lightweight tunnel

eantoranz · 07-20-2005, 10:39 PM

I need a very lightweight tunnel.

I want to have a service listening in port X and it will simply forward traffic to a service in port Y (can't use iptables' REDIRECT, which is the simplest solution).

michaelsanford · 07-21-2005, 01:00 AM

I assume from your post you mean X and Y are on the same machine ? If so I think this will suffice:

ssh localhost -g -L x:127.0.0.1:y

The -g allows remote hosts to connect to local tunneles ports (i.e., allow non-localhost computers to make use of the forward).

If the two ports aren't local, just change the line above appropriately.

Now I have to ask the obvious question: if you're chaning a service port locally, why not just edit the service's config file, or make a change in xinetd if the service supports it? That way you won't have the added overhead of the encryption...

eantoranz · 07-21-2005, 10:14 AM

Oh, well.... because the service will actually listen in it's natural port.. plus this other port(s).

Let me explain myself a little better:

We have (will have, should I say) three internet connections attached to a single host. This host will provide openVPN connection.

The problem is that as the box will have three internet connections to get to a given host, to avoid choosing the wrong path, I will use a different port for each network interface (plus the normal not tunneled openVPN port). According to the port the packet came in, I pass traffic back thru the network interface the request traffic came from.

sind · 07-21-2005, 10:59 AM

This isn't the most elegant solution, but you could use netcat to forward from one port to another. For instance:

Code:

$ nc -lp 8080 | nc localhost 80

You'd need to make a shell script or something to restart the above command, perhaps:

Code:

#!/bin/sh

for ((;;)); do
    nc -lp 8080 | nc localhost 80
done

The main drawback is it will only accept one connection at a time.

Hobbit's netcat is available here: http://www.securityfocus.com/tools/137
There is also a re-write called GNU netcat here: http://netcat.sourceforge.net/

~sind

PS: in fact it looks like GNU netcat has some sort of tunneling system built in, I haven't tried it though.

EDIT: using GNU netcat's tunnel function still requires a restart script. It would mean replacing:

Code:

    nc -lp 8080 | nc localhost 80

with:

Code:

    netcat -L localhost:80 -p 8080

eantoranz · 07-21-2005, 01:44 PM

Oh... did I forget to mention that the tunnel is for UDP traffic? :-O

Is there a ssh option to make it work with UDP?

sind · 07-22-2005, 08:16 AM

I don't think ssh supports UDP port forwarding.

This website shows how to use netcat to do UDP port forwarding.

Having reading that web page, I realised/learned that:

Code:

$ nc -lp 8080 | nc localhost 80

is a one way tunnel. Need to add a pipe in the other direction:

Code:

$ mkfifo reverse
$ nc -lp 8080 < reverse | nc localhost 80 > reverse

BTW why can't you use iptables' port forwarding?

~sind

eantoranz · 07-22-2005, 05:20 PM

Because I need to be able to differ traffic acording to the source port when the response traffic is going out... and If I do REDIRECT, the source port by the time the response hits POSTROUTING is the actual port the traffic was redirected TO, and not the APPARENT port.

Do I explain myself?