
AresiusXP 03-06-2012 02:45 PM

Redirect traffic between ssh tunnels with iptables
Here's the first piece of information that you'll need: I'm from Argentina and in order to use some country-restricted pages (such as Pandora, Netflix, Hulu), I need to tunnel it to a host in USA.

I have 2 Ubuntu servers running SSH listening to port 443. One is at home, the other is my host in USA. Usually, at the office, I create 2 ssh tunnels using PuTTY: 1st session for my host at home, 2nd session to my USA server. I configure my proxy settings in my browser according to what pages i'm going to use.

What I want to do is to just use one ssh tunnel at the office (the one with my home server) and, if my traffic goes to Pandora for example, have it automatically relayed to an SSH tunnel created there with my USA server.

I created the SSH tunnel at home running the following:

ssh -fqNp 443 -D 1081
As far as I know, traffic redirection, rerouting, or whatever it's called, can be done using iptables. However, I never fully understood it or its syntax, and this is the best I could come up with:

iptables -t nat -A OUTPUT -p TCP -d -j REDIRECT --to-port 1081
When I run elinks in the host, it just doesn't work.

Can you help me? Thanks in advance!

eantoranz 03-06-2012 11:19 PM

Compadre, I think it will be simpler if you use a PAC; there you can tell the proxy settings "if you're going to such-and-such domain, go through this proxy... if you're going to this other domain, go through this other proxy"... the only thing I'm not sure about is whether you can point the proxy at a SOCKS proxy (like the one an ssh tunnel gives you) or whether it necessarily has to be an HTTP proxy.

For English speakers: I'm just telling the guy to go do a little research on PAC files. That could make his life a little simpler (though I'm not sure if socks proxies like the one an ssh tunnel provides work with PAC files).

eantoranz 03-06-2012 11:25 PM

About using iptables: The thing is that when traffic is going out from firefox to the web server directly (and that is how you could catch it with iptables) it's HTTP, but the ssh tunnel expects to handle socks so it shouldn't work. You know what you could do that will avoid socks completely? Install squid on the USA server and then do a "local" tunnel using the USA server to connect to its squid service. Then you could use the pac file without much problem by providing localhost:localport when you want to use the USA squid. That should hold water.

AresiusXP 03-07-2012 06:08 AM

That actually makes a lot of sense. Maybe Squid is a little overkill; I could try something like tinyproxy or similar to that. I'll dig into it using PAC and I'll let you know.

Gracias por la ayuda! :)

AresiusXP 03-07-2012 08:57 AM

Ok, here's my status:

I was able to install tinyproxy in my USA server and it's working flawlessly. I configured it in my home Windows browser and I'm able to open any page. So far so good. Also, I created a pac file in order to apply in my home Ubuntu server. It's the following:


function FindProxyForURL(url, host) {
        if (shExpMatch(url,"**") ||
            shExpMatch(url,"**"))
                return "PROXY";
        return "DIRECT";
}

Problem now is that I can't find anywhere where to add this proxy.pac file I created. I tried using it as an env variable running the following:

export http_proxy=/home/aresius/proxy.pac
However that was not working, and elinks mentioned that it was not a valid proxy configuration. Where can I add this file for global networking? I noticed that there's a configuration like that in Ubuntu Desktop using System -> Preferences -> Network Proxy, but is there anything like that for Ubuntu server?

Thanks again!
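An added example, not code from the thread: the PAC approach eantoranz suggested, written out as a complete file that sends only the country-restricted sites through the proxy reached over the SSH tunnel and everything else DIRECT. The domain list, the proxy port 8888 and the "ssh -L" forward it assumes are constructed; the browser's own shExpMatch() and dnsDomainIs() built-ins could replace the two helpers, which are defined here so the file also runs under Node for testing.

```javascript
// Added example (not the thread's code): a PAC file that routes only
// country-restricted sites through the proxy reached over the SSH tunnel
// and everything else DIRECT. Hostnames and ports are assumptions.

// Sites that must leave from the USA end (constructed list).
var US_ONLY_DOMAINS = [".pandora.com", ".netflix.com", ".hulu.com"];

// The US proxy as seen from this machine: the local end of an assumed
// "ssh -L 8888:localhost:8888 usa-host" forward to tinyproxy on the USA
// server. No "; DIRECT" fallback is appended on purpose: if the tunnel is
// down the request should fail rather than silently leave from here.
var US_PROXY = "PROXY 127.0.0.1:8888";

// Shell-style glob match (* and ?), equivalent to the PAC built-in
// shExpMatch(); defined here so the file also runs under Node for testing.
function globMatch(str, pattern) {
  var re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")  // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// True when host is the domain itself or a subdomain of it, equivalent to
// the PAC built-in dnsDomainIs(). Unlike a glob over the whole URL such as
// "*pandora.com*", this does not also match unrelated hosts like
// notpandora.com, which would otherwise be sent through the proxy too.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  var bare = domain.toLowerCase().replace(/^\./, "");
  return host === bare || host.slice(-(bare.length + 1)) === "." + bare;
}

function FindProxyForURL(url, host) {
  // Unqualified names and loopback never leave this machine.
  if (host.indexOf(".") === -1 || host === "127.0.0.1") {
    return "DIRECT";
  }
  for (var i = 0; i < US_ONLY_DOMAINS.length; i++) {
    if (domainMatches(host, US_ONLY_DOMAINS[i])) {
      return US_PROXY;
    }
  }
  // Everything else goes out over this machine's own connection.
  return "DIRECT";
}
```

Two notes on using it. A PAC rule may also point straight at the SSH dynamic forward with the form "SOCKS 127.0.0.1:1081", so the SOCKS question in the thread is answered by the PAC syntax itself. PAC files are evaluated by browsers, not by the http_proxy environment variable: tools such as elinks expect http_proxy to hold a proxy URL like http://127.0.0.1:8888, which is why pointing it at a .pac path was rejected.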

Skaperen 03-07-2012 11:47 AM

This looks like you are just running SSH over port 443, which normally would be used for HTTPS. You are using 1081 as a SOCKS protocol connection point in the computer running the SSH client, and the connections going through it come out from the server. All you need to do is configure your browser to use the SOCKS protocol to host port 1081.

Do you need to use other programs through this tunnel to USA, too?

AresiusXP 03-07-2012 11:50 AM

I believe you didn't fully get my problem. I'm aware that I can build another tunnel using 1081 with my USA server and just tunnel through it, but that would mean having 2 tunnels: my home and USA. What I'm trying to achieve is only having one tunnel (home) and it redirects from that server to USA server when necessary.

Skaperen 03-07-2012 12:05 PM


Originally Posted by AresiusXP (Post 4621037)
I believe you didn't fully get my problem. I'm aware that I can build another tunnel using 1081 with my USA server and just tunnel through it, but that would mean having 2 tunnels: my home and USA. What i'm trying to achieve is only having one tunnel (home) and it redirects from that server to USA server when necessary.

I guess I do not understand what you are trying to do. I don't see why doing "ssh -D 1081" from work, and another "ssh -D 1081" from home, is an issue.

If you can make an ssh connection from work to home, one way to make the internet connections hop first through home is to do an SSH local port forward to home:

ssh -L

This will listen on port 1081 but instead of making that be a SOCKS protocol, it just forwards it as is through the ssh connection from work to home, and feeds that connection to port 1081 at home. If the home computer is already doing the "ssh -D 1081" then connections to 1081 at work will end up going to 1081 at home, and operate as SOCKS via the server in USA. If you can make ssh connections from work to home, try that.

If I didn't understand what you are trying to do, maybe another explanation with more details could help. I do not think any iptables is needed for this.

AresiusXP 03-07-2012 12:37 PM

Perhaps what I'm omitting in my explanation is that latency when using USA server is considerably higher than my home computer, and that's why I only want to use the USA server for specific pages such as Netflix, Pandora or Hulu. Doing the tunnel as you say, I will only be using USA server connection.

Another detail that maybe was not considered is that I'm using Windows XP for my desktop. Not that it makes any significant difference, but it doesn't hurt saying it.

Basically what I want is to tunnel my connection to my home Ubuntu server, and when, and only when, traffic is supposed to hit one of those pages, traffic in my Ubuntu server gets redirected to my USA server. At first I thought I could do that by creating a tunnel between my home Ubuntu and my USA Ubuntu, and somehow redirect with iptables. eantoranz explained that I can create a proxy server in USA Ubuntu and in my home Ubuntu apply a PAC file to redirect matching those hostnames.

AresiusXP 03-07-2012 12:59 PM

As an update, here's what I did with the PAC file.

I remembered that I had installed X for VNC, so I opened a VNC session, and I used the Network Proxy option, specifying my pac file located in http://localhost/proxy.pac. Using Epiphany in that session, it shows that it's working ok. I was able to open Pandora with no problem. When I use elinks from my PuTTY session, it's saying that it's restricted because it's not taking the PAC config, even though it's supposed to be Globally applied in system.

Skaperen 03-08-2012 01:59 PM

I was under the impression you wanted to get access to content you cannot get in Argentina, either from home or from work.

I don't know what a PAC file is. Is that something specific to how you are doing your proxying from Windows XP at work? If that can let you select which of "USA proxy" or "home proxy" to use based on the hostname, that sounds great. But I am sorry that I don't know anything about that part, or Windows XP setups in general.

If you were running some Linux everywhere, or even BSD or some other Unix systems, I could likely get tunnel paths going for you. As for a means to select which path by hostname, I don't know about anything that can do that. It would surprise me if nothing exists to do that in Linux, somewhere, such as proxy server rules or a browser plug-in.

Sorry for being of no help.
