Linux – How to route traffic from ssh server to the local machine

Tags: linux, networking, routing, ssh

I am a student at a college. In my school, we have this strange rule that after 12 midnight, there is an internal LAN Ban. That means I am able to connect to the internet (external traffic) while sitting in my room, but I can't access most of the internal servers (say B) through the LAN, except for one server (say A). I can ssh to that machine (A) and ping other internal servers (B) and even ssh to them.

My College has its own hosted mirrors (B) for various distributions (http://mirror.cse.iitk.ac.in). I have configured package managers to use this mirror and during the day time, it works flawlessly and downloads happen at a whopping 10+ MB/s (it's LAN), but during the nights when the LAN Ban is in action, I have to use other Indian Mirrors to download/update packages which is pathetically slow compared to the former.

What I want to achieve is to write a script to route the traffic from server A to my local machine since A can access the mirror (B) even during the LAN Ban hours. I googled it up but didn't get what I wanted to do. In short, I want to set up a reverse-proxy like thing that makes my local machine access the mirror (B) by routing the traffic from A.

Is it possible? I am still a newbie and learning things. Any kind of help would be greatly appreciated.

Thanks in advance!

Best Answer

Let's cover all possible bases.

Method 1

Firstly, for the mirror. mirror.cse.iitk.ac.in is an external mirror, and has an external IP. Which means you can access it with an external IP address. At the time of writing, this resolves to 202.3.77.108. Use that in your mirror configuration file, and you should get speeds as good as on LAN (in my experience).

Method 2

Now, coming to the server A (which I'm assuming is webhome.cc.iitk.ac.in). Use an ssh tunnel. In short:

ssh -L8000:mirror.cse.iitk.ac.in:80 <username>@webhome.cc.iitk.ac.in

Keep the above ssh running (you can daemonize the command with a combination of -N and -f). Now, in your configuration file, instead of

http://mirror.cse.iitk.ac.in/

use

http://localhost:8000/

I wrote an article on port forwarding when I learnt about it. So this should be helpful to understand how the above works.

Comments

Next doubt (from my experience) will be about keeping ssh connected in background (reconnect if disconnect). Look into adding KeepAlive, ServerAliveInterval parameters in .ssh/config file ;)

Edit

I noticed that in the comments you said port forwarding is out of the question since you don't have root access on the server. The above command does not require root access on the server because of several reasons.

  1. The port is mapped on YOUR computer (not on the server). i.e. You will finally be listening on localhost:8000.
  2. Listening on ports which are greater than 1024 (8000 in this case) does not anyway require root access.

Notes

  1. If this was https, you'd be forwarding the requests to port 443 of mirror.cse.iitk.ac.in (instead of 80).

  2. The request goes like this:

YOU --> localhost:8000 (your PC) --via-ssh-tunnel-> webhome (forwards it to mirror:80) --> mirror.cse.iitk.ac.in (and then the reverse)
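
The forward from Method 2 as a small script, added here as an example and not part of the original answer. It pins the listener to 127.0.0.1 so other hosts on the network cannot use the tunnel, makes the backgrounded ssh fail if the forward cannot be set up, and adds the keep-alive settings mentioned in the comment. The function names, the 30-second interval and the `start` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example. Hosts and port 8000 are the ones used in the answer;
# function names and the keep-alive values are assumptions.
JUMP_HOST="webhome.cc.iitk.ac.in"     # server A, as assumed in the answer
TARGET_HOST="mirror.cse.iitk.ac.in"   # mirror B
TARGET_PORT=80
LOCAL_PORT=8000

# Accept only a numeric, unprivileged TCP port (no root needed to listen).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line for the local forward.
tunnel_cmd() {
    user=$1
    port=${2:-$LOCAL_PORT}
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "bad username" >&2; return 1 ;;
    esac
    valid_port "$port" || { echo "bad local port: $port" >&2; return 1; }
    # -f -N: go to background, run no remote command.
    # ExitOnForwardFailure: do not stay up without the forward.
    # ServerAlive*: detect a dead connection after about 90 seconds.
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$port" "$TARGET_HOST" "$TARGET_PORT" "$user" "$JUMP_HOST"
}

# Filter: rewrite mirror URLs on stdin to point at the local end of the tunnel.
rewrite_mirror() {
    pat=$(printf '%s' "$TARGET_HOST" | sed 's/\./\\./g')   # escape dots for sed
    sed "s#http://$pat/#http://localhost:${1:-$LOCAL_PORT}/#g"
}

# Usage: sh tunnel.sh start <username>
if [ "${1:-}" = "start" ] && [ -n "${2:-}" ]; then
    cmd=$(tunnel_cmd "$2") || exit 1
    echo "$cmd"
    $cmd    # word splitting intended: validated arguments contain no spaces
fi
```

Pipe a copy of the package manager's mirror list through `rewrite_mirror` rather than editing it in place, so the daytime configuration is easy to restore.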
