Intika-Linux-SSH / SSH-Tunnel-Manager-Py

GNU General Public License v2.0
Option to redirect traffic through the tunnel (Via IPTables) #3

Closed intika closed 5 years ago

intika commented 5 years ago

This may be out of scope for the project, but Tunnel Manager comes close to implementing many of the features needed for a project I've been thinking about doing. The following describes what I had in mind:

If I set up the ssh tunnel like this:

ssh -L 12345:localhost:5900 myhomemachine

And then use iptables to redirect the traffic like this:

iptables -t nat -A OUTPUT -p tcp --dport 5900 -d myhomemachine -m owner --uid-owner myusername -j REDIRECT --to-ports 12345

I can then access my VNC server on my home machine from my work machine (and only from processes owned by me) as if it is completely public. Wrap all this inside a GUI using random ports, and I could enable or disable the functionality with a button-toggle on the GNOME panel.

Since Tunnel Manager does most of the SSH side of things, I'd like to use it as the base and add on the redirection part. If I ever get around to doing this (which isn't guaranteed...), would you like me to send you the patches? Or is this all out of scope for your intentions and I should just create my own fork? Either way is fine with me.

John
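One way to script the per-user redirect John describes above, as an added example that is not part of the original post or of Tunnel Manager: the tunnel runs under an SSH control socket so it can be torn down cleanly, a random unused loopback port is picked for the -L listener, and the iptables rule text is generated by one function that is reused for both add and delete so the two never drift apart. The host name myhomemachine, port 5900, the rule comment tag, the 20000-39999 port range and the use of sudo for iptables are assumptions.

```shell
#!/bin/sh
# Added example, not code from Tunnel Manager or the issue author.
# Assumes: the script runs as the user whose traffic should be redirected
# (so ssh uses that user's keys/agent) and iptables is reachable via sudo.
set -eu

REMOTE_HOST="myhomemachine"            # assumption: SSH host that also runs VNC
REMOTE_PORT=5900                       # assumption: VNC port on that host
TUNNEL_USER="${TUNNEL_USER:-$(id -un)}" # only this uid's sockets get redirected
RULE_TAG="ssh-tunnel-redirect"         # iptables comment so the rule can be found later
CTL="${TMPDIR:-/tmp}/ssh-tunnel-${REMOTE_HOST}-${REMOTE_PORT}.ctl"  # control socket

# True when $1 is a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Pick a random local port (assumed range 20000-39999) that is not listening yet.
# There is still a small race between this check and ssh binding the port.
pick_local_port() {
    while :; do
        port=$(( 20000 + $(od -An -N2 -tu2 /dev/urandom | tr -d ' ') % 20000 ))
        ss -ltn 2>/dev/null | grep -q ":$port " || { echo "$port"; return 0; }
    done
}

# The rule body shared by add (-A) and delete (-D): redirect this user's TCP
# connections to HOST:DPORT into the local tunnel listener on LPORT.
# Output is a single line of whitespace-separated iptables arguments.
redirect_rule_args() {
    host=$1; dport=$2; user=$3; lport=$4
    printf '%s' "OUTPUT -p tcp -d $host --dport $dport -m owner --uid-owner $user -m comment --comment $RULE_TAG -j REDIRECT --to-ports $lport"
}

tunnel_up() {
    lport=$(pick_local_port)
    valid_port "$lport" || { echo "bad port $lport" >&2; return 1; }
    # -f -N: background, no remote command; -M -S: control master for teardown;
    # ExitOnForwardFailure: do not leave a tunnel-less ssh behind if -L cannot bind.
    ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${lport}:localhost:${REMOTE_PORT}" "$REMOTE_HOST"
    # shellcheck disable=SC2046  # intentional word splitting of the rule args
    sudo iptables -t nat -A $(redirect_rule_args "$REMOTE_HOST" "$REMOTE_PORT" "$TUNNEL_USER" "$lport")
    echo "$lport" > "$CTL.port"
    echo "redirecting $TUNNEL_USER -> $REMOTE_HOST:$REMOTE_PORT via 127.0.0.1:$lport"
}

tunnel_down() {
    lport=$(cat "$CTL.port")
    # shellcheck disable=SC2046
    sudo iptables -t nat -D $(redirect_rule_args "$REMOTE_HOST" "$REMOTE_PORT" "$TUNNEL_USER" "$lport")
    ssh -S "$CTL" -O exit "$REMOTE_HOST"     # ask the control master to quit
    rm -f "$CTL.port"
}

case "${1:-}" in
    up)   tunnel_up ;;
    down) tunnel_down ;;
esac
```

Two things worth knowing before relying on this: iptables resolves `-d myhomemachine` once, when the rule is inserted, so a later DNS change silently stops the match; and there is no redirect loop because ssh itself connects to port 22 of the host, not 5900, while REDIRECT always targets 127.0.0.1, which is where an address-less `-L` listener binds by default.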

intika commented 5 years ago

This sounds like something that would be handled nicely by Bug 283347 (Add support for start/stop commands). I'll leave this bug open for now, but I think the more generalized solution described in the other bug is probably the way to go. Please take a look at the other bug and tell me your thoughts.

intika commented 5 years ago

Notes

To enable forwarding and to do the NAT masquerading you'll need to execute echo 1 > /proc/sys/net/ipv4/ip_forward and then the iptables rules:

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And to redirect all web requests of your internal network clients to the proxy port you'll need:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9050
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 9050

With these rules, the requests arrive at the port, on which there must be "something" well configured to get everything working. Good luck! Or, if I'm late to the post, maybe you can share with us how you dealt with this.
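The gateway variant from the notes above, as an added example that is neither the project's code nor the commenter's: forwarding is enabled, LAN traffic is masqueraded out of the uplink, and the LAN's port 80 and 443 connections are redirected to a local proxy port. Rules are added only if absent (`-C` before `-A`) so repeated runs do not stack duplicates, LAN-to-LAN destinations are exempted so a web server inside the LAN is not hijacked, and the blanket `-P FORWARD ACCEPT` is replaced by rules that forward only LAN-originated and return traffic. The interface eth0, the subnet 192.168.1.0/24 and the proxy port are assumptions. The "something" on the redirect port must be a transparent proxy that accepts raw redirected TCP (for example Tor's TransPort, or redsocks); a plain SOCKS listener, which is what Tor serves on its default port 9050, will not understand those connections.

```shell
#!/bin/sh
# Added example, not code from this project or the issue thread.
# Assumptions: WAN_IF is the uplink, LAN_NET is the client network and
# PROXY_PORT is a transparent proxy listening on this gateway.
set -eu

WAN_IF="eth0"
LAN_NET="192.168.1.0/24"
PROXY_PORT=9040
RULE_TAG="transparent-web-redirect"   # iptables comment for later lookup/cleanup

# Each function prints one rule body; the same text is used for -C, -A and -D.
masq_args() {
    printf '%s' "POSTROUTING -s $LAN_NET -o $WAN_IF -m comment --comment $RULE_TAG -j MASQUERADE"
}
fwd_out_args() {   # LAN -> uplink, new and existing flows
    printf '%s' "FORWARD -s $LAN_NET -o $WAN_IF -m comment --comment $RULE_TAG -j ACCEPT"
}
fwd_back_args() {  # uplink -> LAN, only replies to flows the LAN opened
    printf '%s' "FORWARD -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment $RULE_TAG -j ACCEPT"
}
bypass_args() {    # do not capture LAN-internal traffic
    printf '%s' "PREROUTING -s $LAN_NET -d $LAN_NET -p tcp -m comment --comment $RULE_TAG -j RETURN"
}
redirect_args() {  # $1 = destination port to capture (80 or 443 here)
    printf '%s' "PREROUTING -s $LAN_NET -p tcp --dport $1 -m comment --comment $RULE_TAG -j REDIRECT --to-ports $PROXY_PORT"
}

# ensure_rule TABLE "ARGS": append the rule unless it already exists.
# drop_rule TABLE "ARGS": delete every copy of the rule.
# Word splitting of $2 is intentional; no argument contains whitespace.
ensure_rule() { iptables -t "$1" -C $2 2>/dev/null || iptables -t "$1" -A $2; }
drop_rule()   { while iptables -t "$1" -D $2 2>/dev/null; do :; done; }

gateway_up() {
    sysctl -q -w net.ipv4.ip_forward=1      # same effect as echo 1 > /proc/sys/net/ipv4/ip_forward
    ensure_rule filter "$(fwd_out_args)"
    ensure_rule filter "$(fwd_back_args)"
    ensure_rule nat "$(masq_args)"
    ensure_rule nat "$(bypass_args)"        # must precede the REDIRECT rules
    for p in 80 443; do ensure_rule nat "$(redirect_args "$p")"; done
}

gateway_down() {
    for p in 80 443; do drop_rule nat "$(redirect_args "$p")"; done
    drop_rule nat "$(bypass_args)"
    drop_rule nat "$(masq_args)"
    drop_rule filter "$(fwd_back_args)"
    drop_rule filter "$(fwd_out_args)"
}

case "${1:-}" in
    up)   gateway_up ;;
    down) gateway_down ;;
esac
```

PREROUTING only sees packets that arrive from other hosts, so the gateway's own browsers and the proxy's upstream connections are never redirected by these rules; if the gateway's local traffic should also go through the proxy, add an OUTPUT rule with `-m owner ! --uid-owner <proxy user>` so the proxy cannot be redirected into itself.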

intika commented 5 years ago

Those redirect methods are not working on my system... another possible alternative is https://github.com/MohithReddy2439/Proxifier-For-Linux, but what's most important is domain redirection, not the whole connection.