Overlay network solutions like nebula or tailscale and VPN (IPsec using strongSwan, or WireGuard) are better solutions. IMPORTANT: This works fine as a PoC or temporary workaround but NOT suitable as highly-available, secure, reliable and scalable long term solution. However, the Linux server can ssh to the EC2 instance (via NAT gateway) in the reverse direction. NOTE: In this case the SSH client (laptop) CANNOT directly access the Linux server (SSH port 22) behind firewall (no access to edge router or gateway to configure port forwarding). Then in the already established SSH session (on the EC2 instance), open a tmux session and connect to port 22222 bind to the loopback address: ssh -p 22222 public key or host-based authentication is configured, you should be now into the Linux Server through the middle man -D On the laptop, establish SSH connection to the EC2 instance (optionally acts as SOCKS server using -D which does dynamic application level port forwarding) ssh -D 1080 applications can use localhost:1080 as SOCKS5 proxy, communication between laptop and the EC2 instance is encrypted and secure. Iptables -A INPUT -p tcp -i -m multiport -dport 12222,22222 -j DROP NOTE: if the same trick has been used multiple times, occupying port 12222, 22222, etc iptables -A INPUT -p tcp -i -dport 22222 -j DROP Ssh -R 22222:localhost:22 access to port 22222 on public facing network interfaces (elastic IP, this can be done by using security group, too, but at a different layer - Linux bridge iptables in hypervisor dom0) by using iptables, e.g. Ssh -R 22222:*:22 want to save step 3? bind to loopback only # * indicates that the port should be available from all interfaces On the Linux Server behind firewall (reverse direction) On the middle EC2 instance (Linux), set GatewayPorts yes in sshd_config /etc/ssh/sshd_config, restart sshd ( systemctl restart rvice).Įstablish SSH connection from Linux Server (behind firewall) to the EC2 instance Sshd EC2 Instance Linux Server (behind NAT) Use SSH Port Forwarding (Tunnel) To Access Server Behind Firewall / NAT Gateway Otherwise, use Proxy Switchy! extension to switch proxy settings. %userprofile%\AppData\Local\Google\Chrome\Application\chrome.exe -proxy-server=socks5://localhost:port Application/Google\ Chrome.app/Contents/MacOS/Google\ Chrome -proxy-server=socks5://host:port Google-chrome -proxy-server=socks5://localhost:port Option 2: pass the parameter when launching chrome, create a launcher or shortcut IMPORTANT NOTE: For DNS to be encrypted as well, consider running dnscrypt-proxy locally, or use DNS over TLS / DNS over HTTPS (e.g. If NOT in PRC, it protects your privacy -) This is normally used to avoid GFW DNS pollution/spoofing in China mainland. Note: set _remote_dns to true, use remote socks5 proxy (SSH Host) to lookup DNS instead of local DNS. How to browse via the secure tunnel (SOCKS5 proxy)? NOTE: If you feel the options are too hard to remember, just use a simple version: Above Transport layer, below presentation. NOTE: SOCKS5 operates in layer 5 (session) of the OSI model. In addition, putty-tools package provides plink which is very useful, here is a simple sample which shares the tunnel with all other hosts in the LAN. In addition on a slow connection you can gain performance by enabling compression with the -C option. g Allows remote hosts to connect to local forwarded ports, share the SOCKS5 proxy across the network ( GatewayPorts in ssh_config) D specifies a local "dynamic" application level port forwarding ( DynamicForward in ssh_config) This MUST be used when ssh is running in the background. n Redirects stdin from /dev/null (actually, prevents reading from stdin). This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. f Requests ssh to go to background just before command execution. When a connection is made to this port, the connection is forwarded over the secure tunnel, and the application protocol is then used to determine where to connect to from the remote hostīy default the local port is bound in accordance with the GatewayPorts setting SSH Dynamic Application Level Port Forwarding via SOCKS5Įstablish SSH connection to target host ( sshd)ĭynamic application-level port forwarding by allocating a socket to listen to port on the local side, optionally bound to bind_address
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |