
Solved

SSH Tunneling with multiple hops

Posted on 2011-05-03
Medium Priority
987 Views
Last Modified: 2012-05-11
Hi experts,

I would like to set up a multi-hop SSH tunnel to anonymize web browsing in such a way that none of the hops might know both the originating IP and the http request at the same time.
Ideally speaking (in a Client > Server1 > Server2 > website.com setup):

Server1 can see the originating client's IP but not the http request in clear.
Server2 can see the http request, but sees Server1 as the originator and doesn't see Client's IP at all.
website.com receives the http request and just sees Server2 as the originator.

The tricky part for me is the first one, as I know how to set up an SSH tunnel over multiple servers, but I don't know how to hide from Server1 the http request.

I'm using Ubuntu with OpenSSH on the servers and PuTTY on the client.

Any hints?

Many thanks in advance,
Jay
0
Comment
Question by:jiiins2
15 Comments
 
LVL 11

Expert Comment

by:pmasotta
ID: 35512898
I think you can do this with iptables SNAT+DNAT simultaneously on Server1

the prerouting DNAT rule will replace the destination IP allowing external requests to reach your server2
and the postrouting SNAT rule will hide the request source IP address replacing it with Server1's own IP
0
 
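The following is an added example of the two-rule relay pmasotta describes, written as a POSIX sh script for Server1; it is not code from the thread. Everything specific in it is an assumption: the relay port 2222, Server2 at 203.0.113.20 (a documentation address, not a real host), Server1's public interface eth0, and the IPTABLES and SYSCTL variables, which exist only so the rules can be dry-run with echo instead of applied. With these rules in place the client points PuTTY at Server1 port 2222 and adds a dynamic (SOCKS) forward; the SSH session terminates on Server2, so Server1 sees the client's IP and SSH ciphertext only, Server2 sees a connection from Server1 (that is what the SNAT rule buys; without it Server2 would see the client's IP in the forwarded packets) plus the plaintext HTTP, and the website sees Server2.

```shell
#!/bin/sh
# Server1 as a NAT relay for SSH (added example, not from the thread).
# Assumed values: relay port 2222, Server2 = 203.0.113.20, WAN interface eth0.
# IPTABLES/SYSCTL are overridable only for dry runs (IPTABLES=echo SYSCTL=echo);
# on a real Server1 leave them unset and run the script as root.

IPTABLES="${IPTABLES:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Accept only a TCP port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    rest="$1."
    n=0
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"
        rest="${rest#*.}"
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# apply_server1_nat RELAY_PORT SERVER2_IP [WAN_IF]
# Installs the DNAT and SNAT rules plus the FORWARD permits that a host with
# a default-DROP forward chain needs for the relayed flow to pass.
apply_server1_nat() {
    relay_port="$1"
    server2="$2"
    wan_if="${3:-eth0}"
    valid_port "$relay_port" || { echo "bad port: $relay_port" >&2; return 1; }
    valid_ipv4 "$server2"    || { echo "bad IPv4 address: $server2" >&2; return 1; }

    # Server1 must route the client's packets, not just terminate them.
    "$SYSCTL" -w net.ipv4.ip_forward=1

    # PREROUTING DNAT: a client connecting to Server1:RELAY_PORT is handed to
    # Server2:22. The SSH session therefore terminates on Server2, and Server1
    # only ever relays SSH ciphertext.
    "$IPTABLES" -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$relay_port" \
        -j DNAT --to-destination "$server2:22"

    # POSTROUTING SNAT: rewrite the source so Server2 sees Server1, not the
    # client. MASQUERADE uses whatever address eth0 currently has; on a
    # static-IP host "-j SNAT --to-source <Server1 IP>" is equivalent.
    "$IPTABLES" -t nat -A POSTROUTING -o "$wan_if" -p tcp -d "$server2" --dport 22 \
        -j MASQUERADE

    # Let the rewritten flow and its replies through the filter table.
    "$IPTABLES" -A FORWARD -p tcp -d "$server2" --dport 22 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -p tcp -s "$server2" --sport 22 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

Two checks belong with this setup. First, the host key PuTTY shows on the first connection to Server1:2222 must be Server2's, verified against a fingerprint obtained some other way: Server1 cannot read the session as configured, but whoever controls Server1 could point the DNAT at its own sshd instead, and a trusted fingerprint is the only thing that distinguishes the two. Second, the browser must send DNS lookups through the SOCKS proxy (in Firefox, a SOCKS5 proxy with network.proxy.socks_remote_dns set), otherwise every hostname the client visits leaks to the client's own resolver before the request ever enters the tunnel. Server1 still sees connection timing and volume; only the content is hidden from it.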

Author Comment

by:jiiins2
ID: 35517913
I think I'm achieving the same result by using the second SSH tunnel (between Server1 and Server2) and Squid on Server1. But I'm a newbie... does your solution make it impossible for Server1 to see the http request?

Thanks!
0
 
LVL 11

Expert Comment

by:pmasotta
ID: 35534000
yes... it would just pass through encrypted...
plus your solution is way slower because it uses Squid

give it a try, it takes just 2 rules on iptables
0
 

Author Comment

by:jiiins2
ID: 35568599
Ok, sorry for my ignorance, but I think I'm missing something:
Since the http request is encrypted by the SSH tunnelling which runs from Client to Server1, how would Server2 be able to decrypt it?
0
 
LVL 11

Expert Comment

by:pmasotta
ID: 35687592
let's say we browse some https page: the traffic gets encrypted at your browser and decrypted at your server, and vice versa...
but what gets encrypted is the IP payload, not the IP addressing scheme that allows the packet to be delivered correctly.
that's why we need some "man-in-the-middle" performing your additional security requirements.
as I said, I think in your case iptables is your best bet...
0
 

Author Comment

by:jiiins2
ID: 35687677
But what about plain http pages?
0
 
LVL 11

Expert Comment

by:pmasotta
ID: 35687718
plain http pages are not encrypted, and you decide what to do with them at Server1: you can route them to Server2, drop them, or whatever you want to do.

bottom line: if I want security on traffic payload I use HTTPS, SSH, etc., and there's only one encrypt/decrypt process per communication
0
 

Author Comment

by:jiiins2
ID: 35688074
But that's my problem... for example client needs to be able to google some info and Server1 must not be able to see "http://www.google.com/search?q=some+info", but forward it "blindly" to Server2 where it gets decrypted and handled.

Thanks for your patience...
0
 
LVL 11

Expert Comment

by:pmasotta
ID: 35688335
not a problem...

even with a double tunnel Server1 will see the content, plus it is very inefficient decrypting/encrypting again...
what about some VPN? but that implies your clients do not rely on standard https/ssh protocols and they have to log into the VPN first! plus you have to add the iptables thing in order to mask the IPs....
0
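A distinction matters for the "double tunnel" discussed above. If the client's SSH session terminates on Server1 and a second forward from Server1 carries the HTTP on to Server2, Server1 handles the plaintext between the two legs. A jump-host setup is different: the client itself runs the second ssh through a TCP channel that Server1 opens to Server2:22, and that inner session negotiates its keys end to end with Server2, so Server1 relays ciphertext and learns only the client's IP and the fact that it connected on to Server2. The script below is an added example of that client side for OpenSSH, not something from the thread; the hostnames server1.example and server2.example, the SOCKS port 1080, an OpenSSH client with ProxyJump (7.3 or later) and an unhashed known_hosts file are all assumptions, and SSH is a variable only so the command can be dry-run with SSH=echo. PuTTY can do the same thing with a Local proxy running plink in its -nc mode, as its documentation describes.

```shell
#!/bin/sh
# Client-side jump-host SOCKS tunnel (added example, not from the thread).
# Assumed hosts: server1.example (relay), server2.example (exit), SOCKS port 1080.
# SSH is overridable only for dry runs (SSH=echo); normally leave it unset.

SSH="${SSH:-ssh}"

# write_sample_known_hosts FILE
# Writes a constructed known_hosts file for the dry run. The key blobs are
# placeholders, not real keys. A real file is built from ssh-keyscan output
# after checking each fingerprint against one obtained out of band.
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
server1.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORSERVER1NOTAREALKEYxxxx
server2.example,203.0.113.20 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORSERVER2NOTAREALKEYxxxx
|1|hashedentry/notmatchedbythisscript= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER
EOF
}

# require_pinned_host KNOWN_HOSTS HOST
# Succeeds only if HOST already has an (unhashed) entry in KNOWN_HOSTS.
# The inner session's host key is Server2's; pinning it in advance means a
# Server1 that substituted its own sshd is refused rather than accepted on
# first use. Hashed (|1|...) and @marker lines are skipped; use
# "ssh-keygen -F host -f file" for hashed files.
require_pinned_host() {
    known_hosts="$1"
    host="$2"
    [ -r "$known_hosts" ] || return 1
    awk -v host="$host" '
        $1 !~ /^[@|#]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name)          # [host]:port form
                sub(/\]:[0-9]+$/, "", name)
                if (name == host) { found = 1; exit }
            }
        }
        END { exit !found }' "$known_hosts"
}

# start_socks_tunnel SERVER1 SERVER2 SOCKS_PORT KNOWN_HOSTS
# The outer session goes to SERVER1; -J makes it open a channel to
# SERVER2:22 through which the inner session is negotiated directly with
# SERVER2; -D exposes a local SOCKS proxy whose exit point is SERVER2.
# Note that options on the command line generally apply to the destination,
# not the jump host, so SERVER1's key is pinned here too and should also
# be covered by a Host stanza in ~/.ssh/config.
start_socks_tunnel() {
    server1="$1"
    server2="$2"
    port="$3"
    known_hosts="$4"
    case "$port" in ''|*[!0-9]*) echo "bad SOCKS port: $port" >&2; return 1 ;; esac
    for h in "$server1" "$server2"; do
        require_pinned_host "$known_hosts" "$h" || {
            echo "refusing: $h is not pinned in $known_hosts" >&2
            return 1
        }
    done
    "$SSH" -N \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$known_hosts" \
        -o ExitOnForwardFailure=yes \
        -J "$server1" \
        -D "127.0.0.1:$port" \
        "$server2"
}
```

Once the tunnel is up, point the browser at a SOCKS5 proxy on 127.0.0.1:1080 with remote DNS enabled, so both the request and the hostname lookup leave from Server2. The visibility split is then the one the question asks for: Server1 sees the client's IP and an encrypted stream to Server2, Server2 sees a session arriving from Server1 and the plaintext HTTP, and the website sees Server2.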
 

Author Comment

by:jiiins2
ID: 35688694
So the VPN could go through Server1 without revealing its content?
0
 
LVL 11

Expert Comment

by:pmasotta
ID: 35688761
yes, that's what a VPN does, but the client needs more than just to open a browser and go to a link...
then if you want this for massive access to some sort of service it won't suit your needs.
on the other hand, if you want this for a reduced set of users it will.
VPN is used, let's say, by corporations that want their employees accessing the company network w/o exposing that traffic on the net.
But the employees have to log into the VPN first; many times this involves the use of dongles providing sequence access codes etc...
0
 

Author Comment

by:jiiins2
ID: 35688818
Alright, so how does it work? Suppose I use OpenVPN, how can I configure it so that it goes through Server1 before ending in Server2?
0
 
LVL 11

Expert Comment

by:pmasotta
ID: 35689167
Now take your time and learn about VPNs.
Read how to set up a VPN on Server2. Server1 has nothing to do with the VPN, but it "has to be in the middle" as a kind of "router/proxy"; Server1 will only deal with DNAT, SNAT.

I want you to understand that I haven't done this particular set-up before; I'm just guiding you based on previous knowledge of similar set-ups, but not identical ones.
0
 

Accepted Solution

by: jiiins2 earned 0 total points
ID: 35791753
0
 

Author Closing Comment

by:jiiins2
ID: 35814231
That's the actual solution...
0
