LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 11-25-2004, 03:58 PM   #1
Bateman
LQ Newbie
 
Registered: Oct 2003
Distribution: Gentoo
Posts: 28

Rep: Reputation: 15
Tunnel all internet traffic through a ssh connected remote computer [solved]


I've recently started using a "telephony over internet" service from a telecom operator.

The company solution is that You connect Your normal phone to an ip phone box, which itself is connected to the internet.

The Ip phone box needs the following to work:
* A DHCP server providing it an ip address, subnet, default gateway, DNS, etc.
* Has to be reached on five specific ports, say 1000-1005.
* Connect to various ports on various internet addresses.

As of today, my configuration is as follows:
---------------------------------------------
* The uni computer is equipped with 2 eth cards.
* One of them to the internet (static, public address), the other to the ip phone box.
* There is a DHCP and a Ip forwarding service running and creating a internal, DHCP distributed network to the phone box (172.16.1.12).
* Forwarding through masquerading enbales the information on port 1000-1005 to reach the phone box.

A graphical approach:
Code:
  -------
  |Phone|
  -------
    |
    |               dhcpd, ip forwarding,
    |               masquerading 5 ports
 --------------     ------------------
 |IP Phone box| --- |Eth0:172.16.1.1 |
 |172.16.1.12 |     |  Uni computer  |
 --------------     |Eth1:public ip  | --Internet
                    ------------------
This has worked very well for me, except for that I have to be at the university in order to use the phone.

What someone on this forum (thanks "bignerd") explained to me the other day about remote port forwarding pretty much changed my view about the possibilities in networking. After started using it, I now have new hope about connecting the ip phone box to my home computer and, with help from my uni computer, be able to tunnel the necessary traffic to the ip phone box. This procedure is necessary as my ISP only provides my home computer with a static private ip address - and of course doesn't want to forward ports for me.


My new suggested setup:
----------------------

Code:
      -------
      |Phone|
      -------
         |
         |
         |
   --------------
   |IP Phone box|
   |172.16.1.12 |
   --------------
         |
         |
         |
dhcpd, ip forwarding,
masquerading 5 ports
---------------------
|Eth0:  172.16.1.1  |
|   Home computer   |
|Eth1: 192.168.2.227| --ISP
---------------------    |
                         |
            ------------- 
            |
            |
        Internet
            |
            |
  -------------------
  |Eth0: public ip  |
  |  Uni computer   |
  |Eth1: not in use |
  -------------------
Through remote port forwarding in an ssh tunnel started at the home computer, I could actually forward the five needed ports from the uni computer to the home machine. I only need to set up the tunnel, and then let the masquerading on the home computer forward the ports to the phone box. This requires all the internet communication from the phone box to go through the uni computer.

Since the incoming traffic only is sent on port 1000-1005, that part should
be easy. My issue is how to make all the outgoing traffic from the phone box to go through the uni computer. From the internet, is should look like the phone was sitting behind the uni computer in order for the incoming packets on port 1000-1005 to be sent through the mentioned tunnel.

The question is therefore:
How can I access the internet (various domains and ports) from the home computer so that everything is routed through the uni computer?

I've been considering tunneling local ports through ssh, but there You only dedicate a local port on Your computer to a certain address.

Am I looking for some kind of proxy solution to handle this?

Sorry about the length of this post!

Thanks

Last edited by Bateman; 12-09-2004 at 05:23 PM.
 
Old 11-25-2004, 04:06 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
To be honest I think your easiest approach would be to set up a vpn which is run over the ssh tunnel. This would save forwarding 5 individual ports and having to proxy the phones outgoing connections.

For more info see:
http://www.tldp.org/HOWTO/ppp-ssh/
 
Old 12-04-2004, 04:08 PM   #3
Bateman
LQ Newbie
 
Registered: Oct 2003
Distribution: Gentoo
Posts: 28

Original Poster
Rep: Reputation: 15
Thanks a lot for that answer!

I've set up the vpn and can ping back and forth on the ppp interfaces. The interface on the vpn client is given 172.16.1.3. The vpn server interface is set to 172.16.1.2.

The phone box sits on the client side, and has 172.16.1.12 as IP address. The client's eth interface (on which the phone sits) is 172.16.1.1.

I can (of course) ping the phone 172.16.1.12 from the client. However, I haven't managed to do this from the server. How should I edit the routing table on the server in order to be able to ping 172.16.1.12 from there? Should I change the routing on the client as well?

Was it bad of me to place everything on the same subnet?

It should also be mentioned that 172.16.1.12 is distributed by a DHCP server on the client side. The DHCP server gives 172.16.1.12 the 172.16.1.2 as the default gateway. Is it correct to try to route all outgoing traffic via the vpn from 172.16.1.12 in this way?

What I basically can configure are routing tables on the server and the client side and firewalls on each side.

Thanks in advance! Hope that the questions are clear enough!

Last edited by Bateman; 12-04-2004 at 06:16 PM.
 
Old 12-05-2004, 07:20 AM   #4
Bateman
LQ Newbie
 
Registered: Oct 2003
Distribution: Gentoo
Posts: 28

Original Poster
Rep: Reputation: 15
Tunnel all internet traffic through a ssh connected remote computer

Realizing that what I wrote last night isn’t too clear, I will try to rephrase my question:

Code:
-------            ----------           ----------
|Phone|   ---     |Home Comp|  -Tunnel- |Uni Comp|
-------            ----------           ----------
172.16.1.12   172.16.1.1  172.16.2.2  172.16.2.3
               (ETH1)        (PPP0)    (PPP0)
The tunnel is set up between ETH0 on “Home Comp” and the “UNI Comp”’s ETH.

The routing table for “Home Comp” looks like this:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.2.3      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
192.168.2.1 is the default gateway provided by my ISP (which is connected to ETH0).

The routing table for “Uni Comp”:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.2.2      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         xxx.xxx.xxx.xxx 0.0.0.0         UG    0      0        0 eth0
xxx.xxx.xxx.xxx is the internet connection’s default gateway.

“proc/sys/../ipv4/ip_forwarding” is “1” on both systems.
So are all the interfaces in “proc/sys/../ipv4/conf/”.

The tunnel works perfect between the two boxes (thanks for the vpnssh-howto tip), and 172.16.2.3 can ping 172.16.2.2, as well as the other way around.

My humble wish is to be able to ping the “Uni comp” ppp0 interface from the phone or vice versa. I would like all traffic from 172.16.1.12 to access internet through the tunnel.

I’ve been trying to add different entries into the routing tables, but I haven’t managed to get it work.

Thanks a lot!

edit: It should also be mentioned that ICMP and ssh login attempts to 172.16.2.3 created by the phone arrives on the "Uni comp". However it generates a "martian source 172.16.2.3 from 172.16.1.12, on dev ppp0" instead of sending back a reply.

Last edited by Bateman; 12-05-2004 at 11:02 AM.
 
Old 12-05-2004, 03:20 PM   #5
Bateman
LQ Newbie
 
Registered: Oct 2003
Distribution: Gentoo
Posts: 28

Original Poster
Rep: Reputation: 15
After adding a route to the "Uni comp." (route add -net 172.16.1.0 netmask 255.255.255.0 gw 172.16.2.2), I can now get replies from and ssh to "Uni comp." from 172.16.1.12.

However, 172.16.1.12 still uses "Home comp"'s connection to internet instead of accessing it via "Uni comp" through the tunnel. How do I manage to force all traffic from the phone to go through the tunnel and access internet via "Uni Comp"?
 
Old 12-06-2004, 02:34 PM   #6
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
I thought the idea of doing this was that the phone needed to access the internet out of your home connection but you needed to connect to the phone over the vpn?

Is there any documentation on the phone system anywhere online?
 
Old 12-06-2004, 04:26 PM   #7
Bateman
LQ Newbie
 
Registered: Oct 2003
Distribution: Gentoo
Posts: 28

Original Poster
Rep: Reputation: 15
Tunnel all internet traffic through a ssh connected remote computer

Thanks for Your answer!

Quote:
Originally posted by david_ross
I thought the idea of doing this was that the phone needed to access the internet out of your home connection but you needed to connect to the phone over the vpn?
I need to connect the phone to the internet over the vpn; the phone box needs a public ip address. If this can't be supplied, it will also settle for a private address, to which a certain range of ports (UDP:10000-10005) are forwarded from the outside. Since I can't control my ISP's router connected to my home computer (and this ISP only provides private addresses), I would like to use my offices public address to forward appropriate ports to the phone box. Your suggestion about VPN was great, and I really have good hope to make it work (it has to - right now I have no phone).

My interpretation of a tcpdump is that the phone box constantly sends small packages to a server (at the phone company). Since it still sends the packages via the home comp's network, the phone company's server will never be able to send a respons back (the port's mentioned above are not forwarded by the Home ISP).

What do You think? Is it possible to do what I'm trying? I believe that I'm pretty close, and will manage as soon as I can force all communication from the phone to go through the Uni Comp. At the Uni Comp, I then need to masquerade the appropriate ports (on incoming traffic from the phone company) and forward then through the tunnel to the phone.

Quote:

Is there any documentation on the phone system anywhere online?
Yes, but it is all in Swedish and has no technical depth. They don't even mention private and public addresses. www.tele2.se/bredbandstelefoni

Kindest regards, huge thanks again
 
Old 12-08-2004, 03:07 PM   #8
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
The easiest way would probably be to route all traffic destined for the phone companies server over the ppp tunnel - run this on your home gateway system:
route add ip.of.phone.company netmask 255.255.255.255 ip.of.work.gateway dev ppp0
 
Old 12-08-2004, 03:08 PM   #9
Bateman
LQ Newbie
 
Registered: Oct 2003
Distribution: Gentoo
Posts: 28

Original Poster
Rep: Reputation: 15
Tunnel all internet traffic through a ssh connected remote computer

Running SuSE (version 9.0 and 9.1) on the different computers in the above graphed system, I use Susefirewall 2. In turn, this firewall seems to be using iptables to solve its tasks.

Having spent some time reading the iptables manual and different configuration examples on the web, I was wondering if it could help adding a rule to the FORWARD chain (in order to push all outgoing traffic from the source 172.16.1.12 through the ppp0 interface?

How would that look like? Could it look something similar to:
Code:
iptables -A FORWARD -s 172.16.1.12 -o ppp+
Please forgive my lack of knowledge about iptables!

All help is highly appreciated!
 
Old 12-08-2004, 03:13 PM   #10
Bateman
LQ Newbie
 
Registered: Oct 2003
Distribution: Gentoo
Posts: 28

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by david_ross
The easiest way would probably be to route all traffic destined for the phone companies server over the ppp tunnel - run this on your home gateway system:
route add ip.of.phone.company netmask 255.255.255.255 ip.of.work.gateway dev ppp0
Thanks! The thing is that the phone box seems to be using several different ip addresses. But I will give Your suggestion a try tomorrow night and let You know whether it works!

Is my iptables suggestion rule not a good idea for this?
 
Old 12-08-2004, 03:17 PM   #11
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
If the destination is a range of IPs then you could specify a subnet to do it.

You could try using iptables but I haven't tried it over a vpn quite like that, it may be worth a shot.
 
Old 12-09-2004, 05:16 PM   #12
Bateman
LQ Newbie
 
Registered: Oct 2003
Distribution: Gentoo
Posts: 28

Original Poster
Rep: Reputation: 15
Your routing suggestion worked out really well! Thanks a lot for all the help! Since the phone box uses a quite huge span of ip addresses when communicating with the phone company's servers (of course different addresses everytime I initiate a call), it felt like I routed half internet through ppp0 in the end. However, it worked - which is the most important thing.

Thanks again for the help - it is highly appreciated!

If any reader of this thread knows some iptable rules that could push all the traffic from 172.16.1.12 through the ppp0 interface - then please let me know! I believe that this should be possible but don't know enough about iptables to do it.

Last edited by Bateman; 12-09-2004 at 05:17 PM.
 
Old 12-10-2004, 05:53 AM   #13
hezaplaya
LQ Newbie
 
Registered: Dec 2004
Posts: 4

Rep: Reputation: 0
I don't really know anything about IPTABLES either, but a soution I use generally is a program called FIREHOL it basically generates an iptables conf file for you but it uses much simpler rules. Think of it as a translator. You might want to give it a try.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem with DHCP on computer connected to the internet through a bridging firewall mullog *BSD 2 04-23-2005 08:41 AM
Playing sound on a remote computer over ssh Waldo Linux - Hardware 0 01-20-2005 07:28 AM
Remote Desktop using SSH tunnel..... help! redhatbeatswin Linux - Newbie 5 08-14-2004 11:51 AM
Not able launch KDE_Fedora core on remote computer using ssh-X The_Fed Linux - Newbie 2 03-31-2004 10:58 AM
Most efficient way to tunnel all traffic to remote linux box to then be forwarded? Rims Linux - Networking 0 03-14-2004 01:49 PM


All times are GMT -5. The time now is 05:26 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration