ssh tunnel to port forwarded over localhost

Hello,

First, I would like to say that I have searched for a really long time through the historical list archive of netfilter and other forums, but I was not able to find the functionality I was searching for!
I have found only this "port forwarding through localhost" thread, http://marc.info/?t=116984915600001&r=1&w=2, but it is not exactly that!

Here is the situation:

Host A (Germany - my home laptop - Windows XP)
Router (Bulgaria - public IP) - Linux openSUSE 11.1 Xen; uname: Linux clients-pools 2.6.27.29-0.1-xen #1 SMP 2009-08-15 17:53:59 +0200 x86_64 x86_64 x86_64 GNU/Linux
Host B (192.168.1.10, which is a Xen virtual host installed on the Router itself - Windows XP). Host B can ping any public IP address and can resolve DNS names.

The Router has 2 open ports:
 55431  OpenSSH
 54322  forwarded to Host B (192.168.1.10) port 3389 for remote desktop!

Now, the port forwarding is working just great: I can reach the remote desktop of Host B from Host A. But I want to close that port and let everything be forwarded over an SSH tunnel. I have done this for squid and/or apache, which are on the Router itself, and it works just perfectly. But when I closed port 54322 and tried to do the same for Host B, I ran into several problems. The PuTTY tunnel forwards port 54322 on the Router to my localhost (Host A) port 60000, so the remote desktop from Host A is done like this: localhost:60000. This forwards the traffic not to eth1 but to the local loop (lo):

-A PREROUTING -d 1.1.1.1/32 -i eth1 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389

On the Router side I can see the TCP segment coming in on the loopback with tcpdump:

router:~ # tcpdump -vvv -i lo port 3389
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
12:52:26.348931 IP (tos 0x0, ttl 64, id 26881, offset 0, flags [DF], proto TCP (6), length 60) localhost.46449 > localhost.ms-wbt-server: S, cksum 0x21d4 (correct), 463172374:463172374(0) win 32792 <mss 16396,sackOK,timestamp 37886487 0,nop,wscale 7>
12:52:26.348954 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) localhost.ms-wbt-server > localhost.46449: R, cksum 0x606d (correct), 0:0(0) ack 463172375 win 0

My question is: what rule should I write in order to redirect this packet to the host 192.168.1.10 on port 3389 and catch that packet on the way back? I do not want to use socat (user space) for this, although it is working.


I have enclosed the output of my "iptables-save > firewall" command below (I have only changed my public IP to 1.1.1.1), followed by the output of ifconfig on the Router.

# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*mangle
:PREROUTING ACCEPT [125872:58570748]
:INPUT ACCEPT [64138:10436284]
:FORWARD ACCEPT [61857:48161272]
:OUTPUT ACCEPT [60175:25422321]
:POSTROUTING ACCEPT [121952:73579737]
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*nat
:PREROUTING ACCEPT [2178:203421]
:POSTROUTING ACCEPT [3440:199081]
:OUTPUT ACCEPT [9561:742897]
-A PREROUTING -d 1.1.1.1/32 -i eth1 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1/32 -i eth0 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1/32 -i tap5_0 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1/32 -i vif5_0 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tap5_0 -j MASQUERADE
-A POSTROUTING -o vif5_0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*raw
:PREROUTING ACCEPT [315487:154134329]
:OUTPUT ACCEPT [221189:110128847]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i br0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -i eth0 -j input_ext
-A INPUT -i tap5_0 -j input_ext
-A INPUT -i vif5_0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev  --physdev-is-bridged -j ACCEPT
-A FORWARD -i br0 -j forward_int
-A FORWARD -i eth1 -j forward_ext
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i tap5_0 -j forward_ext
-A FORWARD -i vif5_0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -i eth1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i tap5_0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i vif5_0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -d 192.168.1.10/32 -p tcp -m limit --limit 3/min -m tcp --dport 3389 -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_ext -d 192.168.1.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A forward_ext -s 192.168.1.10/32 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -i br0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i br0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i br0 -o tap5_0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i br0 -o vif5_0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -d 192.168.1.10/32 -p tcp -m limit --limit 3/min -m tcp --dport 3389 -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_int -d 192.168.1.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A forward_int -s 192.168.1.10/32 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j reject_func
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 54321 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 54321 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 54322 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 54322 -j ACCEPT
-A input_ext -p udp -m udp --dport 54321 -j ACCEPT
-A input_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -m pkttype --pkt-type broadcast -j DROP
-A input_int -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 3389 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 3389 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 443 -j ACCEPT
-A input_int -p udp -m udp --dport 3389 -j ACCEPT
-A input_int -p udp -m udp --dport 443 -j ACCEPT
-A input_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -m pkttype --pkt-type multicast -j DROP
-A input_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_int -j reject_func
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed Oct 14 10:27:35 2009


router:~ # ifconfig
br0       Link encap:Ethernet  HWaddr 00:17:31:66:E0:96
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::217:31ff:fe66:e096/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33617 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39485 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9899695 (9.4 Mb)  TX bytes:40149850 (38.2 Mb)

eth0      Link encap:Ethernet  HWaddr 00:17:31:66:E0:96
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:23 Base address:0xd000

eth1      Link encap:Ethernet  HWaddr 00:C0:26:2B:FD:BF
          inet addr:1.1.1.1  Bcast:1.1.1.63  Mask:255.255.255.224
          inet6 addr: fe80::2c0:26ff:fe2b:fdbf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:242550 errors:0 dropped:0 overruns:0 frame:0
          TX packets:201341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:109289170 (104.2 Mb)  TX bytes:84870831 (80.9 Mb)
          Interrupt:17 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:72536 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72536 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:40991838 (39.0 Mb)  TX bytes:40991838 (39.0 Mb)

tap5.0    Link encap:Ethernet  HWaddr AA:95:EA:BF:C1:5B
          inet6 addr: fe80::a895:eaff:febf:c15b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:32308 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38395 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:10396937 (9.9 Mb)  TX bytes:40082135 (38.2 Mb)

vif5.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:2930 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Can anyone help me with this?

Konstantin
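The two ways a practitioner would close port 54322 and still reach Host B's remote desktop through the tunnel, as an added example that is not part of the original post. It assumes the values given in the post (Router public IP 1.1.1.1, sshd on 55431, Host B 192.168.1.10:3389, local listen port 60000) plus the Router's LAN address 192.168.1.1 on br0 taken from the ifconfig output; the root@ login is assumed from the root prompt shown, and the helper names tunnel_cmd, nat_rules and verify_cmds are the example's own. The kernel-side facts it relies on: packets generated on the Router itself (which is what the sshd end of the tunnel produces) traverse the nat OUTPUT chain and never nat PREROUTING, so the existing PREROUTING DNAT rules cannot match them; and NAT is only applied to connection-tracked packets, so the raw-table NOTRACK rules on lo exclude all loopback traffic from any DNAT.

```shell
#!/bin/sh
# Added example (not from the original post). Two ways to reach Host B's RDP
# port over the SSH tunnel without leaving 54322 open on the Router.
# Assumed values: Router public IP 1.1.1.1, sshd on 55431, Router LAN address
# 192.168.1.1 on br0, Host B 192.168.1.10:3389, local listen port 60000.

ROUTER_IP=${ROUTER_IP:-1.1.1.1}
ROUTER_SSH_PORT=${ROUTER_SSH_PORT:-55431}
ROUTER_LAN_IP=${ROUTER_LAN_IP:-192.168.1.1}
TARGET=${TARGET:-192.168.1.10}
TARGET_PORT=${TARGET_PORT:-3389}
LOCAL_PORT=${LOCAL_PORT:-60000}

# Option 1 (preferred): let sshd on the Router open the connection to Host B
# itself. The forwarded stream leaves via br0 from 192.168.1.1, never touches
# lo, needs no DNAT, and the filter OUTPUT chain already accepts NEW traffic.
# PuTTY equivalent: Source port 60000, Destination 192.168.1.10:3389.
tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s -p %s %s\n' \
        "$LOCAL_PORT" "$TARGET" "$TARGET_PORT" "$ROUTER_SSH_PORT" "root@$ROUTER_IP"
}

# Option 2: keep the tunnel pointed at a Router port and DNAT in the kernel.
# Locally generated packets hit nat OUTPUT (never nat PREROUTING); NAT only
# acts on connection-tracked packets, so the raw NOTRACK rules on lo must go;
# and the tunnel destination should be a non-loopback Router address such as
# 192.168.1.1:54322 so the DNATed packet keeps a routable source instead of
# 127.0.0.1. SNAT pins the source to the br0 address so Host B's replies
# return to the Router (the existing MASQUERADE rules do not cover -o br0).
nat_rules() {
    cat <<EOF
iptables -t raw -D PREROUTING -i lo -j NOTRACK
iptables -t raw -D OUTPUT -o lo -j NOTRACK
iptables -t nat -A OUTPUT -d $ROUTER_LAN_IP -p tcp --dport 54322 -j DNAT --to-destination $TARGET:$TARGET_PORT
iptables -t nat -A POSTROUTING -o br0 -d $TARGET -p tcp --dport $TARGET_PORT -j SNAT --to-source $ROUTER_LAN_IP
EOF
}

# Checks to run on the Router while the tunnel is up: the SYN must now appear
# on br0 (not lo), and the nat counters must increment.
verify_cmds() {
    cat <<EOF
tcpdump -ni br0 host $TARGET and port $TARGET_PORT
iptables -t nat -vnL OUTPUT
iptables -t nat -vnL POSTROUTING
EOF
}

# Nothing is applied automatically: each mode only prints the commands.
case "${1:-}" in
    tunnel) tunnel_cmd ;;
    nat)    nat_rules ;;
    verify) verify_cmds ;;
esac
```

Run "sh tunnel.sh tunnel" to print the OpenSSH equivalent of the PuTTY forward for Host A, "sh tunnel.sh nat" to print the kernel-side rules for the Router, and "sh tunnel.sh verify" for the checks; all three only print, so nothing changes until you run the output yourself. Option 1 is the one to prefer: it removes the need for any NAT of loopback traffic and keeps the only listener on the Router the sshd that is already exposed.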
