Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
New here and am a newbi to Linux. I have a debian raspberry pi that I have setup as a router with iptables. Basically replaced my DD-WRT because of memory and cpu issues. Question is in regards to SSH port forwarding
First of all, I have port forwarding working. I have a debian based router (raspberry pi) at another location. Its running sshd and I can connect with my putty client. I installed polipo – a http proxy on this remote router. I go into putty and setup a port forward to port 9999. polipo is setup to listen on 9999. I fire up my browser with the proxy settings and I can browse over the remote router.
So far so good.
So, how do I do get pop3, imap, dns, and other services running on my pc to work in the same manner? Do I have to setup another proxy on the remote router one for each of these services?
It looks like putty will allow me to create additional port forwards i.e. pop3 on 9998 in the same connection. If I were to setup a pop3 proxy on the remote router listening to 9998 it will probably work.
So do I need to do this for each service?? Is there a better way? Is there something like a transparent proxy that simply forwards any protocol? I don't want or need it to cache or filter anything. Or is there a proxy out there that listens to more then one port and will forward the protocol correctly?
Basically I am looking for some software that listens on various ports and then forwards back to the correct port. Like this:
pc - port 80 -|...................port 9999.........................|.............|- 9999 to port 80
pc - port 443 -|ssh tunnel - port 9998 - remote router - | proxy? - |-9998 to port 443
pc - port 110 -|.................port 9997........sshd...........|..............|- 9997 to port 110
Does this make sense or am I missing something? I have the opportunity to set up multiple routers like this and basically want to decide what traffic goes out where. I made this post sitting in Austria connected via ssh to this router in Germany and am sending this out over the router located in Germany.
But if you are new to iptables, I suggest you to install ipcop as the OS on the gateway host. (before that try that on your local test machine) That will provide you the GUI interface with the help of that you can do the port forwarding and all. http://www.ipcop.org/
Thanks for the reply. The packages you mentioned are not really what I am looking for. I guess I need or want to understand this. I am not that new to iptables, I have designed what I think is a pretty stable and robust firewall, imho.
This has been bugging me so I put a couple of log rules in the output and input tables on source and destination port 9999. Here is what I got:
Jan 2 09:53:40 depi kernel: [53766.335648] [INPUT sport 9999] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61725 DF PROTO=TCP SPT=41718 DPT=9999 WINDOW=32792 RES=0x00 SYN URGP=0
So here is what I am thinking is happening:
Since I see the syn flag set, I know that this was truly the first http packet sent from my client to the remote router after I brought up the browser
The http packet is inside the ssh tunnel and is coming across as a ssh packet on port 22 as it enters the router in from the client. sshd listening on port 22 takes in the packet and unwraps it and send it out the loopback interface on port 9999 - the ssh tunnel destin port – first entry above.
iptables routes it right back to the input table (destin loopback address) with a dstin port of 9999. I guess at that point the http proxy I have installed see the packet on port 9999 and puts it back out with a destination port of 80 and it goes out locally to the internet. I guess I could do more logging but I am pretty sure that this is what is happening.
The rest of the log follows the exact same pattern and you can watch the tcp flags go back and forth with acks until the page is fully loaded.
I guess the tricky part here is that both log entries above have 127.0.0.1 as source and destin addresses and both source and destin ports are the same. All of the traffic is taking place between sshd and the http proxy server both on the loopback with the data going across port 9999 - my port forward set in the putty client.
Only thing to go on is that the prerouting tables does have incoming interface as a valid test since it looks at packets before they are routed. But there is another problem. I can dnat to port 80 since I know that the tunnel I created was for http coming across as 9999 but where is the new destin address? I bet its embedded in data of the packet. If only iptables could log the whole packet contents :-( If memory serves me, http has the url or better yet ip address in the data portion of the packet.
I don’t think that iptables and nat alone will solve this problem…
Thanks though, it really makes me think about what is going on
Still I didn't understand about your config.. might be my mistake....
I hope all your default policy of all the chain is ACCEPT. Just do the following... Enable logging to the chains one by one... and check.. I think that will help you to solve this...(Not enable logging in all chains)
Thanks again for your reply! I really appreciate it!
My setup is like this:
PC <-----(Internet)-----> Remote Router (Rassbery Pi / debian) running sshd
I have sshd setup on the router with rsa key authentication
I have putty on my pc windows laptop
What I would like to do is create a ssh tunnel to the router and then browse through the tunnel where my http traffic goes out the remote router.
PC >= ssh tunnel = Remote Router > http out to internet (local to router there)
So, I setup my putty client with a tunnel. I setup the tunnel so that port 9999 on my pc is tunneled over to the remote router. Local port 9999 to remote 127.0.0.1:9999 I setup firefox on my pc to proxy http to 127.0.0.1:9999. Typical ssh port forwarding.
Now if I had a web server running on the remote router, everything would work fine and I could access it. But I have nothing on the remote router (other then dhcp. Iptables, ntp client). No other applications on the router. So the http packets comes through the tunnel to port 9999 and dies since nothing is there to pickup the packet.
I have tried to setup the remote tunnel end as 10.10.10.11:80 (which is the internet port eth1) but it doesn’t work. (See previous post and what the packets look like coming out of the tunnel). The destin address and ports are all screwed up coming out of the tunnel. In other words, the packets coming out of the tunnel do not have port 80 and the destin address of the url in them. If destin address was there, I could dnat the packet in prerouting.
So to solve the problem, I installed a http proxy on the remote router. I installed polipo and turned off all of the caching and filtering. I setup polipo is listening on port 9999. And, everything works like a dream. My client opens a ssh tunnel through to the router. The http traffic goes through the tunnel and gets forwarded to the http proxy who is listening on port 9999 who takes the traffic out locally at the router and everyone is happy.
Here are the individual steps that take place and work:
PC proxy – all http to port 127.0.0.1:9999
Putty on the local client sees the port 9999 traffic and places the traffic in the ssh tunnel
ssh tunnel – local port 9999 to remote 127.0.0.1:9999
sshd sees the incoming traffic and un-wraps the http pack out of the tunnel
pushes the packet out port 9999
http proxy listening on port 9999 picks up the packet and sends it out to the intenet
when the http proxy receive back a packet from the web server – all is reversed
packet get to my pc
everything works and is fast as lightning (ok I have super fast dsl on both ends)
Problem I have is that there is more then just http running on my client pc. To even get to the url I need dns to look up the url. Since dns is not going through the tunnel, the dns lookup is taking place locally in my lan where my pc is. So my pc goes to my local provider here in Vienna and gets the ip address of the url. Then firefox creates the http traffic now over the ssh tunnel and I go out and browse over the remote router. Kind of crazy when you think about it.
I also have a pop3 client on my pc. It also goes out locally here in Vienna all at the same time.
So, what I am looking to do is send everything I have locally on my pc – dns, pop3, imap, https, and http over the ssh tunnel to the remote router. My local provider would just see one ssh tunnel to the remote router. My goal is for me to decide what goes out where.
So, I bet that if I setup a pop3 proxy on the remote router to say listen to port 9998 and setup my putty client and add another setting for the tunnel – local port 9998 to remote port 127.0.0.9998 that it will work.
But now I have another proxy on the remote machine. In fact, I would have to have one proxy for each service I want to use.
So far my little Rasberry Pi (512Meg ram 700Mhz) is doing fine. It’s the size of a credit card! Its running about 10% cpu max and 70 Meg ram. Would be nice to keep it this way even with lots of ip table rules. I need to read up on squid because I saw somewhere that it can proxy a whole lot of different protocols. Just wonder if it will run on the pi without killing the performance.
Does this better explain what I am trying to do?
At the end of your post you wrote:
host ---> Remote server:80 ---> Redirect to port 9999 of the server ---> Redirect to server port 80
host ---> Remote server:110 ---> Redirect to port 9997 of the server ---> Redirect to server port 110
Exactly what I want to do! Problem is that I have no server on the other end to do the redirect! Well actually I do but only for http.
Why don't you think about setting up a vpn -server on the remote side.... So after that by default, all your request will be gone through that vpn right...?
Just have a look at the following URL
That's a great idea! Never thought about vpn. Positive thing is that it bundles everything on the client by default and forwards it to the vpn server . It's like putting you right on the lan. With a local lan ip, getting out to the internet should work at the remote site.
Thanks for the great idea!
I'm going to take a serious look at squid first simply because I find ssh tunneling pretty cool and it by default will punch a hole through almost any firewall getting you out. My wife's iphone tries doing the same thing at least a couple times a day. At some point I changed my outgoing tcp rules to block all and added rules for what to let out since the list of what I was blocking kept growing. Strange protocols trying to get out. When I changed the rules, I busted the little bugger trying to ssh out to the provider.