* Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
@ 2011-08-12 9:26 J. Zeidler
2011-08-12 9:47 ` Rob Sterenborg (lists)
` (2 more replies)
0 siblings, 3 replies; 13+ messages in thread
From: J. Zeidler @ 2011-08-12 9:26 UTC (permalink / raw)
To: netfilter
English:
Hello,
I use an SSH tunnel with PuTTY on Ubuntu 11.04. I want to achieve that
the network traffic over a specific port is redirected over the tunnel.
I need this because of a strict firewall, which I cannot configure. The
tunnel runs on localhost:9999. I can use this as a proxy with Firefox, so
the tunnel works. I tried this without success:
iptables -A OUTPUT -t nat -p udp -d 65.18.193.12 -j DNAT --to 127.0.0.1:9999
Can anybody help?
Thanks,
Jonius
German (translated to English):
I use an SSH tunnel with PuTTY on Ubuntu 11.04. I would like to use
iptables so that the outgoing network traffic on certain ports is
redirected over this tunnel, in order to get around a strict firewall
that I am not allowed to configure. The tunnel runs on localhost:9999.
I can use it as a proxy with Firefox, so it works. For example, I tried
this without success:
iptables -A OUTPUT -t nat -p udp -d 65.18.193.12 -j DNAT --to 127.0.0.1:9999
Can anybody help me with this?
Thanks in advance,
Jonius
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: Rob Sterenborg (lists) @ 2011-08-12 9:47 UTC (permalink / raw)
To: netfilter
On Fri, 2011-08-12 at 11:26 +0200, J. Zeidler wrote:
> English:
>
> Hello,
>
> I use an SSH tunnel with PuTTY on Ubuntu 11.04. I want to achieve that
> the network traffic over a specific port is redirected over the tunnel.
> I need this because of a strict firewall, which I cannot configure. The
> tunnel runs on localhost:9999. I can use this as a proxy with Firefox, so
> the tunnel works. I tried this without success:
>
> iptables -A OUTPUT -t nat -p udp -d 65.18.193.12 -j DNAT --to 127.0.0.1:9999
I think you should use REDIRECT instead.
man iptables:
REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those
chains.
It redirects the packet to the machine itself by changing the
destination IP to the primary address of the incoming interface
(locally-generated packets are mapped to the 127.0.0.1 address).
--to-ports port[-port]
This specifies a destination port or range of ports to use: without
this, the destination port is never altered. This is only valid if the
rule also specifies -p tcp or -p udp.
--
Rob
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: Jan Engelhardt @ 2011-08-12 10:00 UTC (permalink / raw)
To: J. Zeidler; +Cc: netfilter
On Friday 2011-08-12 11:26, J. Zeidler wrote:
> English:
>
> Hello,
>
> I use an SSH tunnel with PuTTY on Ubuntu 11.04. I want to achieve that the
> network traffic over a specific port is redirected over the tunnel. I need this
> because of a strict firewall, which I cannot configure. The tunnel runs on
> localhost:9999. I can use this as a proxy with Firefox, so the tunnel works. I
> tried this without success:
>
> iptables -A OUTPUT -t nat -p udp -d 65.18.193.12 -j DNAT --to 127.0.0.1:9999
Since when does SSH do UDP?
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: J. Zeidler @ 2011-08-12 10:19 UTC (permalink / raw)
Cc: netfilter
On 12.08.2011 12:00, Jan Engelhardt wrote:
> On Friday 2011-08-12 11:26, J. Zeidler wrote:
>
>> English:
>>
>> Hello,
>>
>> I use an SSH tunnel with PuTTY on Ubuntu 11.04. I want to achieve that the
>> network traffic over a specific port is redirected over the tunnel. I need this
>> because of a strict firewall, which I cannot configure. The tunnel runs on
>> localhost:9999. I can use this as a proxy with Firefox, so the tunnel works. I
>> tried this without success:
>>
>> iptables -A OUTPUT -t nat -p udp -d 65.18.193.12 -j DNAT --to 127.0.0.1:9999
> Since when does SSH do UDP?
>
I don't know which protocol is used by the program I want to
redirect. So I tried this with TCP and UDP. Do you think
I can only use the tunnel for TCP packets?
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: J. Zeidler @ 2011-08-12 10:25 UTC (permalink / raw)
Cc: netfilter
Hello,
> I think you should use REDIRECT instead.
I don't know how to use it. Using it instead of OUTPUT does not work:
sudo iptables -A REDIRECT -t nat -p tcp -d 65.18.193.12 -j DNAT --to 127.0.0.1:9999
How do I use it?
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: Rob Sterenborg (lists) @ 2011-08-12 10:35 UTC (permalink / raw)
To: netfilter
On Fri, 2011-08-12 at 12:25 +0200, J. Zeidler wrote:
> Hello,
> > I think you should use REDIRECT instead.
> I don't know how to use it. Using it instead of OUTPUT does not work:
I missed the UDP protocol Jan mentioned: SSH doesn't do UDP tunneling.
There are tutorials on how to tunnel UDP through an SSH tunnel using
tools like netcat, but I'm not sure if you're up for that, and
it's not something for this list either.
> sudo iptables -A REDIRECT -t nat -p tcp -d 65.18.193.12 -j DNAT --to 127.0.0.1:9999
>
> How do I use it?
Read 'man iptables' again and search for REDIRECT. REDIRECT is a target,
not a chain, so the above rule is incorrect. Example:
$ipt -t nat -A PREROUTING -p tcp -d <dest_ip> -j REDIRECT --to-ports <local_port>
--
Rob
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: Ed W @ 2011-08-12 11:12 UTC (permalink / raw)
To: J. Zeidler; +Cc: netfilter
On 12/08/2011 10:26, J. Zeidler wrote:
> English:
>
> Hello,
>
> I use an SSH tunnel with PuTTY on Ubuntu 11.04. I want to achieve that
> the network traffic over a specific port is redirected over the tunnel.
> I need this because of a strict firewall, which I cannot configure. The
> tunnel runs on localhost:9999. I can use this as a proxy with Firefox, so
> the tunnel works. I tried this without success:
Try OpenVPN (or your favourite VPN package, possibly SSH with the
tun/tap whatever basic VPN mode?). This is likely easier to set up and
tunnels all traffic out. OpenVPN can also run over HTTP CONNECT with a
bit of configuration, so it can slip out of fairly locked-down firewalls...
Good luck
Ed W
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: Javier Almillategui @ 2011-08-12 12:35 UTC (permalink / raw)
To: Ed W; +Cc: J. Zeidler, netfilter@vger.kernel.org
First of all, can you post the SSH tunnel syntax you are using? In SSH you can specify which IP address will be used to bind the port tunnel, e.g. -L <local ip>:<local port>:<remote ip>:<remote port>.
Secondly, can you tell us the type of traffic you want to transport over the tunnel? You can pass as many -L options as needed to ssh.
Best,
Javier Almillátegui
Cibernética S.A.
On Aug 12, 2011, at 6:12, Ed W <lists@wildgooses.com> wrote:
> On 12/08/2011 10:26, J. Zeidler wrote:
>> English:
>>
>> Hello,
>>
>> I use an SSH tunnel with PuTTY on Ubuntu 11.04. I want to achieve that
>> the network traffic over a specific port is redirected over the tunnel.
>> I need this because of a strict firewall, which I cannot configure. The
>> tunnel runs on localhost:9999. I can use this as a proxy with Firefox, so
>> the tunnel works. I tried this without success:
>
> Try OpenVPN (or your favourite VPN package, possibly SSH with the
> tun/tap whatever basic VPN mode?). This is likely easier to set up and
> tunnels all traffic out. OpenVPN can also run over HTTP CONNECT with a
> bit of configuration, so it can slip out of fairly locked-down firewalls...
>
> Good luck
>
> Ed W
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: J. Zeidler @ 2011-08-12 22:13 UTC (permalink / raw)
Cc: netfilter
> Read 'man iptables' again and search for REDIRECT. REDIRECT is a target,
> not a chain so the above rule is incorrect. Example:
>
> $ipt -t nat -A PREROUTING -p tcp -d <dest_ip> -j REDIRECT --to-ports <local_port>
If I do this, it does not work:
iptables -A PREROUTING -t nat -p tcp -d 65.18.193.12 --dport 15000 -j REDIRECT --to 127.0.0.1:15000
Answer:
iptables v1.4.10: REDIRECT: Bad value for "--to-ports" option:
"127.0.0.1:15000"
Try `iptables -h' or 'iptables --help' for more information.
How can I find out if a program uses the TCP or UDP protocol for its connection?
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: J. Zeidler @ 2011-08-12 22:40 UTC (permalink / raw)
Cc: netfilter@vger.kernel.org
> First of all, can you post the SSH tunnel syntax you are using? In SSH you can specify which IP address will be used to bind the port tunnel, e.g. -L <local ip>:<local port>:<remote ip>:<remote port>.
I don't use ssh in the terminal; I use PuTTY for the connection. There is
a setting "SSH --> Tunnels --> Add forwarded port". There I set the
source port, e.g. to 9999, and the SSH server as the destination. I also
made it dynamic, so I can use it as a proxy server, e.g. in Firefox this way:
(SOCKS: localhost:9999)
> Secondly, can you tell us the type of traffic you want to transport over the tunnel? You can pass as many -L options as needed to ssh.
I think it's TCP packets from one program on my computer which shall be
sent to a server outside. The reason for using the SSH tunnel is that
the firewall does not allow the port the program needs.
I hope it is clear.
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: J. Zeidler @ 2011-08-12 22:43 UTC (permalink / raw)
Cc: netfilter
> Try OpenVPN (or your favourite VPN package, possibly SSH with the
> tun/tap whatever basic VPN mode?). This is likely easier to set up and
> tunnels all traffic out. OpenVPN can also run over HTTP CONNECT with a
> bit of configuration, so it can slip out of fairly locked-down firewalls...
But I would need a server outside which routes my traffic to the
destination port. Is there any server which provides this for free?
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: /dev/rob0 @ 2011-08-13 1:57 UTC (permalink / raw)
To: netfilter
On Sat, Aug 13, 2011 at 12:13:10AM +0200, J. Zeidler wrote:
Rob said:
> > Read 'man iptables' again and search for REDIRECT.
*Do* this. Do not post again without reading the man page. You were
directed to the specific section you need!
> > REDIRECT is a target,
> > not a chain, so the above rule is incorrect. Example:
> >
> > $ipt -t nat -A PREROUTING -p tcp -d <dest_ip> -j REDIRECT
> > --to-ports <local_port>
That's the example. It's correct; reread it.
> If I do this, it does not work:
> iptables -A PREROUTING -t nat -p tcp -d 65.18.193.12 --dport 15000 -j REDIRECT --to 127.0.0.1:15000
This is NOT like the example!
> answer:
> iptables v1.4.10: REDIRECT: Bad value for "--to-ports" option:
> "127.0.0.1:15000"
Did you read this part? Find REDIRECT in the man page, and then find
the "--to-ports" option.
> Try `iptables -h' or 'iptables --help' for more information.
Did you? "iptables -h -j REDIRECT" gives a syntax summary.
> How can I find out if a program uses the TCP or UDP protocol for its
> connection?
What did you try? I suppose I would look in the program's
documentation, and maybe check Wikipedia.
I'm betting this is all futile, because as noted, SSH tunnels are
only capable of carrying TCP traffic. Furthermore, refer to the
ssh_config(5) man page for the option "GatewayPorts". -j REDIRECT
does not work with a process (such as an SSH tunnel) which is only
bound to 127.0.0.1. (It works, but only with connections from
127.0.0.1.)
The real solution might be had with OpenVPN as suggested upthread, or
in a pinch, you can try something like PPP over SSH. Offer void where
taxed or prohibited by law, or if Google fails to find "PPP over SSH"
examples for you, or if you don't know how to use the tunnel once
it's created.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
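The constraints Rob and /dev/rob0 spell out above (REDIRECT is a -j target, valid only in nat PREROUTING/OUTPUT; --to-ports takes a bare port, not ip:port; an SSH port forward carries TCP only) collected into a small rule lint, as an added example that is not from the thread. It only parses an iptables command line given as a string and never touches the kernel, so it runs unprivileged; the rule strings are the ones posted in the thread.

```sh
#!/bin/sh
# Added example: lint an iptables command line against the REDIRECT rules the
# thread spells out. Returns 0 when the rule is sound, 1 with a reason on
# stderr otherwise. The string is only parsed; nothing is applied to the kernel.
lint_redirect_rule() {
    _rule=$1
    chain=; table=filter; proto=; target=; toports=
    set -- $_rule                       # split the rule into words
    while [ $# -gt 0 ]; do
        case $1 in
            -A|-I)      chain=$2;   shift ;;
            -t)         table=$2;   shift ;;
            -p)         proto=$2;   shift ;;
            -j)         target=$2;  shift ;;
            # iptables accepts --to as an abbreviation of --to-ports for REDIRECT,
            # which is why the thread's error message names "--to-ports".
            --to-ports|--to) toports=$2; shift ;;
            --to-destination)
                echo "--to-destination is a DNAT option; REDIRECT takes --to-ports" >&2; return 1 ;;
        esac
        shift
    done
    # REDIRECT is a target (-j REDIRECT), never a chain (-A REDIRECT), and it is
    # only valid in the nat table's PREROUTING and OUTPUT chains.
    case $chain in
        REDIRECT) echo "REDIRECT is a target, not a chain" >&2; return 1 ;;
        PREROUTING|OUTPUT) ;;
        *) echo "REDIRECT is only valid in nat PREROUTING/OUTPUT, got '$chain'" >&2; return 1 ;;
    esac
    [ "$table" = nat ] || { echo "REDIRECT needs -t nat" >&2; return 1; }
    [ "$target" = REDIRECT ] || { echo "expected -j REDIRECT, got '$target'" >&2; return 1; }
    # --to-ports takes a port or a port-port range; "127.0.0.1:15000" is exactly
    # the value iptables rejected in the thread.
    case $toports in
        ""|*[!0-9-]*) echo "--to-ports needs <port> or <port-port>, got '$toports'" >&2; return 1 ;;
    esac
    # An SSH port forward carries TCP only, so a UDP match would redirect into nothing.
    [ "$proto" = tcp ] || { echo "-p must be tcp for an SSH tunnel, got '$proto'" >&2; return 1; }
    # Locally generated packets traverse nat OUTPUT, not PREROUTING.
    [ "$chain" = OUTPUT ] ||
        echo "note: PREROUTING never sees this host's own traffic; use OUTPUT for local programs" >&2
    return 0
}

# Usage: sh lint.sh iptables -A OUTPUT -t nat -p tcp -d 65.18.193.12 -j REDIRECT --to-ports 15000
if [ $# -gt 0 ]; then lint_redirect_rule "$*" && echo "rule looks sound"; fi
```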
* Re: Question about using SSH-tunnel / Frage zum Benutzen eines SSH-Tunnels
From: J. Zeidler @ 2011-08-14 1:28 UTC (permalink / raw)
To: netfilter
Sorry, I don't want to bother you! I read the man page.
If I do it with PREROUTING, nothing happens.
Now I tried it this way:
sudo iptables -A OUTPUT -t nat -p tcp -d 65.18.193.12 -j REDIRECT --to-ports 15000
and
sudo watch -n 5 iptables -L -v -t nat
shows me
Chain OUTPUT (policy ACCEPT 55 packets, 3889 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 REDIRECT   tcp  --  any    any     anywhere             wesnoth.wesnoth.org  redir ports 15000
so it seems that one packet is redirected. But the program tells me:
"remote host disconnected"
I hope you can help me!