TransWikia.com

How do I force VPN clients to only go through a local SOCKS5 proxy?

Unix & Linux Asked by user3573987 on November 6, 2021

I have a Raspberry Pi which establishes an SSH connection to a remote server (VPS) and opens a port on the Pi so I can use it as a SOCKS5 proxy. This is the command I use to establish the tunnel:

ssh -D 1080 -f -C -q -N user@hostname

The reason for this is that the network blocks VPN using DPI but not SSH. So I have set up a VPN on the LAN and set up a SOCKS5 proxy (same Pi). The problem is, if the proxy is down, then the VPN outbound traffic (so where it is no longer VPN traffic but just regular HTTP(S)) will not use it and attempts to send those requests through the network firewall anyway. I want to stop this from happening so that if the proxy is down, the VPN will not allow any connection outbound.

This shows you how it is supposed to work

                        ______________________________
                       |                              |
                       |            Client            |
                       |______________________________|
                                       |
                                       | L2TP over IPSEC
                       ________________|_______________ __ 
                      |                                |  |
                      |       VPN (192.168.1.XXX)      |  |
                      |________________________________|  |
                       ________________|_______________   |-RaspberryPi
                      |                                |  | 
                      |    SOCKS5 (127.0.0.1:1080)     |  |
                      |________________________________|__|
                                       |
                                       | SSH tunnel
                       ________________|________________
                      |                                 |
                      |         VPS (Amazon EC2)        |
                      |_________________________________|
                                       |
                                      / 
                                     /   
                                  the internet 

These are my iptables:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT
-A FORWARD -j DROP
COMMIT

This was the script used to make the VPN https://github.com/hwdsl2/setup-ipsec-vpn

So my question is: How can I change these iptables to force the VPN clients to only use a SOCKS5 proxy on the LAN? (otherwise DROP their non-proxy destined packets)

One Answer

What you're looking for is called a transparent proxy. Transparent proxies are intended to be placed on gateways, but they don't have to be; so long as packets get routed through a node (as they are in your example), you can use iptables on that node to REDIRECT their traffic to whatever process on that node is handling proxies for you.

A quick search for "transparent socks proxy" on Google turns up something called redsocks. You might give that a try; you'll be running your ssh SOCKS5 session and redsocks instance on the same node, with redsocks passing traffic into ssh. Instructions on the linked site look reasonably complete for getting you going.

Answered by Michael Mol on November 6, 2021
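One way to wire the redsocks approach into the question's rule set, as an added example that is not part of the original question or answer: the script below prints (or, as root with `--apply`, runs) the iptables commands that REDIRECT the VPN clients' TCP traffic into a local redsocks listener and drop whatever else they try to forward out of eth+, so the setup fails closed when the SSH tunnel is down. The VPN subnet and ppp+ interface come from the question's rules; the redsocks port 12345 is a constructed value, and the script assumes redsocks is configured to relay to the `ssh -D` listener on 127.0.0.1:1080.

```shell
#!/bin/sh
# Added example (not from the original post): fail-closed transparent proxying
# of L2TP/IPsec clients into a local redsocks instance.
# Assumptions (label: constructed/assumed values):
#   - clients arrive on ppp+ from 192.168.42.0/24 (the question's nat rules)
#   - redsocks listens on 127.0.0.1:12345 and forwards to ssh -D on 127.0.0.1:1080
VPN_NET="${VPN_NET:-192.168.42.0/24}"
REDSOCKS_PORT="${REDSOCKS_PORT:-12345}"

# Print the iptables commands, one per line, without running them.
# Order matters: the FORWARD DROP is inserted at position 1 so it wins over the
# existing "-A FORWARD -i ppp+ -o eth+ -j ACCEPT" rule; REDIRECTed packets never
# reach FORWARD at all because their destination is rewritten to the Pi itself.
proxy_rules() {
  cat <<EOF
iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d $VPN_NET -j RETURN
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
iptables -t nat -I PREROUTING 1 -i ppp+ -s $VPN_NET -p tcp -j REDSOCKS
iptables -I INPUT 1 -i ppp+ -s $VPN_NET -p tcp --dport $REDSOCKS_PORT -j ACCEPT
iptables -I FORWARD 1 -i ppp+ -s $VPN_NET -o eth+ -j DROP
EOF
}

# Run the commands above; refuses to do anything when not root.
# "-N REDSOCKS" fails if the chain already exists, so flush and delete it
# (iptables -t nat -F REDSOCKS; iptables -t nat -X REDSOCKS) before re-applying.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
  proxy_rules | while read -r cmd; do
    eval "$cmd" || return 1
  done
}

case "${1:-}" in
  --apply) apply_rules ;;
  *) proxy_rules ;;
esac
```

Only TCP is redirected; UDP from the clients (DNS included) hits the FORWARD DROP, so name resolution needs a resolver reachable on the Pi itself or it fails closed along with everything else. If redsocks is running but the SSH tunnel is not, redsocks cannot reach 127.0.0.1:1080 and the client connection is refused rather than leaked past the proxy.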
