Web lists-archives.com

TCP proxy for host on subnet




List, good morning,

I'm looking for a way to provide a tcp proxy, which can run as a service on a Wheezy-LTS host, for a single (higher-order) port. I have looked at two packages, but neither is quite suitable.

Connect-proxy ( https://packages.debian.org/wheezy/connect-proxy ) works well except that it only runs by cli command (not as a service), and it exits quite quickly - possibly when there is no activity.

Balance ( https://packages.debian.org/wheezy/balance) looked very interesting, not least because it is mainly aimed at sharing traffic across multiple uplinks and with failover, but suffers from a flaw(?) which means that it does not accept incoming IPv4 traffic from another machine on its local subnet ( https://sourceforge.net/p/balance/bugs/9/ ); it does work when accepting connections from localhost, as per the work-around in that report. But in our case the inbound traffic is from another host on the subnet; on testing we encountered exactly the problem described in that report.

I have to rule out an SSH tunnel solution (which would, otherwise, work) because SSH actually provides a 'continuous' operating 'channel' to the destination host and, since the LAN hosting these subnets is on a WAN with a dynamically assigned IP address, an SSH connection will keep dropping each time the IP address is re-assigned. (IP re-assignments seem to be happening every overnight, at present.)

Reading around, I think that various folks have hacked a specific solution to this kind of problem using IPtables, but I don't really want to do that because I didn't want to alter whatever IP routing Debian has installed - neither do I understand it enough. I'd prefer, if possible, to use a package; we only need to add this particular one-off port-to-host forwarding, and only in that direction, there'll be no inbound traffic (other than replies in a transaction sequence).

I realise that a router with almost totally restricted capability (except for this one port) would also solve this problem but that is quite a big solution for what ought really be a simple proxy.

Has anyone any experience or suggestions for a single port TCP proxy solution that would be always-on?

regards, Ron