How to route traffic from ssh server to my local machine?

I am a student at a college. In my school, we have this strange rule that after 12 midnight, there is an internal LAN Ban. That means I am able to connect to the internet (external traffic) while sitting in my room, but I can't access most of the internal servers (say B) through the LAN, except for one server (say A). I can ssh to that machine (A) and ping other internal servers (B) and even ssh to them.

My College has its own hosted mirrors (B) for various distributions (http://mirror.cse.iitk.ac.in). I have configured package managers to use this mirror and during the day time, it works flawlessly and downloads happen at a whopping 10+ MB/s (it's LAN), but during the nights when the LAN Ban is in action, I have to use other Indian Mirrors to download/update packages, which is pathetically slow compared to the former.

What I want to achieve is write a script to route the traffic from server A to my local machine since A can access the mirror (B) even during the LAN Ban hours. I googled it up but didn't get what I wanted to do. In short, I want to set up a reverse-proxy-like thing that makes my local machine access the mirror (B) by routing the traffic from A.

Is it possible? I am still a newbie and learning things. Any kind of help would be greatly appreciated.

Thanks in advance!

Mayank Sharma

Posted 2017-12-23T19:27:18.020

Reputation: 43

It's been a while, but I guess you could set up an HTTP proxy on A. SSH -D can do that. OTOH they might not allow that. Another thing you could do is SSH to A, then on A, use wget to download whatever, then find a way to transfer the file from A to your computer, so after wget, maybe scp. https://unix.stackexchange.com/questions/106480/how-to-copy-files-from-one-machine-to-another-using-ssh

– barlop – 2017-12-23T20:48:35.960

Did you try port forwarding via ssh? Read TCP FORWARDING in man ssh, or google for tutorials. – dirkt – 2017-12-24T10:12:47.993

I don't have root privileges on that server, so port forwarding is completely out of options.

@barlop I tried that and it works with smaller packages, but we have a storage restriction too (Just 250 MB per student on server A). Moreover, this doesn't work if I wish to update my distro.

Thanks for help anyways! :) – Mayank Sharma – 2017-12-24T11:31:05.600

Answers

Let's cover all possible bases.

Method 1

Firstly, for the mirror. mirror.cse.iitk.ac.in is an external mirror and has an external IP, which means you can access it with an external IP address. At the time of writing, this resolves to 202.3.77.108. Use that in your mirror configuration file, and you should get speeds as good as on LAN (in my experience).

Method 2

Now, coming to the server A (which I'm assuming is webhome.cc.iitk.ac.in). Use an ssh tunnel. In short:

ssh -L8000:mirror.cse.iitk.ac.in:80 <username>@webhome.cc.iitk.ac.in

Keep the above ssh running (you can daemonize the command with a combination of -N and -f). Now, in your configuration file, instead of

http://mirror.cse.iitk.ac.in/

use

http://localhost:8000/

I wrote an article on port forwarding when I learnt about it. So this should be helpful to understand how the above works.

Comments

Next doubt (from my experience) will be about keeping ssh connected in background (reconnect if disconnect). Look into adding KeepAlive, ServerAliveInterval parameters in .ssh/config file ;)

Edit

I noticed that in the comments you said port forwarding is out of the question since you don't have root access on the server. The above command does not require root access on the server because of several reasons.

  1. The port is mapped on YOUR computer (not on the server). i.e. You will finally be listening on localhost:8000.
  2. Listening on ports which are greater than 1024 (8000 in this case) does not require root access anyway.

Notes

  1. If this was https, you'd be forwarding the requests to port 443 of mirror.cse.iitk.ac.in (instead of 80).

  2. The request goes like this:

YOU --> localhost:8000 (your PC) --via-ssh-tunnel-> webhome (forwards it to mirror:80) --> mirror.cse.iitk.ac.in (and then the reverse)

Pallav Agarwal

Posted 2017-12-23T19:27:18.020

Reputation: 56
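An added helper, not code from the answer or from anyone on this thread, that brings up the tunnel from Method 2 together with the keepalive settings the answer's Comments section points at, and checks that the local port is actually listening before a package manager is pointed at it. Host names and ports are the answer's; the username is a placeholder, and the ServerAlive values and the explicit 127.0.0.1 bind (so nobody else on the network can reach the forwarded port) are assumptions.

```python
"""Bring up the ssh -L tunnel to the mirror and verify it is listening."""
import socket
import subprocess
import sys
import time

# Values taken from the answer above.
JUMP_HOST = "webhome.cc.iitk.ac.in"     # server A, reachable during the ban
MIRROR_HOST = "mirror.cse.iitk.ac.in"   # server B, the mirror
LOCAL_PORT = 8000                       # port on YOUR machine (>1024, no root)
REMOTE_PORT = 80                        # 443 if the mirror were https


def tunnel_command(user, local_port=LOCAL_PORT):
    """argv for a backgrounded (-f), command-less (-N) local forward (-L).
    ExitOnForwardFailure makes ssh fail loudly if it cannot bind the port;
    ServerAliveInterval/CountMax (assumed values) notice a dead connection
    so a wrapper can restart the tunnel instead of hanging forever."""
    return [
        "ssh", "-f", "-N",
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",
        "-o", "ServerAliveCountMax=3",
        # Bind loopback only; the mirror must not become reachable via your PC.
        "-L", f"127.0.0.1:{local_port}:{MIRROR_HOST}:{REMOTE_PORT}",
        f"{user}@{JUMP_HOST}",
    ]


def port_open(host, port, timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ensure_tunnel(user, local_port=LOCAL_PORT, wait=5.0):
    """Start the tunnel unless the port is already served; True once it listens."""
    if port_open("127.0.0.1", local_port):
        return True
    subprocess.run(tunnel_command(user, local_port), check=True)  # may prompt for auth
    deadline = time.monotonic() + wait
    while time.monotonic() < deadline:
        if port_open("127.0.0.1", local_port):
            return True
        time.sleep(0.2)
    return False


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "<username>"  # placeholder
    ok = ensure_tunnel(user)
    print(f"mirror at http://127.0.0.1:{LOCAL_PORT}/" if ok else "tunnel did not come up")
```

Once it reports the tunnel, the package manager's mirror line is changed to http://127.0.0.1:8000/ exactly as the answer describes.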

Is this to one particular server running on that mirror computer though? and if it's on port 80 then what is it? a web server on there? Then it will only access that web server which will only return that one website. OTOH I guess it might be ok for his specific package download requirement from that web server? But if his Q and the answer is so limited/specific, then he should probably update his title. – barlop – 2017-12-26T00:50:54.490

I like that method 1 does not violate the school's rules (however silly they may be). You could apply that solution more generally by changing your network settings to prefer a public DNS, and only try the school's internal DNS if it cannot find a domain's IP address. That should work for all externally-accessible servers on the local network, and for all applications on your computer. – jpaugh – 2018-09-20T15:24:13.617

@jpaugh While that works, internal DNS are preferred not because they are a superset of public DNS (they aren't), but because due to the low latency, they are an order of magnitude faster. – Pallav Agarwal – 2018-09-22T05:07:42.813

Faster, and less reliable, at least from my experience. I've given up on using my ISP's DNS servers long ago. – jpaugh – 2018-09-24T14:59:40.810

@jpaugh I must've hit my head when I was writing that. The real reason is that our institute wifi requires login, and until you login, only institute DNS works. Also institute DNS is required for resolving internal-only names. Since internal websites don't require login, you can browse the intranet without authentication as long as you are on internal DNS too. – Pallav Agarwal – 2018-09-25T23:59:01.113