socat connect-connect "proxy" two inbound TCP connections to expose a firewalled service?


Solution 1

Something like

On "Server":

socat TCP4-LISTEN:10000 TCP4-LISTEN:4200

On "Client A":

socat TCP4:Server:10000 TCP4:localhost:4200

On "Client B":
Configure the client to connect to Server:4200

Alternatively, have a look at SSH port forwarding.
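
What the listen-listen pairing in Solution 1 does, as an added Python sketch (not part of the answer and not socat's code): `relay_once` plays the Server command, `agent_once` the Client A command, and `demo` is a constructed loopback run with an echo service standing in for port 4200. Like the socat commands as written (no `fork`), each side serves one connection pair; the `allowed` source check is an addition here, comparable to socat's `range=` listen option, and all function names are this example's own.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until src reaches EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def bridge(a, b):
    """Splice two connected sockets together in both directions."""
    back = threading.Thread(target=pump, args=(b, a), daemon=True)
    back.start()
    pump(a, b)
    back.join()
    a.close()
    b.close()

def relay_once(agent_ls, public_ls, allowed):
    """Server role, one pairing, as `socat TCP4-LISTEN:10000 TCP4-LISTEN:4200`."""
    agent, _ = agent_ls.accept()               # Client A dials out to the server
    client, (ip, _) = public_ls.accept()       # Client B arrives on the public port
    while ip not in allowed:                   # added check: drop unknown sources
        client.close()
        client, (ip, _) = public_ls.accept()
    bridge(agent, client)

def agent_once(server_addr, service_addr):
    """Client A role, as `socat TCP4:Server:10000 TCP4:localhost:4200`."""
    bridge(socket.create_connection(server_addr), socket.create_connection(service_addr))

def demo(payload=b"constructed test bytes"):
    """Constructed loopback run: echo service <- agent <- relay <- 'Client B'."""
    svc_ls, agent_ls, public_ls = (socket.create_server(("127.0.0.1", 0)) for _ in range(3))
    def echo():
        with svc_ls.accept()[0] as conn:
            pump(conn, conn)                   # echo everything back until EOF
    for fn, args in ((echo, ()), (relay_once, (agent_ls, public_ls, {"127.0.0.1"})),
                     (agent_once, (agent_ls.getsockname(), svc_ls.getsockname()))):
        threading.Thread(target=fn, args=args, daemon=True).start()
    with socket.create_connection(public_ls.getsockname()) as b:
        b.sendall(payload)
        b.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: b.recv(4096), b""))

if __name__ == "__main__":
    print(demo())
```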

Solution 2

You can also use PortFusion which I originally developed personally for this type of scenario, specifically for RDP.

  server> PortFusion                ] 10000        [
client-a> PortFusion 4200 localhost - 10000 server [ 4200

Now client-b can connect to server:4200 for RDP.

IMPORTANT NOTE!!

You should start PortFusion on client-a (or socat or anything else for that matter) as a different user AND ALSO NOT from within the graphical session of the user you want to connect as - otherwise you will get a black screen or a drop, etc.

Hope my answer can be of help.

Author: cjones26

Updated on September 18, 2022

Comments

  • cjones26
    cjones26 over 1 year

    I'm struggling a bit trying to see how to use socat (or a similar TCP port redirector) to expose a firewalled service on a PC.

    Here's the scenario: I have a server PC which will be acting as a listen-listen "proxy" / redirector between two client machines. The server can have as many firewall ports open as needed and has a public IP. On the first "client" (as in establishing an outbound connection to the proxy server), Client A, I am hosting a service on port 4200. This PC is behind a firewall which only allows inbound TCP connections based on a previous outbound connection. The same is true of the firewall Client B is behind.

    What I need to do is have Client B able to access port 42000 on Client A through the internet-facing TCP proxy server. The problem is that I can only initiate outbound TCP connections from Client A. How can I redirect the TCP connections through the server when both of the relay's clients are behind firewalls which only allow outbound connections? Please see the diagram below & let me know if clarification is in order.

                      ------------
                     |   Server   |
                     |w/ public IP|
                      ------------
                     /            \
              {|<Firewall>|}    {|<Firewall>|}
                    |                 |
              ----------          ----------        
             | Client A |        | Client B |
              ----------          ----------
           (hosting a service    (wanting to access
             on port 4200)         Client A port 4200)
    

    I would greatly appreciate any advice, thanks.

  • cjones26
    cjones26 about 13 years
    Thanks for the answer! It was perfect :). The one issue I'm having is, say I set up the chain as you've stated above & say the service is actually RDP. The connection immediately drops for some reason, after the first few packets are sent. Maybe this is a misunderstanding on my part of how to use socat?
  • RedGrittyBrick
    RedGrittyBrick about 13 years
    socat has lots (really really lots) of options. I expect you need to find the right options to suit the needs of RDP. I'm not enough of an expert in socat or RDP to work it out easily. Have a look at dest-unreach.org/socat/doc/socat-gender.txt which is related to this task and the man page which I find moderately intimidating.
  • cjones26
    cjones26 over 12 years
    Easier than socat, thanks! Can this be used in a commercial application if it's attributed?
  • Ghouse
    Ghouse over 12 years
    Yes! It can be used in any type of applications. I would love to hear about the application in which you use it :)