I'm trying to forward traffic from a local port to a remote machine through an SSH proxy (not a tunnel).
I learned that it can't be done only with iptables rules (please correct me if that's not true), so I set up REDSOCKS to redirect TCP connections to the SSH SOCKS proxy.
I managed to transport the local traffic to the remote machine with iptables rules in the OUTPUT chain, but the same concept in PREROUTING is not working.
The goal is to make the local machine view the outside internet as it would be seen from the remote machine's network (like a VPN).
----------                     --------------
| inside | <-- 10.0.0.0/24 --> |-> iptables |
----------                     |      |     |
                               |      ˇ     |
                               |  redsocks  |
                               |      |     |
                               |      ˇ     |                  ----------
                               |  ssh   ->  | <-- internet --> | remote |
                               --------------                  ----------
Note: I don't want to do anything (changing configuration, adding routes) on the remote machine!
SSH connection established with: ssh -D 1337 user@remote
Redsocks is already configured and started, listening on port 12345.
On the middle machine:
OUTSIDE_INTERFACE=wlan0
INSIDE_INTERFACE=eth0
SSH_SOCKS_PORT=1337
REDSOCKS_PORT=12345
# set the ip address
ifconfig $INSIDE_INTERFACE 10.0.0.1 netmask 255.255.255.0
# enable ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# reset iptables
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -F
iptables -X
# redirect local traffic, except traffic from redsocks to ssh
iptables -t nat -A OUTPUT -p tcp --dport $SSH_SOCKS_PORT -j RETURN
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
# redirect traffic from inside
iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
So after this, traffic from the local machine gets redirected, and I see the internet as if I were in the remote network!
But the inside machine cannot access the internet.
(The IP address on the inside machine is already set, tested with a successful ping.)
I tried:
- iptables -t nat -A PREROUTING -s 10.0.0.0/24 -p tcp -j REDIRECT --to-ports 12345
- adding iptables -t nat -A POSTROUTING -o $OUTSIDE_INTERFACE -j MASQUERADE
If I only set the rule iptables -t nat -A POSTROUTING -o $OUTSIDE_INTERFACE -j MASQUERADE
alone, the inside machine can access the internet (but not through the proxy).
After trying to connect, I see the following statistics:
# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 10 packets, 641 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2184 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 12345

Chain INPUT (policy ACCEPT 43 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1164 bytes)
 pkts bytes target     prot opt in     out     source               destination
   18  1080 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1337
   18  1080 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 12345

Chain POSTROUTING (policy ACCEPT 46 packets, 2825 bytes)
 pkts bytes target     prot opt in     out     source               destination
As I understand it, this means that the packets from the inside machine also get redirected, but then get lost somewhere...
Also, I have a question:
- why does the ssh traffic not get redirected by the
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
rule? I only filtered the $SSH_SOCKS_PORT
port...
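One way to narrow down where the redirected inside traffic ends up, added here as a diagnostic and not code from the question above: REDIRECT rewrites a packet's destination to the primary address of the interface it arrived on (10.0.0.1 on eth0 for the PREROUTING rule), but to 127.0.0.1 for locally generated packets (the OUTPUT rule), so the redsocks listener has to cover both addresses. The check parses `ss -Hltn` output; the two listings are constructed samples, and redsocks running with its default local_ip = 127.0.0.1 is an assumption about this setup.

```shell
#!/bin/sh
# Added diagnostic for the setup in the question; not code from the post.
# REDIRECT rewrites the destination to the primary address of the interface
# a packet arrived on (10.0.0.1 on eth0 for the PREROUTING rule), but to
# 127.0.0.1 for locally generated packets (the OUTPUT rule).  A redsocks
# that listens only on 127.0.0.1 (its default local_ip) therefore serves
# the OUTPUT case, while redirected inside traffic hits a closed port.
INSIDE_ADDR=10.0.0.1
REDSOCKS_PORT=12345

# listener_covers LISTING ADDR PORT
# LISTING is `ss -Hltn` output (one socket per line, "Local Address:Port"
# in column 4).  Succeeds if a TCP listener on PORT accepts connections
# addressed to ADDR: bound to ADDR itself or to the wildcard 0.0.0.0 / *.
listener_covers() {
    printf '%s\n' "$1" | awk -v addr="$2" -v port="$3" '
        {
            n = split($4, f, ":")          # "0.0.0.0:12345" -> ip, port
            ip = f[1]; p = f[n]
            if (p == port && (ip == addr || ip == "0.0.0.0" || ip == "*"))
                found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample of `ss -Hltn` on the middle machine with redsocks at
# its default local_ip = 127.0.0.1 (an assumption about the asker's box).
SAMPLE_LOOPBACK_ONLY='LISTEN 0 128 127.0.0.1:12345 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1337  0.0.0.0:*
LISTEN 0 128 0.0.0.0:22      0.0.0.0:*'

# Constructed sample after setting local_ip = 0.0.0.0 in redsocks.conf.
SAMPLE_WILDCARD='LISTEN 0 128 0.0.0.0:12345 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1337 0.0.0.0:*'

# check_host LISTING: report whether each REDIRECT rule lands on a listener.
# On a live system pass "$(ss -Hltn)" instead of a sample.
check_host() {
    listing=$1
    for addr in 127.0.0.1 "$INSIDE_ADDR"; do
        if listener_covers "$listing" "$addr" "$REDSOCKS_PORT"; then
            echo "$addr:$REDSOCKS_PORT  reachable"
        else
            echo "$addr:$REDSOCKS_PORT  NO listener (redirected SYNs get a RST here)"
        fi
    done
}
echo "redsocks on loopback only:"; check_host "$SAMPLE_LOOPBACK_ONLY"
echo "redsocks on wildcard:";      check_host "$SAMPLE_WILDCARD"
```

Counters such as the 42 packets on the PREROUTING REDIRECT rule only show that the rewrite happened, not that anything accepted the connection afterwards, which is why the listener check is the next thing to verify.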