LinuxQuestions.org

Linux - Networking > Easy TCP+UDP tunneling (http://www.linuxquestions.org/questions/linux-networking-3/easy-tcp-udp-tunneling-4175450642/)

r00t 02-18-2013 06:44 AM

Easy TCP+UDP tunneling
 
Hello members,

What is the best way to tunnel both TCP and UDP from one network to another (external, not local) without having to set something up on the receiving end (so no GRE/VPN)? How about iptables NAT for UDP and redir or x/rinetd for TCP? What do you prefer and why?

jefro 02-19-2013 02:48 PM

The idea of a tunnel is just like a train tunnel. No way to go in between the ends.

You would have to have something on the other end.

If you can't run some software then you need a hardware device.

nini09 02-19-2013 02:49 PM

The TCP and UDP traffic can already reach the destination without setting anything up. A tunnel deals with private networks and has to be configured on both sides. What's your main purpose?

r00t 02-19-2013 02:54 PM

I want to forward some TCP and UDP services (such as FTP, DNS, maybe HTTP but there are better solutions for that, voice server, etc.) from one server to another one. It already works pretty well with NAT, but I wanted to hear your thoughts about other solutions. The other things I listed do work too for my purpose, such as redir and rinetd, I'd just like to hear your opinions and alternatives.

nini09 02-21-2013 02:36 PM

You can use the udp_redirect tool to redirect UDP traffic.

r00t 02-22-2013 09:13 AM

Quote:

Originally Posted by nini09 (Post 4896943)
You can use the udp_redirect tool to redirect UDP traffic.

Thanks for the tip. So my other questions would be if and why this (and redir/rinetd for TCP) would be better or worse than just using iptables symmetric NAT, like:

Code:

iptables -t nat -A PREROUTING  -p <tcp/udp> -d $local_ip -j DNAT --to-destination $remote_ip
iptables -t nat -A POSTROUTING -p <tcp/udp> --dst $remote_ip -j SNAT --to-source $local_ip
iptables -A FORWARD -p <tcp/udp> -d $remote_ip -j ACCEPT
iptables -A FORWARD -p <tcp/udp> -s $local_ip -j ACCEPT


nini09 02-22-2013 03:02 PM

From my point of view, iptables is more flexible and powerful but too complicated. redir or udp_redirect is simple and easy but maybe less powerful. Both could work, it just depends on the requirement.

r00t 02-22-2013 03:32 PM

Well, I stated my requirement above (forward services such as FTP, HTTP, DNS, voice server, from one server to another) and the iptables rules I came up with are quite easy. How do these services differ from iptables NAT? I'd like to know any upsides or downsides, except for the obvious, such as configuration.

Edit: I'm mainly asking this, because someone told me iptables NAT would be "bad" for that and I should rather use redir or rinetd. Now I'm trying to figure the reason why that would be. :)

nini09 02-25-2013 02:46 PM

First of all, is NAT necessary if you are only forwarding or redirecting traffic from one server to another one?
The redir or rinetd doesn't support NAT.

Lantzvillian 02-28-2013 05:03 PM

Iptables can be bad for dynamic protocols that don't use static ports such as FTP (can't remember which one, active or passive). I believe it has an ftp-helper module so this might be a non-issue. Most other protocols are well-behaved and do not exhibit this behavior.. unless you're using an industrial protocol perhaps :P

IPtables/NAT also has the advantage of firewalling on specific conditions and offering some protection to the hosts on the other side by limiting their surface area. In my opinion I'd just use iptables and call it a day for what you're doing with it, unless you're changing IP addresses or 1-to-1 NATing (but you can do this anyway with iptables).

r00t 02-28-2013 05:23 PM

Quote:

Originally Posted by Lantzvillian (Post 4901954)
IPtables/NAT also has the advantage of firewalling on specific conditions and offering some protection to the hosts on the other side by limiting their surface area. In my opinion I'd just use iptables and call it a day for what you're doing with it, unless you're changing IP addresses or 1-to-1 NATing (but you can do this anyway with iptables).

Thank you for your reply! Exactly, NAT with port forwarding and 1:1 NAT in some cases was the solution I thought of first. But now for example, if we have a look at tutorials on how to protect Minecraft servers from DDoS (just using this as an example, as it's for a similar purpose, although I'm not looking to "DDoS protect" Minecraft servers), you will notice that for example redir is suggested here and tcptunnel here. Articles like these were the reason I got confused. Why would they suggest these forwarding tools, if it's just as easy and probably even better to accomplish with iptables?

r00t 03-06-2013 05:24 AM

Anyone?

Lantzvillian 03-07-2013 11:11 AM

Good question, but since you're just forwarding services... just use iptables. If you need a hand PM me.

If no one is answering, either you're doing it wrong or the question has been answered by yourself or the people replying ;)

Lantzvillian 03-07-2013 11:11 AM

Damn, double post.
