How to proxy tcp traffic from one box to another

Sometimes you run into the networking problem where a new network has to be whitelisted before it can reach some other network.
In some cases there is a workaround, provided the target network is reachable from a third network that you can already reach:

A -> no access -> B
A -> access -> C
C -> access -> B
A -> C -> B

This comes from an actual incident: the proper implementation required Cisco firewall changes by the network admin, who wasn't around at the time, and the requirement was burning urgent.

So you have someone on some network who can reach any host in the 10.190.68.0/24 range on port 443, but can't reach a database in the 10.190.69.0/24 range on port 1511.
The resolution is simple if one of the machines he can reach has a free port 443 (nothing actually listening on it) and you have root on that machine:

1. enable IP forwarding:

sysctl -w net.ipv4.ip_forward=1

2. create an iptables rule that forwards everything arriving at the IP and port we can reach to the IP and port we cannot:

iptables -t nat -A PREROUTING -d 10.190.68.1 -p tcp --dport 443 -j DNAT --to-destination 10.190.69.1:1511

Now, instead of sending requests to 10.190.69.1:1511 (which looks like an Oracle DB), we send them to 10.190.68.1:443 and that machine forwards them to the right destination.
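The two steps above as a checked script, added here as an example and not code from the original post. Besides the DNAT rule it adds the pieces a practitioner usually needs with it: a MASQUERADE rule on POSTROUTING so the database's replies come back through the relay box (and conntrack can undo the DNAT), FORWARD allows for the flow in case the FORWARD policy is DROP, and a check that nothing already listens on the relay port, since a DNAT rule silently steals that port's traffic. The addresses and ports default to the ones in the post; the function names and the DRY_RUN switch are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: set up the iptables relay
# described above as a checked script. Addresses and ports default to the
# ones in the post; override them with environment variables. DRY_RUN=1 only
# prints the commands instead of running them.

LISTEN_IP="${LISTEN_IP:-10.190.68.1}"      # address the client can reach (this box)
LISTEN_PORT="${LISTEN_PORT:-443}"          # free port on this box
TARGET_IP="${TARGET_IP:-10.190.69.1}"      # database host the client cannot reach
TARGET_PORT="${TARGET_PORT:-1511}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A DNAT rule in PREROUTING silently diverts traffic from anything already
# bound to that port, so refuse to continue if a listener exists on it.
port_is_free() {
    [ "$DRY_RUN" = "1" ] && return 0
    ! ss -ltn | awk '{print $4}' | grep -q ":$1\$"
}

setup_relay() {
    if ! port_is_free "$LISTEN_PORT"; then
        echo "port $LISTEN_PORT is already in use on this host" >&2
        return 1
    fi
    # 1. Let the kernel forward packets. This is box-wide (so keep the FORWARD
    #    chain restrictive) and, like the rules below, not persistent across reboots.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Rewrite the destination of connections arriving at LISTEN_IP:LISTEN_PORT.
    run iptables -t nat -A PREROUTING -d "$LISTEN_IP" -p tcp --dport "$LISTEN_PORT" \
        -j DNAT --to-destination "$TARGET_IP:$TARGET_PORT"
    # 3. Rewrite the source too, so the database answers this box and conntrack
    #    can undo the DNAT on the way back. Without this the relay only works when
    #    the database's route to the client already passes through here. With it,
    #    the database logs this box's address rather than the real client's.
    run iptables -t nat -A POSTROUTING -d "$TARGET_IP" -p tcp --dport "$TARGET_PORT" \
        -j MASQUERADE
    # 4. If the FORWARD policy is DROP, allow exactly this flow and its replies.
    run iptables -A FORWARD -d "$TARGET_IP" -p tcp --dport "$TARGET_PORT" -j ACCEPT
    run iptables -A FORWARD -s "$TARGET_IP" -p tcp --sport "$TARGET_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Show the NAT chains with packet counters: non-zero counters on the DNAT and
# MASQUERADE rules confirm the relay is actually being used.
show_relay() {
    run iptables -t nat -L PREROUTING -n -v
    run iptables -t nat -L POSTROUTING -n -v
}

# Only apply when explicitly asked: sh relay.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_relay && show_relay
fi
```

Run it as root with `apply` to install the rules, or with `DRY_RUN=1` first to review exactly what will be executed for the given addresses. When the relay is no longer needed, remove the rules with the same arguments and `-D` in place of `-A`, and set `net.ipv4.ip_forward` back to 0 if nothing else on the box depends on forwarding.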

You can also use an actual TCP proxy such as HAProxy, but the chances of iptables already being on the box are much higher 🙂