elzalem
guys any iptables freak?
keywords: forwarding, tunneling, ip masquerading
rolf
I spend lots of time on iptables. I even recompiled it to have a module in it that I wanted. I had it set up with complicated rules.
I then looked a bit into tc, but I can't say that I master it. tc is just too hard to debug/watch what is happening.
iptables too, to some extent, but it is manageable.
elzalem
ok, then this should be a piece of cake to you:
i have an ssh server (+gateway?) (A) on let's say 173.214.29.65
i have a gateway + ssh client (B) on 192.168.0.1
a pc (C) on 192.168.0.2
what i need is:
all traffic coming from C (regardless of the port/protocol) to B (or the internet) to be tunneled by an ssh tunnel to A,
then A forwards the traffic (acts as a gateway) and returns the response to B, then B to C
in other words, instead of B being my gateway, i want A to be the gateway but transparently to the pc C and all communication between A and B to be tunneled by an ssh tunnel
is it possible to do so using iptables? i can do the ssh tunneling, but i've never messed with iptables before.
rolf
Usually you would do DNAT in such cases (Destination NAT). I never did any of it myself though.
But ssh is a secure protocol, so I am not sure if it supports masquerading the IP fields.
Do you have shell access to your SSH server?
Google DNAT...
Give this a try...
iptables -t nat -A PREROUTING -p tcp -i eth0 -s 192.168.0.2 -d 192.168.0.1 --dport 22 -j DNAT --to 173.214.29.65
Come back to me if you have any questions.
elzalem
@rolf
thanks for the tips about DNAT
i have ssh access to the ssh server (that sounded silly:P), but I'll test everything in a private lab before messing with production servers for sure.
I'll let you know when i progress, it's a low priority project i'm doing
thanks again
battikh
DNAT will not work. If you do a DNAT it will send the packets TO the new destination and not THROUGH it. Once it reaches the new destination, it will not un-NAT it and it won't go to the intended destination.
you don't need NATing or anything fancy, all you need is to create your ssh tunnel and route the traffic you want in it instead of the default gateway.
elzalem
@battikh
C is not just 1 pc, it's the entire 192.168.0.0/24 network, and as far as they're concerned the gateway is B (192.168.0.1)
my question is what should i do on B and C.
is your reply valid for this configuration?
battikh
yes it is valid.
you will be creating a tunnel between A and B.
any traffic that reaches B can be sent through the tunnel, it's all a matter of the routes you configure. you can send just 1 machine, some machines, or the whole C network.
battikh
oh, and i think it's missing in the link i sent, you'll also have to add a route to network C on machine A pointing to the tunnel
and in the link, all traffic coming to machine B will be sent to the tunnel, so all the traffic from network C will go through the tunnel. If you don't want this, you'll have to use iptables to do source based routing and specifically chose which IPs to route through the tunnel. But if you want to send all of network C without exceptions, don't worry about that, no iptables required.
rolf
Oh, sorry, I misread the question. I thought he wanted to forward all ssh connections to an ssh server. I didn't know he wanted to make a tunnel for forwarding all traffic.
battikh
to make it simpler than the example from ubuntu's forum, i think that's all you should need:
PC A: 10.10.0.1 /24
PC B: 10.20.0.1 /24
On B:
ssh -w0:0 10.10.0.1    # create the tunnel (tun0 on both ends; needs root on both sides and PermitTunnel yes in A's sshd_config)
ifconfig tun0 10.30.0.1 netmask 255.255.255.252    # assign an IP to the tunnel's end on B (choose any private IP)
route add -host 10.10.0.1 gw 10.0.0.2 dev eth0    # route for B to reach PC A through the internet, via the old gateway
route del default gw 10.0.0.2 eth0    # remove the old default gateway first, or adding the new one fails with "File exists"
route add default gw 10.30.0.2 dev tun0    # route all other traffic through the tunnel (gw is A's tunnel address, not the interface)
On A:
ifconfig tun0 10.30.0.2 netmask 255.255.255.252    # assign IP of the 2nd end of the tunnel (any private IP from the same range as you chose on B)
route add -net 10.20.0.0 netmask 255.255.255.0 dev tun0    # route traffic for the whole B network through the tunnel (-net needs the network address, not 10.20.0.1)
elzalem
battikh wrote: it's all a matter of the routes you configure
exactly what routes should i configure? << that's my main question :)
battikh wrote: oh, and i think it's missing in the link i sent, you'll also have to add a route to network C on machine A pointing to the tunnel
that sounds logical
battikh wrote: and in the link, all traffic coming to machine B will be sent to the tunnel, so all the traffic from network C will go through the tunnel.
that's exactly what i want
elzalem
rolf wrote: Oh, sorry, I misread the question. I thought he wanted to forward all ssh connections to an ssh server. I didn't know he wanted to make a tunnel for forwarding all traffic.
sorry for misleading you...
battikh
oh, and depending on what you're trying to achieve with this, C might need to be routable on A's network, which is not the case. If you have access to A's default gateway, then you add a route there to point network B through PC A.
if you don't have access to it, then you have to use iptables on A to nat all traffic coming out of the tunnel to PC A's eth0 ip.
this will be required if C will go to A and then will have to be routed again somewhere else, like to the internet, or to some other network.
If you will ONLY access PC A, then it's enough and no need for nating.
that's what you have to do on A to do the nating:
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
elzalem
battikh wrote: to make it simpler than the example from ubuntu's forum, i think that's all you should need:
PC A: 10.10.0.1 /24
PC B: 10.20.0.1 /24
On B:
ssh -w0:0 10.10.0.1    # create the tunnel (tun0 on both ends; needs root on both sides and PermitTunnel yes in A's sshd_config)
ifconfig tun0 10.30.0.1 netmask 255.255.255.252    # assign an IP to the tunnel's end on B (choose any private IP)
route add -host 10.10.0.1 gw 10.0.0.2 dev eth0    # route for B to reach PC A through the internet, via the old gateway
route del default gw 10.0.0.2 eth0    # remove the old default gateway first, or adding the new one fails with "File exists"
route add default gw 10.30.0.2 dev tun0    # route all other traffic through the tunnel (gw is A's tunnel address, not the interface)
On A:
ifconfig tun0 10.30.0.2 netmask 255.255.255.252    # assign IP of the 2nd end of the tunnel (any private IP from the same range as you chose on B)
route add -net 10.20.0.0 netmask 255.255.255.0 dev tun0    # route traffic for the whole B network through the tunnel (-net needs the network address, not 10.20.0.1)
i'm having trouble digesting this, PC A is a remote computer & has a public IP, it is directly connected to the internet and has 173.214.29.65/?? as an IP (example).
in my network, i have PC B with IP 192.168.0.1/24, the gateway of PC B is my ADSL modem which is 192.168.0.5. the rest of the network will have its default gateway PC B's address and only PC B would have internet access through the ADSL modem.
now i need all the traffic that leaves PC C and heads towards the "internet" to be tunneled by PC B to PC A, PC A will route it to the internet and back to C through B
sorry but i'm still a noob in this
elzalem
@battikh
on second thoughts, let me figure it out myself... some learning won't hurt!
thanks for your input, you've given me what i needed.
battikh
1- PC C tries to ping google (or any public IP), it sends it to its default gateway which is PC B
2- PC B receives the packets, checks the destination (public IP) and sends it also to its default gateway which is the tunnel
3- PC A receives it, it NATs the source IP to its physical interface's IP (172.214.29.65), checks the destination and routes it accordingly, therefore, to its default gateway (173.214.29.1?)
4- From there it will be routed to google as if it was sent from PC A and the reply will come back from google to PC A
5- PC A un-nats the packets and changes back the destination (which is now its physical IP), to the IP of PC C
6- Based on its routing table, packets to PC C (actually to the whole C network), should be sent to the tunnel
7- PC B receives the packet and sends it back to PC C.
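The following script is an added example, not code posted by anyone in this thread. It puts battikh's two-host recipe, the NAT step on A and the seven-step packet walk-through together with elzalem's real addresses (A = 173.214.29.65, B = 192.168.0.1 behind the ADSL modem 192.168.0.5, C = 192.168.0.0/24), using iproute2 instead of ifconfig/route. Interface names (eth0, tun0), the 10.30.0.0/30 tunnel range and the root@ login on A are assumptions. With DRY_RUN=1 (the default) every command is printed instead of executed, so the B-side and A-side sequences can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): B-side and A-side setup for the
# "ssh -w" layer-3 tunnel, printed by default, executed with DRY_RUN=0.
# Assumed, not from the thread: eth0/tun0 names, the 10.30.0.0/30 range, root@ on A.

A_PUBLIC=173.214.29.65    # PC A, the SSH server that becomes the real gateway
B_OLD_GW=192.168.0.5      # the ADSL modem, B's current default route
C_NET=192.168.0.0/24      # the LAN behind B that must leave through A
TUN_B=10.30.0.1           # tunnel endpoint on B (any unused private /30)
TUN_A=10.30.0.2           # tunnel endpoint on A
TUN_PREFIX=30

# Print a command, or execute it when DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Commands for B, run after "ssh -w0:0 root@$A_PUBLIC" has created tun0 on both ends.
b_side() {
    run ip addr add "$TUN_B/$TUN_PREFIX" dev tun0
    run ip link set tun0 up
    # Pin the SSH session itself to the old path. Without this host route the
    # new default route would try to carry the tunnel inside the tunnel.
    run ip route add "$A_PUBLIC/32" via "$B_OLD_GW" dev eth0
    # "replace" swaps the default in one step ("add" fails with "File exists").
    run ip route replace default via "$TUN_A" dev tun0
    # B forwards C's packets, so forwarding must be on here as well as on A.
    run sysctl -w net.ipv4.ip_forward=1
}

# Commands for A: the return route for C's addresses (step 6 of the walk-through)
# and the masquerade (steps 3 and 5).
a_side() {
    run ip addr add "$TUN_A/$TUN_PREFIX" dev tun0
    run ip link set tun0 up
    run ip route add "$C_NET" via "$TUN_B" dev tun0
    run sysctl -w net.ipv4.ip_forward=1
    # Limit the masquerade to C's source range: a bare "-o eth0 -j MASQUERADE"
    # rewrites every forwarded packet leaving eth0, not only the tunnel's.
    run iptables -t nat -A POSTROUTING -s "$C_NET" -o eth0 -j MASQUERADE
    # Only forward between the tunnel and the internet side, and only
    # replies back in.
    run iptables -A FORWARD -i tun0 -o eth0 -s "$C_NET" -j ACCEPT
    run iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# "ssh -w" is refused unless A's sshd_config allows layer-3 tunnels. Reads the
# config text on stdin; returns 0 when PermitTunnel is "yes" or "point-to-point".
permit_tunnel_ok() {
    grep -Eiq '^[[:space:]]*PermitTunnel[[:space:]]+(yes|point-to-point)([[:space:]]|$)'
}

case "${1:-}" in
    b) b_side ;;
    a) a_side ;;
    check) permit_tunnel_ok < /etc/ssh/sshd_config && echo "PermitTunnel ok" ;;
esac
```

Usage: `sh tunnel-gw.sh check` on A first, then `sh tunnel-gw.sh b` and `sh tunnel-gw.sh a` to review the commands, and `DRY_RUN=0 sh tunnel-gw.sh b` (as root, after the `ssh -w0:0` session is up) to apply them. The order on B matters: the /32 route to A via the modem must exist before the default route moves to tun0, otherwise the SSH session that carries the tunnel loses its own path.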
elzalem
@battikh
I couldn't have said it any better!