udp tunnel?


Haseldow
10-25-2002, 01:49 PM
Hi,

Anyone have a good idea of how to make a UDP tunnel from some of my friends' computers on the internet to one of my servers behind my firewall?

I have Devil-Linux 0.5 firewall that NATs connections (iptables) and a Linux server running the service on a udp port.

There can be more than one computer that should be able to tunnel to my server. And almost all of them would be Windows machines. None of these PCs have a firewall that does NAT (most have something like ZoneAlarm).

The catch is that the server only accepts local connections so to the server it would have to seem like the connection came from inside my LAN (from the firewall possibly). And if several users would use the service at the same time the packets should be routed correctly.

How could I do this? What Linux (or windows) host and windows (and/or linux) client could I use? Any other ideas? Is this even possible?

If anyone has an answer where only one client can be used at a time, that information would be helpful also.

Just came up with another possible option:
Could it be possible to somehow make a forwarded (NATted) connection to the server to seem like it came from inside the lan (from the same class c network)?

I.e. if someone is connecting from 123.123.123.123 it would seem to the server that it was coming from say 192.168.0.15 and the server's replies to 192.168.0.15 would be sent (resent/transferred) to 123.123.123.123 .

Yet another possible solution:
Hmmm...would this work to solve the problem...
iptables -A POSTROUTING -t nat -p udp -d $EXTIP --dport 12345 -j SNAT --to 192.168.0.5:12345
and what other rules should I make? Would this be secure?
EXTIP is the firewall's external IP address (dynamically assigned by ISP)
This would seem to come from the firewall's internal IP number...right?

Thanks,
-Haseldow

jumpedintothefire
10-26-2002, 01:34 PM
Did you get this to go??

Haseldow
10-26-2002, 06:27 PM
Not yet...still pondering the options...I would like to get some info before I try something (stupid)

-Haseldow

jumpedintothefire
10-26-2002, 07:35 PM
----quote-----
if someone is connecting from 123.123.123.123 it would seem to the server that it was coming from say 192.168.0.15 and the server's replies to 192.168.0.15 would be sent (resent/transferred) to 123.123.123.123 .
-------------

One option could be poptop... Uses windows vpn clients. Would be a clean way of routing the payload with local ip addresses. A bit of a pain for the users...

http://www.poptop.org

---quote---
iptables -A POSTROUTING -t nat -p udp -d $EXTIP --dport 12345 -j SNAT --to 192.168.0.5:12345
This would seem to come from the firewall's internal IP number...right?
-------
Yes that *should* work....
To make them look like they are from the firewall I think that should be -j SNAT --to ip.of.int.if:12345
or is the ip .5? or 15? on the internal interface??
If it doesn't play nice with multiple connections from the same ip then ip aliasing on the internal interface, with multiple SNAT rules *should* work. Would need to know all the remote machines beforehand, makes dialup users a big pain in the butt...

For the idea behind which client would use a certain internal ip look at Cadillac84's plan:

http://linuxnewbie.org/forum/showthread.php?s=&threadid=69329
(Nice to see things come together for someone)

You'll just need to adapt it to POSTROUTING to use it in yours.... You'll still need the PREROUTING for the internet to server part of the connection....

Security is all in the writing of the rules, and your comfort level....

Haseldow
10-28-2002, 03:43 AM
Hmmm...I see the problem with SNAT. If I do:

iptables -A POSTROUTING -t nat -p udp -d $EXTIP --dport 12345 -j SNAT --to 192.168.0.5:12345

and 192.168.0.5 would be the IP of the firewall's internal IF the connection will not actually go anywhere (since the sender of the packet can not target it to an IP inside my LAN). And I can't do another rule to make it reach another target inside my LAN. So sure it would seem to come from the firewall's internal IP, but no use if it's not really forwarded anywhere.

If I do one nat rule, I can't make another nat rule to make it actually reach any destination. Since the rules stop matching at the first matching nat rule (if I understood the man pages correctly).

Oh and sorry...I got mixed up with the firewall and server IP addresses in the previous posts. From now on let's say that the firewall has an internal IP of 192.168.0.5 and the server has .15 .

Poptop

The VPN solution sounds like the best option. I'll try that next, thanks for the idea!

jumpedintothefire
10-28-2002, 09:34 AM
You still need prerouting to forward to the server from the internet, postrouting changes the source address. A second "nat" rule will work as the destination (-d) will be different and not match the first rule.

Haseldow
10-29-2002, 03:21 AM
SNATting packets going to the server would be the easiest solution since this wouldn't require any action on behalf of the friends using this service. Most of the friends don't know much about computers anyway ;) .

Sorry that I'm still a bit lost somewhere (getting close though). Would the correct form be:

iptables -A FORWARD -i $EXTIF -p udp -d $SERVER --dport 12345 -j ACCEPT
iptables -A PREROUTING -t nat -i $EXTIF -p udp --dport 12345 -j DNAT --to $SERVER
iptables -A POSTROUTING -t nat -p udp -d $INTIF --dport 12345 -j SNAT --to $INTIP

INTIP=firewall's internal ip number (192.168.0.5)
INTIF=firewall's internal interface
EXTIF=firewall's external interface
SERVER=server running a service on udp port 12345 (192.168.0.15)

? What I mean is that is the postrouting rule really checked after the prerouting since both apply to the same package? In the prerouting rule any udp packets to external IF port 12345 are "already" sent to the server and thus no other nat rule is checked, right?

Or should I do some trick to make both rules being checked?

Thanks again,
-Haseldow

jumpedintothefire
10-29-2002, 09:48 AM
----quote----
? What I mean is that is the postrouting rule really checked after the prerouting since both apply to the same package?
---------
both will be checked... one for the inbound interface (PRE) one for the outbound (POST)

-----quote------
In the prerouting rule any udp packets to external IF port 12345 are "already" sent to the server and thus no other nat rule is checked, right?
-------------------
No, PREROUTING changes where it is going, POSTROUTING changes where it came from. Both will be checked, to see if rules apply for those packets. The order of the options used can mess things up, these *should* work.

iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 12345 -j DNAT --to $SERVER

iptables -A FORWARD -i $EXTIF -o $INTIF -p udp -d $SERVER --dport 12345 -j ACCEPT

iptables -t nat -A POSTROUTING -o $INTIF -p udp --dport 12345 -d $SERVER -j SNAT --to $INTIP

This assumes that there is a POSTROUTING and forward rules elsewhere to mask the whole lan, or use:

iptables -A FORWARD -i $INTIF -o $EXTIF -p udp --sport 12345 -s $SERVER -j ACCEPT

iptables -t nat -A POSTROUTING -o $EXTIF -p udp --sport 12345 -s $SERVER -j SNAT --to $EXTIP


The forward chain controls what gets passed, PRE and POST change them....
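The DNAT/FORWARD/SNAT rule set the thread converges on, as an added example that is not from either poster: a small script that renders the rules as a dry run (so they can be reviewed before loading) and, unlike the rules above, limits the forward to a fixed list of friends' public addresses so the port is not opened to the whole Internet. The interface names, addresses and the ALLOWED_SRC list are constructed placeholders; reply packets need no reverse nat rule because conntrack reverses both translations for packets of an existing flow, and the same per-flow tracking keeps several simultaneous clients apart even though all are SNATed to one address.

```shell
#!/bin/sh
# Added example, not the thread's own rules. All values below are assumed.
EXTIF=eth0            # firewall's external interface
INTIF=eth1            # firewall's internal interface
INTIP=192.168.0.5     # firewall's internal address (what the server will see)
SERVER=192.168.0.15   # LAN server running the UDP service
PORT=12345
# Public addresses allowed to reach the service (constructed, documentation range).
ALLOWED_SRC="203.0.113.10 198.51.100.7"

# ipt prints the command by default (dry run). Run with IPT=iptables as root
# to actually load the rules.
ipt() { ${IPT:-echo iptables} "$@"; }

udp_forward_rules() {
    for src in $ALLOWED_SRC; do
        # 1. nat/PREROUTING: rewrite the destination so the packet reaches the server.
        ipt -t nat -A PREROUTING -i "$EXTIF" -s "$src" -p udp --dport "$PORT" \
            -j DNAT --to-destination "$SERVER:$PORT"
        # 2. filter/FORWARD: allow the already-rewritten packet through, per source.
        ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$src" -p udp \
            -d "$SERVER" --dport "$PORT" -j ACCEPT
    done
    # 3. nat/POSTROUTING: rewrite the source so the server sees a LAN address.
    #    -d matches the post-DNAT destination, so one rule covers every client.
    ipt -t nat -A POSTROUTING -o "$INTIF" -p udp -d "$SERVER" --dport "$PORT" \
        -j SNAT --to-source "$INTIP"
    # 4. Replies: conntrack undoes DNAT and SNAT for packets of a tracked flow,
    #    so only the filter needs a rule, and only for established flows.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$SERVER" -p udp --sport "$PORT" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Number of rules rendered (2 per allowed source + 2 shared rules).
count_rules() { udp_forward_rules | grep -c '^iptables'; }
```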