LinuxQuestions.org
Old 03-06-2012, 02:45 PM   #1
AresiusXP
LQ Newbie
 
Registered: Mar 2012
Posts: 6

Rep: Reputation: Disabled
Redirect traffic between ssh tunnels with iptables


Here's the first piece of information that you'll need: I'm from Argentina and in order to use some country-restricted pages (such as Pandora, Netflix, Hulu), I need to tunnel it to a host in USA.

I have 2 Ubuntu servers running SSH listening on port 443. One is at home, the other is my host in the USA. Usually, at the office, I create 2 ssh tunnels using PuTTY: 1st session to my host at home, 2nd session to my USA server. I configure the proxy settings in my browser according to what pages I'm going to use.

What I want to do is to just use one ssh tunnel at the office (the one with my home server) and if my traffic goes to Pandora for example (208.85.40.0/21), that it automatically relays it to an SSH tunnel created there with my USA server.

I created the SSH tunnel at home running the following:
Code:
ssh -fqNp 443 aresius@host.inUSA.com -D 1081
As far as I know, traffic redirection, rerouting, or whatever it's called, can be done using iptables. However, I never fully understood it or its syntax, and this is the best I could come up with:
Code:
iptables -t nat -A OUTPUT -p TCP -d 208.85.40.0/21 -j REDIRECT --to-port 1081
When I run elinks www.pandora.com in the host, it just doesn't work.


Can you help me? Thanks in advance!
 
Old 03-06-2012, 11:19 PM   #2
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Rep: Reputation: 83
Buddy, I think it will be simpler if you use a PAC; there you can tell the proxy "if you are going to such-and-such domain, go through this proxy... if you are going to this other domain, go through this other proxy"... the only thing I'm not sure about is whether you can point the proxy at a SOCKS proxy (like the one an ssh tunnel gives you) or whether it necessarily has to be an HTTP proxy.

http://en.wikipedia.org/wiki/Proxy_auto-config

For english speakers: I'm just telling the guy to go do a little research on PAC files. That could make his life a little simpler (though I'm not sure if socks proxies like the one an ssh tunnel provides works with PAC files).
 
1 member found this post helpful.
Old 03-06-2012, 11:25 PM   #3
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Rep: Reputation: 83
About using iptables: The thing is that when traffic is going out from firefox to the web server directly (and that is how you could catch it with iptables) it's HTTP, but the ssh tunnel expects to handle socks so it shouldn't work. You know what you could do that will avoid socks completely? Install squid on the USA server and then do a "local" tunnel using the USA server to connect to its squid service. Then you could use the pac file without much problem by providing localhost:localport when you want to use the USA squid. That should hold water.
 
1 member found this post helpful.
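The protocol mismatch described in the post above, as an added example that is not part of the thread: the first bytes a browser sends towards a web server form an HTTP request line, while the listener created by "ssh -D" speaks SOCKS4 and SOCKS5 and expects one of their greetings. The byte samples are constructed; 208.85.40.20 is simply an address inside the Pandora range quoted in the question.

```javascript
// Added example, not code from the thread. Classifies the first bytes a client
// sends on a connection, which is all a SOCKS listener sees before deciding.
function classifyFirstBytes(buf) {
  if (buf.length === 0) return "empty";
  // SOCKS5 greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes
  if (buf[0] === 0x05 && buf.length >= 2 && buf.length === 2 + buf[1]) {
    return "socks5-greeting";
  }
  // SOCKS4 CONNECT: VN=0x04, CD=0x01, DSTPORT(2), DSTIP(4), USERID..., NUL
  if (buf[0] === 0x04 && buf[1] === 0x01 && buf.length >= 9 &&
      buf[buf.length - 1] === 0x00) {
    return "socks4-connect";
  }
  // HTTP: an ASCII method token followed by a space
  const line = buf.toString("latin1");
  if (/^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) /.test(line)) return "http-request";
  return "unknown";
}

// What a SOCKS4/5 listener such as "ssh -D" does with those bytes: it starts
// negotiating on a valid greeting and drops the connection on anything else.
// Plain HTTP pushed into that port by iptables REDIRECT lands in the second case.
function socksServerReaction(buf) {
  return classifyFirstBytes(buf).startsWith("socks") ? "negotiate" : "close";
}

// Constructed samples
const socks5Hello = Buffer.from([0x05, 0x01, 0x00]); // one method offered: no auth
const socks4Conn  = Buffer.from([0x04, 0x01, 0x00, 0x50, 208, 85, 40, 20, 0x00]); // CONNECT 208.85.40.20:80
const httpRequest = Buffer.from("GET / HTTP/1.1\r\nHost: www.pandora.com\r\n\r\n", "latin1");

console.log(socksServerReaction(socks5Hello)); // negotiate
console.log(socksServerReaction(httpRequest)); // close
```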
Old 03-07-2012, 06:08 AM   #4
AresiusXP
LQ Newbie
 
Registered: Mar 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
That actually makes a lot of sense. Maybe Squid is a little overkill; I could try something like tinyproxy or similar to that. I'll dig into it using PAC and I'll let you know.

Thanks for the help!
 
Old 03-07-2012, 08:57 AM   #5
AresiusXP
LQ Newbie
 
Registered: Mar 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Ok, here's my status:

I was able to install tinyproxy on my USA server and it's working flawlessly. I configured it in my home Windows browser and I'm able to open any page. So far so good. Also, I created a PAC file in order to apply it on my home Ubuntu server. It's the following:

Code:
function FindProxyForURL(url, host) {
    if (shExpMatch(url, "*netflix.com*") ||
        shExpMatch(url, "*pandora.com*") ||
        shExpMatch(url, "*hulu.com*"))
        return "PROXY host.inUSA.com:8888";

    return "DIRECT";
}
The problem now is that I can't find where to add this proxy.pac file I created. I tried using it as an env variable, running the following:
Code:
export http_proxy=/home/aresius/proxy.pac
However that was not working, and elinks mentioned that it was not a valid proxy configuration. Where can I add this file for global networking? I noticed that there's a configuration like that in Ubuntu Desktop using System -> Preferences -> Network Proxy, but is there anything like that for Ubuntu server?

Thanks again!

Last edited by AresiusXP; 03-07-2012 at 09:22 AM.
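A PAC file for the split routing worked out in the posts above, added here as an example and not code from the thread, with Node.js stand-ins for the helper functions a browser normally injects into PAC scope. host.inUSA.com:8888 is the tinyproxy endpoint from the thread; the second function reproduces the posted rule, which globs the whole URL rather than the host, so the two can be compared on the same input.

```javascript
// Added example, not from the thread. The two PAC helpers are reimplemented so
// this file runs under Node.js as well as in a browser's PAC engine.
function dnsDomainIs(host, domain) {
  // dnsDomainIs("www.pandora.com", ".pandora.com") -> true; a plain suffix test
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function shExpMatch(str, pattern) {
  // shell-style glob: "*" and "?" wildcards, anchored at both ends, case-insensitive
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}

// Hardened PAC rule: decide on the host name, never on the full URL.
// host.inUSA.com:8888 is the tinyproxy endpoint mentioned in the thread.
const US_ONLY = ["netflix.com", "pandora.com", "hulu.com"];
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  for (const d of US_ONLY) {
    // the apex domain or any subdomain; "notpandora.com" does not qualify
    if (h === d || dnsDomainIs(h, "." + d)) return "PROXY host.inUSA.com:8888";
  }
  // PAC may also return "SOCKS host:port", so an "ssh -D" listener is a valid target
  return "DIRECT";
}

// The rule as posted in the thread, kept for comparison: it globs the URL, so
// any page whose path or query contains one of the names goes to the US proxy.
function postedFindProxyForURL(url, host) {
  if (shExpMatch(url, "*netflix.com*") || shExpMatch(url, "*pandora.com*") ||
      shExpMatch(url, "*hulu.com*")) return "PROXY host.inUSA.com:8888";
  return "DIRECT";
}

// Constructed probe: an unrelated site whose query string mentions pandora.com
const probe = "http://example.com/?ref=pandora.com";
console.log(postedFindProxyForURL(probe, "example.com")); // PROXY host.inUSA.com:8888
console.log(FindProxyForURL(probe, "example.com"));       // DIRECT
```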
 
Old 03-07-2012, 11:47 AM   #6
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Rep: Reputation: 115
This looks like you are just running SSH over port 443, which normally would be used for HTTPS. You are using 1081 as a SOCKS protocol connection point on the computer running the SSH client, and the connections going through it come out from the server. All you need to do is configure your browser to use the SOCKS protocol to host 127.0.0.1 port 1081.

Do you need to use other programs through this tunnel to USA, too?
 
Old 03-07-2012, 11:50 AM   #7
AresiusXP
LQ Newbie
 
Registered: Mar 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
I believe you didn't fully get my problem. I'm aware that I can build another tunnel using 1081 with my USA server and just tunnel through it, but that would mean having 2 tunnels: my home and USA. What I'm trying to achieve is only having one tunnel (home) and it redirects from that server to the USA server when necessary.
 
Old 03-07-2012, 12:05 PM   #8
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Rep: Reputation: 115
Quote:
Originally Posted by AresiusXP View Post
I believe you didn't fully get my problem. I'm aware that I can build another tunnel using 1081 with my USA server and just tunnel through it, but that would mean having 2 tunnels: my home and USA. What I'm trying to achieve is only having one tunnel (home) and it redirects from that server to the USA server when necessary.
I guess I do not understand what you are trying to do. I don't see why doing "ssh -D 1081" from work, and another "ssh -D 1081" from home, is an issue.

If you can make an ssh connection from work to home, one way to make the internet connections hop first through home is to do an SSH local port forward to home:

ssh -L 127.0.0.1:1081:127.0.0.1:1081 aresius@home.inAR.com

This will listen on port 1081 but instead of making that be a SOCKS protocol, it just forwards it as is through the ssh connection from work to home, and feeds that connection to port 1081 at home. If the home computer is already doing the "ssh -D 1081" then connections to 1081 at work will end up going to 1081 at home, and operate as SOCKS via the server in USA. If you can make ssh connections from work to home, try that.

If I didn't understand what you are trying to do, maybe another explanation with more details could help. I do not think any iptables is needed for this.
 
Old 03-07-2012, 12:37 PM   #9
AresiusXP
LQ Newbie
 
Registered: Mar 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Perhaps what I'm omitting in my explanation is that latency when using the USA server is considerably higher than with my home computer, and that's why I only want to use the USA server for specific pages such as Netflix, Pandora or Hulu. Doing the tunnel as you say, I will only be using the USA server connection.

Another detail that maybe was not considered is that I'm using Windows XP for my desktop. Not that it makes any significant difference, but it doesn't hurt saying it.


Basically what I want is to tunnel my connection to my home Ubuntu server, and when, and only when, traffic is supposed to hit one of those pages, traffic on my Ubuntu server gets redirected to my USA server. At first I thought I could do that by creating a tunnel between my home Ubuntu and my USA Ubuntu, and somehow redirect with iptables. eantoranz explained that I can create a proxy server on the USA Ubuntu and on my home Ubuntu apply a PAC file to redirect traffic matching those hostnames (netflix.com, pandora.com).
 
Old 03-07-2012, 12:59 PM   #10
AresiusXP
LQ Newbie
 
Registered: Mar 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
As an update, here's what I did with the PAC file.

I remembered that I had installed X for VNC, so I opened a VNC session and used the Network Proxy option, specifying my PAC file located at http://localhost/proxy.pac. Using Epiphany in that session, it shows that it's working OK. I was able to open Pandora with no problem. When I use elinks from my PuTTY session, it says it's restricted, because it's not taking the PAC config, even though it's supposed to be globally applied in the system.
 
Old 03-08-2012, 01:59 PM   #11
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Rep: Reputation: 115
I was under the impression you wanted to get access to content you cannot get in Argentina, either from home or from work.

I don't know what a PAC file is. Is that something specific to how you are doing your proxying from Windows XP at work? If that can let you select which of "USA proxy" or "home proxy" to use based on the hostname, that sounds great. But I am sorry that I don't know anything about that part, or Windows XP setups in general.

If you were running some Linux everywhere, or even BSD or some other Unix systems, I could likely get tunnel paths going for you. As for a means to select which path by hostname, I don't know about anything that can do that. It would surprise me if nothing exists to do that in Linux, somewhere, such as proxy server rules or a browser plug-in.

Sorry for being of no help.
 