Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I want to create a private proxy for internet browsing using SSH port forwarding. I have a server and I know how to configure my local browser for this.
If I do a port forwarding do I need to open any port or do anything special (install software??) on the server or can I simply configure my browser network settings ie 127.0.0.1:5000 then ssh -L 5000:127.0.0.1:8080 account@machine.net and it will be ready to go?
I am asking this because it is not working, the browser does nothing when I attempt to use it with this set up and I am getting this message on Firefox:
The SSH tunnel command should be "-L[localport]:[remotehost]:[remoteport]" and ports equal or below 1024 are considered "reserved". Try changing your tunnel port and remote host IP address?
The SSH tunnel command should be "-L[localport]:[remotehost]:[remoteport]" and ports equal or below 1024 are considered "reserved". Try changing your tunnel port and remote host IP address?
Thank you for confirming my SSH tunnel command and ports, printed above on my post, are correct.
Now that these two possible failures have been troubleshooted, I accept more suggestions of what could be wrong.
Distribution: Slackware from 94-09, Debian Since March 09
Posts: 28
Rep:
Quote:
Originally Posted by malcarada
I want to create a private proxy for internet browsing using SSH port forwarding. I have a server and I know how to configure my local browser for this.
If I do a port forwarding do I need to open any port or do anything special (install software??) on the server or can I simply configure my browser network settings ie 127.0.0.1:5000 then ssh -L 5000:127.0.0.1:8080 account@machine.net and it will be ready to go?
I am asking this because it is not working, the browser does nothing when I attempt to use it with this set up and I am getting this message on Firefox:
Your ssh commands are correct, but you are not running anything yet on port 8080 of your server to allow the browser to connect to it's intended destination.
You need to install a proxy server on your server machine. I recommend micro_proxy. Install that on your server, then set it up to run via xinetd. (or inetd if you use that instead.)
Here is my xinetd configuration for micro_proxy:
Code:
service microproxy
{
disable = no
bind = 127.0.0.1
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/micro_proxy
}
service microproxyssl
{
disable = no
bind = 127.0.0.1
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/micro_proxy
}
I don't know exactly which distro you use, but if you need assistance getting it installed, just say the word.
From what I can see, this is most likely the only missing piece in your configuration.
Thank you, I am starting to understand the problem...
I am using Debian 64 on the server, this is a brand new server, which means it had nothing installed. But I can access the internet with Lynx.
I have installed micro-proxy and xinetd, everything there is default, the only thing I have changed is my xinetd.conf file, I have added the settings you have given me, it is not working yet, I do not know why.
I am using port 5000 on localhost and port 8080 on the server. I believe port 8080 on the server is open because lynx is working, but I do not know how to make sure of this.
My FULLxinetd.conf file posted below, just in case you or anyone else sees any mistake there:
Quote:
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/
defaults
{
# Please note that you need a log_type line to be able to use log_on_success
# and log_on_failure. The default is the following :
# log_type = SYSLOG daemon info
}
service microproxy
{
disable = no
bind = 127.0.0.1
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/micro_proxy
}
service microproxyssl
{
disable = no
bind = 127.0.0.1
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/micro_proxy
}
includedir /etc/xinetd.d
PS: I realise the micro-proxy settings are for the root user only, and I am logging in as root. I have also double checked that /usr/sbin/micro_proxy exists on that exact location.
Distribution: Slackware from 94-09, Debian Since March 09
Posts: 28
Rep:
Quote:
Originally Posted by malcarada
Thank you, I am starting to understand the problem...
I am using Debian 64 on the server, this is a brand new server, which means it had nothing installed. But I can access the internet with Lynx.
I have installed micro-proxy and xinetd, everything there is default, the only thing I have changed is my xinetd.conf file, I have added the settings you have given me, it is not working yet, I do not know why.
I am using port 5000 on localhost and port 8080 on the server. I believe port 8080 on the server is open because lynx is working, but I do not know how to make sure of this.
My FULLxinetd.conf file posted below, just in case you or anyone else sees any mistake there:
Ok, then let's make sure we have all the information we need:
You say port 8080 is open on the server because lynx works, but that does not prove 8080 is open.
You need to be much more specific. Here is how I would test to see if port 2280 is listening on my server:
The line it returns is showing "LISTEN" for port 2280. You can just change the port in the grep statement to look for 8080 instead.
One thing I suggest is that the microproxy config be placed into it's own file and placed in the /etc/xinetd.d/ directory. This just keeps things easier to manage later on.
Oh, I just realized something I missed that is critical to getting xinetd to start the service for you. You have to define it in /etc/services. Here is the snippet from mine that sets it up:
Code:
microproxy 2280/tcp
microproxyssl 2243/tcp
Please note that I use ports 2280 and 2243 for the services... all you need to do is change them to match your intended ports, and make sure you comment out any existing entries in /etc/services that try to define the same service ports.
After you restart xinetd, you should see these two ports listening.
Now to really test it...
You mention that you already know how to configure your browser to use it, but in the interest of saving a couple of blind posts, and possibly informing others that may be looking on, here is how you should configure your browser to use the proxy over the ssh tunnel:
On the client, establish your ssh tunnel using the port-forwarding syntax you specified above
On the client, set your http proxy for localhost port 5000
On the client, set your https proxy for localhost port 5043
To test the success of your new proxy-via-ssh, point your browser to http://whatismyip.org/ and take a peek at the ip it gives you back. It should be from the ISP at your server location, and not from your current location.
For easily switching the proxy configuration on and off, there are several proxy management applications for firefox you can install to it from the firefox addons website.
Let me know how it turns out.
PS: In response to your PS above, the micro-proxy settings do not limit it to root-only. Anyone that can ssh into your server will be able to use this proxy. The "user=root" statement simply shows who the proxy is run as when it is executed.
Dang, I just realized yet another modification you'll need for ssl purposes. Use the following ssh command to ensure both http and https work:
The tests above I believe confirm that everything has been set up correctly,
the only thing I have not done is to place microproxy config on its own folder,
I will do that once I have the thing working.
So far I am not getting lucky, I think there must be something really screwed
on the server...
I am also getting this very weird reading with nmap.
Quote:
malcarada# nmap localhost
Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-30 05:21 UTC
Failed to resolve given hostname/IP: localhost. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges
WARNING: No targets were specified, so 0 hosts scanned.
Distribution: Slackware from 94-09, Debian Since March 09
Posts: 28
Rep:
Quote:
Originally Posted by malcarada
You were actually correct, port 8080 was closed, lynx was using port 80
After quite a while I have managed to get 2280 and 2243 listening with
some tweaking at iptables.
The tests above I believe confirm that everything has been set up correctly,
the only thing I have not done is to place microproxy config on its own folder,
I will do that once I have the thing working.
So far I am not getting lucky, I think there must be something really screwed
on the server...
I am also getting this very weird reading with nmap.
Code:
malcarada# nmap localhost
Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-30 05:21 UTC
Failed to resolve given hostname/IP: localhost. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges
WARNING: No targets were specified, so 0 hosts scanned.
The /etc/hosts file is usually responsible for defining "localhost". I'd look in there to make sure there is an entry for it. Typically, it's pointed to 127.0.0.1. It's important to have that entry in /etc/hosts. If it is missing, then there will be many strange problems across your server.
For a quick test to see if micro-proxy is functioning properly at the server side, set up lynx to use micro-proxy for all it's outbound connections, and test surfing with it:
That should allow you to test the functionality of micro-proxy from the server.
If that is working, you are creating your ssh tunnels correctly, and you are configuring your browser on the client correctly, everything should function as expected. Here's a quick summary-rundown of all required steps:
On the server --
edit /etc/services to include the following lines:
Code:
microproxy 2280/tcp
microproxyssl 2243/tcp
set up xinetd to use the following configuration
Code:
service microproxy
{
disable = no
bind = 127.0.0.1
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/micro_proxy
}
service microproxyssl
{
disable = no
bind = 127.0.0.1
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/micro_proxy
}
Restart xinetd and make sure the ports are listening:
Code:
lsof -i -nN -P | grep "2280\|2243"
On the client --
Set your browser to use the following proxy configuration:
Code:
http - 127.0.0.1 port 5000
https - 127.0.0.1 port 5043
Create an ssh tunnel to the server, and forward the correct ports:
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
SSH port forwarding query
