TCP proxy for host on subnet
- Date: Mon, 05 Jun 2017 12:37:48 +0100
- From: Ron Leach <ronleach@xxxxxxxxx>
- Subject: TCP proxy for host on subnet
List, good morning,
I'm looking for a way to provide a tcp proxy, which can run as a
service on a Wheezy-LTS host, for a single (higher-order) port. I
have looked at two packages, but neither is quite suitable.
Connect-proxy ( https://packages.debian.org/wheezy/connect-proxy )
works well except that it only runs by cli command (not as a service),
and it exits quite quickly - possibly when there is no activity.
Balance ( https://packages.debian.org/wheezy/balance) looked very
interesting, not least because it is mainly aimed at sharing traffic
across multiple uplinks and with failover, but suffers from a flaw(?)
which means that it does not accept incoming IPv4 traffic from another
machine on its local subnet
( https://sourceforge.net/p/balance/bugs/9/ ); it does work when
accepting connections from localhost, as per the work-around in that
report. But in our case the inbound traffic is from another host on
the subnet; on testing we encountered exactly the problem described in
I have to rule out an SSH tunnel solution (which would, otherwise,
work) because SSH actually provides a 'continuous' operating 'channel'
to the destination host and, since the LAN hosting these subnets is on
a WAN with a dynamically assigned IP address, an SSH connection will
keep dropping each time the IP address is re-assigned. (IP
re-assignments seem to be happening every overnight, at present.)
Reading around, I think that various folks have hacked a specific
solution to this kind of problem using IPtables, but I don't really
want to do that because I didn't want to alter whatever IP routing
Debian has installed - neither do I understand it enough. I'd prefer,
if possible, to use a package; we only need to add this particular
one-off port-to-host forwarding, and only in that direction, there'll
be no inbound traffic (other than replies in a transaction sequence).
I realise that a router with almost totally restricted capability
(except for this one port) would also solve this problem but that is
quite a big solution for what ought really be a simple proxy.
Has anyone any experience or suggestions for a single port TCP proxy
solution that would be always-on?