Koozali.org: home of the SME Server

Port forward network through SSH

dtech
Port forward network through SSH
« on: October 20, 2007, 01:30:09 AM »
Hi All;

I'd like to set up my SME 7.2 server so that all web browsing, usenet, and SMTP traffic from my workstations goes through a port-forwarding ssh tunnel. I've already got the HTTP stuff working by running privoxy and forwarding it through the tunnel. Privoxy accepts connections from inside my network, but I can't figure out how to have the server accept connections for NNTP and SMTP and have them go through the tunnel as well. To clarify, I run ssh like this on my server:

Code:
ssh -2 -N -f -lusername -L 8080:webproxy.example.com:3129 -L 119:news.example.com:119 -L 25:smtp.example.com:25 shellmachine.example.com
By the way, I turn off the HTTP squid proxy in SME.

Thanks in advance,

dtech

arne
Re: Port forward network through SSH
« Reply #1 on: October 22, 2007, 02:01:07 PM »
I do not know the precise answer, but I will still try to do some "loud thinking", as there are no other answers.

What is being tried is to set up three different tunnels via ssh:

localhost:8080 to webproxy.example.com:3129 via shellmachine.example.com
localhost:119 to news.example.com:119 via shellmachine.example.com
localhost:25 to smtp.example.com:25 via shellmachine.example.com

The only way a LAN client will be able to communicate out from the gateway's localhost is via a proxy that is running on the gateway (the ordinary SNAT function cannot do this, right??).

Squid is shut down but is replaced with "Privoxy", so there is a web proxy that can communicate via a tunnel with the address localhost:8080.

On the other side there is no proxy on the SME server (??) that can do the communication for the news service, so this will just be an open tunnel with no traffic.

Setting up a localhost port 25 tunnel should not work at all, as localhost:25 is already used by qmail. Another proxy function with some other address than localhost:25 would be needed.

Please correct me if there is something I have misunderstood.

Another interesting question is: could it be possible to do a SNAT/masquerade out through the lo interface and then out through the ssh tunnel? I have never heard about it, but it could be tried. (It would eventually require some other firewall arrangement than the one of the SME server.)

My first impression is that tunnels no. 2 and 3 cannot be done on the SME server without a proxy that can do the "retransmission" of packets through a localhost tunnel.

Once more, just correct me if my "loud thinking" should be an incorrect one.

******

When thinking it over ..

I believe that the source NAT via the lo interface will not work.

On the other hand, a PREROUTING from the internal network adapter to the lo interface might work. If this method should eventually work, there should then not be a requirement to have a proxy at all, and all 3 ports should eventually be possible to "preroute directly" through the ssh tunnel without the need of a gateway proxy. If this method should work, the tunnel(s) should be possible to set up via any free ports on the localhost. Don't know, but will do a test.

 
« Last Edit: October 22, 2007, 03:06:59 PM by arne »
......

arne
Re: Port forward network through SSH
« Reply #2 on: October 22, 2007, 05:14:08 PM »
Nope.

I set up an ssh tunnel and tried diverse ways to reroute the traffic from the LAN card to the tunnel using iptables.

Was not able to get it to work.

Looks like it needs to be some kind of proxy on the gateway to make the ssh tunnel available for LAN clients.
......

arne
Re: Port forward network through SSH
« Reply #3 on: October 22, 2007, 05:50:57 PM »
Well, I might have found a way after some testing, but I don't know if this is much of a practical solution.

I did this:

1. Established a tunnel from the gateway to the ssh server. Checked that it works.

2. Established a new tunnel from the workstation into the gateway, addressed to the gateway's localhost (I used PuTTY). (Connect the tunnel from your client to the tunnel from the gateway.)

I addressed it this way: on my client, localhost:portnumber; this request is sent further on to localhost:portnumber on the gateway, and from there through the ssh server and out to where it is addressed from the ssh server.

But would this help at all, to connect two tunnels this way (via the gateway)? Possibly it would be just as easy to use one (three) tunnel(s) from each workstation to the external ssh server?

Addressing on my client for using the connected tunnels, like this: http://localhost:83/

Two alternative ways:

client-ssh-tunnel-------Gateway---new ssh tunnel originated from gateway--ssh-server--target

client-ssh-tunnel-------Gateway---same ssh tunnel after nat--ssh server--target

Could not get this working:

client ----Gateway in--DNAT-to-tunnel--Gateway out---ssh-server--target


This is a description of the same limitations as I found when playing a little bit:
http://utcc.utoronto.ca/~cks/space/blog/linux/IptablesLimitation


« Last Edit: October 22, 2007, 07:47:26 PM by arne »
......
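One thing none of the posts above tries, added here as an example that is not from the thread: ssh's -L accepts an explicit bind address (-L bind_address:port:host:hostport), and without one the forward listens on 127.0.0.1 only, which is a listener LAN clients cannot connect to and the reason port 119 on the gateway looks dead from a workstation. Binding the forwards to the gateway's LAN address gives workstations a listener they can use directly, without a proxy on the gateway and without chaining a second tunnel from each client. The script below builds that command line, forwards SMTP on 2525 because qmail already owns port 25 on the gateway, and audits netstat -ltn output to confirm where each port actually ended up bound. The LAN address 192.168.1.1 is assumed, the user and host names are the placeholders from dtech's command, the netstat sample is constructed, and it still has to be checked (not assumed) that the gateway's firewall lets LAN clients reach those ports on its internal address.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumptions: the SME gateway's LAN address is 192.168.1.1, the ssh user,
# ssh host and target hosts are the placeholders from dtech's command line,
# and the tunnel command runs as root on the gateway (port 119 is privileged).
LAN_IP=192.168.1.1
SSH_USER=username
SSH_HOST=shellmachine.example.com

# Build the ssh command line. Each -L forward gets an explicit bind address
# (-L bind_address:port:host:hostport), so the listener sits on the LAN
# interface instead of ssh's default of 127.0.0.1, and workstations can point
# their news/SMTP clients at $LAN_IP:<port>. Anything on the LAN can then use
# the tunnel, so bind to the internal address only, never 0.0.0.0 or -g.
build_tunnel_cmd() {
    bind=$1
    shift
    cmd="ssh -2 -N -f -l $SSH_USER"
    for fwd in "$@"; do
        cmd="$cmd -L $bind:$fwd"
    done
    echo "$cmd $SSH_HOST"
}

# Print the local address a TCP port is listening on, reading `netstat -ltn`
# output from stdin (columns: Proto Recv-Q Send-Q Local Foreign State).
# IPv4 lines only; prints nothing when nothing listens on that port.
listener_addr() {
    awk -v p="$1" '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, a, ":")        # a[1] is the address, a[n] the port
        if (a[n] == p) { print a[1]; exit }
    }'
}

# Classify the listener on a port, reading `netstat -ltn` from stdin:
#   ok        bound to the wanted LAN address, reachable from workstations
#   loopback  bound to 127.0.0.1 only (ssh's default): LAN clients get nothing
#   taken     some other address owns it, e.g. qmail on port 25
#   none      nothing listens; the tunnel is not up
check_port() {
    port=$1
    want=$2
    addr=$(listener_addr "$port")
    case "$addr" in
        "")        echo none ;;
        "$want")   echo ok ;;
        127.0.0.1) echo loopback ;;
        *)         echo taken ;;
    esac
}

# Constructed sample of `netstat -ltn` on the gateway: the web forward was
# started without a bind address, the news forward with one, and qmail holds
# port 25 on all addresses, which is why SMTP is forwarded on 2525 below.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:119         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN'

# Demo: `sh tunnel-check.sh demo` prints the command to run on the gateway
# and audits the sample above. Sourcing the file only defines the functions;
# `netstat -ltn | check_port 119 192.168.1.1` then audits the real gateway.
if [ "${1:-}" = demo ]; then
    build_tunnel_cmd "$LAN_IP" 8080:webproxy.example.com:3129 \
        119:news.example.com:119 2525:smtp.example.com:25
    for p in 8080 119 25 2525; do
        printf '%s -> %s\n' "$p" \
            "$(printf '%s\n' "$SAMPLE_NETSTAT" | check_port "$p" "$LAN_IP")"
    done
fi
```

On the workstations this means pointing the news client at 192.168.1.1:119 and the mail client at 192.168.1.1:2525, with no SOCKS or HTTP proxy involved; the check_port audit is worth rerunning after a reboot, since a forward that silently fell back to loopback looks exactly like the "open tunnel with no traffic" described in the first reply.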