Tunnel all internet traffic through an ssh-connected remote computer [solved]
I've recently started using a "telephony over internet" service from a telecom operator.
The company's solution is that you connect your normal phone to an IP phone box, which itself is connected to the internet. The IP phone box needs the following to work:
* A DHCP server providing it an IP address, subnet, default gateway, DNS, etc.
* It has to be reachable on five specific ports, say 1000-1005.
* It connects to various ports on various internet addresses.
As of today, my configuration is as follows:
---------------------------------------------
* The uni computer is equipped with 2 eth cards.
* One of them is connected to the internet (static, public address), the other to the IP phone box.
* There is a DHCP and an IP forwarding service running, creating an internal, DHCP-distributed network to the phone box (172.16.1.12).
* Forwarding through masquerading enables the information on ports 1000-1005 to reach the phone box.
A graphical approach: Code:
------- What someone on this forum (thanks "bignerd") explained to me the other day about remote port forwarding pretty much changed my view about the possibilities in networking. After starting to use it, I now have new hope about connecting the IP phone box to my home computer and, with help from my uni computer, being able to tunnel the necessary traffic to the IP phone box. This procedure is necessary as my ISP only provides my home computer with a static private IP address - and of course doesn't want to forward ports for me. My new suggested setup: ---------------------- Code:
------- Since the incoming traffic is only sent on ports 1000-1005, that part should be easy. My issue is how to make all the outgoing traffic from the phone box go through the uni computer. From the internet, it should look like the phone was sitting behind the uni computer in order for the incoming packets on ports 1000-1005 to be sent through the mentioned tunnel. The question is therefore: How can I access the internet (various domains and ports) from the home computer so that everything is routed through the uni computer? I've been considering tunneling local ports through ssh, but there you only dedicate a local port on your computer to a certain address. Am I looking for some kind of proxy solution to handle this? Sorry about the length of this post! Thanks |
To be honest I think your easiest approach would be to set up a VPN which is run over the ssh tunnel. This would save forwarding 5 individual ports and having to proxy the phone's outgoing connections.
For more info see: http://www.tldp.org/HOWTO/ppp-ssh/ |
Thanks a lot for that answer!
I've set up the VPN and can ping back and forth on the ppp interfaces. The interface on the VPN client is given 172.16.1.3. The VPN server interface is set to 172.16.1.2. The phone box sits on the client side, and has 172.16.1.12 as IP address. The client's eth interface (on which the phone sits) is 172.16.1.1. I can (of course) ping the phone 172.16.1.12 from the client. However, I haven't managed to do this from the server. How should I edit the routing table on the server in order to be able to ping 172.16.1.12 from there? Should I change the routing on the client as well? Was it bad of me to place everything on the same subnet? It should also be mentioned that 172.16.1.12 is distributed by a DHCP server on the client side. The DHCP server gives 172.16.1.12 the address 172.16.1.2 as the default gateway. Is it correct to try to route all outgoing traffic from 172.16.1.12 via the VPN in this way? What I basically can configure are routing tables on the server and the client side and firewalls on each side. Thanks in advance! Hope that the questions are clear enough! |
Realizing that what I wrote last night isn’t too clear, I will try to rephrase my question:
Code:
------- ---------- ----------
The routing table for “Home Comp” looks like this: Code:
Kernel IP routing table
The routing table for “Uni Comp”: Code:
Kernel IP routing table
“proc/sys/../ipv4/ip_forwarding” is “1” on both systems. So are all the interfaces in “proc/sys/../ipv4/conf/”. The tunnel works perfectly between the two boxes (thanks for the vpnssh-howto tip), and 172.16.2.3 can ping 172.16.2.2, as well as the other way around. My humble wish is to be able to ping the “Uni comp” ppp0 interface from the phone or vice versa. I would like all traffic from 172.16.1.12 to access the internet through the tunnel. I’ve been trying to add different entries into the routing tables, but I haven’t managed to get it to work. Thanks a lot! edit: It should also be mentioned that ICMP and ssh login attempts to 172.16.2.3 created by the phone arrive on the "Uni comp". However it generates a "martian source 172.16.2.3 from 172.16.1.12, on dev ppp0" instead of sending back a reply. |
After adding a route to the "Uni comp." (route add -net 172.16.1.0 netmask 255.255.255.0 gw 172.16.2.2), I can now get replies from and ssh to "Uni comp." from 172.16.1.12.
However, 172.16.1.12 still uses "Home comp"'s connection to the internet instead of accessing it via "Uni comp" through the tunnel. How do I manage to force all traffic from the phone to go through the tunnel and access the internet via "Uni Comp"? |
I thought the idea of doing this was that the phone needed to access the internet out of your home connection, but you needed to connect to the phone over the VPN?
Is there any documentation on the phone system anywhere online? |
Thanks for your answer!
Quote:
My interpretation of a tcpdump is that the phone box constantly sends small packets to a server (at the phone company). Since it still sends the packets via the home comp's network, the phone company's server will never be able to send a response back (the ports mentioned above are not forwarded by the Home ISP). What do you think? Is it possible to do what I'm trying? I believe that I'm pretty close, and will manage as soon as I can force all communication from the phone to go through the Uni Comp. At the Uni Comp, I then need to masquerade the appropriate ports (on incoming traffic from the phone company) and forward them through the tunnel to the phone. Quote:
Kindest regards, huge thanks again |
The easiest way would probably be to route all traffic destined for the phone company's server over the ppp tunnel - run this on your home gateway system (host route to the phone company's address, next hop being the work end of the tunnel):
route add -host ip.of.phone.company gw ip.of.work.gateway dev ppp0 |
Running SuSE (version 9.0 and 9.1) on the different computers in the above graphed system, I use SuSEfirewall2. In turn, this firewall seems to be using iptables to solve its tasks.
Having spent some time reading the iptables manual and different configuration examples on the web, I was wondering if it could help to add a rule to the FORWARD chain (in order to push all outgoing traffic from the source 172.16.1.12 through the ppp0 interface)? What would that look like? Could it look something similar to: Code:
iptables -A FORWARD -s 172.16.1.12 -o ppp+ -j ACCEPT
All help is highly appreciated! |
Quote:
Is my iptables suggestion rule not a good idea for this? |
If the destination is a range of IPs then you could specify a subnet to do it.
You could try using iptables but I haven't tried it over a vpn quite like that, it may be worth a shot. |
Your routing suggestion worked out really well! Thanks a lot for all the help! Since the phone box uses a quite huge span of IP addresses when communicating with the phone company's servers (of course different addresses every time I initiate a call), it felt like I routed half the internet through ppp0 in the end. However, it worked - which is the most important thing.
Thanks again for the help - it is highly appreciated! If any reader of this thread knows some iptables rules that could push all the traffic from 172.16.1.12 through the ppp0 interface - then please let me know! I believe that this should be possible but don't know enough about iptables to do it. |
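Editor's note, an added example that is not part of the thread. A rule in the iptables FORWARD chain only permits or drops a packet after the kernel has already picked its outgoing interface, so it cannot "push" the phone's traffic into ppp0; what does that is source-based policy routing with iproute2 (a second routing table consulted only for packets from 172.16.1.12). The script below sets that up on "Home comp", and on "Uni comp" adds the route back over the tunnel that cured the martian-source messages, masquerades the phone's traffic out of the public address, and DNATs the five inbound ports back to the phone. Addresses are the ones in the thread; the interface names eth1 (home, phone side) and eth0 (uni, public), routing table id 100, and UDP plus TCP for the ports are assumptions. With DRY_RUN set it prints the commands instead of executing them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing on the
# "Home comp" plus NAT on the "Uni comp", so that everything the phone box
# sends leaves through the ppp0 tunnel and the inbound ports reach it.
#
# Addresses are taken from the thread; interface names, the routing-table
# id and the protocols for ports 1000-1005 are assumptions.
PHONE=172.16.1.12          # the IP phone box (thread)
PHONE_NET=172.16.1.0/24    # home LAN the phone sits on (thread)
HOME_LAN_IF=eth1           # assumed: home comp interface facing the phone
HOME_PPP=172.16.2.2        # home comp end of the ppp-over-ssh tunnel (thread)
UNI_PPP=172.16.2.3         # uni comp end of the tunnel (thread)
UNI_WAN_IF=eth0            # assumed: uni comp public interface
PORTS=1000:1005            # thread: "five specific ports, say 1000-1005"
TABLE=100                  # assumed: spare routing table id for the phone

# With DRY_RUN set, print each command instead of running it (running
# them for real needs root and the interfaces named above).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Home comp: the routing decision is made by "ip rule" / "ip route", not by
# iptables. A FORWARD rule only allows or drops a packet that has already
# been routed; it cannot move it into ppp0.
home_rules() {
    # Separate table consulted only for packets whose source is the phone:
    # keep the local LAN reachable, send everything else into the tunnel.
    run ip route add "$PHONE_NET" dev "$HOME_LAN_IF" table "$TABLE"
    run ip route add default via "$UNI_PPP" dev ppp0 table "$TABLE"
    run ip rule add from "$PHONE" lookup "$TABLE"
    run ip route flush cache
    # Allow the forwarded traffic in both directions.
    run iptables -A FORWARD -s "$PHONE" -i "$HOME_LAN_IF" -o ppp0 -j ACCEPT
    run iptables -A FORWARD -d "$PHONE" -i ppp0 -o "$HOME_LAN_IF" -j ACCEPT
}

# Uni comp: route the home LAN back over the tunnel (the route that cured
# the "martian source" messages), masquerade the phone's outgoing traffic
# behind the public address, and DNAT the inbound ports to the phone.
uni_rules() {
    run ip route add "$PHONE_NET" via "$HOME_PPP" dev ppp0
    run iptables -t nat -A POSTROUTING -s "$PHONE_NET" -o "$UNI_WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -s "$PHONE_NET" -i ppp0 -o "$UNI_WAN_IF" -j ACCEPT
    run iptables -A FORWARD -d "$PHONE_NET" -i "$UNI_WAN_IF" -o ppp0 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The provider's servers are not known in advance, so the only inbound
    # hole is the five ports; UDP and TCP are assumed since the thread does
    # not say which protocol the phone company uses.
    for proto in udp tcp; do
        run iptables -t nat -A PREROUTING -i "$UNI_WAN_IF" -p "$proto" \
            --dport "$PORTS" -j DNAT --to-destination "$PHONE"
        run iptables -A FORWARD -d "$PHONE" -i "$UNI_WAN_IF" -o ppp0 \
            -p "$proto" --dport "$PORTS" -j ACCEPT
    done
}

# usage: DRY_RUN=1 sh tunnel-phone.sh home    (or: uni)
case "$1" in
    home) home_rules ;;
    uni)  uni_rules ;;
esac
```

Run it as `sh tunnel-phone.sh home` on the home gateway and `sh tunnel-phone.sh uni` on the uni machine once the ppp link is up (the default route in table 100 cannot be added before ppp0 exists). On SuSE, SuSEfirewall2 rebuilds the iptables rule set when it restarts, so the rules have to be loaded from its custom-rules hook rather than typed in once, or the firewall script disabled in favour of these rules.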
I don't really know anything about iptables either, but a solution I use generally is a program called FireHOL. It basically generates an iptables configuration for you but uses much simpler rules. Think of it as a translator. You might want to give it a try.
|