2

We have access to a secure linux infrastructure through a Windows machine. The linux infra has no access to internet, but the Windows machine has.

On this windows machine, we have installed putty, and can connect to the linux infra with it. We can set up tunnels from the windows machine to the linux infra, in both directions (local and remote).

What I'm wondering is whether we could give the linux infra an internet access through the Windows host, via a remote tunnel using putty.

We only need http/https access, because this is for debian security updates and new machines provisioning (which right now cannot install any package due to lack of internet access).

The schema is quite clear in my mind, but I don't know how to implement it in practice:

[network diagram]

I think I would need a sort of http proxy on the windows machine, that listens on the port that the remote tunnel directs to?

How to configure the frontal ssh machine so that other hosts using it as gateway connect through the ssh tunnel?

Also, how will DNS work in this case?

Thanks for pointers!

Gui13
  • 43
  • 1
  • 9
  • You can tunnel "Internet traffic" over SSH, but the better fit would be a proxy on the Windows or the 1st Linux box. Intranet -> 1stLinux (proxy) -> Windows (router), or Intranet -> 1stLinux (router) -> Windows (proxy + router), approximately. Are you _required_ to use SSH? – Lenniey Jan 23 '19 at 11:34
  • Yes, ssh is our only door to the linux infra. There is a stringent firewall in front of it. – Gui13 Jan 23 '19 at 11:38
  • Please be aware that what you're attempting maybe considered circumventing security policies and thus a *"career limiting move"*. Why don't you download the packages you need on that Windows machine and then copy them (with `scp`) from the Windows host to the Linux system(s) if no other method is allowed or design for the Linux systems to be patched? – HBruijn Jan 23 '19 at 11:58
  • It would be far better to have the necessary access set up legitimately in the firewall, rather than trying to break through the firewall. If it is not politically possible to have the firewall opened, then trying to do what you propose may well get you fired. – Michael Hampton Jan 23 '19 at 15:44

1 Answer

1

If the SSH server allows it (which is the default setting for most Linux distributions) you can set up TCP forwarding with PuTTY (and any other SSH client).

  • Determine a port on the SSH server that is available and not in use, for instance 8080.

  • In PuTTY set up a rule that will tunnel TCP traffic from that port 8080 on the SSH server over SSH to your Windows system and forward that to your proxy server (proxy.example.com port 8080):

PuTTY screenshot for remote port forwarding

  • On the SSH server set the http_proxy and https_proxy environment variables and many applications will then be able to use that proxy server over the ssh port forwarding (some applications will need their own settings modified to use a proxy):

    export http_proxy="http://username:password@localhost:8080"
    export https_proxy=$http_proxy
    

    and test with for instance:

    curl -vv http://serverfault.com
    
  • On the other servers (firewall permitting) you can then use:

    export http_proxy="http://username:password@<ip-of-ssh-server>:8080"
    

This config has not been tested.

HBruijn
  • 77,029
  • 24
  • 135
  • 201
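The Linux-side part of the setup above, written out as an added example (this is not HBruijn's script nor anything from the PuTTY project). It assumes, like the answer, that the remote forward lands on port 8080 of the SSH server and that the Windows side hands traffic to proxy.example.com:8080; the `ss -ltn` output embedded in it is constructed so the check runs offline. Two points the answer leaves implicit: apt does not pick up `http_proxy` from your shell when it runs from cron or unattended-upgrades, so the proxy belongs in apt's own configuration, and an OpenSSH remote forward binds to the server's loopback interface unless `sshd_config` has `GatewayPorts yes` (and PuTTY is told to accept connections from other hosts on that tunnel), so the `<ip-of-ssh-server>` variant for the other machines needs both. DNS is not an issue for the clients: with an HTTP proxy (plain for http, CONNECT for https) the proxy resolves the names, which is why the script never touches resolver settings.

```shell
#!/bin/sh
# Added example, not from the original answer: Linux-side helpers for the
# PuTTY remote forward.  Assumes the tunnel listens on port 8080 of the SSH
# server and that the Windows end forwards to proxy.example.com:8080.

PROXY_PORT=8080

# Build the proxy URL used in http_proxy/https_proxy and in apt.conf.
# Usage: proxy_url HOST [USER PASS]
proxy_url() {
    host=$1; user=$2; pass=$3
    if [ -n "$user" ]; then
        printf 'http://%s:%s@%s:%s\n' "$user" "$pass" "$host" "$PROXY_PORT"
    else
        printf 'http://%s:%s\n' "$host" "$PROXY_PORT"
    fi
}

# apt ignores the shell's http_proxy when run by cron/unattended-upgrades,
# so the proxy has to be in apt's own config.  Prints the file content.
apt_proxy_conf() {
    url=$1
    printf 'Acquire::http::Proxy "%s";\nAcquire::https::Proxy "%s";\n' "$url" "$url"
}

# Read `ss -ltn` output on stdin and report how the forwarded port is bound:
#   loopback  - only this host can use the tunnel (OpenSSH default, GatewayPorts no)
#   all       - bound on a non-loopback address, other hosts may reach it
#   none      - no listener, the PuTTY session/tunnel is not up
forward_binding() {
    awk -v port="$PROXY_PORT" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            if (p != port) next
            if ($4 ~ /^(127\.0\.0\.1|\[::1\]):/) { lo = 1 } else { all = 1 }
        }
        END { if (all) print "all"; else if (lo) print "loopback"; else print "none" }'
}

# Constructed sample of `ss -ltn` output for the offline check; on a real
# server run:  ss -ltn | forward_binding
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    [::1]:8080         [::]:*'

# Apply the configuration and run the curl test from the answer.
# Only executed when invoked as:  sh thisscript.sh install
if [ "$1" = "install" ]; then
    URL=$(proxy_url localhost)
    apt_proxy_conf "$URL" > /etc/apt/apt.conf.d/80proxy
    export http_proxy="$URL" https_proxy="$URL"
    curl -sS -o /dev/null -w '%{http_code}\n' https://security.debian.org/
fi
```

Run `ss -ltn | forward_binding` on the SSH server before handing the `<ip-of-ssh-server>:8080` address to other machines: if it prints `loopback`, only the SSH server itself can use the tunnel and the sshd `GatewayPorts` setting (plus the corresponding PuTTY tunnel option) is what needs changing, not the firewall.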