Gentoo Forums
Redirecting SSH tunnel data via iptables
Forum: Networking & Security
biatch0
n00b
Joined: 25 May 2004
Posts: 40

Posted: Wed Dec 12, 2007 12:35 am    Post subject: Redirecting SSH tunnel data via iptables

This is my current setup at home:

[Windows Userbox] --- [VMWare Gentoo Proxy] -- [INTERNET] --- [Target Server]

In this current setup, I merely add a static route to my Gentoo proxy since it's on the local network. On the Gentoo proxy, this is basically what I've done:

Code:
iptables -t nat -A PREROUTING -p tcp -d target.server.ip --dport 3724 -j REDIRECT --to-ports 50000

socat -d -d -d TCP4-LISTEN:50000,nodelay,fork,reuseaddr,su=nobody TCP4:target.server.ip:3724,nodelay

I did a simple "route add target.server.ip gateway vmware.proxy.ip" on Windows. iptables then catches the data bound for target.server.ip:3724 and redirects it locally to port 50000 where socat picks up the stream and modifies it before sending it out to the original source. The entire setup works perfectly.

I am now trying to implement this on my server which is sitting in a datacenter.

[Windows Userbox] --- [INTERNET] --- [Proxy Server] --- [Target Server]

I'm facing trouble getting iptables/socat to properly process the traffic I'm sending, which is currently either via a PuTTY SSH tunnel... or directly to the server via dante-sockd. I'm fairly certain that the socat switches should work properly... so at the moment I'm quite certain that my iptables rule isn't catching the traffic and redirecting it as it should.

Does anyone have any idea what my iptables rule should look like or did I overlook something else?

Hu
Administrator
Joined: 06 Mar 2007
Posts: 23062

Posted: Wed Dec 12, 2007 4:21 am

What are you trying to accomplish with the second configuration? Your traffic would already cross the Internet unencrypted to reach the proxy server.

biatch0
n00b
Joined: 25 May 2004
Posts: 40

Posted: Wed Dec 12, 2007 9:28 am

(1) Disabling Nagle's algorithm.
(2) Enabling tcp-nodelay.

Hu
Administrator
Joined: 06 Mar 2007
Posts: 23062

Posted: Thu Dec 13, 2007 3:14 am

According to the manpage, those two options are the same thing. All you need to do is call setsockopt and enable TCP_NODELAY on the relevant socket(s). However, most applications that benefit from this already enable it, so you might make things worse if you go tampering with it.
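As an added example (not code from this thread or from socat), here is a small Python relay that does on the proxy what the socat line in the first post does: listen on a local port, connect out to the target for each client, set TCP_NODELAY via setsockopt on both legs as Hu describes, and pass the stream through a transform. The echo server, the upper-casing transform and the loopback ports are constructed stand-ins for target.server.ip:3724 and port 50000; the iptables REDIRECT step that steers traffic to the listener is not modelled.

```python
import socket
import threading

def set_nodelay(sock):
    """Disable Nagle's algorithm on one socket; socat's nodelay option does exactly this."""
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)

def nodelay_enabled(sock):
    """Read the option back so a deployment can verify it really took effect."""
    return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY) != 0

def pump(src, dst, transform):
    """Copy one direction of the stream, transforming each chunk; pass EOF on to dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(transform(data))
    finally:
        dst.shutdown(socket.SHUT_WR)

def handle_client(client, target, transform, seen=None):
    """One forked socat instance: connect to target, set TCP_NODELAY on both legs, relay."""
    upstream = socket.create_connection(target)
    for leg in (client, upstream):
        set_nodelay(leg)
    if seen is not None:  # let the caller inspect the relay's own sockets (used by roundtrip)
        seen.extend((client, upstream))
    threading.Thread(target=pump, args=(client, upstream, transform), daemon=True).start()
    threading.Thread(target=pump, args=(upstream, client, lambda b: b), daemon=True).start()

def start_listener(handler):
    """Bind a free loopback port, run handler(conn) in a thread per connection, return the address."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def roundtrip(payload, transform=bytes.upper):
    """Send payload client -> relay -> echo target; return (reply, relay legs have TCP_NODELAY)."""
    legs = []
    # Constructed stand-in for target.server.ip:3724: a server that echoes what it receives.
    target = start_listener(lambda conn: pump(conn, conn, lambda b: b))
    relay = start_listener(lambda c: handle_client(c, target, transform, legs))
    with socket.create_connection(relay) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    return reply, len(legs) == 2 and all(nodelay_enabled(s) for s in legs)
```

roundtrip() stands up the stand-in target and the relay on loopback ports and reports whether the relay actually enabled TCP_NODELAY on its own sockets, which is the check worth running after changing such a setup.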

All times are GMT