[TriLUG] SSH question ( 14th )

Maxwell Spangler via TriLUG trilug at trilug.org
Mon Jun 14 18:33:16 EDT 2021


On Mon, 2021-06-14 at 10:02 -0400, Brian McCullough via TriLUG wrote:
> To the Oracle:
> I am trying to work out an SSH Port Forwarding issue.
> I have three machines, A, B and C.
> 
> A is my local machine
> B is a machine that I can reach via a VPN
> C is a machine that B can reach but, due to firewall rules, I can not
> 
> 
> I am trying to look at a web site on C

Here's what works for me:

1. Establish a connection with an SSH host on the edge of your remote,
secure network that acts like a Bastion/Tunnel node and keeps port 9998
open as a SOCKS proxy.

2. Let that connection sit; it waits on localhost:9998 for traffic to
forward.

3. Use 'proxychains4' on the CLI to tell apps like curl that you want
them to go through the proxy not just out to the internet.
 'proxychains' and 'tsocks' (another "proxifier app") are nice because
you can take CLI apps not proxy-aware and use proxychains/tsocks as a
shim to make them go through a proxy. Not all CLI commands work, but
curl/wget should.

3P - You can get curl to go through the proxy without proxychains, too,
see below.

4. Use FoxyProxy, a Firefox or Chrome plugin, to identify patterns in
URLs and send them through the proxy, while sending non-matching
patterns direct to the internet.
- Optionally you can control FoxyProxy and tell it to send everything
through the proxy.

* * *

When you are debugging this, start with the http server and make sure
it responds to HTTP/80, such as logging into it and doing 'curl
127.0.0.1'.

Then work your way away from it, such as SSH into your VPN node and
curl the name of the http server. (I see you've done this, good)

Then try variations of what I use as suggested below.

Here is a really nice web page on SSH tunnels with good diagrams:

https://robotmoon.com/ssh-tunnels/

This stuff is tricky because it relies on various things working and
when they don't work, it just don't work, it's not very helpful in
telling you why. But this is a good chance to learn more about the
components involved, so be patient.


Details =============

1. Configure a bastion host with Dynamic Forwarding -- This is the -D
option on the command line.  Here my bastion is an AWS node in a public
subnet that allows incoming SSH connections.

----- $HOME/.ssh/config -----

Host ohio-tunnel1 tunnel
User ec2-user
HostName ec2-99-999-999-999.us-east-2.compute.amazonaws.com
DynamicForward 9998
ServerAliveInterval 240
ServerAliveCountMax 4
LogLevel VERBOSE
IdentitiesOnly yes
IdentityFile ~/.ssh/aws-ohio.pem
------

2. Establish a connection with the tunnel and let it sit. This SSH
session listens on local workstation port 9998 for traffic to forward
through the tunnel.

$ ssh tunnel

The equivalent CLI command without the config file is something like
this.  This is what works for me.

$ ssh -o IdentitiesOnly=yes -o IdentityFile=~/.ssh/aws-ohio.pem -D 127.0.0.1:9998 ec2-user@ec2-99-999-999-999.us-east-2.compute.amazonaws.com

and the IdentitiesOnly/IdentityFile stuff is pointing to a specific
SSH key, not related to proxy business.


3a. Proxychains + CLI

Create a proxychains.conf file in $HOME/.proxychains.conf

------ $HOME/.proxychains.conf ----

remote_dns_subnet 224 

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

# Don't proxy my two local home networks
localnet 192.168.9.0:80/255.255.255.0
localnet 192.168.20.0:80/255.255.255.0

#
[ProxyList]
# Proxy through SSH tunnel to maxlabcloud VPC in AWS
# Yes, socks4
socks4 127.0.0.1 9998

-------

3b. Use proxychains4 on the command line to tell curl to forward
traffic through localhost port 9998. This tunnels it through the
bastion/tunnel host and out the other side to an internal server
running http.

(this is from my local workstation)

$ proxychains4 -f ~maxwell/.proxychains.conf curl ip-10-0-211-21.us-east-2.compute.internal

[proxychains] config file found: /home/maxwell/.proxychains.conf
[proxychains] preloading /usr/lib64/proxychains-ng/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] Strict chain ... 127.0.0.1:9998 ... ip-10-0-211-21.us-east-2.compute.internal:80 ... OK
<html>
<body>
<h1>Experimental Webserver!</h1>
<p>
Service: Public Webserver<br>
<p>
Instance ID: i-0bbc5990b26b0d678<br>
<p>
Local hostname: ip-10-0-211-21.us-east-2.compute.internal<br>
Local IPV4: 10.0.211.21<br>
...

3p. Here's the syntax for making curl go through an SSH proxy:

$ curl -x socks5h://127.0.0.1:9998 http://ip-10-0-211-21.us-east-2.compute.internal
<html>
<body>
<h1>Experimental Webserver!</h1>
<p>
Service: Public Webserver<br>
<p>
Instance ID: i-0bbc5990b26b0d678<br>
----

4. In Firefox, I use the FoxyProxy plugin to route traffic through the
tunnel.

- Configure a SOCKS5 type proxy.  Yes, SOCKS5.
- proxy ip 127.0.0.1
- proxy port 9998
- Enable option 'send DNS through SOCKS5 proxy'

Configure FoxyProxy to identify patterns I want proxied, such as
internal AWS Cloud EC2 instances and Load Balancers:

*.us-east-2.compute.internal*
internal-*.us-east-2.elb.amazonaws.com*

4b. Now if I put in the name of a private node within my AWS cloud
network, FoxyProxy recognizes the pattern, tunnels it through the SSH
session and transparently brings the content back.  I think this is
ultimately what you're looking for?

Firefox, Location: http://ip-10-0-211-21.us-east-2.compute.internal
(webpage)

There is a nice Log feature within FoxyProxy that will tell you what
URLs you've called that match and those that don't, so you can use it
to get a little assistance working out the wildcard patterns.

Hope this helps, good luck!

-- 
Maxwell Spangler
===================================================================
Denver, Colorado, USA
maxwellspangler.com
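
Added example, not part of the original message: when debugging step 2, it is worth confirming that the -D / DynamicForward listener on port 9998 is bound to loopback only, because a SOCKS listener on a wildcard or LAN address lets other hosts on the workstation's network use the tunnel. The function name and the sample `ss -ltn` lines below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Classify where the SSH dynamic
# forward (SOCKS) listener is bound, reading `ss -ltn` output on stdin.
# Prints one of: loopback | exposed | absent
socks_listener_scope() {   # hypothetical helper name
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")      # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            # Anything outside 127.0.0.0/8 or [::1] may be reachable by other hosts.
            if (addr !~ /^127\./ && addr != "[::1]") exposed = 1
        }
        END {
            if (!found)       print "absent"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# Constructed sample: loopback-only listeners on 9998, plus an unrelated
# sshd on port 22 that must not affect the result.
SAMPLE_LOOPBACK='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9998 0.0.0.0:*
LISTEN 0 128 [::1]:9998 [::]:*'

# Constructed sample: the forward bound to the wildcard address, as happens
# with a bind address of 0.0.0.0 or with GatewayPorts enabled on the client.
SAMPLE_WILDCARD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9998 0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | socks_listener_scope 9998
printf '%s\n' "$SAMPLE_WILDCARD" | socks_listener_scope 9998

# Live use on the workstation while the tunnel is up:
#   ss -ltn | socks_listener_scope 9998
```

A result of "absent" while the SSH session is open means the forward was never set up, which is worth ruling out before looking at proxychains or FoxyProxy settings.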

