From: Tito
Subject: ssh tunnel to port forwarded over localhost
Date: Wed, 14 Oct 2009 13:11:05 +0200
Message-ID: <4AD5B1C9.6020609@gmail.com>
Reply-To: f.disclosure@gmail.com
To: netfilter@vger.kernel.org

Hello,

First, I would like to say that I have searched for a really long time through the historical list archive of netfilter and other forums, but I was not able to find the functionality I was searching for!

I have found only this "port forwarding through localhost" thread, http://marc.info/?t=116984915600001&r=1&w=2, but it is not exactly that!

Here is the situation:

Host A (Germany - my home laptop - Windows XP)

Router (Bulgaria - public ip) - Linux openSuse 11.1 Xen
Linux clients-pools 2.6.27.29-0.1-xen #1 SMP 2009-08-15 17:53:59 +0200 x86_64 x86_64 x86_64 GNU/Linux

Host B (192.168.1.10, a Xen virtual host installed on the Router itself - Windows XP). Host B can ping any public ip address and can resolve dns names.

The Router has 2 open ports:

55431 openSSH
54322 forwarded to Host B - 192.168.1.10, port 3389, for remote desktop!

Now, the port forwarding is working just great, I can reach the remote desktop of Host B from Host A, but I want to close that port and let everything be forwarded over an ssh tunnel. I have done this for squid and/or apache, which are on the Router itself, and it works just perfectly. But when I closed the port 54322 and tried to do the same for Host B, I ran into several problems.
The Putty tunnel forwards the port 54322 on the Router to my localhost (Host A) port 60000. So the remote desktop from Host A is done like this: localhost:60000, which forwards the traffic not to eth1 but to the local loop (lo):

-A PREROUTING -d 1.1.1.1/32 -i eth1 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389

On the router side I can see that tcp segment coming in on the local loop with tcpdump:

router:~ # tcpdump -vvv -i lo port 3389
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
12:52:26.348931 IP (tos 0x0, ttl 64, id 26881, offset 0, flags [DF], proto TCP (6), length 60)
    localhost.46449 > localhost.ms-wbt-server: S, cksum 0x21d4 (correct), 463172374:463172374(0) win 32792
12:52:26.348954 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    localhost.ms-wbt-server > localhost.46449: R, cksum 0x606d (correct), 0:0(0) ack 463172375 win 0

My question is: what rule should I write in order to redirect this packet to the host 192.168.1.10 on port 3389, and catch that packet on the way back? I do not want to use socat (user space) for this, although it is working.
I have enclosed the output of my iptables-save > firewall command below (I have just changed my public ip to 1.1.1.1), and the output of ifconfig on the router.

# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*mangle
:PREROUTING ACCEPT [125872:58570748]
:INPUT ACCEPT [64138:10436284]
:FORWARD ACCEPT [61857:48161272]
:OUTPUT ACCEPT [60175:25422321]
:POSTROUTING ACCEPT [121952:73579737]
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*nat
:PREROUTING ACCEPT [2178:203421]
:POSTROUTING ACCEPT [3440:199081]
:OUTPUT ACCEPT [9561:742897]
-A PREROUTING -d 1.1.1.1/32 -i eth1 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1/32 -i eth0 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1/32 -i tap5_0 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1/32 -i vif5_0 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tap5_0 -j MASQUERADE
-A POSTROUTING -o vif5_0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*raw
:PREROUTING ACCEPT [315487:154134329]
:OUTPUT ACCEPT [221189:110128847]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i br0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -i eth0 -j input_ext
-A INPUT -i tap5_0 -j input_ext
-A INPUT -i vif5_0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -i br0 -j forward_int
-A FORWARD -i eth1 -j forward_ext
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i tap5_0 -j forward_ext
-A FORWARD -i vif5_0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -i eth1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i tap5_0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i vif5_0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -d 192.168.1.10/32 -p tcp -m limit --limit 3/min -m tcp --dport 3389 -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_ext -d 192.168.1.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A forward_ext -s 192.168.1.10/32 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -i br0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i br0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i br0 -o tap5_0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i br0 -o vif5_0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -d 192.168.1.10/32 -p tcp -m limit --limit 3/min -m tcp --dport 3389 -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_int -d 192.168.1.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A forward_int -s 192.168.1.10/32 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j reject_func
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 54321 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 54321 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 54322 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 54322 -j ACCEPT
-A input_ext -p udp -m udp --dport 54321 -j ACCEPT
-A input_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -m pkttype --pkt-type broadcast -j DROP
-A input_int -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 3389 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 3389 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 443 -j ACCEPT
-A input_int -p udp -m udp --dport 3389 -j ACCEPT
-A input_int -p udp -m udp --dport 443 -j ACCEPT
-A input_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -m pkttype --pkt-type multicast -j DROP
-A input_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_int -j reject_func
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed Oct 14 10:27:35 2009

router:~ # ifconfig
br0       Link encap:Ethernet  HWaddr 00:17:31:66:E0:96
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::217:31ff:fe66:e096/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33617 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39485 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9899695 (9.4 Mb)  TX bytes:40149850 (38.2 Mb)

eth0      Link encap:Ethernet  HWaddr 00:17:31:66:E0:96
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:23 Base address:0xd000

eth1      Link encap:Ethernet  HWaddr 00:C0:26:2B:FD:BF
          inet addr:1.1.1.1  Bcast:1.1.1.63  Mask:255.255.255.224
          inet6 addr: fe80::2c0:26ff:fe2b:fdbf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:242550 errors:0 dropped:0 overruns:0 frame:0
          TX packets:201341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:109289170 (104.2 Mb)  TX bytes:84870831 (80.9 Mb)
          Interrupt:17 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:72536 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72536 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:40991838 (39.0 Mb)  TX bytes:40991838 (39.0 Mb)

tap5.0    Link encap:Ethernet  HWaddr AA:95:EA:BF:C1:5B
          inet6 addr: fe80::a895:eaff:febf:c15b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:32308 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38395 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:10396937 (9.9 Mb)  TX bytes:40082135 (38.2 Mb)

vif5.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:2930 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Can anyone help me with this,

Konstantin
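An added check, not part of the post or of any reply to it, that reads the rules from the dump above which matter for a connection sshd opens towards 127.0.0.1 on the router itself, and reports the two properties of this ruleset that keep such a connection away from the DNAT: the raw-table NOTRACK on lo exempts loopback packets from connection tracking, which the nat table depends on, and the DNAT rules sit only in nat PREROUTING, whereas packets the router itself originates are NATed in nat OUTPUT. The sample ruleset is a constructed excerpt of the dump and the function names are my own.

```python
# Constructed sample: the rules from the iptables-save dump in the post that
# matter for a connection arriving on lo (public ip shortened as in the post).
SAMPLE_RULES = """
*nat
-A PREROUTING -d 1.1.1.1/32 -i eth1 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1/32 -i eth0 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*raw
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
"""

def parse_rules(text):
    """Yield (table, chain, tokens) for every -A line of an iptables-save dump."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            toks = line.split()
            yield table, toks[1], toks

def opt(toks, flag):
    """Value that follows `flag` in a tokenised rule, or None if absent."""
    return toks[toks.index(flag) + 1] if flag in toks else None

def lint_loopback_dnat(text, port):
    """Findings explaining why a DNAT for `port` never applies to a connection
    the router itself opens towards 127.0.0.1 (hypothetical helper)."""
    prerouting_ifaces, notrack_lo, output_dnat = set(), False, False
    for table, chain, toks in parse_rules(text):
        target = opt(toks, "-j")
        if table == "raw" and target == "NOTRACK" and "lo" in (opt(toks, "-i"), opt(toks, "-o")):
            notrack_lo = True
        if table == "nat" and target == "DNAT" and opt(toks, "--dport") == str(port):
            if chain == "PREROUTING":
                prerouting_ifaces.add(opt(toks, "-i"))
            elif chain == "OUTPUT":
                output_dnat = True
    findings = []
    if notrack_lo:
        findings.append("raw NOTRACK on lo: loopback packets are never tracked, and the nat "
                        "table is only consulted for tracked connections")
    if prerouting_ifaces and not output_dnat:
        findings.append("DNAT for port %d only in nat PREROUTING (-i %s); a connection the router "
                        "itself originates is NATed in nat OUTPUT" % (port, ",".join(sorted(prerouting_ifaces))))
    return findings
```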