
I am trying to forward traffic from a local port to a remote machine through an SSH proxy (not a tunnel). I learned that it can't be done only with iptables rules (please correct me if that's not true), so I set up REDSOCKS to redirect TCP connections to the SSH SOCKS proxy.
I managed to transport the local traffic to the remote machine with iptables rules in the OUTPUT chain, but the same concept in PREROUTING is not working. The goal is to make the local machine view the outside internet as if it were in the remote machine's network (like a VPN).

----------                      --------------
| inside |  <-- 10.0.0.0/24 --> |-> iptables |
----------                      |      |     |
                                |      ˇ     |
                                |   redsocks |
                                |      |     |
                                |      ˇ     |                  ----------
                                |     ssh -> | <-- internet --> | remote |
                                --------------                  ----------

Note: I don't want to do anything (changing configuration, adding routes) on the remote machine!

The SSH connection is established with ssh -D 1337 user@remote.
Redsocks is already configured and started, listening on port 12345.

On the middle machine:

OUTSIDE_INTERFACE=wlan0
INSIDE_INTERFACE=eth0
SSH_SOCKS_PORT=1337
REDSOCKS_PORT=12345

# set the ip address
ifconfig $INSIDE_INTERFACE 10.0.0.1 netmask 255.255.255.0

# enable ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# reset iptables
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -F
iptables -X

# redirect local traffic, except traffic from redsocks to ssh
iptables -t nat -A OUTPUT -p tcp --dport $SSH_SOCKS_PORT -j RETURN
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT

# redirect traffic from inside
iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT

So after this, traffic from the local machine gets redirected, and I see the internet as if I were in the remote network!
But the inside machine cannot access the internet.

(The IP address on the inside machine is already set, tested with a successful ping.)

I tried:

  • iptables -t nat -A PREROUTING -s 10.0.0.0/24 -p tcp -j REDIRECT --to-ports 12345
  • adding iptables -t nat -A POSTROUTING -o $OUTSIDE_INTERFACE -j MASQUERADE

If I set only the iptables -t nat -A POSTROUTING -o $OUTSIDE_INTERFACE -j MASQUERADE rule, the inside machine can access the internet (but not through the proxy).

After trying to connect, I see the following statistics:

# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 10 packets, 641 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   42  2184 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 12345

Chain INPUT (policy ACCEPT 43 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 19 packets, 1164 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   18  1080 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1337
   18  1080 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 12345

Chain POSTROUTING (policy ACCEPT 46 packets, 2825 bytes)
 pkts bytes target     prot opt in     out     source               destination

As I understand it, this means that the packets from the inside machine also get redirected, but are then lost somewhere...


Also I have a question:

  • why does the ssh traffic not get redirected by the iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT rule? I only filtered the $SSH_SOCKS_PORT port...

iptables flowchart

2 Answers


OK, the problem was not with the iptables rules, or not mainly.
iptables REDIRECT does the following:

It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address).

And redsocks, by default, listens only for packets that come to 127.0.0.1, so packets with the destination of an interface address won't arrive at redsocks.

After changing the redsocks config to local_ip = 0.0.0.0; it worked.

(Note: this is only for TCP; for UDP (like DNS) further settings are needed.)


In your situation, you only need to have redsocks listen on 10.0.0.1, then REDIRECT or DNAT, for example:

iptables -t nat -A PREROUTING -p tcp -m tcp --syn -j DNAT --to 10.0.0.1:12345

I encountered the same problem as you. I was confused by OUTPUT and kept listening on 127.0.0.1.

Reference: Routing a VPN connection to a socks proxy on the same server
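The binding rule both answers rely on, as an added shell example that is not code from the question or either answer: it reads local_ip from a redsocks.conf, decides whether a PREROUTING REDIRECT from the inside interface would actually reach redsocks (only a bind to 0.0.0.0 or to the inside address 10.0.0.1 does), and prints the NAT rules with the exclusions a practitioner would add. Assumed values: inside interface 10.0.0.1/24, redsocks on 12345 and ssh -D on 1337 as in the question; REMOTE_HOST is a placeholder for the SSH server's address.

```shell
#!/bin/sh
# Added example (not from the question or answers). Assumed: inside interface
# 10.0.0.1/24, redsocks on 12345, ssh -D on 1337, REMOTE_HOST a placeholder.
INSIDE_IP=10.0.0.1
INSIDE_NET=10.0.0.0/24
REDSOCKS_PORT=12345
SSH_SOCKS_PORT=1337
REMOTE_HOST=203.0.113.10   # placeholder (documentation range)

# Print the local_ip value from a redsocks.conf given on stdin.
redsocks_local_ip() {
    sed -n 's/.*local_ip[[:space:]]*=[[:space:]]*\([0-9.]*\);.*/\1/p' | head -n 1
}

# REDIRECT rewrites a forwarded packet's destination to the primary address
# of the interface it arrived on, so redsocks must be bound to that address
# or to 0.0.0.0. Returns 0 when redirected inside traffic would reach it.
redirect_reaches_redsocks() {
    case "$1" in
        0.0.0.0|"$INSIDE_IP") return 0 ;;
        *) return 1 ;;
    esac
}

# NAT rules from the question plus two exclusions: traffic to the inside
# subnet stays local, and a fresh ssh connection to REMOTE_HOST must not be
# looped back into redsocks (the nat table only sees a connection's first
# packet, which is why the already-open ssh session was never redirected).
nat_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -p tcp --dport $SSH_SOCKS_PORT -j RETURN
iptables -t nat -A OUTPUT -p tcp -d $REMOTE_HOST --dport 22 -j RETURN
iptables -t nat -A OUTPUT -p tcp -d $INSIDE_NET -j RETURN
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
iptables -t nat -A PREROUTING -s $INSIDE_NET -p tcp -d $INSIDE_NET -j RETURN
iptables -t nat -A PREROUTING -s $INSIDE_NET -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
EOF
}

# Constructed sample configs: the redsocks default and the corrected binding.
BROKEN_CONF='redsocks { local_ip = 127.0.0.1; local_port = 12345; }'
FIXED_CONF='redsocks { local_ip = 0.0.0.0; local_port = 12345; }'
for conf in "$BROKEN_CONF" "$FIXED_CONF"; do
    ip=$(printf '%s\n' "$conf" | redsocks_local_ip)
    if redirect_reaches_redsocks "$ip"; then
        echo "local_ip = $ip: inside traffic redirected to $INSIDE_IP:$REDSOCKS_PORT reaches redsocks"
    else
        echo "local_ip = $ip: nothing listens on $INSIDE_IP:$REDSOCKS_PORT, inside connections are refused"
    fi
done
```

Run nat_rules through sh as root to load the rules; the check functions themselves need no privileges.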
