Transparently forward individual computers through SSH socks proxy

Discussion in 'Tomato Firmware' started by archtaku, Aug 5, 2012.

  1. archtaku

    archtaku Serious Server Member

    The dropbear ssh client on Tomato 1.28 doesn't appear to support the -D option for dynamic forwarding, so I'm trying to use an iptables rule to DNAT specific source IPs to go through another box on the network which has a tunnel already established.

    The command used to establish the tunnel was run like so:

    ssh -fgND 23432 user@host

    The iptables rule I am running from the router is:

    # iptables -t nat -A PREROUTING -p tcp -s -j DNAT --to

    In this scenario, is the computer whose connections I want to send through the tunnel, and is the box running the SSH tunnel.

    The problem with this, however, is that the connection doesn't actually get forwarded over the ssh tunnel. I'm not an iptables expert, but I believe this has to do with the fact that the source IP wasn't modified, so it looks like I am creating a loop here.

    Is there a good way around this problem?
  2. koitsu

    koitsu Network Guru Member

    Your theory about your iptables rule, re: src address not getting rewritten, is correct.

    You could install Entware and do "opkg install openssh-client" to get the standard OpenSSH client on the system (should end up in /opt somewhere). Alternately, you could download a statically-linked version of the OpenSSH client from here and use that.
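    The reasoning in the first post (the source IP is never rewritten, so the DNAT never completes) and koitsu's confirmation can be walked through with a small model of the router's nat path. This is an added illustration, not code from the thread or from Tomato; the addresses are constructed placeholders standing in for the ones elided above, and it models only the address rewriting, not the SOCKS protocol on port 23432.

```python
# Toy model of the Tomato router's nat path as the thread describes it:
# a lone PREROUTING DNAT versus DNAT paired with a POSTROUTING SNAT.
# All addresses are constructed placeholders (the thread's own were elided).
CLIENT = "192.0.2.10"      # box whose traffic should use the tunnel
ROUTER = "192.0.2.1"       # Tomato router, the LAN gateway
PROXY = "192.0.2.20"       # box running "ssh -fgND 23432 user@host"
PROXY_PORT = 23432
REMOTE = "203.0.113.5"     # what the client actually tried to reach


def router_nat(pkt, with_snat):
    """PREROUTING DNAT for packets from CLIENT, then optional POSTROUTING SNAT.
    Returns the packet as it leaves the router toward the proxy box."""
    out = dict(pkt)
    out["dst"], out["dport"] = PROXY, PROXY_PORT      # -j DNAT --to PROXY:23432
    if with_snat:
        out["src"] = ROUTER                           # -j SNAT --to ROUTER (or MASQUERADE)
    return out


def proxy_host_reply(pkt):
    """The proxy box answers whatever source address it saw, over the LAN."""
    return {"src": pkt["dst"], "sport": pkt["dport"],
            "dst": pkt["src"], "dport": pkt["sport"]}


def simulate(with_snat):
    """Follow one SYN from CLIENT to REMOTE:80 and report what the client sees."""
    syn = {"src": CLIENT, "sport": 40000, "dst": REMOTE, "dport": 80}
    fwd = router_nat(syn, with_snat)
    reply = proxy_host_reply(fwd)
    if reply["dst"] != ROUTER:
        # Same subnet: the proxy box sends its SYN-ACK straight to CLIENT, so the
        # router never sees it and cannot undo the DNAT. The client receives a
        # SYN-ACK from PROXY:23432 for a socket it opened to REMOTE:80 and
        # discards it, which is the hang the thread describes.
        return {"via_router": False, "client_sees": (reply["src"], reply["sport"])}
    # Reply came back to the router: conntrack reverses both rewrites, so the
    # client sees the answer coming from the address it originally asked for.
    return {"via_router": True, "client_sees": (syn["dst"], syn["dport"])}
```

    Rewriting the source only fixes the return path; the SOCKS port opened by ssh -D still expects a SOCKS handshake from whatever connects to it, which is why a browser configured to use the tunnel works while raw redirected traffic does not.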
  3. archtaku

    archtaku Serious Server Member

    Thanks for the recommendation, I was able to get the OpenSSH client installed.

    My iptables setup still needs work, though. My rule is now:

    iptables -t nat -A PREROUTING -p tcp -s -j DNAT --to

    However, the connection just sits there and hangs when I try to browse the web from the computer belonging to If I configure a web browser to use the tunnel I have set up, it works just fine, so it's not a problem with the tunnel. My understanding of iptables is novice at best, and there is something I am missing. I just don't know what.
  4. koitsu

    koitsu Network Guru Member

    I'm also not familiar enough with iptables (at least that part of it, re: PREROUTING, DNAT, etc.) to assist with this. I'm only familiar with the simple firewall parts, not the integrated NAT parts. :)

    Hopefully someone else will appear and assist.