Routing all console traffic through SOCKS - unix

I'm running a couple of bash scripts from the console on my local computer, they need to access the internet, and I would like them to appear as if they're running on a server I own, so I set up a SOCKS connection:
ssh -D 8123 -f -C -q -N user#IP
but then when I check my IP with
curl https://ipinfo.io/ip
my IP is still the same.
What should I do so that all the traffic and all the scripts I run in the console use the socks tunnel once it has been created?

Use
export http_proxy=socks5://127.0.0.1:8123 https_proxy=socks5://127.0.0.1:8123
after you set up your socks tunnel

Related

Why can't I access a host port from my Docker container?

I've read this post which asks the same question, but the solutions there don't seem to work. Basically I'm trying to access a port on the host os from inside the docker, and I'm using the --net="host" flag as suggested in the linked post. However, I'm still unable to access the port. The only thing that works for me is to run my host web service on 0.0.0.0 and then access it from 192.168.###.###, but that address changes based on what Wifi I'm on, so I don't want to do that. Here's what I've tried:
Set up a test webserver that I can try to access from inside the container:
bash-3.2$ echo hi > index.html
bash-3.2$ python -m SimpleHTTPServer 1234 >/dev/null 2>&1 &
[1] 57942
Curl it from the host to make sure it's running:
bash-3.2$ curl localhost:1234
hi
Start up a container that has curl installed (this is just ubuntu + curl):
bash-3.2$ docker run --rm -it --net="host" tutum/curl bash
Try curling from inside the container:
root#moby:/# curl localhost:1234
curl: (7) Failed to connect to localhost port 1234: Connection refused
I am on macOS, so I'm thinking it might have something to do with the container's host being boot2docker rather than my mac, but I still don't know how to mitigate this.
Any advice would be much appreciated! :)

Trying to scp to an EC2 instance, states sftp only?

scp -Cpv -i /home/jamie/Downloads/jamie1.pem /srv/http/wordpress/wp- content/themes/dt-the7 ec2-user#52.210.108.143:/var/www/html/wp-content/themes/
[...]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending command: scp -v -p -t /var/www/html/wp-content/themes/
This service allows sftp connections only.
Can anyone tell me how to also allow ssh/scp connections?
Thanks
You need to modify sshd_config on the server and restart the sshd daemon. The configuration will probably contain something like
ForceCommand internal-sftp
if you will comment that out, you should be able to get ssh and scp access.

Ucarp update switch's arp cache

I'm using ucarp over linux bonding for high availability and automatic failover of two servers.
Here are the commands I used on each server for starting ucarp :
Server 1 :
ucarp -i bond0 -v 2 -p secret -a 10.110.0.243 -s 10.110.0.229 --upscript=/etc/vip-up.sh --downscript=/etc/vip-down.sh -b 1 -k 1 -r 2 -z
Server 2 :
ucarp -i bond0 -v 2 -p secret -a 10.110.0.243 -s 10.110.0.242 --upscript=/etc/vip-up.sh --downscript=/etc/vip-down.sh -b 1 -k 1 -r 2 -z
and the content of the scripts :
vip-up.sh :
#!/bin/sh
exec 2> /dev/null
/sbin/ip addr add "$2"/24 dev "$1"
vip-down.sh :
#!/bin/sh
exec 2> /dev/null
/sbin/ip addr del "$2"/24 dev "$1"
Everything works well and the servers switch from one to another correctly when the master becomes unavailable.
The problem is when I unplug both servers from the switch for a too long time (approximatively 30 min). As they are unplugged they both think they are master,
and when I replug them, the one with the lowest ip address tries to stay master by sending gratuitous arps. The other one switches to backup as expected, but I'm unable to access the master through its virtual ip.
If I unplug the master, the second server goes from backup to master and is accessible through its virtual ip.
My guess is that the switch "forgets" about my servers when they are disconnected from too long, and when I reconnect them, it is needed to go from backup to master to update correctly switch's arp cache, eventhough the gratuitous arps send by master should do the work. Note that restarting ucarp on the master does fix the problem, but I need to restart it each time it was disconnected from too long...
Any idea why it does not work as I expected and how I could solve the problem ?
Thanks.

Setting Up Docker Dnsmasq

I'm trying to set up a docker dnsmasq container so that I can have all my docker containers look up the domain names rather than having hard-coded IPs (if they are on the same host). This fixes an issue with the fact that one cannot alter the /etc/hosts file in docker containers, and this allows me to easily update all my containers in one go, by altering a single file that the dnsmasq container references.
It looks like someone has already done the hard work for me and created a dnsmasq container. Unfortunately, it is not "working" for me. I wrote a bash script to start the container as shown below:
name="dnsmasq_"
timenow=$(date +%s)
name="$name$timenow"
sudo docker run \
-v="$(pwd)/dnsmasq.hosts:/dnsmasq.hosts" \
--name=$name \
-p='127.0.0.1:53:5353/udp' \
-d sroegner/dnsmasq
Before running that, I created the dnsmasq.hosts directory and inserted a single file within it called hosts.txt with the following contents:
192.168.1.3 database.mydomain.com
Unfortunately whenever I try to ping that domain from within:
the host
The dnsmasq container
another container on the same host
I always receive the ping: unknown host error message.
I tried starting the dnsmasq container without daemon mode so I could debug its output, which is below:
dnsmasq: started, version 2.59 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n DHCP TFTP conntrack IDN
dnsmasq: reading /etc/resolv.dnsmasq.conf
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 7 addresses
dnsmasq: read /dnsmasq.hosts//hosts.txt - 1 addresses
I am guessing that I have not specified the -p parameter correctly when starting the container. Can somebody tell me what it should be for other docker containers to lookup the DNS, or whether what I am trying to do is actually impossible?
The build script for the docker dnsmasq service needs to be changed in order to bind to your server's public IP, which in this case is 192.168.1.12 on my eth0 interface
#!/bin/bash
NIC="eth0"
name="dnsmasq_"
timenow=$(date +%s)
name="$name$timenow"
MY_IP=$(ifconfig $NIC | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}')
sudo docker run \
-v="$(pwd)/dnsmasq.hosts:/dnsmasq.hosts" \
--name=$name \
-p=$MY_IP:53:5353/udp \
-d sroegner/dnsmasq
On the host (in this case ubuntu 12), you need to update the resolv.conf or /etc/network/interfaces file so that you have registered your public IP (eth0 or eth1 device) as the nameserver.
You may want to set a secondary nameserver to be google for whenever the container is not running, by changing the line to be dns-nameservers xxx.xxx.xxx.xxx 8.8.8.8 E.g. there is no comma or another line.
You then need to restart your networking service sudo /etc/init.d/networking restart if you updated the /etc/network/interfaces file so that this auto updates the /etc/resolve.conf file that docker will copy to the container during the build.
Now restart all of your containers
sudo docker stop $CONTAINER_ID
sudo docker start $CONTAINER_ID
This causes their /etc/resolv.conf files update so they point to the new nameserver settings.
DNS lookups in all your docker containers (that you built since making the changes) should now work using your dnsmasq container!
As a side note, this means that docker containers on other hosts can also take advantage of your dnsmasq service on this host as long as their host's nameserver settings is set to using this server's public IP.

bidirectional encrypted communication using spiped for port forwarding

I would like to establish bidirectional encrypted communication between two machines using spiped (http://www.tarsnap.com/spiped.html) but I suspect that this is really a question about port forwarding... here's what I have working thus far (where my local machine is OS X Mavericks, and the remote is a Ubuntu 12.04 Virtualbox VM):
Remotely (listen on 8025 for external requests and redirect to 8000,
where nc displays on stdout):
remote % killall spiped
remote % spiped -d -s '[0.0.0.0]:8025' -t '[127.0.0.1]:8000' -k keyfile
remote % while true; do nc -l 8000; done
Then, locally (listen on 8001 locally and redirect to 8025, where it is sent to the remote machine):
local % killall spiped
local % spiped -e -s '[127.0.0.1]:8001' -t '[192.168.56.10]:8025' -k keyfile
Now when I do the following, "hello" is printed to stdout remotely:
local % echo hello | nc 127.0.0.1 8001
All of this is great. But what about sending data from the remote machine and receiving it locally? I naively assume I can do this remotely:
remote % echo hello | nc 127.0.0.1 8000
And read the data locally with
local % nc -l 8001
But nc does not receive any data locally. I assume I am fundamentally misunderstanding something. In the absence of specific answers, can anyone suggest resources to read up on relevant topics? I'm not looking for a solution using an ssh tunnel - I know how to do that.
In order to provide bi-directional communications with spiped you will need to setup the following on both machines:
A server daemon using the pre-shared key which forwards to the requested local service
A client which sends traffic using the same pre-shared key to the desired spiped port
One listens & one receives on both systems. For more information take a look a the source code for the client & for the server.
You can run the spiped service on both systems but each will require manual (or scripted) connections using the spipe client.
For example using the server (on both machines you would run the following):
spiped {-e | -d} -s <source socket> -t <target socket> -k <key file>
[-DfFj] [-n <max # connections>] [-o <connection timeout>] [-p <pidfile>]
[{-r <rtime> | -R}]
And on the clients wishing to communicate (bi-directionally) with each other you would have to manually invoke the client:
spipe -t <target socket> -k <key file> [-fj] [-o <connection timeout>]
Or as a real world example using your setup (two services bound to 8025 forwarding to nc on 8000).
remote % spiped -d -s '[0.0.0.0]:8025' -t '[127.0.0.1]:8000' -k keyfile
remote % while true; do nc -l 8000; done
local % spiped -d -s '[0.0.0.0]:8025' -t '[127.0.0.1]:8000' -k keyfile
local % while true; do nc -l 8000; done
Each (remote & local) run the following (nc bound locally to 8001 and sending to the server at 8025):
remote % spiped -e -s '[127.0.0.1]:8001' -t '[192.168.56.10]:8025' -k keyfile
local % spiped -e -s '[127.0.0.1]:8001' -t '[192.168.56.11]:8025' -k keyfile
Sending data to 8001 on both remote & local forwarding to local & remote
remote % echo "hello client" | nc 127.0.0.1 8001
local % echo "hello server" | nc 127.0.0.1 8001
Listening to each
remote % nc -l 8001
local % nc -l 8001
Seeing as how the software was designed to protect the transport layer of the tarsnap backup software which only requires the payloads to be encrypted TO the service.
Their example within the documentation for protecting the SSH daemon further illustrates this by making use of the 'ProxyCommand' option for SSH. Eg:
You can also use spiped to protect SSH servers from attackers: Since
data is authenticated before being forwarded to the target, this can
allow you to SSH to a host while protecting you in the event that
someone finds an exploitable bug in the SSH daemon -- this serves the
same purpose as port knocking or a firewall which restricts source IP
addresses which can connect to SSH. On the SSH server, run
dd if=/dev/urandom bs=32 count=1 of=/etc/ssh/spiped.key
spiped -d -s '[0.0.0.0]:8022' -t '[127.0.0.1]:22' -k /etc/ssh/spiped.key
then copy the server's /etc/ssh/spiped.key to
~/.ssh/spiped_HOSTNAME_key on your local system and add the lines
Host HOSTNAME ProxyCommand spipe -t %h:8022 -k ~/.ssh/spiped_%h_key
to the ~/.ssh/config file. This will cause "ssh HOSTNAME" to
automatically connect using the spipe client via the spiped daemon;
you can then firewall off all incoming traffic on port tcp/22.
For a detailed list of the command-line options to spiped and spipe,
see the README files in the respective subdirectories.

Resources