Re: Some routing advice (connecting through SSH)

2001-10-26 Thread George Karaolides

On 26 Oct 2001, Adam Warner wrote:

> On Fri, 2001-10-26 at 03:07, George Karaolides wrote:
>  
> > Now to determine some more facts about the network geometry.  I assume
> > that machine R at your institution has one interface connected to the
> > Internet, with a public IP address, and one on the institution's LAN with
> > a private IP address.
> 
> Just one public IP address. But after Code Red they unilaterally
> firewalled all incoming connections, even to the Dept's web servers!
> (something I had to alert people about). I'm not serving public content
> on this machine.

OK, so machine R has one public IP address, routed through your
institution's gateway/firewall.

> It's well firewalled locally (iptables). I'm pretty sure no one will be
> able to connect from anywhere else (I'm employing IP address checking,
> port blocking and of course password protection). Ping is global but
> that's because I believe people should be able to check if a machine
> connected to a public IP address is functioning.

Your security sounds OK, but do look at some kernel settings in /proc.
For example, enabling syncookies is a good idea, and disabling replies to
broadcast pings:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

> 
> > Also, that the services you want to access are also on the institution's 
> > LAN.
> 
> I think access to services is determined by network card mac address.
> 

I think the following would work:

1. Set up an IP tunnel between machines H and R.  Now I haven't done this
before but I know it can be done.  Look for "IP:tunneling"
(CONFIG_NET_IPIP) in the kernel configuration options, under "Networking
options".  Quoting from the help on this:

"This particular tunneling driver implements encapsulation of IP within IP, 
which sounds kind of pointless, but can be useful if you want to make your
(or some other) machine appear on a different network than it physically
is...check out http://anchor.cs.binghamton.edu/~mobileip/LJ/index.html";

which kind of sounds like what you need.  As I said, I haven't tried this
before, but I am virtually sure that you use this to set up a network
interface representing the "entrance" of the tunnel.

2. Set up the routing table on machine H to route all traffic destined for
your institution's network IP address space (get that from your friendly 
admin, if you haven't got it already) to use the tunnel interface.

3. On machine R, enable IP masquerading, with the tunnel interface as the
"internal" interface and the machine's actual publicly available interface
as the "world" interface.

This should be the basis for your solution.  The routing on machine H will
make it access the machines at your institution through the tunnel
and machine R, not the Internet.  Masquerading on R will make those
machines think they are being accessed by R instead of H, which is what
you want. They will reply to R, and the demasquerading will
then forward everything back to H.  Linux networking magic at its best.

I am also virtually sure you can build this to work for all machines in
your private LAN at home, with machine H as gateway.

Though I have no hands-on experience of this, I will, of course, try
and help out with any questions of yours which might arise if you do try
it, to the best of my ability.  Do let me know how you get on!

Best regards,

George Karaolides   8, Costakis Pantelides St.,
tel:   +35 79 68 08 86   Strovolos, 
email: [EMAIL PROTECTED]   Nicosia CY 2057,
web:   www.karaolides.com  Republic  of Cyprus





Success: Some routing advice (connecting through SSH)

2001-10-25 Thread Adam Warner
I wrote:

> I haven't worked out the
> correct format of ssh -L yet, but I'm sure I'll figure that out.

Phenomenal. It works perfectly. It really is impressive.

And connecting is just so easy.

My browser is set with HTTP Proxy 127.0.0.1 and port x

The connection command is nothing more difficult than typing from the
local computer:

ssh -l  -L x::x  

It just works so seamlessly. It's amazing.

Regards,
Adam
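Added example, not part of Adam's post or of the thread: the ssh -L plus tinyproxy arrangement the thread settles on (Dan's H:1234 -> R:5678 description and Adam's "only localhost can access the proxy" setup), written as a small POSIX sh script. It assumes tinyproxy.conf's Port/Listen/Allow directives, a proxy port of 8888, a local port of 1234, and the user and host names shown; all of those are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread).  On R, tinyproxy must bind to
# loopback so the only way to reach it is the port SSH forwards; on H,
# the browser's proxy is then 127.0.0.1:LOCAL_PORT.

# Two constructed tinyproxy.conf fragments.  The weak one listens on
# every interface and admits a whole network; the hardened one binds to
# loopback and admits only loopback clients.
WEAK_CONF='Port 8888
Allow 192.168.0.0/16'

HARDENED_CONF='Port 8888
Listen 127.0.0.1
Allow 127.0.0.1'

# check_proxy_conf CONF -> 0 if the proxy is reachable only via loopback,
# 1 otherwise.  Requires an explicit "Listen 127.0.0.1" and no Allow
# line for anything other than 127.0.0.1.
check_proxy_conf() {
    conf="$1"
    printf '%s\n' "$conf" |
        grep -q '^Listen[[:space:]][[:space:]]*127\.0\.0\.1[[:space:]]*$' || return 1
    # Any Allow line that is not exactly loopback widens the proxy.
    if printf '%s\n' "$conf" | grep '^Allow' |
        grep -vq '^Allow[[:space:]][[:space:]]*127\.0\.0\.1[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# proxy_port CONF -> the Port value, i.e. where tinyproxy listens on R.
proxy_port() {
    printf '%s\n' "$1" | awk '$1 == "Port" { print $2; exit }'
}

# ssh_forward_cmd LOCAL_PORT PROXY_PORT USER HOST -> the command typed on H.
# -N: no remote shell, only the forward.  The forward's target address is
# 127.0.0.1 as seen from R, which is why "Listen 127.0.0.1" is enough.
ssh_forward_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s -l %s %s\n' "$1" "$2" "$3" "$4"
}

# Usage on H (assumed names): refuse to start if the proxy config on R is
# wider than loopback, otherwise print the forward to run, then point the
# browser or Lynx at 127.0.0.1:1234.
if check_proxy_conf "$HARDENED_CONF"; then
    ssh_forward_cmd 1234 "$(proxy_port "$HARDENED_CONF")" adam r.example.edu
    # http_proxy=http://127.0.0.1:1234/ lynx http://intranet.example.edu/
fi
```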



Re: Some routing advice (connecting through SSH)

2001-10-25 Thread Adam Warner
On Fri, 2001-10-26 at 13:16, Dan Christensen wrote:
> Dan Christensen <[EMAIL PROTECTED]> writes:
> 
> > Hans Ekbrand <[EMAIL PROTECTED]> writes:
> > 
> >> On Thu, Oct 25, 2001 at 11:54:56PM +1300, Adam Warner wrote:
> >>> I want to route some traffic through a remote computer (R) to my home
> >>> computer (H). 
> > 
> > [web traffic]
> > 
> >> Another way of doing it, a bit more unsecure maybe, would be to
> >> install a proxyserver on R and only accept connections from H.
> > 
> > Yes.  For example, just install junkbuster or webwasher on R,
> > and set your browser on H to use R as a proxy.  I've done this
> > (for the same reasons as the original poster) several times.
> 
> I should have said that this can be combined with ssh port
> forwarding.  You have ssh forward H:1234 to R:5678, run a 
> proxy on R listening on 5678, and set your browser to use
> H:1234 as a proxy.

Thanks Dan. I'm beginning to understand this all now.

Here are three very good pieces of information:

http://www.webtechniques.com/archives/2000/09/webm/

In particular the "Port Forwarding" section.

And these two answers:

http://plaguesplace.dyndns.org/proxy-elites-faq/x89.html
http://plaguesplace.dyndns.org/proxy-elites-faq/x97.html


A Debian package search using apt-cache search has turned up this
excellent choice of proxy server: 

tinyproxy

Description: A lightweight, non-caching, optionally anonymizing http
proxy

 An anonymizing http proxy which is very light on system resources,
 ideal for smaller networks and similar situations where other proxies
 (such as Squid) may be overkill and/or a security risk. Tinyproxy can
 also be configured to anonymize http requests (allowing for exceptions
 on a per-header basis).


OK I think I understand this now. I install tinyproxy and configure it
to a port (I've set it up securely so that only localhost can access the
proxy). I then use ssh -L to tunnel the proxy traffic to my home
machine. And I set up my web browser to access the appropriate localhost
port (when I want to be able to access the appropriate resources).

Using Lynx I have been able to verify that the proxy is working (by
setting the http_proxy environment variable). I haven't worked out the
correct format of ssh -L yet, but I'm sure I'll figure that out.

I'm very pleased with this solution. It appears to be extremely secure.

Thanks all,
Adam



Re: Some routing advice (connecting through SSH)

2001-10-25 Thread Dan Christensen
Dan Christensen <[EMAIL PROTECTED]> writes:

> Hans Ekbrand <[EMAIL PROTECTED]> writes:
> 
>> On Thu, Oct 25, 2001 at 11:54:56PM +1300, Adam Warner wrote:
>>> I want to route some traffic through a remote computer (R) to my home
>>> computer (H). 
> 
> [web traffic]
> 
>> Another way of doing it, a bit more unsecure maybe, would be to
>> install a proxyserver on R and only accept connections from H.
> 
> Yes.  For example, just install junkbuster or webwasher on R,
> and set your browser on H to use R as a proxy.  I've done this
> (for the same reasons as the original poster) several times.

I should have said that this can be combined with ssh port
forwarding.  You have ssh forward H:1234 to R:5678, run a 
proxy on R listening on 5678, and set your browser to use
H:1234 as a proxy.

Dan



Re: Some routing advice (connecting through SSH)

2001-10-25 Thread Adam Warner
On Fri, 2001-10-26 at 03:07, George Karaolides wrote:
 
> Sorry again, I didn't get exactly what you were trying to do from
> your first message.

That's alright. If some people were thinking that, it's best I had the
opportunity to clarify.

> Now to determine some more facts about the network geometry.  I assume
> that machine R at your institution has one interface connected to the
> Internet, with a public IP address, and one on the institution's LAN with
> a private IP address.

Just one public IP address. But after Code Red they unilaterally
firewalled all incoming connections, even to the Dept's web servers!
(something I had to alert people about). I'm not serving public content
on this machine.

It's well firewalled locally (iptables). I'm pretty sure no one will be
able to connect from anywhere else (I'm employing IP address checking,
port blocking and of course password protection). Ping is global but
that's because I believe people should be able to check if a machine
connected to a public IP address is functioning.

> Also, that the services you want to access are also on the institution's LAN.

I think access to services is determined by network card mac address.

Thanks also to the two other people (Dan and Hans) who recommended a
proxy server. I'm not sure how that would work beginning with an SSH
connection.

Regards,
Adam



Re: Some routing advice (connecting through SSH)

2001-10-25 Thread Dan Christensen
Hans Ekbrand <[EMAIL PROTECTED]> writes:

> On Thu, Oct 25, 2001 at 11:54:56PM +1300, Adam Warner wrote:
>> I want to route some traffic through a remote computer (R) to my home
>> computer (H). 

[web traffic]

> Another way of doing it, a bit more unsecure maybe, would be to
> install a proxyserver on R and only accept connections from H.

Yes.  For example, just install junkbuster or webwasher on R,
and set your browser on H to use R as a proxy.  I've done this
(for the same reasons as the original poster) several times.

Dan



Re: Some routing advice (connecting through SSH)

2001-10-25 Thread George Karaolides

Hi,

On 26 Oct 2001, Adam Warner wrote:

> 
> On Fri, 2001-10-26 at 01:04, George Karaolides wrote:
> > 
> > Hi,
> > 
> > I need a bit more info. to start thinking about your question.
> 
> I'm still up, barely :-)
> 
> > How do you connect from H to R?  Through the Internet?
> 
> Yes.
> 
> > If so, does your Internet connection (that you use to connect H to the 
> > Internet) have a
> > static IP address or a dynamic one?
> 
> Static, permanent connection.

Good, that makes things somewhat easier.

> 
> > Another point:  It seems to me as if you'll be trying to use a
> > server hosted at an ISP as a masquerading gateway for your home LAN.
> 
> Hey, hold on a minute! You're _way_ off base. What? Server hosted at an
> ISP? No!
> 
> > You
> > may well be able to do it, and the ISP may well not catch you at it,
> > for a while anyway, but if the ISP sees this as violating the service
> > agreement they have with whoever they're hosting the server for (you?) and
> > they do find out, you are in for trouble.
> 
> For what? I won't be in trouble for anything. Please don't jump to
> conclusions. If I was trying to do something naughty I wouldn't be using
> my real name (and please note that I use my real name in _all_ my
> communications).

Sorry if I offended you, but I said "It sounds like..." and "If..."  I
didn't think you were deliberately trying to swindle an ISP.  I had your
best interests in mind.

> Thanks anyway for being concerned. I only want to implement a very
> limited system for only specific browser traffic so I can perform
> searches on databases accessible at my Institution from my home computer
> (just like having a remote desktop, but as I say I'd like it to be more
> efficient). And I discussed it with my Department's computer support
> (his suggestion was to tunnel X through SSH). Even though I've never
> done that before I'd like to try and do it more efficiently (and also
> work more productively--If you go to save a document on a remote desktop
> it has only been saved to that computer. Then I'd need to use something
> like sftp to download it to my computer. Much better if I could operate
> as if I was at that machine).
> 
> > The traffic won't be difficult
> > to spot; servers are expected to be serving out a lot of stuff, not to
> > have a lot of incoming traffic.
> 
> Did I say there would be a lot of traffic or did I specifically say "for
> just some chosen traffic"? My Institution will be able to see all
> traffic going to my "R" computer. I would be very foolish to route
> personal traffic through my Institution's network.

Sorry again, I didn't get exactly what you were trying to do from
your first message.

Now to determine some more facts about the network geometry.  I assume
that machine R at your institution has one interface connected to the
Internet, with a public IP address, and one on the institution's LAN with
a private IP address.  Also, that the services you want to access are
also on the institution's LAN and also have private IP addresses.  Is that
correct?

Best regards (it's still afternoon here),

George Karaolides   8, Costakis Pantelides St.,
tel:   +35 79 68 08 86   Strovolos, 
email: [EMAIL PROTECTED]   Nicosia CY 2057,
web:   www.karaolides.com  Republic  of Cyprus





Re: Some routing advice (connecting through SSH)

2001-10-25 Thread Hans Ekbrand
On Thu, Oct 25, 2001 at 11:54:56PM +1300, Adam Warner wrote:
> Hi all,
> 
> I just need to understand where I should look and how I should approach
> this challenge.
> 
> I want to route some traffic through a remote computer (R) to my home
> computer (H). In particular I want to have the ability to surf the Web
> as if I was sitting at computer R. Right now I can already do that using
> the text browser Lynx after connecting via SSH.
> 
> R is a somewhat puny 133MHz Pentium with 72MB of RAM and ~100MB of free
> disk space. It is running Debian GNU/Linux with a 2.4.13 kernel (that
> took a rather long time to compile). X is not installed (the display
> card is also not compatible, but I imagine that wouldn't matter with a
> remote connection).
> 
> I can SSH from H to R. All other ports to R are blocked. So to connect
> to another port on R, R itself would have to open the connection to H.
> 
> Instead of using X or VNC I would like to somehow use IP Masquerading
> for just some chosen traffic (it would be the most efficient solution).
> However I can't see how it would work yet.
> 
> So thanks for any preliminary help.


Another way of doing it, a bit more unsecure maybe, would be to
install a proxyserver on R and only accept connections from H.

Hans Ekbrand





Re: Some routing advice (connecting through SSH)

2001-10-25 Thread Adam Warner
On Fri, 2001-10-26 at 01:04, George Karaolides wrote:
> 
> Hi,
> 
> I need a bit more info. to start thinking about your question.

I'm still up, barely :-)

> How do you connect from H to R?  Through the Internet?

Yes.

> If so, does your Internet connection (that you use to connect H to the 
> Internet) have a
> static IP address or a dynamic one?

Static, permanent connection.

> Another point:  It seems to me as if you'll be trying to use a
> server hosted at an ISP as a masquerading gateway for your home LAN.

Hey, hold on a minute! You're _way_ off base. What? Server hosted at an
ISP? No!

> You
> may well be able to do it, and the ISP may well not catch you at it,
> for a while anyway, but if the ISP sees this as violating the service
> agreement they have with whoever they're hosting the server for (you?) and
> they do find out, you are in for trouble.

For what? I won't be in trouble for anything. Please don't jump to
conclusions. If I was trying to do something naughty I wouldn't be using
my real name (and please note that I use my real name in _all_ my
communications).

Thanks anyway for being concerned. I only want to implement a very
limited system for only specific browser traffic so I can perform
searches on databases accessible at my Institution from my home computer
(just like having a remote desktop, but as I say I'd like it to be more
efficient). And I discussed it with my Department's computer support
(his suggestion was to tunnel X through SSH). Even though I've never
done that before I'd like to try and do it more efficiently (and also
work more productively--If you go to save a document on a remote desktop
it has only been saved to that computer. Then I'd need to use something
like sftp to download it to my computer. Much better if I could operate
as if I was at that machine).

> The traffic won't be difficult
> to spot; servers are expected to be serving out a lot of stuff, not to
> have a lot of incoming traffic.

Did I say there would be a lot of traffic or did I specifically say "for
just some chosen traffic"? My Institution will be able to see all
traffic going to my "R" computer. I would be very foolish to route
personal traffic through my Institution's network.

Regards and good night,
Adam




Re: Some routing advice (connecting through SSH)

2001-10-25 Thread George Karaolides

Hi,

I need a bit more info. to start thinking about your question.

How do you connect from H to R?  Through the Internet?  If so, does your
Internet connection (that you use to connect H to the Internet) have a
static IP address or a dynamic one?  Is it "permanent" (DSL, Frame Relay,
ATM etc.) or dialup (PSTN, ISDN etc.)?

Another point:  It seems to me as if you'll be trying to use a
server hosted at an ISP as a masquerading gateway for your home LAN.  You
may well be able to do it, and the ISP may well not catch you at it,
for a while anyway, but if the ISP sees this as violating the service
agreement they have with whoever they're hosting the server for (you?) and
they do find out, you are in for trouble.  The traffic won't be difficult
to spot; servers are expected to be serving out a lot of stuff, not to
have a lot of incoming traffic.

Best regards,

George Karaolides   8, Costakis Pantelides St.,
tel:   +35 79 68 08 86   Strovolos, 
email: [EMAIL PROTECTED]   Nicosia CY 2057,
web:   www.karaolides.com  Republic  of Cyprus


On 25 Oct 2001, Adam Warner wrote:

> Hi all,
> 
> I just need to understand where I should look and how I should approach
> this challenge.
> 
> I want to route some traffic through a remote computer (R) to my home
> computer (H). In particular I want to have the ability to surf the Web
> as if I was sitting at computer R. Right now I can already do that using
> the text browser Lynx after connecting via SSH.
> 
> R is a somewhat puny 133MHz Pentium with 72MB of RAM and ~100MB of free
> disk space. It is running Debian GNU/Linux with a 2.4.13 kernel (that
> took a rather long time to compile). X is not installed (the display
> card is also not compatible, but I imagine that wouldn't matter with a
> remote connection).
> 
> I can SSH from H to R. All other ports to R are blocked. So to connect
> to another port on R, R itself would have to open the connection to H.
> 
> Instead of using X or VNC I would like to somehow use IP Masquerading
> for just some chosen traffic (it would be the most efficient solution).
> However I can't see how it would work yet.
> 
> So thanks for any preliminary help.
> 
> Regards,
> Adam
> 






Some routing advice (connecting through SSH)

2001-10-25 Thread Adam Warner
Hi all,

I just need to understand where I should look and how I should approach
this challenge.

I want to route some traffic through a remote computer (R) to my home
computer (H). In particular I want to have the ability to surf the Web
as if I was sitting at computer R. Right now I can already do that using
the text browser Lynx after connecting via SSH.

R is a somewhat puny 133MHz Pentium with 72MB of RAM and ~100MB of free
disk space. It is running Debian GNU/Linux with a 2.4.13 kernel (that
took a rather long time to compile). X is not installed (the display
card is also not compatible, but I imagine that wouldn't matter with a
remote connection).

I can SSH from H to R. All other ports to R are blocked. So to connect
to another port on R, R itself would have to open the connection to H.

Instead of using X or VNC I would like to somehow use IP Masquerading
for just some chosen traffic (it would be the most efficient solution).
However I can't see how it would work yet.

So thanks for any preliminary help.

Regards,
Adam