darkk/redsocks

Redirect external IP request to localhost when routing through Socks Proxy and Redsocks


This is a question regarding Redsocks and iptables rules. The following is the scenario.

I have two servers: server1 (172.17.0.1) and server2 (172.17.0.2). I need to access the JMX port (7199) on server1 from server2. Since I have disabled remote JMX on server1, I cannot access it from server2 via SSH local forwarding (I need to access port 7199 as localhost from server2). So I have created an SSH SOCKS proxy and configured it with Redsocks. It's working fine.

# run socks proxy from service2
ssh -v -N -D 9999 user@172.17.0.1

# configure socks proxy with Redsocks in service2
redsocks {
    // redsocks listening port
    local_ip = 127.0.0.1;
    local_port = 12345;

    // socks proxy 
    ip = 127.0.0.1;
    port = 9999;

    type = socks5;
}

# configure iptable rules to route the packets to Redsocks in service2
sudo iptables -t nat -N REDSOCKS
sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
sudo iptables -t nat -A OUTPUT -p tcp --dport 7199 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner <user id> -j REDSOCKS

Now, if I connect to 127.0.0.1:7199 from service2 (e.g. telnet localhost 7199), it connects to the JMX port (7199) of server1. Redsocks routes packets correctly to server1 via the SOCKS proxy.

I have another requirement. When packets come with the IP address of service1 (e.g. 172.17.0.1:7199), I need to redirect them to localhost (127.0.0.1:7199). For example, if I connect to 172.17.0.1:7199 from service2, I need it redirected to 127.0.0.1:7199 in order to access the JMX port on service1 via the SOCKS proxy. Normally, IP address redirection can be done with one of the following iptables rules. Since there are other existing iptables rules (related to Redsocks), it does not work.

# redirect with host
iptables -t nat -A OUTPUT -p tcp -d 172.17.0.1 -j DNAT --to-destination 127.0.0.1

# redirect with host and port
iptables -t nat -A OUTPUT -p tcp -d 172.17.0.1 --dport 7199 -j DNAT --to-destination 127.0.0.1:7199

How can IP address redirection to localhost be done in this scenario?
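Added illustration (not part of the issue or the redsocks project): a small Python model of how the nat OUTPUT chain above evaluates a connection's first packet under netfilter's first-terminating-match rule. It models only the -d, --dport and --uid-owner matchers and assumes `<user id>` is 1000; it is a simulation, not iptables.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    target: str                    # REDSOCKS (user chain), REDIRECT or DNAT
    dst: Optional[str] = None      # -d
    dport: Optional[int] = None    # --dport
    uid: Optional[int] = None      # -m owner --uid-owner
    arg: Optional[str] = None      # --to-ports / --to-destination

@dataclass
class Packet:                      # first TCP packet of a locally generated connection
    dst: str
    dport: int
    uid: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.dst is None or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.uid is None or rule.uid == pkt.uid))

def traverse(chains, name: str, pkt: Packet) -> Optional[Tuple[str, str]]:
    """nat-table walk: first terminating target (REDIRECT/DNAT) wins, then traversal stops."""
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        if rule.target in chains:          # -j <user chain>: jump, fall through if it returns
            hit = traverse(chains, rule.target, pkt)
            if hit is not None:
                return hit
            continue
        return (rule.target, rule.arg)     # terminating target: chain ends here
    return None

# OUTPUT as built with -A in the question: the DNAT rule is appended last. <user id> assumed 1000.
CHAINS = {
    "REDSOCKS": [Rule("REDIRECT", arg="12345")],
    "OUTPUT": [
        Rule("REDSOCKS", dport=7199),
        Rule("REDSOCKS", uid=1000),
        Rule("DNAT", dst="172.17.0.1", dport=7199, arg="127.0.0.1:7199"),
    ],
}

def dnat_first(chains):
    """Same rules with the DNAT rule moved to position 1 (what -I OUTPUT 1 would do)."""
    out = chains["OUTPUT"]
    return {**chains, "OUTPUT": [out[2], out[0], out[1]]}
```

With the rules appended in the order shown, a connection to 172.17.0.1:7199 hits the REDSOCKS jump at position 1 and the DNAT rule is never reached (`iptables -t nat -L OUTPUT -n --line-numbers` shows the live order). Moving DNAT to position 1 makes it fire, but then the REDIRECT no longer does, since only one terminating nat target applies per connection.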