LinuxQuestions.org
Old 02-18-2013, 07:44 AM   #1
r00t
LQ Newbie
 
Registered: May 2012
Posts: 23

Rep: Reputation: Disabled
Question Easy TCP+UDP tunneling


Hello members,

What is the best way to tunnel both TCP and UDP from one network to another (external, not local) without having to set something up on the receiving end (so no GRE/VPN)? How about iptables NAT for UDP and redir or x/rinetd for TCP? What do you prefer and why?
 
Old 02-19-2013, 03:48 PM   #2
jefro
Guru
 
Registered: Mar 2008
Posts: 11,956

Rep: Reputation: 1482
The idea of a tunnel is just like a train tunnel. No way to go in between the ends.

You would have to have something on the other end.

If you can't run some software then you need a hardware device.
 
Old 02-19-2013, 03:49 PM   #3
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,045

Rep: Reputation: 86
TCP and UDP traffic can already reach the destination without setting anything up. A tunnel deals with private networks, and you have to configure something on both sides. What's your main purpose?
 
Old 02-19-2013, 03:54 PM   #4
r00t
LQ Newbie
 
Registered: May 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
I want to forward some TCP and UDP services (such as FTP, DNS, maybe HTTP but there are better solutions for that, voice server, etc.) from one server to another one. It already works pretty well with NAT, but I wanted to hear your thoughts about other solutions. The other things I listed do work too for my purpose, such as redir and rinetd, I'd just like to hear your opinions and alternatives.
 
Old 02-21-2013, 03:36 PM   #5
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,045

Rep: Reputation: 86
You can use the udp_redirect tool to redirect UDP traffic.
 
Old 02-22-2013, 10:13 AM   #6
r00t
LQ Newbie
 
Registered: May 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by nini09 View Post
You can use the udp_redirect tool to redirect UDP traffic.
Thanks for the tip. So my other questions would be if and why this (and redir/rinetd for TCP) would be better or worse than just using iptables symmetric NAT, like:

Code:
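# Set proto to tcp or udp and run the four rules once for each protocol.
iptables -t nat -A PREROUTING  -p "$proto" -d "$local_ip" -j DNAT --to-destination "$remote_ip"
iptables -t nat -A POSTROUTING -p "$proto" --dst "$remote_ip" -j SNAT --to-source "$local_ip"
iptables -A FORWARD -p "$proto" -d "$remote_ip" -j ACCEPT
# Replies cross FORWARD with the remote server as source (the SNAT is undone before this chain).
iptables -A FORWARD -p "$proto" -s "$remote_ip" -j ACCEPT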

Last edited by r00t; 02-28-2013 at 06:28 PM.
 
Old 02-22-2013, 04:02 PM   #7
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,045

Rep: Reputation: 86
From my point of view, iptables is more flexible and powerful but too complicated. redir or udp_redirect is simple and easy but maybe less powerful. Both could work; it just depends on the requirement.
 
Old 02-22-2013, 04:32 PM   #8
r00t
LQ Newbie
 
Registered: May 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
Well, I stated my requirement above (forward services such as FTP, HTTP, DNS, voice server, from one server to another) and the iptables rules I came up with are quite easy. How do these services differ from iptables NAT? I'd like to know any upsides or downsides, except for the obvious, such as configuration.

Edit: I'm mainly asking this, because someone told me iptables NAT would be "bad" for that and I should rather use redir or rinetd. Now I'm trying to figure the reason why that would be.

Last edited by r00t; 02-22-2013 at 04:33 PM.
 
Old 02-25-2013, 03:46 PM   #9
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,045

Rep: Reputation: 86
First of all, is NAT necessary if you are only forwarding or redirecting traffic from one server to another one?
redir and rinetd don't support NAT.
 
Old 02-28-2013, 06:03 PM   #10
Lantzvillian
Member
 
Registered: Oct 2007
Location: BC, Canada
Distribution: Fedora, Debian
Posts: 210

Rep: Reputation: 41
Iptables can be bad for dynamic protocols that don't use static ports such as FTP (can't remember which one, active or passive). I believe it has an ftp-helper module so this might be a non-issue. Most other protocols are well-behaved and do not exhibit this behavior... unless you're using an industrial protocol perhaps :P

IPtables/NAT also has an advantage of firewalling on specific conditions and offering some protection to the hosts on the other side by limiting their surface area. In my opinion I'd just use iptables and call it a day for what you're doing with it unless you're changing IP addresses or 1-to-1 NATing (but you can do this anyways with iptables).

Last edited by Lantzvillian; 02-28-2013 at 06:05 PM. Reason: forgot something
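
A port-restricted, stateful form of the NAT forwarding discussed in this thread, covering the FTP helper case and the "firewalling on specific conditions" point from post #10. This is an added example, not part of any poster's message; the function names, addresses and service list are constructed, and it assumes a kernel that provides the nf_nat_ftp module and the CT target.

```shell
#!/bin/sh
# Added example: prints a forwarding ruleset for review; it never runs iptables.
# Addresses and the service list are constructed sample values.

forward_rules() {   # usage: forward_rules PROTO PORT LOCAL_IP REMOTE_IP
    proto=$1 port=$2 local_ip=$3 remote_ip=$4
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    # Digits only, at most five of them, so the numeric test below cannot overflow.
    case $port in ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    for addr in "$local_ip" "$remote_ip"; do
        # Only digits and dots may reach the generated command lines.
        case $addr in ''|*[!0-9.]*) echo "bad address: $addr" >&2; return 1 ;; esac
    done
    cat <<EOF
iptables -t nat -A PREROUTING -p $proto -d $local_ip --dport $port -j DNAT --to-destination $remote_ip
iptables -t nat -A POSTROUTING -p $proto -d $remote_ip --dport $port -j SNAT --to-source $local_ip
iptables -A FORWARD -p $proto -d $remote_ip --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

forward_ruleset() { # usage: forward_ruleset LOCAL_IP REMOTE_IP PROTO:PORT...
    lip=$1 rip=$2; shift 2
    # Validate every service first so a bad entry never yields a partial ruleset.
    for svc in "$@"; do
        forward_rules "${svc%%:*}" "${svc#*:}" "$lip" "$rip" >/dev/null || return 1
    done
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Replies, and connections a helper marks RELATED, need no rule of their own.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for svc in "$@"; do
        forward_rules "${svc%%:*}" "${svc#*:}" "$lip" "$rip"
        if [ "$svc" = tcp:21 ]; then
            # FTP negotiates data ports in-band; bind the helper to the control port only.
            echo "modprobe nf_nat_ftp"
            echo "iptables -t raw -A PREROUTING -p tcp -d $lip --dport 21 -j CT --helper ftp"
        fi
    done
    echo "iptables -P FORWARD DROP"   # anything not listed above is refused
}

forward_ruleset 192.0.2.10 198.51.100.20 tcp:21 tcp:80 udp:53
```

A userspace relay such as redir or rinetd gives the same per-port restriction by only listening on the ports you configure, but the backend then sees the relay's own connection rather than a conntrack-translated one.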
 
Old 02-28-2013, 06:23 PM   #11
r00t
LQ Newbie
 
Registered: May 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Lantzvillian View Post
IPtables/NAT also has an advantage of firewalling on specific conditions and offering some protection to the hosts on the other side by limiting their surface area. In my opinion I'd just use iptables and call it a day for what you're doing with it unless you're changing IP addresses or 1-to-1 NATing (but you can do this anyways with iptables).
Thank you for your reply! Exactly, NAT with port forwarding and 1:1 NAT in some cases was the solution I thought of first. But now for example, if we have a look at tutorials on how to protect Minecraft servers from DDoS (just using this as an example, as it's for a similar purpose, although I'm not looking to "DDoS protect" Minecraft servers), you will notice that for example redir is suggested here and tcptunnel here. Articles like these were the reason I got confused. Why would they suggest these forwarding tools, if it's just as easy and probably even better to accomplish with iptables?

Last edited by r00t; 02-28-2013 at 06:25 PM.
 
Old 03-06-2013, 06:24 AM   #12
r00t
LQ Newbie
 
Registered: May 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
Anyone?
 
Old 03-07-2013, 12:11 PM   #13
Lantzvillian
Member
 
Registered: Oct 2007
Location: BC, Canada
Distribution: Fedora, Debian
Posts: 210

Rep: Reputation: 41
Good question, but since you're just forwarding services... just use iptables. If you need a hand PM me.

If no one is answering, either you're doing it wrong or the question has been answered by yourself or the people replying.
 
Old 03-07-2013, 12:11 PM   #14
Lantzvillian
Member
 
Registered: Oct 2007
Location: BC, Canada
Distribution: Fedora, Debian
Posts: 210

Rep: Reputation: 41
Damn double post.

Last edited by Lantzvillian; 03-07-2013 at 12:13 PM.
 
  


All times are GMT -5. The time now is 08:55 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration