openssl (replace ssleay with openssl there): http://www.thawte.com/support/server/msiis4.html#iistossl
* Refer to the following URL to learn more about the pem format in conjunction with ssl certs bought from a CA: http://www.thawte.com/support/server/apachessl.html#pemcert

********** [ end SSL options ] **********

********** [ logging and stats options ] **********

logging: this will log info about connections, disconnections, errors etc.
errors will log only errors (eg can't connect to target),
warnings will log errors+warnings (eg dropped connections),
connections will log errors+warnings+connections (eg connection from client has been successfully redirected to target),
full will log everything.

all data: useful for debugging problems - will dump all data to numbered files in this folder (new number for each connection).
note, this is the data received by porttunnel, but may not be what is transmitted by porttunnel. (eg if porttunnel is translating ftp port/pasv, then this is a dump of the untranslated data)

write stats: exports connection stats (number of connects, blocks, KB throughput etc) to a file.

date format:
d     Day of month as digits with no leading zero for single-digit days.
dd    Day of month as digits with leading zero for single-digit days.
ddd   Day of week as a three-letter abbreviation.
dddd  Day of week as its full name.
M     Month as digits with no leading zero for single-digit months.
MM    Month as digits with leading zero for single-digit months.
MMM   Month as a three-letter abbreviation.
MMMM  Month as its full name.
y     Year as last two digits, but with no leading zero for years less than 10.
yy    Year as last two digits, but with leading zero for years less than 10.
yyyy  Year represented by full four digits.
gg    Period/era string. This element is ignored if the date to be formatted does not have an associated era or period string.
For example, to get the following
  Wed, Aug 31 94
use the following string
  dd',' MMM dd yy

time format:
h     Hours with no leading zero for single-digit hours; 12-hour clock
hh    Hours with leading zero for single-digit hours; 12-hour clock
H     Hours with no leading zero for single-digit hours; 24-hour clock
HH    Hours with leading zero for single-digit hours; 24-hour clock
m     Minutes with no leading zero for single-digit minutes
mm    Minutes with leading zero for single-digit minutes
s     Seconds with no leading zero for single-digit seconds
ss    Seconds with leading zero for single-digit seconds
t     One character time marker string, such as A or P
tt    Multicharacter time marker string, such as AM or PM

For example, to get the following
  11:29:40 PM
use the following string
  hh':'mm':'ss tt

********** [ end logging and stats options ] **********

********** [ Misc options ] **********

idle disconnect: allows you to set the number of seconds of inactivity until automatic disconnect, to the value entered at number of seconds until disconnect.

limit bandwidth in: allows you to limit the bandwidth provided per incoming connection to the value entered at bandwidth limit.

limit bandwidth out: same, per outgoing connection.

buf size: if you feel porttunnel is slowing down your throughput, try increasing this value. (only likely to be necessary on very high volume connections)

limit simultaneous connections: allows you to define how many connections can be using the mapping at once (connection attempts above this will be blocked).

Force OOB inline: fixes a few issues with some ftp clients (I've only seen it needed with Bullet Proof FTP client)

********** [ end Misc options ] **********

********** [ TIPS / FAQ ] **********

1. if using IIS for either FTP or HTTP services, IIS will by default (on win2000 and winxp) bind to 0.0.0.0 regardless of what IP you specify.
this can be disabled by:
  cd c:\inetpub\adminscripts
  cscript adsutil.vbs set w3svc/disablesocketpooling true
  cscript adsutil.vbs set msftpsvc/disablesocketpooling true
see MS KB article Q238131 for more info, or do a google.

2. I get "ServiceStart(NT) returned: Overlapped I/O operation in progress"
I have seen this error when you are trying to use it from a location that is not available to the system at boot time, eg a network drive. (Don't ask me why it returns such an error code, blame MS).
If that is not the case, check the NT service list to see if PortTunnel is listed (running or not). If it is, you can remove it from the list by pressing stop (this will stop it if it is running, and remove it from the NT service list). This can be a problem because if you, say, use "net stop PortTunnel" to stop PortTunnel, then copy in a new one at a different location and delete the old one, when you press start in PortTunnel it sees the service in the nt list and just does a "net start PortTunnel", which fails because the entry in the service list points to the old location of porttunnel.exe; whereas if porttunnel doesn't see it when you press start, it adds it and then does a "net start PortTunnel".
NOTE: PortTunnel doesn't actually do a "net start/stop", it instead does the equivalent through the win32 service api. I just referred to it like that above, so as to hopefully make it clear.

********** [ end TIPS / FAQ ] **********