
Even after long searching and trying I'm not able to solve the following puzzle:

Client A --------------------------> Server B (172.26.15.15/24)
  ssh -L 4321:localhost:4321         Server C (172.26.15.16/24)
  • Client 'A' has an ssh tunnel, forwarding a:4321 to b (localhost):4321
  • 'Server B' should forward all packets received on localhost:4321 to 'Server C:4321'

Can this be done with iptables and, if so, can anybody give me a clue how?

squillman

2 Answers

You are trying to make this more complicated than it needs to be. Put in the IP of server C instead of localhost.

ssh -L 4321:172.26.15.16:4321

The -L option takes [localaddress:]localport:remotehost:remoteport

  • [localaddress:] (optional) specify the local IP SSH will bind to. By default it will bind to all IPs.
  • localport - the local TCP port that SSH will bind the tunnel to.
  • remotehost - IP address or DNS name reachable from the SSH server and resolved by the SSH server.
  • remoteport - a TCP port that is the other end of the tunnel.
Zoredache
  • Forgot to mention; I have many 'A' clients, and 'Server C' is not static. Administering the whole system will be a lot easier if I only have to change a few rules on 'Server B' instead of changing all clients. – Jaap Prickartz Sep 26 '13 at 23:40
  • What do you mean by not static? Just use a DNS name instead? Add the name to the servers /etc/hosts file or something? – Zoredache Sep 26 '13 at 23:42
  • The address of 'Server C' sometimes changes on the '172.26.15.0' network; adjusting this on all clients (200+) will be a lot of work. I already (think I) figured out that the incoming traffic from the tunnel (as seen from B's side) does not hit the PREROUTING chain. – Jaap Prickartz Sep 26 '13 at 23:45
  • Right, so DNS is the method that lets you map names to addresses, and can be updated easily. – Zoredache Sep 26 '13 at 23:48
  • OK, so you suggest using on the client something like ssh -L4321:4321 and having an FQDN resolve to the 'Server C' address? Can I use a domain name in a -L statement? – Jaap Prickartz Sep 26 '13 at 23:53
  • Yes, **I tell you three times and done**. Use DNS; DNS works as an option for -L, and the name is resolved by the server. – Zoredache Sep 26 '13 at 23:56

Forwarding traffic originating at localhost with destination localhost can be done with a port forwarding daemon, e.g. xinetd.

I solved my problem with:

/etc/xinetd.conf:

service local_forward
{
    flags       = IPv4
    socket_type = stream
    wait        = no
    user        = root
    redirect    = 172.26.15.16 4321
}

/etc/services:

local_forward   4321/tcp
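For readers who would rather see what the xinetd redirect service above actually does, here is a minimal user-space TCP relay that performs the same job: it listens on loopback only (so only the tunnel endpoint on server B can reach it) and copies bytes in both directions to server C. This is an added example, not code from the answer; it assumes Python 3.8+ and keeps the page's target 172.26.15.16:4321, and loopback_check is a constructed self-test that stands in an echo listener for server C.

```python
import socket
import threading

TARGET = ("172.26.15.16", 4321)  # server C, taken from the question

def _pump(src, dst):
    # Copy one direction until EOF, then half-close the peer so it sees EOF too.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _relay(client, target):
    # One thread per direction; returns once both sides have reached EOF.
    with client, socket.create_connection(target) as upstream:
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()

def start_forwarder(bind=("127.0.0.1", 4321), target=TARGET):
    # Listen on loopback only, so nothing but the tunnel endpoint on B can reach it.
    srv = socket.create_server(bind, backlog=16)
    def accept_loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=_relay, args=(client, target), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()  # the (host, port) actually bound

def loopback_check(payload):
    # Constructed self-test: a one-shot echo listener on loopback stands in for server C.
    echo = socket.create_server(("127.0.0.1", 0))
    def echo_once():
        conn, _ = echo.accept()
        with conn:
            conn.sendall(conn.recv(4096))
    threading.Thread(target=echo_once, daemon=True).start()
    fwd = start_forwarder(("127.0.0.1", 0), echo.getsockname())
    with socket.create_connection(fwd, timeout=5) as c:
        c.sendall(payload)
        return c.recv(4096)
```

Run start_forwarder() on server B and point the tunnel at localhost:4321 as in the question; unlike xinetd, this relay needs no entry in /etc/services.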