Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I want to create a tunnel from my home computer to a Linux server by SSH, so that I can use the tunnel as a TCP forwarding proxy (SOCKS 5) to access the web via the Linux server.
But I got "Internet Explorer cannot display the webpage" on my home computer, and when I check "/var/log/secure" on the Linux server (Fedora), I found:
"sshd[17926]: error: connect to xx.xx.xx.xx port 80 failed: Permission denied"
I just use the ssh server included in Fedora:
"service sshd start".
Then I use "putty" or "myentunnel" on the home computer.
I can log in to the Fedora server with putty via ssh, and I set the tunnel in the putty config.
I also tried "myentunnel" as the ssh client, and the log shows:
"[15:43:53 05/16] plink.exe: Sent password
[15:43:53 05/16] plink.exe: Access granted
[15:43:53 05/16] plink.exe: Local port 7070 SOCKS dynamic forwarding
[15:44:00 05/16] Connection is stable
"
But when I use the browser via the proxy 127.0.0.1:7070, it doesn't work.
I checked the log file on the Fedora server, and I found:
"sshd[17926]: error: connect to xx.xx.xx.xx port 80 failed: Permission denied"
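A way to test the SOCKS side of this setup without the browser, as an added example that is not code from any of the posters: it speaks SOCKS5 to the SSH client's dynamic forward (assumed at 127.0.0.1:7070, the port used in the thread) and reports the reply for a CONNECT to a host on port 80. If the SSH client accepts the CONNECT and the tunnel then dies before any HTTP bytes come back, that is reported too, since some SSH clients answer the SOCKS request before the server's own connect() has finished; the host name and the one-line HTTP request are constructed for the probe.

```python
"""Probe an SSH dynamic forward (the "Dynamic port 7070" in the thread)
the way a browser configured for a SOCKS5 proxy would.

Added example for this thread, not code from the original posters.
Assumed defaults: the SSH client listens on 127.0.0.1:7070 and the
host to reach through it is given on the command line.
"""
import socket
import struct
import sys
from typing import Tuple

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_DOMAIN = 3
NO_AUTH = 0

# Reply codes from RFC 1928, section 6.
REPLY_TEXT = {
    0: "succeeded",
    1: "general SOCKS server failure",
    2: "connection not allowed by ruleset",
    3: "network unreachable",
    4: "host unreachable",
    5: "connection refused",
    6: "TTL expired",
    7: "command not supported",
    8: "address type not supported",
}


def build_greeting() -> bytes:
    """Client greeting: version 5, one method offered, 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request using the DOMAINNAME address type, so the name is
    resolved on the SSH server side rather than on the home computer."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("host name length must be 1..255 bytes")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_reply(data: bytes) -> Tuple[int, str]:
    """Return (reply code, description) from the first 4 bytes of a reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % (data[:4],))
    code = data[1]
    return code, REPLY_TEXT.get(code, "unknown reply code %d" % code)


def probe(host: str, port: int = 80, proxy=("127.0.0.1", 7070),
          timeout: float = 5.0) -> Tuple[int, str]:
    """Handshake, send CONNECT, then push one HTTP request line through the
    tunnel. Returns the SOCKS reply code and text; negative codes mean the
    CONNECT was accepted but no data ever came back (closed or timed out)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        if s.recv(2) != bytes([SOCKS_VERSION, NO_AUTH]):
            raise RuntimeError("proxy did not accept the no-auth method")
        s.sendall(build_connect_request(host, port))
        header = s.recv(4)
        if not header:
            return -1, "proxy closed the connection without a SOCKS reply"
        code, text = parse_reply(header)
        if code != 0:
            return code, text
        # Drain the bound address that follows the 4-byte header.
        atyp = header[3]
        if atyp == 1:
            s.recv(6)            # IPv4 + port
        elif atyp == 4:
            s.recv(18)           # IPv6 + port
        elif atyp == 3:
            ln = s.recv(1)       # length-prefixed domain name + port
            if ln:
                s.recv(ln[0] + 2)
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode("idna"))
        try:
            first = s.recv(1)
        except socket.timeout:
            return -2, "CONNECT succeeded but nothing came back within the timeout"
        if not first:
            return -1, "CONNECT succeeded but the tunnel closed before any data arrived"
        return 0, "succeeded; data flowed through the tunnel"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # constructed default
    rc, msg = probe(target, 80)
    print("SOCKS5 CONNECT %s:80 via 127.0.0.1:7070 -> %d (%s)" % (target, rc, msg))
```

Run it on the home computer while putty or plink holds the tunnel open; a non-zero or negative result together with the "Permission denied" line in /var/log/secure confirms that the SOCKS handshake itself is fine and the failure is on the server's outbound side.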
If you use SOCKS, this must be setup in the browser network setup instead of specifying a port for the URL. Are you just forwarding port 7070 to a remote machine or setting up SOCKS in putty?
Yes, I use the network setup in the browser (option - network - proxy setup), and in putty I just set the tunnel as a Dynamic port of 7070.
As the server's log tells me: "sshd[17926]: error: connect to xx.xx.xx.xx port 80 failed: Permission denied"
I think that the request has been received by the server, but it can't open the destination web page for some reason, and it can return the correct result to the client machine.
But I don't know why the server can't open the remote web page and return it to the proxy of putty on the client machine.
Do you perchance have any sort of firewall, such as iptables running on this system that would prevent outbound traffic? It wouldn't necessarily be port 80, but could be on a higher order port.
The following is my iptables; I don't know whether it matters:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I would try removing this rule, at least as an experiment. So far it is the only thing that I can see from the discussion that could relate to the permission denied error. I think the FORWARD chain is probably the least understood of the three iptables chains, which makes it difficult to say whether or not it would make a difference. With the SSH proxy, you are effectively translating from one network to another, so in that regard it is plausible that it could cause problems, but my thinking is that the proxy is happening at a software level.
I also notice you have a rule "ACCEPT all -- anywhere anywhere"; is this perchance on the loopback interface? If not, the other rules below it are nullified. If it is, one thing that occurred to me is that a socks proxy works on a higher port, but the thing is that this is on the local machine, not the server. In other words, this shouldn't impact the ability to proxy via SSH. Again, the more I think about it, with your iptables policy to ACCEPT, which is fine, you might want to temporarily flush all the rules and see if that is behind the difficulties.
Last edited by Noway2; 05-17-2011 at 04:13 AM.
Reason: fixed quote tag
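The two firewall points raised above (a catch-all "ACCEPT all -- anywhere anywhere" that makes every rule after it unreachable, and the question of whether anything stops the server's own outbound connections) can be checked mechanically against an `iptables -L` listing. The script below is an added example, not code from any poster: it parses the INPUT chain exactly as pasted in the thread and, as a second constructed input, a listing with an OUTPUT chain that rejects outbound HTTP, to show what such a blocking rule would look like. Plain `iptables -L` hides the interface column, so the script cannot tell a loopback-only rule from a true catch-all; that caveat is noted in the code.

```python
"""Read an `iptables -L` listing and flag rules that cannot match, plus
any REJECT/DROP rules in the OUTPUT chain that would block the server's
own outbound connections (the side sshd uses for a dynamic forward).

Added example for this thread, not code from the original posters. The
first sample below is the INPUT chain pasted in the thread; the second is
a constructed listing with an OUTPUT chain to show the outbound check.
"""
import re
from typing import Dict, List

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
TERMINATING = ("ACCEPT", "DROP", "REJECT")

# Listing from the thread (iptables -L without -v, so no interface column).
THREAD_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

# Constructed listing (not from the thread): an OUTPUT chain that rejects
# new outbound HTTP, the kind of rule asked about above.
CONSTRUCTED_LISTING = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp dpt:http reject-with icmp-port-unreachable
"""


def parse_listing(text: str) -> Dict[str, dict]:
    """Return {chain name: {"policy": ..., "rules": [rule dicts]}}."""
    chains: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # not a rule line
        rule = dict(zip(("target", "prot", "opt", "src", "dst"), fields[:5]))
        rule["extra"] = fields[5].strip() if len(fields) > 5 else ""
        chains[current]["rules"].append(rule)
    return chains


def is_catch_all(rule: dict) -> bool:
    """True for a terminating rule with no match criteria at all.
    Caveat: without -v the listing hides the interface, so a rule bound to
    lo looks identical; confirm with `iptables -L -v -n` before acting."""
    return (rule["target"] in TERMINATING and rule["prot"] == "all"
            and rule["src"] == "anywhere" and rule["dst"] == "anywhere"
            and rule["extra"] == "")


def shadowed_rules(chain: dict) -> List[dict]:
    """Rules after the first catch-all. iptables stops at the first
    terminating match, so these can never be reached."""
    rules = chain["rules"]
    for i, rule in enumerate(rules):
        if is_catch_all(rule):
            return rules[i + 1:]
    return []


def outbound_blocks(chains: Dict[str, dict]) -> List[dict]:
    """REJECT/DROP rules in OUTPUT: these, not INPUT rules, would stop
    sshd's own connect() to a remote web server."""
    out = chains.get("OUTPUT")
    if out is None:
        return []
    return [r for r in out["rules"] if r["target"] in ("REJECT", "DROP")]


def summarize(text: str) -> List[str]:
    """Human-readable findings for one listing."""
    chains = parse_listing(text)
    findings = []
    for name, chain in chains.items():
        for r in shadowed_rules(chain):
            findings.append("%s: unreachable rule '%s %s %s'"
                            % (name, r["target"], r["prot"], r["extra"]))
    for r in outbound_blocks(chains):
        findings.append("OUTPUT: %s blocks outbound %s %s"
                        % (r["target"], r["prot"], r["extra"]))
    return findings


if __name__ == "__main__":
    for title, listing in (("thread listing", THREAD_LISTING),
                           ("constructed listing", CONSTRUCTED_LISTING)):
        print(title)
        for line in summarize(listing) or ["no findings"]:
            print("  " + line)
```

On the thread's own listing the script reports the ssh ACCEPT and the final REJECT as unreachable and finds no OUTPUT chain at all, which matches the reasoning above: the pasted INPUT rules do not explain an outbound "Permission denied", and the OUTPUT and FORWARD chains (and the interface column from `iptables -L -v -n`) are what still need to be looked at.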
I tried removing all the rules in iptables; now my iptables is:
"
Chain INPUT (policy ACCEPT)
target prot opt source destination