SSH Tunneling with multiple hops

Hi experts,

I would like to set up a multi-hop SSH tunnel to anonymize web browsing in such a way that none of the hops might know both the originating IP and the http request at the same time.
Ideally speaking (in a Client > Server1 > Server2 > website.com setup):

Server1 can see the originating client's IP but not the http request in clear.
Server2 can see the http request, but sees Server1 as the originator and doesn't see Client's IP at all.
website.com receives the http request and just sees Server2 as the originator.

The tricky part for me is the first one, as I know how to set up an SSH tunnel over multiple servers, but I don't know how to hide from Server1 the http request.

I'm using Ubuntu with OpenSSH on the servers and PuTTY on the client.

Any hints?

Many thanks in advance,
Jay
Asked by jiiins2
1 Solution
 
pmasotta commented:
I think you can do this with iptables SNAT+DNAT simultaneously on Server1.

The PREROUTING DNAT rule will replace the destination IP, allowing external requests to reach your Server2,
and the POSTROUTING SNAT rule will hide the request's source IP address, replacing it with Server1's own IP.
 
jiiins2 (Author) commented:
I think I'm achieving the same result by using the second SSH tunnel (between Server1 and Server2) and Squid on Server1. But I'm a newbie... does your solution make it impossible for Server1 to see the HTTP request?

Thanks!
 
pmasotta commented:
Yes... it would just pass through encrypted.
Plus, your solution is way slower by using Squid.

Give it a try, it takes just 2 rules in iptables.
 
jiiins2 (Author) commented:
Ok, sorry for my ignorance, but I think I'm missing something:
Since the HTTP request is encrypted by the SSH tunnelling which runs from Client to Server1, how would Server2 be able to decrypt it?
 
pmasotta commented:
Let's say we browse some HTTPS page: the traffic gets encrypted at your browser and decrypted at your server, and vice versa...
But what gets encrypted is the IP payload, not the IP addressing scheme that allows the packet to be delivered correctly.
That's why we need some "man in the middle" performing your additional security requirements.
As I said, I think in your case iptables is your best bet...
 
jiiins2 (Author) commented:
But what about plain HTTP pages?
 
pmasotta commented:
Plain HTTP pages are not encrypted, and you decide what to do with them at Server1: you can route them to Server2, drop them, or whatever you want to do.

Bottom line: if I want security on the traffic payload I use HTTPS, SSH, etc., and there's only one encrypt/decrypt process per communication.
 
jiiins2 (Author) commented:
But that's my problem... for example, the client needs to be able to google some info and Server1 must not be able to see "http://www.google.com/search?q=some+info", but forward it "blindly" to Server2 where it gets decrypted and handled.

Thanks for your patience...
 
pmasotta commented:
Not a problem...

Even with a double tunnel Server1 will see the content, plus it is very inefficient decrypting/encrypting again...
What about some VPN? But that implies your client does not rely on standard HTTPS/SSH protocols, and they have to log into the VPN first! Plus you have to add the iptables thing in order to mask the IPs....
 
jiiins2 (Author) commented:
So the VPN could go through Server1 without revealing its content?
 
pmasotta commented:
Yes, that's what a VPN does, but the client needs to do more than just open a browser and go to a link...
So if you want this for mass access to some sort of service, it won't suit your needs.
On the other hand, if you want this for a reduced set of users, it will.
VPNs are used, let's say, by corporations that want their employees accessing the company network without exposing that traffic on the net.
But the employees have to log into the VPN first; many times this involves the use of dongles providing sequential access codes, etc...
 
jiiins2 (Author) commented:
Alright, so how does it work? Suppose I use OpenVPN, how can I configure it so that it goes through Server1 before ending in Server2?
 
pmasotta commented:
Now take your time and learn about VPNs.
Read how to set up a VPN on Server2. Server1 has nothing to do with the VPN, but it "has to be in the middle" as a kind of "router/proxy"; Server1 will only deal with DNAT and SNAT.

I want you to understand that I haven't done this particular set-up before; I'm just guiding you based on previous knowledge of similar, but not identical, set-ups.
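An added example, not from the thread and not pmasotta's own rules, of the two-rule NAT relay on Server1 that he describes in his first comment, written in iptables-restore format. It also carries the UDP variant for the OpenVPN-through-Server1 setup from his last comment, since that is the same pair of rules with a different protocol and port. Every address and port here is an assumption: Server1 is 198.51.100.10 on eth0, Server2 is 203.0.113.20, the Client connects to Server1 on TCP 2222 for SSH (UDP 1194 for OpenVPN).

```iptables
# Server1 NAT relay for the Client > Server1 > Server2 chain (added example, iptables-restore format).
# Assumed addresses: Server1 = 198.51.100.10 on eth0, Server2 = 203.0.113.20; the relay ports are assumed too.
# Server1 only rewrites addresses. The SSH (or OpenVPN) session carried inside stays end-to-end
# between Client and Server2, so Server1 relays ciphertext it cannot read.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rule 1 (DNAT): Client connects to Server1:2222; the packet is re-addressed to Server2's sshd.
-A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 203.0.113.20:22
# Same idea for the OpenVPN variant: Client -> Server1:1194/udp is re-addressed to Server2:1194/udp.
-A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to-destination 203.0.113.20:1194
# Rule 2 (SNAT): everything forwarded to Server2 leaves with Server1's address,
# so Server2 sees Server1 as the originator and never sees the Client IP.
-A POSTROUTING -o eth0 -d 203.0.113.20 -j SNAT --to-source 198.51.100.10
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT/OUTPUT are left open only to keep the example short; keep Server1's real host firewall rules.
# FORWARD sees post-DNAT addresses: permit only the two relayed services, and let conntrack return the replies.
-A FORWARD -i eth0 -o eth0 -d 203.0.113.20 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -d 203.0.113.20 -p udp --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -s 203.0.113.20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
```

Because the DNAT target is another host, Server1 must route: set net.ipv4.ip_forward=1 with sysctl and persist it, then load the ruleset with iptables-restore (merge it into Server1's existing rules rather than loading it verbatim, since iptables-restore replaces the tables it lists). On the client, PuTTY connects to 198.51.100.10 on port 2222 with a "Dynamic" tunnel on source port 1080 (Connection > SSH > Tunnels); the OpenSSH equivalent is ssh -D 1080 -p 2222 -o HostKeyAlias=server2 user@198.51.100.10, and the browser uses SOCKS5 127.0.0.1:1080 with DNS resolved through the proxy. Two checks a practitioner should make: the host key offered on 198.51.100.10:2222 is Server2's, not Server1's, so verify Server2's fingerprint out of band before accepting it (HostKeyAlias keeps it filed under the right name); and the scheme shifts trust rather than removing it, since Server1 still learns that the Client talks to Server2 and how much, while Server2 decrypts the SOCKS stream and sees plain HTTP requests in clear. The Squid-on-Server1 variant mentioned earlier in the thread terminates the first SSH session on Server1 and therefore exposes the request there; the NAT relay does not, because nothing on Server1 ever decrypts the session.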
 
jiiins2 (Author) commented:
That's the actual solution...
Question has a verified solution.
