  1. #1
    Just Joined!
    Join Date
    Jan 2009
    Posts
    10

    Port Forward Reverse SSH Tunnel

    I have a small network behind a wireless router that I don't control. I pick up the signal with my own wireless router, then run a small internal network from my wireless network. I have a wireless web cam (on my own internal network) that I would like to view from the outside.

    I have set up a reverse ssh tunnel so that I can remote desktop into my linux box and view the camera from my remote desktop connection, but I want to do better - I'd like to be able to view the camera from the outside with a browser.

    I can set up a reverse ssh tunnel to my internal linux machine to handle the camera port (5003) requests coming in, but how then do I redirect it internally to the camera ip?

    I suspect that the answer is some sort of port forwarding but reading about IPTABLES makes my head swirl. I'm only concerned about one port - when "camera port" comes in to "linux box ip", I want it redirected to "camera ip". I'm not too concerned about further protecting my "linux box" as it is behind my internal network router with no ports open. I have tried:
    iptables -t nat -A PREROUTING -p tcp --dport 5003 -j DNAT --to-destination 192.168.0.41
    ...but there must be more to it.

    ...or maybe I'm totally on the wrong track!

  2. #2
    Linux Enthusiast
    Join Date
    Aug 2006
    Location
    Portsmouth, UK
    Posts
    539
    Hi wgcampbell,

    You say that you connect to the "maintained" wireless router with your own wireless router.

    Doesn't your router allow you to setup NAT routes or port forwarding?
    RHCE #100-015-395
    Please don't PM me with questions as no reply may offend, that's what the forums are for.

  3. #3
    Just Joined!
    Join Date
    Jan 2009
    Posts
    10
    Yes, my internal router has those capabilities. But I can't "see" my router from the outside and I have no control over the "maintained" router (as you call it).

    If I could get my internal router to initiate the reverse ssh connection, then I guess I could take it from there, but I don't know how to do that.

  4. #4
    Linux Enthusiast
    Join Date
    Aug 2006
    Location
    Portsmouth, UK
    Posts
    539

    Nope, you're definitely on the right track.

    My iptables are a bit rusty as I've got lazy in my old age and use Firewall Builder instead of using the command line...

    Whenever I've done this sort of thing in the past, though, I've always given it an original destination; the other parameters in italics are optional extras:

    Code:
    iptables -t nat -A PREROUTING -m tcp -p tcp -i ethX -d <ipaddress> --dport 5003 -j DNAT --to-destination <private host>[:port]
    -m tcp
    just matches tcp requests only (i.e. ignore udp)

    -i ethX
    The network interface you expect to see the requests on, more useful if you don't want to re-route local traffic coming in on a different NIC.

    -d <ipaddress>
    Address you expect to receive the request; I'm guessing that would be the host you're reverse tunnelling to rather than the public IP address. You could try 0/0 here, which equates to "anywhere".

    <private host>
    Your webcam ip address

    [: port]
    Optional destination port

    The other thing to check is that forwarding is allowed:

    Code:
    sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1
    If it isn't 1, you can temporarily (until reboot) turn it on with:

    Code:
    sysctl -w net.ipv4.ip_forward=1
    For a permanent change, edit /etc/sysctl.conf and add or change:

    Code:
    net.ipv4.ip_forward = 1

  5. #5
    Just Joined!
    Join Date
    Jan 2009
    Posts
    10
    First, thank you for your help.

    OK - I tried as you suggested:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -m tcp -p tcp -i eth0 -d 0/0 --dport 5003 -j DNAT --to-destination 192.168.1.70:5003

    I get no errors, but the browser hangs - I should be able to test this from the internal network from another browser, right?

    Here's my iptables after the above commands:

    :$ sudo iptables --list
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    :$ sudo iptables -t nat --list
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere anywhere tcp dpt:5003 to:192.168.1.70:5003

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination


    I read somewhere I needed to enable NAT, so I tried adding the following:
    :$ iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

    That changes my nat tables to:
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere anywhere tcp dpt:5003 to:192.168.1.70:5003

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    ...but it still doesn't work?

  6. #6
    Linux Enthusiast
    Join Date
    Aug 2006
    Location
    Portsmouth, UK
    Posts
    539
    Your problem isn't a straightforward one, tbh. It's easy to get confused about what's going where and how. I'm no network expert, but I'll try my best!

    As you have no control over the outside router (public ip address) and I assume that you can't get someone who does to open the port for you, you will have to create another reverse ssh tunnel for the webcam feed.

    Not sure how you set the first one up, but here's a link to a page on setting up a reverse tunnel on a different port to the standard ssh 22 (I'll assume port 5003).

    Without that, no outside traffic will know where it's supposed to be going.

    Once that's set up, requests to 5003 on the remote host should now be arriving on your local host (private IP) on the inside of the routers.

    Now you need to redirect the incoming request to your webcam, so you need a rule that will translate requests on port 5003 destined to your local host ip (private) to the webcam address.

    (There are tools such as Wireshark that you can use to watch detailed IP traffic on your NICs, although iptraf is much smaller and will show whether there are any incoming connections on port 5003.)

    So far that gets the traffic IN.

  7. #7
    Linux Enthusiast
    Join Date
    Aug 2006
    Location
    Portsmouth, UK
    Posts
    539
    Right!

    Redirecting the traffic to the webcam:

    Now we have the tunnel in place, the requests will be coming to the local host <ip address>, so we need a NAT rule to redirect that traffic.

    I've assumed 192.168.1.1 for your local host in this example.

    Code:
    iptables -t nat -A PREROUTING -m tcp -p tcp -i eth0 -d 192.168.1.1/24 --dport 5003 -j DNAT --to-destination 192.168.1.70:5003
    In theory, that should work. The grey area is the return path (which is probably why your test failed). I'm hoping that your webcam will simply reply to the request without trying to open another connection, in which case the response will just go back the way the request came in and masquerading / NAT'ing will get taken care of as it returns.

    However if the webcam creates a new connection there is a good chance that it won't know where to send the reply as it won't have the originating ip address (hanging browser, waiting for an answer it's never going to get).


    That's a rather "fluffy" explanation, skating over a lot and missing swathes...
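The rule set posts #4, #5 and #7 build up, pulled together as an added example (not from anyone in this thread), with the SNAT rule that closes the return-path gap #7 worries about and a check that reads the DNAT rule's packet counter from a verbose listing. Addresses are assumed from #7 (Linux box 192.168.1.1 on eth0, webcam 192.168.1.70, port 5003); the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed addresses follow post #7.
LINUX_IP=${LINUX_IP:-192.168.1.1}
CAM_IP=${CAM_IP:-192.168.1.70}
CAM_PORT=${CAM_PORT:-5003}
LAN_IF=${LAN_IF:-eth0}

# Emit the complete rule set, one command per line: forwarding on, DNAT in
# PREROUTING, a FORWARD accept, and a POSTROUTING SNAT so the webcam's reply
# returns via the Linux box instead of straight to the client (the return-path
# problem from post #7; it is also what makes a test from the LAN work).
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -m tcp -d $LINUX_IP --dport $CAM_PORT -j DNAT --to-destination $CAM_IP:$CAM_PORT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -p tcp -m tcp -d $CAM_IP --dport $CAM_PORT -j ACCEPT
iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -m tcp -d $CAM_IP --dport $CAM_PORT -j SNAT --to-source $LINUX_IP
EOF
}

# Packet counter of the DNAT rule for CAM_PORT, read from
# "iptables -t nat -L PREROUTING -v -n" output on stdin. A counter that stays
# at 0 after a browser attempt means the request never entered PREROUTING
# (forwarding off, wrong interface, or the connection was opened locally by
# the ssh client on loopback, which PREROUTING never sees).
dnat_hits() {
    awk -v port="dpt:$CAM_PORT" '$3 == "DNAT" && index($0, port) { print $1; exit }'
}

# Constructed sample of the verbose listing, so this runs offline.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            192.168.1.1          tcp dpt:5003 to:192.168.1.70:5003'

sample_hits() {
    printf '%s\n' "$SAMPLE_LISTING" | dnat_hits
}

rule_count() {
    nat_rules | wc -l | tr -d ' '
}

# To apply for real on the Linux box:  nat_rules | sudo sh
# To check after a browser attempt:    sudo iptables -t nat -L PREROUTING -v -n | dnat_hits
```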

  8. #8
    Just Joined!
    Join Date
    Jan 2009
    Posts
    10
    Thanks again for your time and assistance.

    OK - I've got the reverse ssh tunnel working just fine. In order to "uncomplicate" things, I'm now just trying to get my internal host to port forward. I have another box set up as a simple web server and am simply trying to port forward port 80 to that box, and that doesn't work.

    So I feel that I'm missing something basic - like does the internal host require 2 nics?

    If I could just get ANY port forwarding to work, then I could at least know if the problem is with the camera or not. BTW, the camera simply serves up a web page and has the option of setting an optional port.

  9. #9
    Just Joined!
    Join Date
    Jan 2009
    Posts
    10
    Additional:
    To test the camera, I hung a box on the "public" side of the router, port forwarded only port 5003, and was able to connect and communicate.

  10. #10
    Linux Enthusiast
    Join Date
    Aug 2006
    Location
    Portsmouth, UK
    Posts
    539
    I'll setup a port forwarding rule on one of my sandboxes when I get to the office tomorrow. Probably just forgotten or missing something daft...
