When working in corporate environments with restricted network access, we often encounter situations where only specific hosts have internet access. Here's how to route all traffic from an isolated host (Host B) through an internet-connected host (Host A) using standard Linux networking tools.
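First, ensure both hosts can communicate and that Host A has internet access, then enable IP forwarding on Host A:
```bash
# On Host A (the two commands are equivalent; either one enables forwarding until reboot):
sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/ip_forward
```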
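Next, create a background SSH tunnel from Host B to Host A. The `-D` option opens a SOCKS proxy on Host B, so only applications configured to use that proxy are routed through Host A:
```bash
# On Host B (run as root):
# Bind the SOCKS listener to loopback. Binding to 0.0.0.0 would expose an
# unauthenticated proxy to every host that can reach Host B.
ssh -f -N -D 127.0.0.1:1080 user@HostA
```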
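Host A needs NAT and forwarding rules (here eth0 is the internet-facing interface and eth1 faces Host B):
```bash
# On Host A:
# Rewrite the source address of traffic leaving through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow new connections from the internal side out to the internet
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Allow only reply traffic back in
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
```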
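For a more comprehensive solution, consider setting up a TUN device:
```bash
# These commands only create and address the interfaces. A tunnel process
# (for example an OpenVPN session between the two hosts) must be attached
# to tun0 on both sides before any packets flow.

# On Host A:
openvpn --mktun --dev tun0
ip link set tun0 up
ip addr add 10.8.0.1/24 dev tun0

# On Host B (tun0 must already exist here with an address in 10.8.0.0/24):
ip route add default via 10.8.0.1 dev tun0
```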
If connectivity fails, check:
- Firewall rules on both hosts
- Correct interface names (eth0/eth1 might differ)
- Corporate network policies blocking unusual traffic patterns
To make these changes permanent:
```bash
# On Host A:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# Saves the current rules; they still have to be loaded at boot with iptables-restore
iptables-save > /etc/iptables.rules
```
In corporate environments, we often encounter situations where only specific machines have external network access. Let's examine a practical solution using two Linux hosts:
Host A (Gateway):
- Has internet access
- IP: 192.168.1.100 (example)
- Can reach Host B
Host B (Restricted):
- No internet access
- IP: 192.168.1.101
- Can reach Host A
First, we need to enable IP forwarding on Host A:
```bash
# Temporary enablement
echo 1 > /proc/sys/net/ipv4/ip_forward
# Permanent solution (add the setting to /etc/sysctl.conf)
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# Apply changes
sysctl -p
```
Configure iptables rules for NAT masquerading:
```bash
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
```
On Host B, set the default route to go through Host A:
```bash
# Remove existing default route if exists
ip route del default
# Add new default route
ip route add default via 192.168.1.100 dev eth0
# Verify routing
ip route show
```
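For cases where you can't modify routing tables:
```bash
# Create a SOCKS proxy tunnel (listens on 127.0.0.1:1080 by default)
ssh -D 1080 -f -C -q -N user@hostA
# Configure applications to use the proxy
# (with curl, socks5h:// instead of socks5:// resolves hostnames through the proxy)
export http_proxy="socks5://127.0.0.1:1080"
export https_proxy="socks5://127.0.0.1:1080"
```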
If connectivity fails, check these:
```bash
# Test basic connectivity
ping 192.168.1.100
# Check NAT rules
iptables -t nat -L -n -v
# Verify forwarding
cat /proc/sys/net/ipv4/ip_forward
# Test DNS resolution
dig google.com @8.8.8.8
```
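To complement the manual NAT check above, this added example (not part of the original page) audits `iptables-save` output from Host A for the three gateway rules and goes one step further by flagging a LAN-to-WAN FORWARD rule that is not limited to Host B's address. The function name, finding strings and both sample dumps are constructed for illustration.

```shell
# Added example (not from the original page): audit iptables-save output from
# Host A against the gateway rules above. Sample dumps below are constructed.
# Usage: iptables-save | audit_gateway_rules WAN_IF LAN_IF HOST_B_IP
# Prints one finding per line; returns 0 only when there are no findings.
audit_gateway_rules() {
    awk -v wan="$1" -v lan="$2" -v hostb="$3" '
    function opt(name,   i) {   # value that follows option name, or ""
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    $1 == "-A" && $2 == "POSTROUTING" && opt("-j") == "MASQUERADE" &&
        opt("-o") == wan { nat = 1 }
    $1 == "-A" && $2 == "FORWARD" && opt("-j") == "ACCEPT" {
        if (opt("-i") == lan && opt("-o") == wan) {
            out = 1
            src = opt("-s")
            # Without -s, every host behind LAN_IF can use the gateway.
            if (src != hostb && src != (hostb "/32")) wide = 1
        }
        if (opt("-i") == wan && opt("-o") == lan && /RELATED,ESTABLISHED/)
            back = 1
    }
    END {
        if (!nat)  print "MISSING: MASQUERADE on " wan
        if (!out)  print "MISSING: FORWARD " lan " -> " wan
        if (!back) print "MISSING: return-traffic rule " wan " -> " lan
        if (wide)  print "WARN: FORWARD " lan " -> " wan " is not limited to " hostb
        exit (!nat || !out || !back || wide)
    }'
}

# Constructed dump: exactly the three rules from the page.
PAGE_RULES='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# Constructed dump: same rules, with forwarding limited to Host B.
SCOPED_RULES=$(printf '%s\n' "$PAGE_RULES" |
    sed 's|^-A FORWARD -i eth1|-A FORWARD -s 192.168.1.101/32 -i eth1|')

printf '%s\n' "$PAGE_RULES" | audit_gateway_rules eth0 eth1 192.168.1.101 || true
```

On a live gateway, run it as `iptables-save | audit_gateway_rules eth0 eth1 192.168.1.101` with the interface names that apply to that host.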
To make changes survive reboots:
```bash
# On Host A
iptables-save > /etc/iptables.rules
echo "iptables-restore < /etc/iptables.rules" >> /etc/rc.local
# On Host B
echo "ip route add default via 192.168.1.100 dev eth0" >> /etc/rc.local
```