Source address problem on ssh port forwarding


There are 3 computers (A,B and C). A and B are in the same subnet and
they are separated from computer C through the internet. I have only
access to computer B and C. I have built an ssh tunnel from B to C.
With it I forwarded the port 5555 from computer B to port 5555 of
computer C. I have allowed connections from other hosts to forwarded
ports of B (ssh -g -L 5555:IpAdr_CompC:5555 IpAdr_CompC).
A client program on computer A sends TCP packets to port 5555 on
computer B. This will be forwarded to computer C. The problem is, that
the source address field of the received TCP packets on computer C
contains the IP address of computer B and not the address of A. This
causes the server program on computer C to refuse the packets.
Is it possible to forward the TCP packets from A through the ssh
tunnel to C and keep the source address (IP address of A)?

Thank you,

Re: Source address problem on ssh port forwarding

midiwidi wrote:
No, it is physically impossible by the nature of TCP.  TCP requires
a connection; in order to complete transmission C must be able to
send packets back to the source of the incoming connection request,
that is, computer B.  It knows to send the SYN/ACK packet back here
because B is in the source field.  If you forge packets from B to
have a source of A, then C will send the SYN/ACK packet to A, where
it is dropped, and the attempt to establish a TCP connection will
fail.  It is theoretically possible to do something with UDP, since
two-way traffic is not required here, but whether ssh has facilities
for this, I know not, although I suspect it doesn't.   It doesn't do
you much good anyways if your application requires TCP.

Will C's server program accept packets from its own host?  If so,
you could set up a second ssh tunnel on C.  Set up B's tunnel to
send packets to an available port on C, say 5556, and then a
tunnel on C to route packets from 5556 to 5555 on C.  Now the
packets show up at the server program with a source address of C.

             Christopher Mattern

Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities
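A small Python relay, added here as an illustration (it is not part of the thread), modelled on what `ssh -L` does on B: it accepts a connection, opens a fresh TCP connection to the target, and pumps bytes both ways. Because the second connection is originated by the relay, the server's `accept()` reports the relay's endpoint, never the original client's. Everything runs on a constructed loopback setup, so the addresses are identical and the difference shows up in the source port.

```python
"""Userspace TCP relay in the spirit of `ssh -L`, used to show why the
target always sees the relay (B) as the peer rather than the client (A)."""
import socket
import threading


def _pump(src, dst):
    # Copy bytes src -> dst until src closes, then signal EOF to dst.
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_once(listen_sock, target):
    # Accept one inbound connection and splice it to a NEW outbound one.
    client, _ = listen_sock.accept()
    upstream = socket.create_connection(target)   # this is B->C, sourced by B
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)


def demo():
    """Returns (peer seen by the server, client's own endpoint, echoed bytes)."""
    server = socket.socket(); server.bind(("127.0.0.1", 0)); server.listen(1)
    relay = socket.socket(); relay.bind(("127.0.0.1", 0)); relay.listen(1)
    seen = {}

    def serve():
        conn, peer = server.accept()
        seen["peer"] = peer               # what the server program on C sees
        conn.sendall(conn.recv(4096))     # simple echo, then hang up
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    threading.Thread(target=relay_once, args=(relay, server.getsockname()),
                     daemon=True).start()
    client = socket.create_connection(relay.getsockname())  # A -> B
    client.sendall(b"hello from A")
    echoed = client.recv(4096)
    local = client.getsockname()          # A's real endpoint on this side
    client.close()
    return seen["peer"], local, echoed
```

Calling `demo()` returns a peer tuple that differs from the client's own endpoint: the server only ever sees the relay's outbound socket, which is exactly the situation described for B and C above.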
