Provide Internet to a Server behind firewall/NAT
Provide Internet to a Server (Destination) behind firewall/NAT == SUCCESS
(Note : Don't use port 80. There may be an Apache instance running on the Destination server, and the forwarded port would collide with it.)
Requirement == Provide internet access to a server (Destination) which is behind a Firewall/NAT.
Only mode of access to Destination is SSH to Public IP ==> NAT ==> Private IP (Destination)
On Proxy server (Source):
apt-get install tinyproxy
ssh username@publicIp(Destination IP) -R 8888:127.0.0.1:8888
Keep this shell open/running. The -R option makes sshd on the Destination listen on 127.0.0.1:8888 (loopback only) and send every connection back through the tunnel to tinyproxy on the Source, which listens on port 8888 by default.
Log in to the Destination Server and point wget, the shell and apt at the tunnelled proxy:
a) /etc/wgetrc (diff against a copy of the original):
root@Node:~# diff /etc/wgetrc /etc/wgetrc_orig
< http_proxy = http://127.0.0.1:8888/
< use_proxy = on
---
> #use_proxy = on
b) /etc/bash.bashrc:
tail /etc/bash.bashrc
export http_proxy=http://127.0.0.1:8888/
c) /etc/apt/apt.conf:
root@Node:~# more /etc/apt/apt.conf
ACQUIRE
{
http::proxy "http://127.0.0.1:8888/";
}
I hope you enjoyed this !!! Now the node should be able to reach the Internet via the SSH tunnel.
Proxy with SSH
This article will be interesting for those who didn't know it already -- you can turn any Linux computer into a SOCKS5 (and SOCKS4) proxy in just one command:
ssh -N -D 0.0.0.0:1080 localhost
And it doesn't require root privileges. The ssh command starts dynamic (-D) port forwarding on port 1080 and talks to the clients via the SOCKS5 or SOCKS4 protocol, just like a regular SOCKS5 proxy would! The -N option makes sure ssh stays idle and doesn't execute any commands on localhost. Note that binding to 0.0.0.0 makes the proxy reachable from every host that can reach port 1080, which is why the access control below matters.
If you also wish the command to go into background as a daemon, then add -f option:
#ssh -f -N -D 0.0.0.0:1080 localhost
To use it, just make your software use SOCKS5 proxy on your Linux computer's IP, port 1080, and you're done, all your requests now get proxied.
Access control can be implemented via iptables. For example, to allow only people from the ip 1.2.3.4 to use the SOCKS5 proxy, add the following iptables rules:
#iptables -A INPUT --src 1.2.3.4 -p tcp --dport 1080 -j ACCEPT
#iptables -A INPUT -p tcp --dport 1080 -j REJECT
The first rule says, allow anyone from 1.2.3.4 to connect to port 1080, and the other rule says, deny everyone else from connecting to port 1080.
Another possibility is to use another computer instead of your own as exit node. What I mean is you can do the following:
#ssh -f -N -D 1080 other_computer.com
This will set up a SOCKS5 proxy on localhost:1080 but when you use it, ssh will automatically tunnel your requests (encrypted) via other_computer.com. This way you can hide what you're doing on the Internet from anyone who might be sniffing your link. They will see that you're doing something but the traffic will be encrypted so they won't be able to tell what you're doing.
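To verify that the SOCKS5 proxy started with ssh -D actually works, and that from a host other than 1.2.3.4 the iptables rules above refuse it, here is a small SOCKS5 client handshake, added as an example and not part of the original post. It assumes only a proxy listening at the address you pass in; the byte layout is RFC 1928, which is what ssh -D speaks.

```python
import socket
import struct

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def build_greeting():
    # Client -> proxy: version 5, one method offered, 0x00 = no auth (what ssh -D accepts)
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def parse_method_selection(data):
    # Proxy -> client: version and chosen method; 0xFF means "no acceptable method"
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 proxy, got %r" % (data,))
    if data[1] != NO_AUTH:
        raise ValueError("proxy selected method 0x%02x, expected no-auth" % data[1])
    return True

def build_connect(host, port):
    # CONNECT with a domain-name address (ATYP 3): the proxy resolves the name, so no DNS leaks
    name = host.encode("idna")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def parse_connect_reply(data):
    # Proxy -> client: VER REP RSV ATYP BND.ADDR BND.PORT -> (rep, bound addr, bound port)
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed SOCKS5 reply %r" % (data,))
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    else:  # IPv6 bound addresses are not handled in this short example
        raise ValueError("unsupported address type 0x%02x" % atyp)
    return rep, addr, struct.unpack("!H", rest[:2])[0]

def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5):
    # Full handshake against a live proxy; returns a socket connected to dest through the tunnel
    s = socket.create_connection((proxy_host, proxy_port), timeout)
    s.sendall(build_greeting())
    parse_method_selection(s.recv(2))
    s.sendall(build_connect(dest_host, dest_port))
    rep, _, _ = parse_connect_reply(s.recv(262))  # 262 bytes = largest valid reply
    if rep != 0:
        s.close()
        raise OSError(REPLY_TEXT.get(rep, "SOCKS reply 0x%02x" % rep))
    return s
```

Run socks5_connect("proxy-ip", 1080, "example.com", 443) from the allowed host and from another one: the first returns a usable socket, the second fails at create_connection because the REJECT rule answers before any SOCKS bytes are exchanged.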
SSH Port Forwarding
ssh -L Local_port:Host_IP:Host_port username@IP
By default the local port is bound to the loopback address only. If you add the -g switch, the forwarded port is bound on all interfaces, so other hosts on your subnet can use the forward as well (treat it as you would any other open service).
Howto Linux / UNIX setup SSH with DSA/RSA public key authentication (password less login)
#1 machine : your laptop called Gladiator
#2 machine : your remote server called vxdatacenter
@@@Command to type on Gladiator/Laptop@@@
- ssh-keygen -t rsa (or -t dsa)
- make sure chmod 755 ~/.ssh (700 is the usual setting; sshd refuses to read keys from a directory that is group- or world-writable)
@@@Copy Public key @@@
scp ~/.ssh/id_dsa.pub user@google.com:.ssh/authorized_keys
(This replaces any authorized_keys already on the server; to append a key instead, use ssh-copy-id user@host.)
@@@ Login Test ssh/scp from your Laptop/Gladiator @@@
Make sure that on the server (vxdatacenter) ~/.ssh/authorized_keys is chmod 600.
@@@How do I login from the client without typing the passphrase @@@
exec /usr/bin/ssh-agent $SHELL
ssh-add
Enter the passphrase once; the agent then supplies the key, so you won't be asked again when you log in to the remote server with the public key.
I hope you found this article a little informative !!!
Thank you for visiting my blog...