Friday, 26 August 2011

Check machine firewall if you are configuring network firewall

I have wasted 2 days of my time trying to figure out what is really happening with my firewall config. The story is like this. I tried to configure a 3 NIC firewall machine for my office using Shorewall. For the DMZ zone, I put a test machine with Apache HTTPD installed to test if I can connect to it. With example from this site: http://www.shorewall.net/three-interface.htm . I can have my laptop in the local area to surf the Internet by configuring NAT/MASQ. I can SSH to the test web server, I can ping the server, but what really bugging me is that I cannot access the test web page hosted on the server.

When I tried to connect from firewall to the web server in DMZ by using links/elinks, the application returned error "No route to host". Weird. I tried to check my routing table, and search the Internet for clue. Tried to play around with default gateway for the DMZ, but in the end, I still cannot connect to the web server.

I even scrapped the whole thing and start again from scratch by following the example from this website: http://wiki.debian.org/HowTo/shorewall . Still cannot access.

Then, while searching for solution on the Internet again, I found a forum that ask a poster whether the firewall on the machine itself is turned on. That struck me like lightning. I straight away SSH to the web server in the DMZ and issue the command "service iptables stop".

Going back to my laptop and hit refresh in the web browser, voila!! The page is there!!

I slapped my forehead 3 times for this silly mistake :D

So, moral of the story, if you are configuring firewall for your network, make sure you turn off firewall on the machine so that you are not being fooled into thinking that your firewall configuration is problematic.

2 day wasted, but really priceless experienced learned :)

By the way, Shorewall really rocks :)

Tuesday, 2 August 2011

SSH reverse tunnel one way connection with HTTP proxy

Wow..  the title is so long. But I think I need to title this post like that so that Google or other search engine can find it easily.

Now, let's proceed with the blog post.

Consider this scenario:
  • You need to connect to a CentOS Linux server on your customer's data center
  • The server outgoing connection is blocked by external firewall beyond your control, which means you cannot SSH to other server on the Internet
  • You need to update the software installed on the server by using Yum
  • You are connected to the CentOS Linux server by using Windows desktop and Putty
How are you going to solve the issue?

Most solution on the Internet shows the SSH reverse tunnel method with the assumption that you can SSH to external server on the Internet, and use that tunnel to forward whatever port that you want to use. That might not always be the case.

This is the solution that I have created that will show you how to solve the scenario above. It will require:
  1. Windows desktop
  2. Putty SSH client
  3. AnalogX proxy
The idea is to create port 8080 on CentOS Linux server, that will be forwarded to the Windows desktop on port 6588. AnalogX will use the port 6588 to proxy the Internet connection on the Windows desktop.

So, how to configure this stuff?

1. Configure Putty

Launch your Putty SSH client and click Session. Fill in your CentOS Linux server domain name or IP address. Make sure the port is correct.



Now, click Tunnels under SSH under Connection. Fill in the information as in the image below. Make sure you select the Remote option. Click Add.


After you click Add, your setting will be like this image.


Now, click Open, and login to the server as root. If you run the command
# netstat -nap |grep 8080

you will found out that port 8080 is available on the server and in LISTEN mode, as shown in the image below.


Left it there for a moment, while we setup the AnalogX proxy.


2. AnalogX proxy

AnalogX proxy is a freeware simple proxy software for Windows. You can download the software from its website at http://analogx.com/contents/download/Network/proxy/Freeware.htm

Install the software as normal, and launch it after installation. You will see the AnalogX proxy icon on your Windows taskbar.


Right click the icon, and click Configure. You will be shown the configuration as below. Make sure at least HTTP is ON.


With AnalogX proxy running, you have establish outgoing connection from the Linux server to your desktop by using SSH tunnel.
3. Configure Yum

Now, in order to update the software installed on the Linux server, Yum must know how to connect to the Yum repositories that contain updates.

Luckily, Yum only need to know the http proxy available, and an update can be performed easily.

To make Yum use http proxy, type this command as root

# export http_proxy=http://localhost:8080

This command will configure system-wide proxy setting for the Linux server.

When you issue the command

# yum check-update

Yum will use the http proxy connection that you have created through SSH tunnel from your Windows desktop, to the AnalogX proxy running on your desktop, to the Internet.


Conclusion
The solution that I have created above will help you to achieve your goal to update the CentOS Linux server with the latest update. This setup will also work for apt tools in Debian and Debian-derivatives

If you are using Linux desktop, you can change AnalogX proxy with 3proxy, Squid, or nginx. The SSH remote port can be configured by using simple SSH options. The details is for you to figure out ;)