
I have the following network:

 ___________          ___________          ===========================
|   HostA   |        |   HostB   |        || www.internetservice.com ||
|-----------| <===== |-----------| =====> ||=========================||
|10.11.12.13|        |66.77.88.99|        ||    151.141.12.10:123    ||
|___________|        |___________|         ===========================
  • HostB can access HostA (e.g. ping 10.11.12.13 succeeds)
  • HostB can access www.internetservice.com on 151.141.12.10:123 (e.g. telnet www.internetservice.com 123 and telnet 151.141.12.10 123 succeed)
  • HostA cannot access HostB (e.g. ping 66.77.88.99 fails)
  • and of course HostA cannot access www.internetservice.com on 151.141.12.10:123 (telnet www.internetservice.com 123 and telnet 151.141.12.10 123 also fail)

Of course what I want is to make the Internet service on 151.141.12.10:123 available from HostA!

I already have a solution but it doesn't quite suit me; I wish I had something better. My solution is to create, from HostB, a reverse SSH tunnel on HostA to the Internet service:

myuserB@HostB:~ ssh -N  -R 123:www.internetservice.com:123 myuserA@HostA

Doing so, myuserA on HostA can open a connection to www.internetservice.com:123 by running:

myuserA@HostA:~ telnet localhost 123

This works fine; almost perfect... except that I would prefer to run

myuserA@HostA:~ telnet www.internetservice.com 123

or at least

myuserA@HostA:~ telnet 151.141.12.10 123

In order to obtain what I want, I tried (in vain) to initialize the SSH tunnel by running

myuserB@HostB:~ ssh -N  -R www.internetservice.com:123:www.internetservice.com:123 myuserA@HostA

I also tried

myuserB@HostB:~ ssh -N  -R 151.141.12.10:123:151.141.12.10:123 myuserA@HostA

but when doing so, I am not able to telnet to either www.internetservice.com 123 or 151.141.12.10 123 from HostA.

Any idea about what I should do?

Dave M

1 Answer


Plain OpenSSH tunnels can only listen for connections on the machine they're running on – they cannot automatically intercept connections made to external addresses. There are several options though:

  • Edit HostA's /etc/hosts to remap www.internetservice.com to the 127.0.0.1 address.

    127.0.0.1 localhost
    127.0.0.1 internetservice.com
    127.0.0.1 www.internetservice.com
    

    (See man hosts. This will affect most programs, except for dig/host/nslookup.)

  • Use iptables on HostA to create a REDIRECT rule that intercepts all connections made to 151.141.12.10:123 and redirects them to 127.0.0.1:123 instead. (This can also rewrite the port number if needed.)

    iptables -t nat -I OUTPUT \
        -d 151.141.12.10 -p tcp --dport 123 \
        -j REDIRECT --to-ports 123
    

    (See man iptables-extensions. The REDIRECT target is basically the same as DNAT, only with 127.0.0.1 assumed as the new destination address.)

  • Instead of 'simple' tunnels, use -R 1234 to create a dynamic tunnel – the specified port on the remote side will become a SOCKS proxy listener, then you can configure your web browser to use a SOCKS proxy at 127.0.0.1:1234 and it will tunnel everything (including visits to http://www.internetservice.com) through the SSH connection.

    This works best with browsers, but there are "SOCKS wrapper" tools to force other programs to connect to a SOCKS proxy as well.

    The "local" equivalent is -D 1234 (not -L).

grawity
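Added example, not part of grawity's answer: a small POSIX shell wrapper for the REDIRECT option on HostA that installs the rule idempotently and only while the reverse tunnel actually listens on loopback (a wildcard listener would let other hosts reach the service through HostA). It assumes iptables and ss are installed and that ensure_redirect/remove_redirect run as root; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original answer). Wraps the iptables REDIRECT
# approach on HostA: the rule is checked with -C before -I so re-running is
# harmless, and it is only installed while the ssh -R listener is on loopback.
# Assumes iptables and ss exist; ensure_redirect/remove_redirect need root.

SERVICE_IP="151.141.12.10"
SERVICE_PORT="123"
TUNNEL_PORT="123"   # the port HostB passed to ssh -R

# Match/target arguments shared by -C (check), -I (insert) and -D (delete),
# so the three commands can never drift apart.
rule_args() {
    printf '%s' "-d $SERVICE_IP -p tcp --dport $SERVICE_PORT -j REDIRECT --to-ports $TUNNEL_PORT"
}

# Reads `ss -ltnH` output on stdin. Returns 0 if something listens on
# 127.0.0.1:<port>, 2 if a listener is bound to all addresses (e.g. GatewayPorts
# yes in HostA's sshd_config), 1 if no listener on <port> was found.
tunnel_listener_ok() {
    port="$1"
    found=1
    while read -r state recvq sendq laddr peer rest; do
        case "$laddr" in
            127.0.0.1:"$port") found=0 ;;
            0.0.0.0:"$port"|'*:'"$port"|'[::]:'"$port") return 2 ;;
        esac
    done
    return "$found"
}

ensure_redirect() {
    if ! ss -ltnH | tunnel_listener_ok "$TUNNEL_PORT"; then
        echo "no loopback-only listener on port $TUNNEL_PORT; not redirecting" >&2
        return 1
    fi
    # -C exits non-zero when the rule is absent; only then insert it.
    # Word splitting of rule_args output is intended here.
    # shellcheck disable=SC2046
    iptables -t nat -C OUTPUT $(rule_args) 2>/dev/null \
        || iptables -t nat -I OUTPUT $(rule_args)
}

remove_redirect() {
    # shellcheck disable=SC2046
    iptables -t nat -D OUTPUT $(rule_args) 2>/dev/null || true
}
```

Run ensure_redirect after the tunnel from HostB is up and remove_redirect when it goes away, otherwise connections to 151.141.12.10:123 are sent to a closed loopback port instead of failing as they did before.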