With SSH only: reverse tunnel web access via ssh SOCKS proxy
Once in a while I have to connect to a server where access is highly restricted.
Only inbound SSH via VPN is allowed by the DMZ firewall.
Outbound HTTP connections are blocked.
I'm looking for an easy way to tunnel web access through my SSH session, so I can install updates and software via yum / apt-get. Ideally, I would like to avoid installing additional software/services in the protected area.
What do you do in such a situation?
SSH has the -D <port> SOCKS proxy option. But unfortunately it's only one-way from client to server and there is no reverse option.
I finally managed to accomplish this with ssh only:
- start a local SOCKS proxy on your client machine (using ssh -D) EDIT: not necessary with SSH>7.6
- connect to remote server and set up a reverse port forwarding (ssh -R) to your local SOCKS proxy
- configure the server software to use the forwarded proxy
1. Start local socks proxy in the background
EDIT SSH>7.6 allows a simpler syntax to start the proxy. Skip this and continue with step 2!
Connect to localhost via SSH and open SOCKS proxy on port 54321.
$ ssh -f -N -D 54321 localhost
-f runs SSH in the background.
Note: If you close the terminal where you started the command, the proxy process will be killed. Also remember to clean up after yourself by either closing the terminal window when you are done or by killing the process yourself!
2. connect to remote server and set up reverse port forwarding
Bind remote port 6666 to local port 54321. This makes your local socks proxy available to the remote site on port 6666.
$ ssh root@target -R6666:localhost:54321
EDIT SSH>7.6 allows a simpler syntax to start the proxy! Step 1 is not needed then:
$ ssh root@target -R 6666
3. configure the server software to use the forwarded proxy
Just configure yum, apt, curl, wget or any other tool that supports SOCKS to use the proxy 127.0.0.1:6666.
Voilà! Happy tunneling!
4. optional: install proxychains to make things easy
proxychains installed on the target server enables any software to use the forwarded SOCKS proxy (even telnet). It uses an LD_PRELOAD trick to redirect TCP and DNS requests from arbitrary commands into a proxy and is really handy.
Set up /etc/proxychains.conf to use the forwarded socks proxy:
[ProxyList]
# SSH reverse proxy
socks5 127.0.0.1 6666
Tunnel arbitrary tools (that use TCP) with proxychains:
$ proxychains telnet google.com 80
$ proxychains yum update
$ proxychains apt-get update
Newer versions of SSH allow using the very simple option ssh -R <[bind_address:]port>. Using only the port on the host and maybe the bind address, but not specifying the client side port, will create a reverse SOCKS proxy.
This is also stated in the man pages of newer SSH versions:
[...] if no explicit destination was specified, ssh will act as a SOCKS 4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.
You can test this with curl connecting to a simple "give me my IP"-API like http://ifconfig.io.
$ curl ifconfig.io
vs
$ curl --socks5 localhost:<PORT> ifconfig.io
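An added check, not part of either answer: the forwarded port is a SOCKS proxy into the client's network for whoever can reach it, and ssh -R binds it to the server's loopback by default but can bind wider when a bind_address is given and the server's GatewayPorts option is enabled. The helper name forward_exposure and the sample ss lines are constructed for illustration; port 6666 is the one used above.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the answers above).
# Reads `ss -ltn` style lines on stdin, where column 4 is the local
# address:port, and classifies how PORT is bound. Prints one of:
#   not-listening | loopback-only | exposed
forward_exposure() {
    awk -v port="$1" '
        {
            n = split($4, parts, ":")
            if (parts[n] != port) next            # other port, or header line
            # Everything before the last ":" is the bind address.
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            seen = 1
            if (addr !~ /^127\./ && addr != "[::1]") exposed = 1
        }
        END {
            if (!seen)        print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample: the default ssh -R binding (loopback only).
sample_loopback() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
LISTEN 0 128 127.0.0.1:6666 0.0.0.0:*
LISTEN 0 128 [::1]:6666     [::]:*
EOF
}

# Constructed sample: the same port bound to every interface.
sample_wildcard() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
LISTEN 0 128 0.0.0.0:6666 0.0.0.0:*
EOF
}

echo "default binding:  $(sample_loopback | forward_exposure 6666)"
echo "wildcard binding: $(sample_wildcard | forward_exposure 6666)"
# On the server itself: ss -ltn | forward_exposure 6666
```

A loopback-only result still means every local user and process on the server can use the proxy for as long as the SSH session stays open.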