teper Guest
Posted: Thu Apr 25, 2002 12:58 pm Post subject: simple tunnel
Hello!
I used FreeBSD previously and bounce.c as a simple port tunnel.
(normal connection)
My_Host -> foreign_IP:port
(bounced connection)
MY_HOST -> server_IP:INC-PORT [FreeBSD] -> foreign_IP:port
What should I use in Gentoo Linux as a bounce.c substitute, or what should I use to compile that simple program? Standard cc/gcc won't work.
Wojciech Teperski
teper@polsl.gliwice.pl
Target Apprentice
Joined: 25 Apr 2002 Posts: 200
Posted: Thu Apr 25, 2002 4:23 pm Post subject:
This feature is built into iptables' preroute/forward/postroute rules, but since I use ssh whenever I tunnel anywhere (I'm an encryption nut), any examples I give you may need a lot of tweaking to get working.
First, you'll either need to load the netfilter (iptables) kernel module if you have it, or compile a kernel with it built-in. Then emerge iptables to get the userspace tools.
We'll assume you have two network cards in the bounce host with eth0 as the external interface and eth1 as the internal. Card references can just as easily be replaced with IPs and IP ranges, though.
Let's also assume you want to reach remote port 2000 on host 101.101.101.101, and that just for the hell of it you'll actually be bouncing through 2002 on your own server.
First we set forwarding's default policy to deny... we don't want people coming in from the outside and tunneling right back out.
Code:
iptables -P FORWARD DROP
We'll want to allow packets we've actually requested to get forwarded through to us:
Code:
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow all safe/needed forms of tcp connections on port 2002 to be forwarded out the external interface:
Code:
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 101.101.101.101 --dport 2000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Now that the ground rules have been established, we set up the NAT table to do the dirty work of routing the server's internal port 2002 to the remote host's port 2000:
Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2002 -j DNAT --to 101.101.101.101:2000
I'm not 100% sure about that last one... you may need to specify your internal IP instead of the interface because the NAT table is treated a little differently.
Generally, I'd recommend taking things a step further and setting up a whole firewall. You can never be too careful, and the tools to do it are the same ones you use to bounce/forward ports.
If you're looking to do full SNAT, iptables has a full-blown masquerading subsystem.
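The rule set from the post above, collected into one script that prints the rules for review before anything is applied. This is an added example, not Target's code or anything posted in the thread. It keeps the post's layout and values (bounce host with eth0 external and eth1 internal, clients on the internal side, remote 101.101.101.101:2000, local listen port 2002) and adds two things the post leaves out: IP forwarding has to be switched on, and a POSTROUTING MASQUERADE rule is needed so the remote host's replies come back through the bounce host rather than straight to a client address it cannot route to. Note that the FORWARD chain sees a packet after PREROUTING DNAT has rewritten it, so the rule admitting new connections matches the rewritten destination (101.101.101.101:2000), not port 2002. The default DROP policy on FORWARD and the destination-restricted MASQUERADE keep the host from becoming a general relay. The function names bounce_rules and rule_count are my own.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables rules for bouncing
# TCP connections through a two-NIC host. Arguments (assumed, matching the post):
#   $1 external interface (eth0)     $4 remote host (101.101.101.101)
#   $2 internal interface (eth1)     $5 remote port (2000)
#   $3 listen port on the bounce host (2002)
# The rules are printed rather than applied so they can be reviewed or diffed
# first; pipe the output to sh as root to apply them.
bounce_rules() {
    ext_if=$1; int_if=$2; lport=$3; rhost=$4; rport=$5
    cat <<EOF
# forwarding is off by default on Linux; nothing below works without it
sysctl -w net.ipv4.ip_forward=1
# deny forwarding unless a rule below explicitly allows it
iptables -P FORWARD DROP
# replies for connections this host already forwarded
iptables -A FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD sees the packet after DNAT, so match the rewritten destination,
# not the port the client dialled
iptables -A FORWARD -i $int_if -o $ext_if -p tcp -d $rhost --dport $rport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# rewrite the destination: client dials $lport here, ends up at $rhost:$rport
iptables -t nat -A PREROUTING -i $int_if -p tcp --dport $lport -j DNAT --to-destination $rhost:$rport
# rewrite the source for that one destination only, so $rhost answers this host
iptables -t nat -A POSTROUTING -o $ext_if -p tcp -d $rhost --dport $rport -j MASQUERADE
EOF
}

# Number of iptables commands in a generated rule set; a cheap sanity check
# before piping the output to sh.
rule_count() {
    bounce_rules "$@" | grep -c '^iptables'
}

# Print the rule set for the post's values (apply with: ... | sh, as root).
bounce_rules eth0 eth1 2002 101.101.101.101 2000
```

The script only generates text, so it can be run as an unprivileged user to check what would be applied; only the `| sh` step needs root.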
teper n00b
Joined: 25 Apr 2002 Posts: 3 Location: Poland
Posted: Thu Apr 25, 2002 6:28 pm Post subject:

Target wrote:
> This feature is built into iptables' preroute/forward/postroute rules, but since I use ssh whenever I tunnel anywhere (I'm an encryption nut), any examples I give you may need a lot of tweaking to get working.
Thanks for the answer, but one thing: I don't need NAT.
I can use
Code:
ssh -R listenport:remote_host:port localhost
The situation is like this:
my friend connects to the internet through tpsa_provider.
He is playing network games on game_server,
but he has terrible lag since game_server is in a different backbone net.
My host is in the same backbone net as game_server, and I have a fast connection with my friend.
Idea: use my server as a bouncer (proxy server).
Thanks for the answer, I'll try ipchains.
Wojciech Teperski
foton@idea.net.pl