Subject: ssh tunnel to port forwarded over localhost
From: Tito @ 2009-10-14 11:11 UTC (permalink / raw)
To: netfilter
Hello,
First, I would like to say that I have searched for a really long time through
the historical list archive of netfilter and other forums, but I was not able
to find the functionality I was searching for!
I have found only this "port forwarding through localhost"
http://marc.info/?t=116984915600001&r=1&w=2 but it is not exactly that!
Here is the situation:
Host A (Germany - my home laptop - Windows XP)
Router (Bulgaria - public IP) - Linux openSUSE 11.1 Xen Linux
clients-pools 2.6.27.29-0.1-xen #1 SMP 2009-08-15 17:53:59 +0200 x86_64
x86_64 x86_64 GNU/Linux
Host B (192.168.1.10, which is a Xen virtual host installed on the Router
itself - Windows XP). Host B can ping any public IP address and can
resolve DNS names.
The Router has 2 open ports:
55431 openSSH
54322 forwarded to Host B - 192.168.1.10 port 3389 for remote desktop!
Now, the port forwarding is working just great, I can reach the remote
desktop of Host B from Host A, but I want to close that port and let
everything be forwarded over an ssh tunnel. I have done this for squid
and/or apache, which are on the Router itself, and it works just perfectly.
But when I closed port 54322 and tried to do the same for Host B,
I ran into several problems.
The PuTTY tunnel forwards port 54322 on the Router to my localhost (Host A)
port 60000.
So the remote desktop from Host A is done like this: localhost:60000,
which forwards the traffic not to eth1 but to the local loopback (lo).
-A PREROUTING -d 1.1.1.1 /32 -i eth1 -p tcp -m tcp --dport 54322 -j DNAT
--to-destination 192.168.1.10:3389
On the router side I can see the TCP segment coming in on the loopback
with tcpdump:
router:~ # tcpdump -vvv -i lo port 3389
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
12:52:26.348931 IP (tos 0x0, ttl 64, id 26881, offset 0, flags [DF],
proto TCP (6), length 60) localhost.46449 > localhost.ms-wbt-server: S,
cksum 0x21d4 (correct), 463172374:463172374(0) win 32792 <mss
16396,sackOK,timestamp 37886487 0,nop,wscale 7>
12:52:26.348954 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
TCP (6), length 40) localhost.ms-wbt-server > localhost.46449: R, cksum
0x606d (correct), 0:0(0) ack 463172375 win 0
My question is what rule I should write in order to redirect this packet
to host 192.168.1.10 on port 3389 and catch that packet on the way
back. I do not want to use socat (user space) for this, although it is
working.
I have enclosed the output of my iptables-save > firewall command below
(I have just changed my public IP to 1.1.1.1) and the output of ifconfig
on the router:
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*mangle
:PREROUTING ACCEPT [125872:58570748]
:INPUT ACCEPT [64138:10436284]
:FORWARD ACCEPT [61857:48161272]
:OUTPUT ACCEPT [60175:25422321]
:POSTROUTING ACCEPT [121952:73579737]
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*nat
:PREROUTING ACCEPT [2178:203421]
:POSTROUTING ACCEPT [3440:199081]
:OUTPUT ACCEPT [9561:742897]
-A PREROUTING -d 1.1.1.1 /32 -i eth1 -p tcp -m tcp --dport 54322 -j DNAT
--to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1 /32 -i eth0 -p tcp -m tcp --dport 54322 -j DNAT
--to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1 /32 -i tap5_0 -p tcp -m tcp --dport 54322 -j
DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1 /32 -i vif5_0 -p tcp -m tcp --dport 54322 -j
DNAT --to-destination 192.168.1.10:3389
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tap5_0 -j MASQUERADE
-A POSTROUTING -o vif5_0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*raw
:PREROUTING ACCEPT [315487:154134329]
:OUTPUT ACCEPT [221189:110128847]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i br0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -i eth0 -j input_ext
-A INPUT -i tap5_0 -j input_ext
-A INPUT -i vif5_0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET
" --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -i br0 -j forward_int
-A FORWARD -i eth1 -j forward_ext
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i tap5_0 -j forward_ext
-A FORWARD -i vif5_0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix
"SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR "
--log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 5 -j ACCEPT
-A forward_ext -i eth1 -o br0 -m state --state RELATED,ESTABLISHED -j
ACCEPT
-A forward_ext -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j
ACCEPT
-A forward_ext -i tap5_0 -o br0 -m state --state RELATED,ESTABLISHED -j
ACCEPT
-A forward_ext -i vif5_0 -o br0 -m state --state RELATED,ESTABLISHED -j
ACCEPT
-A forward_ext -d 192.168.1.10/32 -p tcp -m limit --limit 3/min -m tcp
--dport 3389 -m state --state NEW -j LOG --log-prefix
"SFW2-FWDext-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_ext -d 192.168.1.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A forward_ext -s 192.168.1.10/32 -p tcp -m state --state
RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j
LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options
--log-ip-options
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags
FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT "
--log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix
"SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix
"SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG
--log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options
--log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp
--icmp-type 5 -j ACCEPT
-A forward_int -i br0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED
-j ACCEPT
-A forward_int -i br0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED
-j ACCEPT
-A forward_int -i br0 -o tap5_0 -m state --state NEW,RELATED,ESTABLISHED
-j ACCEPT
-A forward_int -i br0 -o vif5_0 -m state --state NEW,RELATED,ESTABLISHED
-j ACCEPT
-A forward_int -d 192.168.1.10/32 -p tcp -m limit --limit 3/min -m tcp
--dport 3389 -m state --state NEW -j LOG --log-prefix
"SFW2-FWDint-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_int -d 192.168.1.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A forward_int -s 192.168.1.10/32 -p tcp -m state --state
RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j
LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options
--log-ip-options
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags
FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT "
--log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix
"SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix
"SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG
--log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options
--log-ip-options
-A forward_int -j reject_func
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 54321
--tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP
" --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 54321 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 54322
--tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP
" --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 54322 -j ACCEPT
-A input_ext -p udp -m udp --dport 54321 -j ACCEPT
-A input_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j
LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options
--log-ip-options
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags
FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT "
--log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix
"SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix
"SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG
--log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options
--log-ip-options
-A input_ext -j DROP
-A input_int -m pkttype --pkt-type broadcast -j DROP
-A input_int -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 3389
--tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP
" --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 3389 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 443
--tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP
" --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 443 -j ACCEPT
-A input_int -p udp -m udp --dport 3389 -j ACCEPT
-A input_int -p udp -m udp --dport 443 -j ACCEPT
-A input_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j
LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options
--log-ip-options
-A input_int -m pkttype --pkt-type multicast -j DROP
-A input_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags
FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-DROP-DEFLT "
--log-tcp-options --log-ip-options
-A input_int -p icmp -m limit --limit 3/min -j LOG --log-prefix
"SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p udp -m limit --limit 3/min -j LOG --log-prefix
"SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -m limit --limit 3/min -m state --state INVALID -j LOG
--log-prefix "SFW2-INint-DROP-DEFLT-INV " --log-tcp-options
--log-ip-options
-A input_int -j reject_func
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
router:~ # ifconfig
br0 Link encap:Ethernet HWaddr 00:17:31:66:E0:96
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::217:31ff:fe66:e096/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:33617 errors:0 dropped:0 overruns:0 frame:0
TX packets:39485 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9899695 (9.4 Mb) TX bytes:40149850 (38.2 Mb)
eth0 Link encap:Ethernet HWaddr 00:17:31:66:E0:96
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:23 Base address:0xd000
eth1 Link encap:Ethernet HWaddr 00:C0:26:2B:FD:BF
inet addr:1.1.1.1 Bcast:1.1.1.63 Mask:255.255.255.224
inet6 addr: fe80::2c0:26ff:fe2b:fdbf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:242550 errors:0 dropped:0 overruns:0 frame:0
TX packets:201341 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:109289170 (104.2 Mb) TX bytes:84870831 (80.9 Mb)
Interrupt:17 Base address:0xa000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:72536 errors:0 dropped:0 overruns:0 frame:0
TX packets:72536 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:40991838 (39.0 Mb) TX bytes:40991838 (39.0 Mb)
tap5.0 Link encap:Ethernet HWaddr AA:95:EA:BF:C1:5B
inet6 addr: fe80::a895:eaff:febf:c15b/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:32308 errors:0 dropped:0 overruns:0 frame:0
TX packets:38395 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:10396937 (9.9 Mb) TX bytes:40082135 (38.2 Mb)
vif5.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:2930 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Can anyone help me with this?
Konstantin
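As an added illustration (not part of the thread), the following Python script parses an excerpt of the nat and raw tables posted above and checks which of two packets a DNAT rule would rewrite: the one that arrived from the Internet on eth1 while port 54322 was still open, and the one sshd emits toward the tunnel endpoint, which loops back in on lo as the tcpdump shows. The rule excerpt and both packets are constructed from the posted output, and the matching logic covers only the options those rules use.

```python
import ipaddress
import re

# Constructed excerpt of the posted iptables-save nat and raw tables; the
# "1.1.1.1 /32" spacing is kept as posted and normalised by the parser.
SAVE_TEXT = """
*nat
-A PREROUTING -d 1.1.1.1 /32 -i eth1 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
*raw
-A PREROUTING -i lo -j NOTRACK
"""

def parse_rules(text):
    """Return (table, chain, options, target) for each -A line of iptables-save output."""
    rules, table = [], None
    for line in text.splitlines():
        line = re.sub(r"(\d)\s+/(\d+)", r"\1/\2", line.strip())  # "1.1.1.1 /32" -> "1.1.1.1/32"
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = line.split()
            opts, target = {}, None
            for key, val in zip(toks[2::2], toks[3::2]):
                if key == "-j":
                    target = val
                elif key != "-m":  # "-m tcp" only loads the match module
                    opts[key] = val
            rules.append((table, toks[1], opts, target))
    return rules

def rule_matches(opts, pkt):
    """pkt is a dict with iif, dst, dport, proto; options the posted rules do not use are ignored."""
    have = {"-i": pkt["iif"], "-p": pkt["proto"], "--dport": str(pkt["dport"])}
    for key, want in opts.items():
        if key == "-d" and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(want):
            return False
        if key in have and have[key] != want:
            return False
    return True

def dnat_target(rules, pkt):
    """DNAT destination a new connection gets in nat PREROUTING, or None.
    A NOTRACK hit in raw PREROUTING means conntrack never sees the flow, and the
    nat table is consulted only for tracked connections, so NAT is skipped."""
    for table, chain, opts, target in rules:
        if (table, chain, target) == ("raw", "PREROUTING", "NOTRACK") and rule_matches(opts, pkt):
            return None
    for table, chain, opts, target in rules:
        if (table, chain, target) == ("nat", "PREROUTING", "DNAT") and rule_matches(opts, pkt):
            return opts["--to-destination"]
    return None

RULES = parse_rules(SAVE_TEXT)
# Packet from the Internet while 54322 was still open (the case that worked).
FROM_INTERNET = {"iif": "eth1", "dst": "1.1.1.1", "dport": 54322, "proto": "tcp"}
# Packet sshd on the router emits to the tunnel endpoint; it loops back in on lo,
# which is what the poster's tcpdump on lo showed.
FROM_SSHD = {"iif": "lo", "dst": "127.0.0.1", "dport": 54322, "proto": "tcp"}
```

The looped-back packet is rewritten by nothing: it never matches the -i eth1 DNAT rule, and the raw NOTRACK on lo keeps it out of the nat table altogether. An observation added here rather than from the thread: a forward whose destination is 192.168.1.10:3389 makes sshd open the connection to Host B itself through the router's OUTPUT chain, so no DNAT is involved.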
Subject: Re: ssh tunnel to port forwarded over localhost
From: /dev/rob0 @ 2009-11-08 18:28 UTC (permalink / raw)
To: netfilter
[reply-to ignored, posted to the list where I read the OP]
On Wednesday 14 October 2009 06:11:05 Tito wrote:
> First, I would like to say that I have searched really long time
> through historical list archive of netfilter and other forums but
> I was not able to find the functionality I was searching for!
Was any of your searching done in man pages? Specifically
ssh_config(5):
GatewayPorts
Specifies whether remote hosts are allowed to connect
to local forwarded ports. By default, ssh(1) binds
local port forwardings to the loopback address. This
prevents other remote hosts from connecting to
forwarded ports. GatewayPorts can be used to specify
that ssh should bind local port forwardings to the
wildcard address, thus allowing remote hosts to
connect to forwarded ports. The argument must be
``yes'' or ``no''. The default is ``no''.
> I have found only this “port forwarding through localhost ”
>
> http://marc.info/?t=116984915600001&r=1&w=2 but it is not exactly that!
>
> Here is the situation:
>
> Host A (Germany - my home laptop - Windows XP)
> Router (Bulgaria - public IP) - Linux openSUSE 11.1 Xen Linux
> clients-pools 2.6.27.29-0.1-xen #1 SMP 2009-08-15 17:53:59 +0200 x86_64
> x86_64 x86_64 GNU/Linux
> Host B (192.168.1.10, which is a Xen virtual host installed on the Router
> itself - Windows XP). Host B can ping any public IP address and can
> resolve DNS names.
>
> The Router has 2 open ports:
> 55431 openSSH
> 54322 forwarded to Host B - 192.168.1.10 port 3389 for remote desktop!
>
> Now, the port forwarding is working just great, I can reach the remote
> desktop of Host B from Host A, but I want to close that port and let
> everything be forwarded over a ssh tunnel. I have done this for squid
snip
(I had started this reply 3 weeks ago, it was forgotten, but here it
is now, in the hope that it might be useful.)
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header