@mancubus77
Last active April 26, 2017 23:42
SSH Tunnels
Q: How do you provide Internet access to servers restricted by firewall rules?
A: Use an SSH tunnel and iptables
Create SSH tunnel to remote host
ssh -R9000:127.0.0.1:1025 <username>@<remote_server>
This command listens on port 9000 on the remote machine (ssh server) and forwards all packets through the SSH tunnel to port 1025 on the client machine (ssh client).
The tunnel is up, but we still need to route traffic into it. Let's configure the remote server, which sits in a well-protected intranet. We need to forward all HTTP (or any other?) traffic originating on the remote server into the SSH tunnel. There are several ways to do this:
a)
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:9000
Add your source to the rule and tailor it to your needs. You will probably want to forward only certain destination ports. The bad news is that you need root access.
b)
export http_proxy=http://127.0.0.1:9000
That's nice if you are working with console applications that pick up environment variables. No sudo or root needed.
We are done with the remote server; now let's build the backend on the local server (which is our Internet gateway). The backend needs to accept connections on port 1025 and forward or NAT them to the other network. I assume that you know what Docker is and what you are doing.
Let's make a working directory
mkdir nginx_docker && cd nginx_docker
Create the config file for nginx. It will work in transparent proxy mode, so we assume that the Docker network is configured correctly and the container has access to the Internet.
vi default.conf
i # remove if you are not lazy copypaster or know how vi works
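server {
    # DNS resolver nginx uses to look up the requested host
    resolver 8.8.8.8;
    access_log off;
    listen *:1025;
    location / {
        # forward the request to whatever host the client asked for
        proxy_pass $scheme://$http_host$uri$is_args$args;
        proxy_buffers 256 4k;
        # do not spool responses to temporary files on disk
        proxy_max_temp_file_size 0k;
    }
}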
vi Dockerfile
i # remove if you are not lazy copypaster or know how vi works
FROM nginx
RUN apt-get update && apt-get install -y curl
COPY default.conf /etc/nginx/conf.d/default.conf
Build docker image
docker build -t my-nginx .
Run docker image
docker run -d -p1025:1025 --name=my-nginx my-nginx
Check that the container is running
docker ps | grep my-nginx
Check the tunnel
ssh -R9000:127.0.0.1:1025 <user>@<server> "curl -s --proxy 127.0.0.1:9000 http://ifconfig.co"
This solution works only for HTTP. For HTTPS there is another option: a MITM proxy. Run it on the ssh server
for interactive mode:
docker run --rm -it --name=mitm -p 8080:8080 mitmproxy/mitmproxy
for daemon mode:
docker run -d --name=mitm -p 8080:8080 mitmproxy/mitmproxy
The port may be adjusted according to your needs
for example:
docker run -d --name=mitm -p 8080:8080 mitmproxy/mitmproxy
ssh -R9000:127.0.0.1:8080 <user>@<server> "curl --insecure -s --proxy 127.0.0.1:9000 https://ifconfig.co"
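A check worth running after the steps above, added here as an example (not part of the original gist): it flags the page's proxy and tunnel ports when they listen on anything other than loopback, which is what `docker run -p1025:1025` and `-p 8080:8080` do by default. The function names and the sample lines are constructed for illustration; on a real host, feed it `ss -Hltn`.

```shell
#!/bin/sh
# Added example: flag proxy/tunnel ports listening on non-loopback addresses.
# Input: `ss -Hltn` lines (State Recv-Q Send-Q Local:Port Peer:Port).

# Ports used on this page: 1025 (nginx), 8080 (mitmproxy), 9000 (ssh -R).
WATCHED_PORTS="1025 8080 9000"

# Print "addr port" for each watched port bound outside 127.0.0.0/8 and [::1].
exposed_listeners() {
    awk -v ports="$WATCHED_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "LISTEN" {
            idx = match($4, /:[0-9]+$/)          # trailing ":port"
            if (idx == 0) next
            addr = substr($4, 1, idx - 1)
            port = substr($4, idx + 1)
            if (!(port in watch)) next
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            print addr, port
        }'
}

# Constructed sample shaped like `ss -Hltn` on the gateway: Docker publishes
# -p1025:1025 and -p 8080:8080 on all addresses unless told otherwise.
sample_gateway() {
    cat <<'EOF'
LISTEN 0 4096 0.0.0.0:1025 0.0.0.0:*
LISTEN 0 4096 [::]:1025 [::]:*
LISTEN 0 4096 *:8080 *:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

# Constructed sample for the ssh server: `ssh -R9000:...` binds loopback
# unless GatewayPorts is enabled in sshd_config.
sample_ssh_server() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 128 [::1]:9000 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

sample_gateway | exposed_listeners
sample_ssh_server | exposed_listeners
```

Publishing the container with `-p 127.0.0.1:1025:1025` (and likewise for 8080) keeps the proxy reachable through the tunnel, which targets 127.0.0.1 on the client, without exposing it to the rest of the gateway's network.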