On Nov 16, 3:53 pm, Noisome <Noiso...@gmail.com> wrote:
> On Nov 15, 12:24 pm, Cacadril <en...@online.no> wrote:
> > On Nov 15, 4:44 pm, j.g.too...@gmail.com wrote:
>
> > > Hey all,
>
> > > I am attempting to do (I think this is the right term) a reverse proxy
> > > for any TCP port/protocol, not just HTTP.
>
> > > Essentially, I want:
> > > ssh/telnet/ftp/etc internet.server1.com ==> WANIP_ADDRESS ==>
> > > 10.10.10.1
> > > ssh/telnet/ftp/etc internet.server2.com ==> WANIP_ADDRESS ==>
> > > 10.10.10.2
>
> > > So all ports that come in from internet.server1.com go to my WAN IP
> > > ADDRESS, and redirects it to 10.10.10.1 and all ports from
> > > internet.server2.com go to my WAN IP ADDRESS, and redirects it to
> > > 10.10.10.2.
>
> > Do you mean ...
> > - you are running a linux box? ...
> > - acting as a gateway? ...
> > - between your local network and the internet? ...
> > - and you want that any tcp connection being initiated by
> >   datagrams coming from the internet? ...
> > - shall be forwarded to specific IP addresses on the local network ?
> > - depending on the IP address of the *source* of this connection
> > attempt?
>
> > Ooops, I shall now suppose the answer to the above questions is *no*.
>
> Thanks for your reply, and your assumption is incorrect. I am running
> a linux box...acting as a gateway...between my local network and the
> internet...and want that any tcp connection being initiated by
> datagrams coming from the internet...shall be forwarded to the
> specific IP address on the local network...depending on the DOMAIN
> NAME that the source of this connection is attempting to come through.
>
> So now that you got that off your chest feeling better? Good.

Sorry for sounding condescending.

The domain name that the source is attempting to come THROUGH,
what does that mean?

Is it the name that the source has used to locate your WAN IP address?
That would be the typical case of a reverse proxy. If so, the answer
to my question would be no, and my stated assumption (that the answer
is no) would be right, since in my question I asked if the routing
would depend on a domain name associated with the source itself.

The telnet protocol, for instance, does not have any provision for
transmitting any domain names. The client, or source, uses a domain
name to determine an IP address, your WAN IP. This happens locally, in
the client computer, or communicating with a dns server, but without
communication with your local network or your gateway. Once the client
has determined the IP address, it uses that IP address, not the domain
name, to establish the connection with your gateway or server or proxy
server. During the connection establishment, there is no exchange of
text strings like domain names. If your proxy server is to learn what
domain name the client used to determine the WAN IP, this must happen
through some other means than the telnet protocol. This is of course
possible, but not within the telnet protocol itself. It could well be
some method that uses the telnet connection, once established with
your gateway, to transmit the domain name using some other protocol
running inside the telnet protocol. That means that if you want
something that works automatically and transparently for random telnet
clients anywhere in the world, no, that is not possible. Guaranteed
not possible. But if you can use a method where the user of the telnet
client takes some extra steps, before or after, especially after,
establishment of the telnet connection, then it is possible. But I
don't know about any ready-made tool. You, or I, for that matter,
would have to make one. I don't think it would be hard. That would be
a tool that works for the telnet protocol. Other protocols would be
separate problems.

I said "guaranteed not possible" because the datagrams arriving at
your gateway are *identical* bit for bit, whether the client started
with looking up "internet.server1.com" or "internet.server2.com".
There would be nothing any system installed in your gateway could use
to base its decision on. The only data available to a telnet server is
the WAN IP of the client and the WAN IP of the server, the port number
used by the client as source port, and the port number used by the
client as the destination port. However, this information cannot be
varied in any way, in the general, automatic and transparent case.

If the clients are related to you, not random people anywhere in the
world, but rather people you can make special arrangements with, then
all this changes. Then you could use e.g. nonstandard destination
ports, or even artificially modified source port numbers.

The easiest way in the latter case would perhaps be to use virtual
lans.

Regards.
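
The point made in the reply above, as an added example that is not part of the original post: a loopback demonstration in Python that a TCP listener sees the same addressing data whichever name the client looked up, and that a distinct destination port per backend gives the gateway something to route on. The name table, the helper names and the OS-chosen port numbers are assumptions of this sketch; the two names and the 10.10.10.x addresses are the ones used in the thread.

```python
import socket

# Constructed stand-in for DNS: both names resolve to the same "WAN IP".
NAME_TO_IP = {"internet.server1.com": "127.0.0.1",
              "internet.server2.com": "127.0.0.1"}

def make_listener():
    """Listening TCP socket on loopback, port picked by the OS."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    s.settimeout(5)
    return s

def probe(listener, name):
    """Connect 'via' name and return what the accepting side can observe.

    The name is consumed by the lookup on the client; only the resulting
    IP address is used to open the connection. The client's source port is
    left out of the result: it is an ephemeral number chosen by the client
    OS and carries no information about the name.
    """
    port = listener.getsockname()[1]
    with socket.create_connection((NAME_TO_IP[name], port), timeout=5):
        conn, peer = listener.accept()
        with conn:
            dst_ip, dst_port = conn.getsockname()[:2]
    return {"src_ip": peer[0], "dst_ip": dst_ip, "dst_port": dst_port}

def demo():
    # Case 1: one port for everything. The two views are indistinguishable.
    shared = make_listener()
    same_port = [probe(shared, name) for name in NAME_TO_IP]
    shared.close()

    # Case 2: clients agree to use a different destination port per backend.
    wanted = {"internet.server1.com": "10.10.10.1",
              "internet.server2.com": "10.10.10.2"}
    listeners = {name: make_listener() for name in wanted}
    routes = {l.getsockname()[1]: wanted[n] for n, l in listeners.items()}
    chosen = {n: routes[probe(l, n)["dst_port"]] for n, l in listeners.items()}
    for l in listeners.values():
        l.close()
    return same_port, chosen

if __name__ == "__main__":
    views, chosen = demo()
    print("shared port, per-name views:", views)
    print("per-backend ports, selected backend:", chosen)
```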