# simple tunnel

## teper

Hello!

I used FreeBSD previously and bounce.c as a simple port tunnel.

```
(normal connection)
My_Host -> foreign_IP:port

(bounced connection)
MY_HOST -> server_IP:INC-PORT [FreeBSD] -> foreign_IP:port
```

What should I use in Gentoo Linux as a bounce.c substitute, or what should I use to compile that simple program?

Standard cc/gcc won't work.

Wojciech Teperski

teper@polsl.gliwice.pl

----------

## Target

This feature is built into iptables' preroute/forward/postroute rules, but since I use ssh whenever I tunnel anywhere (I'm an encryption nut), any examples I give you may need a lot of tweaking to get working.

First, you'll either need to load the netfilter (iptables) kernel module if you have it, or compile a kernel with it built-in. Then emerge iptables to get the userspace tools.

We'll assume you have two network cards in the bounce host with eth0 as the external interface and eth1 as the internal. Card references can just as easily be replaced with IPs and IP ranges, though.

Let's also assume you want to reach remote port 2000 on host 101.101.101.101, and that just for the hell of it you'll actually be bouncing through 2002 on your own server.

First we set forwarding's default policy to deny... we don't want people coming in from the outside and tunneling right back out.

```
iptables -P FORWARD DROP
```

We'll want to allow packets we've actually requested to get forwarded through to us:

```
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
```

Allow all safe/needed forms of tcp connections on port 2002 to be forwarded out the external interface:

```
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 2002 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
```

Now that the ground rules have been established, we set up the NAT table to do the dirty work of routing the server's internal port 2002 to the remote host's port 2000:

```
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2002 -j DNAT --to 101.101.101.101:2000
```

I'm not 100% sure about that last one... you may need to specify your internal IP instead of the interface because the NAT table is treated a little differently.

Generally, I'd recommend taking things a step further and setting up a whole firewall. You can never be too careful, and the tools to do it are the same ones you use to bounce/forward ports.

If you're looking to do full SNAT, iptables has a full-blown masquerading subsystem.
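
As an added example (not Target's commands and not from the thread), here is the same bounce as a parameterised sh script with two corrections a defender would want before trusting the DROP policy: the FORWARD accept for new connections matches the post-DNAT destination (PREROUTING DNAT runs before the FORWARD chain, so a `--dport 2002` match there never fires), and a POSTROUTING MASQUERADE rule makes the remote host answer through the bounce host rather than straight to the client. Interface names, ports, the 101.101.101.101 address reused from the post, and the IPT/SYSCTL override variables are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread; interface names, ports and IPs are assumptions.
# Set IPT=echo SYSCTL=echo to print the rules instead of applying them (applying needs root).
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
EXT_IF="${EXT_IF:-eth0}"                   # towards the remote host
INT_IF="${INT_IF:-eth1}"                   # towards the client being bounced
LISTEN_PORT="${LISTEN_PORT:-2002}"         # port the client connects to on the bounce host
REMOTE_IP="${REMOTE_IP:-101.101.101.101}"
REMOTE_PORT="${REMOTE_PORT:-2000}"

bounce_rules() {
    # Without kernel forwarding no FORWARD rule ever sees a packet.
    $SYSCTL -w net.ipv4.ip_forward=1
    # Default deny: nothing is bounced unless a rule below allows it.
    $IPT -P FORWARD DROP
    # Replies from the remote host; conntrack has already reversed the NAT on them.
    # (-m conntrack --ctstate is the newer spelling of the thread's -m state --state.)
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New client connections. PREROUTING DNAT runs first, so FORWARD sees the
    # translated REMOTE_IP:REMOTE_PORT; a --dport LISTEN_PORT match here never fires
    # and the DROP policy would silently win.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -d "$REMOTE_IP" --dport "$REMOTE_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the destination of connections arriving on the listen port.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp --dport "$LISTEN_PORT" \
        -j DNAT --to-destination "$REMOTE_IP:$REMOTE_PORT"
    # Rewrite the source so the remote host answers the bounce host, which undoes
    # both translations; otherwise its replies go straight to the client and never
    # match the client's own connection.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -p tcp -d "$REMOTE_IP" --dport "$REMOTE_PORT" \
        -j MASQUERADE
}

# Dry-run consistency check on the generated rule set: no FORWARD rule may match the
# pre-DNAT listen port, the new-connection rule must name the translated destination,
# and a POSTROUTING masquerade must exist. Returns 0 when all hold.
check_rules() {
    rules=$(IPT=echo SYSCTL=echo; bounce_rules)
    if printf '%s\n' "$rules" | grep -- '-A FORWARD' | grep -q -- "--dport $LISTEN_PORT"; then
        return 1
    fi
    printf '%s\n' "$rules" | grep -- '-A FORWARD' | grep -q -- "-d $REMOTE_IP --dport $REMOTE_PORT" &&
        printf '%s\n' "$rules" | grep -q -- '-t nat -A POSTROUTING .* -j MASQUERADE'
}
```

`check_rules` runs entirely in dry-run mode, so it can be used on any machine before the rules are applied on the bounce host.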

----------

## teper

*Target wrote:*

> This feature is built into iptables' preroute/forward/postroute rules, but since I use ssh whenever I tunnel anywhere (I'm an encryption nut), any examples I give you may need a lot of tweaking to get working.

Thanks for the answer, but one thing - I don't need NAT.

I can use

```
ssh -R listenport:remote_host:port localhost
```

The situation is like this:

My friend connects to the internet via tpsa_provider.

He is playing network games on game_server,

but he has terrible lag since game_server is in a different backbone net.

My host is in the same backbone net as game_server and I have a fast connection with my friend.

Idea: use my server as a bouncer (proxy server).

Thanks for the answer, I'll try ipchains.

----------

