As long as I’ve been a [TelkomSpeedy](http://telkomspeedy.com/) customer, I’ve never been able to log on to any IM service. Yahoo! Messenger, MSN Messenger, Jabber, ICQ, AIM: none of them worked at all. I’m not alone; other Speedy customers like [Devi](http://devigirsang.blogspot.com/2006/12/dial-up-to-adsl.html) and [Tya](http://blog.raditya.net/) have experienced the same problem. I’m still curious why they chose to filter all IM traffic on their router.
They do allow [SSH](http://en.wikipedia.org/wiki/SSH) though, and this is how I managed to ‘fix’ the problem by redirecting IM traffic over an SSH tunnel.
First, the prerequisite. I need a server directly connected to the Internet, and root access to it. This may be a tough requirement for casual users, but thankfully I do have root access on several dozen servers.
Second, I need to prepare the server for [NAT](http://en.wikipedia.org/wiki/Network_address_translation). For my intents and purposes, this server will act as a (second) gateway for my computer. This needs to be done on the server:
```sh
# start from an empty NAT table
iptables --table nat --flush
iptables --table nat --delete-chain
# masquerade everything leaving on the Internet-facing interface
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# let packets arriving over the ppp link be forwarded
iptables --append FORWARD --in-interface ppp+ -j ACCEPT
# turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
```
Not much different from my usual NAT setup, except this time it is the other way around: `--out-interface` is now eth0, and `--in-interface` is now ppp+, because eth0 is the interface connected directly to the Internet, and ppp0 becomes the link between the server and my computer.
And now, to create the tunnel itself. This needs to be done on my computer:
```sh
# local pppd drives ssh as its pty; the remote pppd is started over that ssh session
/usr/sbin/pppd updetach noauth silent nodeflate pty \
  "/usr/bin/ssh root@server.example.com /usr/sbin/pppd nodetach notty noauth" \
  ipparam vpn 10.0.0.1:10.0.0.2
```
Substitute `server.example.com` with the real server name. This should create a new ppp0 interface on both the server and my computer; 10.0.0.1 is my end of the link and 10.0.0.2 is the server’s end, so I should now be able to ping 10.0.0.2 and get a reply.
Next, I need to modify my routes. First I need a dedicated route to the server via my current gateway, so that the SSH session carrying the tunnel isn’t itself routed into the tunnel once the default gateway changes (which would drop the tunnel): `route add server.example.com gw 192.168.1.1`, where `server.example.com` is the server hostname and `192.168.1.1` is my current gateway. And second, I need to change my default gateway to the tunnel: `route del default ; route add default gw 10.0.0.2`.
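Wrapping the three client-side steps in a script, as an added example that is not from the original post: the one check worth automating is that the host route to the SSH server exists via the real gateway before the default route is swapped, because without it the SSH session carrying the tunnel is routed into the tunnel itself and the link collapses. The script assumes net-tools `route -n` (or `ip route`) output formats and SSH login as root; `203.0.113.10` is a placeholder standing in for `server.example.com`, and `has_host_route`, `default_gateway`, `tunnel_up` and `tunnel_down` are names chosen here for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Client-side wrapper around the
# host route, the pppd-over-ssh tunnel and the default-route swap, which
# refuses to change the default gateway until the host route to the SSH
# server is confirmed present. Addresses below are placeholders/assumptions.

SERVER_IP="${SERVER_IP:-203.0.113.10}"   # placeholder for server.example.com
LAN_GW="${LAN_GW:-192.168.1.1}"          # current (real) default gateway
TUN_LOCAL="${TUN_LOCAL:-10.0.0.1}"       # my end of ppp0
TUN_PEER="${TUN_PEER:-10.0.0.2}"         # server end of ppp0

# has_host_route TABLE IP GW
# TABLE is text from `route -n` or `ip route`. Exit 0 only if a host (/32)
# route to IP via GW is present in it.
has_host_route() {
  printf '%s\n' "$1" | awk -v ip="$2" -v gw="$3" '
    # route -n line: Destination Gateway Genmask Flags ...
    $1 == ip && $2 == gw && $3 == "255.255.255.255" { found = 1 }
    # ip route line: "203.0.113.10 via 192.168.1.1 dev eth0"
    $1 == ip && $2 == "via" && $3 == gw { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# default_gateway TABLE
# Prints the current default gateway from either table format.
default_gateway() {
  printf '%s\n' "$1" | awk '
    $1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2; exit }
    $1 == "default" && $2 == "via"      { print $3; exit }'
}

tunnel_up() {
  # 1. Pin the SSH server behind the LAN gateway before anything else, so the
  #    session that carries the tunnel never depends on the default route.
  has_host_route "$(route -n)" "$SERVER_IP" "$LAN_GW" ||
    route add -host "$SERVER_IP" gw "$LAN_GW" || return 1

  # 2. The tunnel from the post: local pppd uses ssh as its pty, the remote
  #    pppd talks back over the same channel. updetach returns once ppp0 is up.
  /usr/sbin/pppd updetach noauth silent nodeflate pty \
    "/usr/bin/ssh root@$SERVER_IP /usr/sbin/pppd nodetach notty noauth" \
    ipparam vpn "$TUN_LOCAL:$TUN_PEER" || return 1

  # 3. Re-check the pin, then swap the default gateway to the tunnel peer.
  if ! has_host_route "$(route -n)" "$SERVER_IP" "$LAN_GW"; then
    echo "refusing to change default route: no host route to $SERVER_IP" >&2
    return 1
  fi
  route del default && route add default gw "$TUN_PEER"
}

tunnel_down() {
  # Restore the LAN gateway first so the box stays reachable, then drop the
  # tunnel (the ssh child exits together with pppd) and the host route.
  route del default && route add default gw "$LAN_GW"
  pkill -f 'ipparam vpn'
  route del -host "$SERVER_IP" gw "$LAN_GW"
}

case "${1:-}" in
  up)   tunnel_up ;;
  down) tunnel_down ;;
esac
```

Run it as root with `up` or `down`; `has_host_route` and `default_gateway` only read a routing-table dump, so they can be exercised on saved `route -n` output without touching the live table.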
All done: now all traffic will be redirected to my server. Any connection that originates from my computer will be translated by the server, and the destination will see the server as the origin of the connection, not my computer.
Please note that tonight they already fixed the problem and for the first time I can run IM without tunneling. I don’t know if my little chat with KWW yesterday has anything to do with this :).