Last active: April 26, 2017 23:42
SSH Tunnels
Q: How to provide Internet access to servers restricted via firewall rules?
A: Use an SSH tunnel and iptables.
Create an SSH reverse tunnel to the remote host:
ssh -R9000:127.0.0.1:1025 <username>@<remote_server>
This command makes sshd listen on port 9000 on the remote machine (the ssh server) and forwards every connection made to that port back through the tunnel to port 1025 on the client machine (the ssh client).
The tunnel is up, but we still need a traffic pipeline. Let's configure the remote server, which sits inside the well-protected intranet: all HTTP traffic (or any other protocol you need) originating on the remote server has to be sent into the SSH tunnel. There are several ways to do this:
a) iptables:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:9000
Add a source match to the rule and tailor it to your needs; you will probably want to forward only certain destination ports. The bad news is that you need root access.
b) proxy environment variable:
export http_proxy=http://127.0.0.1:9000
This is convenient for console applications that honour the proxy environment variables, and it needs neither sudo nor root.
We are done with the remote server; now let's build the backend on the local server (our Internet gateway). The backend needs to accept connections on port 1025 and forward or NAT them to the other network. I assume that you know what Docker is and what you are doing.
Make a working directory:
mkdir nginx_docker && cd nginx_docker
Create the config file for nginx. It will run as a transparent forward proxy, so we assume the Docker network is configured correctly and the container has access to the Internet.
vi default.conf
i # enter vi insert mode; drop this line if you know how vi works or are not a lazy copypaster
server {
    resolver 8.8.8.8;
    access_log off;
    listen *:1025;
    location / {
        proxy_pass $scheme://$http_host$uri$is_args$args;
        proxy_buffers 256 4k;
        proxy_max_temp_file_size 0k;
    }
}
vi Dockerfile
i # enter vi insert mode; drop this line if you know how vi works or are not a lazy copypaster
FROM nginx
RUN apt-get update && apt-get install -y curl
COPY default.conf /etc/nginx/conf.d/default.conf
Build the Docker image:
docker build -t my-nginx .
Run the container:
docker run -d -p1025:1025 --name=my-nginx my-nginx
Check that the container is running (the name must match the --name given above):
docker ps | grep my-nginx
Check the tunnel end to end (curl runs on the ssh server and reaches the Internet through the proxy on the client side):
ssh -R9000:127.0.0.1:1025 <user>@<server> "curl -s --proxy 127.0.0.1:9000 http://ifconfig.co"
This solution works only for plain HTTP. For HTTPS there is another option: a MITM proxy (mitmproxy), which terminates TLS itself and presents its own generated certificate, so the client will not be able to verify the server certificate. Run it on the ssh server:
For interactive mode:
docker run --rm -it --name=mitm -p 8080:8080 mitmproxy/mitmproxy
For daemon mode:
docker run -d --name=mitm -p 8080:8080 mitmproxy/mitmproxy
The published port may be adjusted to your needs. For example, with the daemon above listening on 8080, point the tunnel at it and check it (--insecure is needed because curl cannot verify mitmproxy's generated certificate):
ssh -R9000:127.0.0.1:8080 <user>@<server> "curl --insecure -s --proxy 127.0.0.1:9000 https://ifconfig.co"
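From the defender's side, the `ssh -R` tunnel above shows up on the ssh server as an sshd-owned listening socket on a port other than the SSH service port, and it is only possible because sshd's AllowTcpForwarding (default yes) permits it. The following audit script is an added example, not part of the gist: it parses `ss -Hltnp` output for such listeners and reports the effective AllowTcpForwarding value from sshd_config. The ss output and sshd_config fragment embedded in it are constructed samples.

```shell
#!/usr/bin/env bash
# Added example: audit an ssh server for reverse-forward listeners (what
# `ssh -R9000:...` creates) and for the sshd setting that allows them.
set -u

SSH_PORT="${SSH_PORT:-22}"

# Constructed sample of `ss -Hltnp` output while the gist's tunnel is up.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:* users:(("sshd",pid=4321,fd=9))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=900,fd=6))'

# Constructed sshd_config fragment (directive commented out = sshd default).
SAMPLE_SSHD_CONFIG='Port 22
#AllowTcpForwarding yes
GatewayPorts no'

# Print "port pid" for every sshd listener that is not the SSH service port.
# $1: text in `ss -Hltnp` format; $2: SSH service port.
reverse_forward_listeners() {
    printf '%s\n' "$1" | awk -v sshport="$2" '
        $1 == "LISTEN" && $NF ~ /"sshd"/ {
            n = split($4, addr, ":"); port = addr[n]   # last field = port
            if (port != sshport) {
                match($NF, /pid=[0-9]+/)
                print port, substr($NF, RSTART + 4, RLENGTH - 4)
            }
        }'
}

# Report the effective AllowTcpForwarding value; sshd defaults to yes when
# the directive is absent or commented out.
tcp_forwarding_setting() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "allowtcpforwarding" { v = tolower($2) }
        END { print (v == "" ? "yes (default)" : v) }'
}

main() {
    echo "sshd listeners outside port $SSH_PORT (port pid):"
    reverse_forward_listeners "$SAMPLE_SS" "$SSH_PORT"
    echo "AllowTcpForwarding: $(tcp_forwarding_setting "$SAMPLE_SSHD_CONFIG")"
    # On a live host use the real data instead of the samples:
    #   reverse_forward_listeners "$(ss -Hltnp)" "$SSH_PORT"
    #   tcp_forwarding_setting "$(cat /etc/ssh/sshd_config)"
}
main
```

Setting `AllowTcpForwarding no` (or `remote` only where needed) in sshd_config is the configuration-side control; the listener check catches tunnels that are already up.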