linux routing outbound port 80 traffic via ssh tunnel, iptables, or a simple route

1

I have two hosts, A and B. Host A hosts services on port 8080 and has outbound internet firewall rules allowing port 80 and 443 access to Host C.

Host B is on the same subnet as Host A. Host B is blocked from reaching internet Host C. Host A, however, has outbound rules on an external firewall that allows port 80 and 443 outbound to Host C.

Host B runs a software client with hardcoded URLs to download from Host A (http port 8080) and Host C (http port 80). Again, Host B is blocked from reaching Host C via firewall. The client on Host B does not support SOCKS or any other proxy capability. The only way I can possibly reach Host C:80 is by redirecting or tunneling via Host A.

I have root access to Host A and Host B. How can Host B reach Host C via Host A on port 80?

Why does this not work on host B?

ssh -L 80:hostC:80 root@hostA -N

I've enabled AllowTCPForwarding and GatewayPorts on Host A. Is ssh the right tool for this, or is there an iptables trick that I can use?

This image is a diagram of what I want to do with what I have: http://i.imgur.com/rOhQ9Us.png

Brett Bonner

Posted 2013-04-20T03:51:59.713

Reputation: 111

I think a picture may help this question. – Natalie Adams – 2013-04-20T04:36:41.370

I have added an image outlining what I want to do with what I have. – Brett Bonner – 2013-04-20T12:57:25.057

The -vvv parameter may display something interesting - can you post what is output with that? – Natalie Adams – 2013-04-20T16:22:43.483

The only thing interesting is:

debug1: Local connections to LOCALHOST:80 forwarded to remote address hostc:80
debug3: channel_setup_fwd_listener: type 2 wildcard 0 addr NULL
debug1: Local forwarding listening on 127.0.0.1 port 80. – Brett Bonner – 2013-04-20T18:00:32.307

iptables -t nat -A OUTPUT -o HostA -j REDIRECT ? – BatchyX – 2013-04-20T19:46:12.450

Answers

0

As @Nathan Adams said, a picture would be particularly useful in solving this problem. I've not come across what you are trying to do before, but after creating a diagram for myself and reading up on the -L option for SSH, I suspect the problem is that you need to run it as root, as the port you are trying to bind is a privileged port (i.e. < 1025).

davidgo

Posted 2013-04-20T03:51:59.713

Reputation: 49 152

I'm running as root on Host A and Host B. I've added a diagram that may help with an answer for what I'm trying to do. – Brett Bonner – 2013-04-20T13:35:15.530

0

Where is the firewall, on B itself or external?

Your ssh command isn't working because it binds port 80 on B to forward to C through A. From your description, you have a hardcoded address, which means B isn't trying to connect to port 80 on itself. The hardcoded address is key to your problem. Does the URL contain a logical address, or an actual hardcoded IP address?

If the firewall is on B, you'd have to avoid having packets go out addressed to C. I assume this isn't the case, since you have root on B. However, a solution in this case also should work no matter what, namely find a way to get connections to C to go to A instead. You might be able to do this by manipulating DNS, or with a firewall rewrite rule.

Another trick would be to have A as your default route for B. Assuming C is external and will hit the firewall when trying to return packets to B, you'd want to have A do NAT for B. A really crude approach is to have A respond to ARP requests to trick traffic into going through it, but that is unlikely to be viable except in very small setups.

Hod

Posted 2013-04-20T03:51:59.713

Reputation: 136

The firewall is external to A and B. The hardcoded URL contains an FQDN, so yes, a logical address. I can edit the hosts file on B. – Brett Bonner – 2013-04-20T19:56:02.273

@LaughNowButWe'llBeInCharge Were you able to get this to work? You'd have to be sure to have hosts file entries take precedence over DNS lookup. – Hod – 2013-04-29T05:33:33.930

0

Saw this looking for something else, but thought I'd answer even though it's old:

On Host B:

ssh -L 8080:hostC:80 user@hostA -N -f
sudo iptables -t nat -A OUTPUT -d hostC -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080

The software on Host B is hardcoded to connect to HostC:80 (per the question), so you must redirect the connection to go through the SSH tunnel you created. Also, with the above changes, you shouldn't need to run anything as root.

Michael Kropat

Posted 2013-04-20T03:51:59.713

Reputation: 735
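An added example, not code from any of the posters above: once a nat OUTPUT rule like the one in the last answer is in place, the process on Host B still believes it is talking to hostC:80, so the only reliable way to confirm (or later audit) where its connections actually land is to read the NAT table back. The script below parses the text that `iptables-save -t nat` prints (a constructed sample is embedded, with the documentation address 203.0.113.5 standing in for hostC) and resolves a (destination, port) pair to the endpoint it is rewritten to by DNAT or REDIRECT rules in the OUTPUT chain. It handles IPv4 only and treats negated (`!`) matches as not evaluated; those simplifications are this example's own, not anything the answer states.

```python
"""Resolve where locally generated TCP connections go after nat OUTPUT rules."""
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` on Host B after the answer's
# DNAT rule, plus a REDIRECT rule for port 443 to show the second target type.
# 203.0.113.5 (TEST-NET-3) stands in for hostC.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -d 203.0.113.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
-A OUTPUT -d 203.0.113.5/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
"""


def parse_nat_output(text):
    """Return the OUTPUT-chain rules as dicts with the fields we evaluate."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A OUTPUT "):
            continue
        tokens = shlex.split(line)[2:]  # drop "-A OUTPUT"
        rule = {"dst": None, "proto": None, "dport": None,
                "target": None, "to": None, "negated": False}
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":                       # negated match: not evaluated here
                rule["negated"] = True
                i += 1
            elif tok in ("-d", "--destination"):
                rule["dst"] = tokens[i + 1]; i += 2
            elif tok in ("-p", "--protocol"):
                rule["proto"] = tokens[i + 1]; i += 2
            elif tok == "--dport":
                rule["dport"] = tokens[i + 1]; i += 2
            elif tok == "-j":
                rule["target"] = tokens[i + 1]; i += 2
            elif tok in ("--to-destination", "--to-ports", "--to"):
                rule["to"] = tokens[i + 1]; i += 2
            elif tok in ("-m", "-s", "-o", "-i", "--sport"):
                i += 2                           # matches we do not evaluate
            else:
                i += 1                           # valueless flags such as --random
        rules.append(rule)
    return rules


def _port_matches(spec, port):
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")              # --dport may be a range lo:hi
    lo = int(lo)
    hi = int(hi) if hi else lo
    return lo <= port <= hi


def _dst_matches(spec, ip):
    if spec is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def resolve_outbound(dst_ip, dport, rules):
    """First matching DNAT/REDIRECT rule wins; ACCEPT stops NAT; else unchanged."""
    for r in rules:
        if r["negated"] or r["proto"] not in (None, "tcp"):
            continue
        if not (_dst_matches(r["dst"], dst_ip) and _port_matches(r["dport"], dport)):
            continue
        if r["target"] == "ACCEPT":
            return (dst_ip, dport)
        if r["target"] == "DNAT" and r["to"]:
            host, _, port = r["to"].rpartition(":")
            if not host:                         # "--to-destination IP": port kept
                return (r["to"], dport)
            return (host, int(port))
        if r["target"] == "REDIRECT":
            return ("127.0.0.1", int(r["to"]) if r["to"] else dport)
    return (dst_ip, dport)


if __name__ == "__main__":
    rules = parse_nat_output(SAMPLE_NAT)
    for port in (80, 443, 8080):
        print(f"203.0.113.5:{port} ->", resolve_outbound("203.0.113.5", port, rules))
```

On a live Host B you would feed `iptables-save -t nat` output in place of SAMPLE_NAT; a result of `('127.0.0.1', 8080)` for hostC:80 confirms the answer's rule is in effect, and the `ssh -L 8080:...` listener must then actually be bound on 127.0.0.1:8080 or the redirected connection is simply refused.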