0

I have a need to catch all packets going to an external IP/Port redirected to an ssh tunnel. Can't use VPN, it has to go via ssh tunnel. This will be citrix redirection

I have an iptables rule that allow me to do the redirection

iptables -t nat -A OUTPUT -p tcp -d w.x.y.z --dport 1494 -j DNAT --to-destination 127.0.0.1:2494 

I have to mention that I did also have the sysctl setting to make the iptables rules working

sysctl -w net.ipv4.conf.eth0.route_localnet=1 

When I test the citrix connection with telnet, I do get the ICA prompt from both

telnet w.x.y.z 1494
telnet 127.0.0.1 2494

But when I start citrix from an ica file with the server IP being at w.x.y.z:2494, I cannot get the connection. On the other side, if I use the same configuration file and change the IP to 127.0.0.1:1494 it does work.

I do miss something but simply do not know what.

Any idea ??

2
  • Can you confirm these questions. Is this running on your main firewall which is also the default route for the network and is running NAT? It's machines inside the network (behind the NAT router) that need transparent redirection to the ssh tunnel? Is the router/firewall on a static IP or dynamic? Commented Sep 22, 2015 at 23:59
  • The computer is behind a firewall in my house, and not secured by iptables beside the rules I try to implement. It is a single workstation connecting to the corporate network via ssh. My config file defines many tunnels to access systems and services. I simply want to catch an IP/Port (not on the same subnet) going out on eth0, to be redirected to a tunnel I define, in short 192.48.48.201:1494 -> 127.0.0.1:2494. The rule mentioned allows me to do a telnet from the former and see the citrix prompt; it is when I try to run citrix with the config that it hangs. The config has 192.48.48.201:1494. Commented Sep 23, 2015 at 4:04

2 Answers

0

The only thing this does - it rewrites the IP packet header to 127.0.0.1 and TCP header to port 2494, but this happens too late - routing decision is already made, so this way you simply produce an invalid packet on an interface, and the next router drops it.

Take a look at this picture, it describes a packet flow. So you need to modify your rules accordingly to it.

In the end I must say that this approach is a perfect example of a most crippled and weird way of achieving the goal, from the point of a network engineer, though it may seem as mere and logical from the point of a beginner.

2
  • It all depends on the condition why we have to implement such. I have to log on a webpage to put a credential via a tunneled proxy. Once I've been authenticated, I will receive an ICA file used by citrix and containing an encryption key. The IP provided in the file has to be tunnelled, so we need to edit the file and change the server IP to be a tunnelled IP in order to work with SSH. Commented Sep 22, 2015 at 18:41
  • It does not. Nothing can justify such nonsense. Commented Sep 22, 2015 at 18:44
0

At a guess, this may work

iptables -t nat -A PREROUTING -p tcp -d w.x.y.z --dport 1494 -j REDIRECT --to 2494 

I'd probably tighten that up a bit by specifying the source address being your internal network. I'm also assuming that the proxy is also listening on the internal network card.
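Both answers revolve around which nat chain sees the packet (OUTPUT for locally generated traffic, PREROUTING for traffic arriving on an interface) and the question adds route_localnet=1 on eth0 to make the 127.0.0.1 DNAT work. The script below is an added audit example, not code from the question or either answer: it parses a constructed iptables-save dump containing the question's OUTPUT DNAT rule and the PREROUTING REDIRECT rule above, reports which rules actually steer traffic into 127/8, and flags the caveat a defender cares about: with route_localnet=1 the kernel accepts packets addressed to 127/8 on that interface, so services bound only to loopback become reachable from the LAN unless a filter INPUT rule drops 127.0.0.0/8 traffic that did not arrive on lo. The 192.48.48.201 address and eth0 are taken from the comments as constructed sample values; the sysctl dict and the guard rule are assumptions of this example.

```python
"""Audit an iptables-save dump for NAT rules that steer traffic into loopback.

Added example, not code from the original question or answers. It assumes
the dump text was produced by `iptables-save` and that sysctl values are
supplied as a plain dict (both are constructed inline below).
"""
import re
import shlex
from dataclasses import dataclass, field

# Matches 127.x.x.x, optionally with a /prefix and a port or port range.
LOOPBACK_DEST = re.compile(r"^127\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d+)?(?::\d+(?:-\d+)?)?$")


@dataclass
class Rule:
    table: str
    chain: str
    options: dict = field(default_factory=dict)      # match option -> (negated, value)
    target: str = ""
    target_args: dict = field(default_factory=dict)  # target option -> (negated, value)


def parse_iptables_save(dump: str) -> list:
    """Parse the `-A` lines of an iptables-save dump into Rule objects."""
    rules, table = [], ""
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
            continue
        if not line.startswith("-A"):       # skip comments, chain policies, COMMIT
            continue
        tokens = shlex.split(line)
        rule = Rule(table=table, chain=tokens[1])
        i, negate, in_target = 2, False, False
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":                  # negation applies to the next option
                negate, i = True, i + 1
                continue
            if tok == "-j":                 # everything after -j belongs to the target
                rule.target, in_target, i = tokens[i + 1], True, i + 2
                continue
            if not tok.startswith("-"):     # stray token, ignore
                i += 1
                continue
            value = None
            if i + 1 < len(tokens) and tokens[i + 1] != "!" and not tokens[i + 1].startswith("-"):
                value = tokens[i + 1]
                i += 1
            (rule.target_args if in_target else rule.options)[tok] = (negate, value)
            negate, i = False, i + 1
        rules.append(rule)
    return rules


def redirects_to_loopback(rule: Rule) -> bool:
    """True when a nat rule rewrites the destination to a 127/8 address."""
    if rule.table != "nat":
        return False
    if rule.target == "DNAT":
        _, to = rule.target_args.get("--to-destination", (False, None))
        return bool(to) and LOOPBACK_DEST.match(to) is not None
    # REDIRECT maps locally generated packets (nat OUTPUT) to 127.0.0.1, but maps
    # packets arriving on an interface (nat PREROUTING) to that interface's address.
    return rule.target == "REDIRECT" and rule.chain == "OUTPUT"


def has_loopback_guard(rules: list) -> bool:
    """True if filter/INPUT drops 127/8 traffic arriving on any interface other than lo."""
    for r in rules:
        if r.table != "filter" or r.chain != "INPUT" or r.target not in ("DROP", "REJECT"):
            continue
        neg_iface, iface = r.options.get("-i", (False, None))
        _, dst = r.options.get("-d", (False, None))
        if neg_iface and iface == "lo" and dst in ("127.0.0.0/8", "127.0.0.1/32"):
            return True
    return False


def audit(dump: str, sysctl: dict) -> dict:
    """Summarise loopback redirections and whether route_localnet is guarded."""
    rules = parse_iptables_save(dump)
    return {
        "loopback_redirects": [(r.chain, r.target) for r in rules if redirects_to_loopback(r)],
        # route_localnet=1 makes the kernel accept packets addressed to 127/8 on that
        # interface, so loopback-only services are reachable from the network
        # unless a filter rule stops them.
        "route_localnet_ifaces": sorted(k.split(".")[3] for k, v in sysctl.items()
                                        if k.endswith(".route_localnet") and v.strip() == "1"),
        "guard_rule_present": has_loopback_guard(rules),
    }


def exposed(result: dict) -> bool:
    """The risky combination: route_localnet enabled without a guard rule."""
    return bool(result["route_localnet_ifaces"]) and not result["guard_rule_present"]


# Constructed dump: the question's OUTPUT DNAT rule plus the PREROUTING REDIRECT
# from the second answer, with no guard rule in the filter table.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.48.48.201/32 -p tcp -m tcp --dport 1494 -j REDIRECT --to-ports 2494
-A OUTPUT -d 192.48.48.201/32 -p tcp -m tcp --dport 1494 -j DNAT --to-destination 127.0.0.1:2494
COMMIT
*filter
:INPUT ACCEPT [0:0]
COMMIT
"""
GUARD_RULE = "-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP\n"   # assumed mitigation rule
HARDENED_DUMP = SAMPLE_DUMP.replace(":INPUT ACCEPT [0:0]\n", ":INPUT ACCEPT [0:0]\n" + GUARD_RULE)
SAMPLE_SYSCTL = {"net.ipv4.conf.eth0.route_localnet": "1"}   # constructed, mirrors the question

if __name__ == "__main__":
    for name, dump in (("as posted", SAMPLE_DUMP), ("with guard rule", HARDENED_DUMP)):
        result = audit(dump, SAMPLE_SYSCTL)
        print(name, result, "EXPOSED" if exposed(result) else "ok")
```

Run it against a real dump with `audit(subprocess.check_output(["iptables-save"], text=True), sysctl)` after filling `sysctl` from `sysctl -a`; the point of keeping the REDIRECT/PREROUTING distinction in `redirects_to_loopback` is that the rule suggested above does not actually target loopback for forwarded traffic, so only the OUTPUT DNAT rule from the question is reported as a loopback redirection.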
