Forwarding Yahoo IM using iptables after SSH tunnel

kenevel · 03-31-2009, 08:08 AM

Hi there,

I'd like to be able to forward Yahoo IM traffic over an SSH-tunnel and then forward it from the target machine to the Yahoo servers. I was wondering whether this was possible with iptables and if so, how that could be done? I suppose there are alternatives, such as running a proxy server, but would like to know the iptables solution

Cheers

K.

datopdog · 04-01-2009, 02:24 AM

Of course you can forward anything with ssh you just need to know the destination address and port.

Code:

ssh -L outbound_nic_address:port:yahoo_messenger_ip:yahoo_port server_address

Code:

iptables -t nat -I POSTROUTING -p tcp(or udp) --dport yahoo_port -d yahoo_messenger_ip -j DNAT --to-destination outbount_nic_address

Am using your nic_address because DNAT to localhost does not seem to work.

kenevel · 04-07-2009, 05:31 AM

Hi datopdog,

Thanks very much for your reply, it's working a treat. I got a bit confused with all the different IP settings, so thought I'd post my solution here.

The Yahoo IM server runs off several hostnames, but the primary one I'm aware of is scs.msg.yahoo.com. This currently resolves to 66.163.181.167 and is used in the following scripts.

Please also not I'm running CentOS 5 so seem to have a slightly different iptables syntax to the one suggested. Its man page suggested that for my version, the DNAT target was valid in the OUTPUT, not POSTROUTING chain.

I've then modified my Yahoo client to use localhost:5050 as its server.

Once again thanks to datopdog for a great answer.

Cheers

K.

Client machine

tunnelyim.sh

Code:

#!/bin/bash

ssh -fN -L 5050:66.163.181.167:5050 -l myusername RELAY_HOST_IP

Relay machine

fwdyim.sh

Code:

#!/bin/bash

if [ "`whoami`" != "root" ] ; then
        echo "you must be root to execute this script"
        exit 1
fi

for protocol in tcp udp ; do 
        /sbin/iptables -t nat -I OUTPUT -p $protocol --dport 5050 -j DNAT --to-destination 66.163.181.167
done