|
|
Sponsored Content
Special Forums
IP Networking
Proxy Server
iptables as "proxy" and a filter
Post 302927078 by Smiling Dragon on Sunday 30th of November 2014 07:02:17 PM
11-30-2014
One thing I note in your friend's script is that it sets the firewall to drop all incoming connections before allowing port 22 (ssh) connections. If something goes wrong along the way on this, you'll need console access to get back in :/ I'd recommend setting the -P INPUT DROP last tbh 
As you've noted, this is just INPUT filters, your one is just NAT/IPMASQ. So it's like comparing apples and oranges really.
Looking just at your rules, I don't see anything untoward there, it appears that you are causing the proxy to accept traffic arriving on port 80 and redirecting it to 5.196.130.245.
An external customer connecting to the address would not be able to detect the redirect and would see all their connections as going to and coming back from the address of your proxy.
The webserver would see all the connections as coming from the proxy server address, unless the customer is setting "X-Forwarded-For" headers in their requests (not all that uncommon to find) which would be passed along to the webserver and quite possibly included in it's logs.
If you have a little more background of what your end goal is, we might be able to offer more advice
I would recommend also adding a FORWARD rule to DROP anything not for that port arriving from the external interface, as you've turned on IP forwarding and at present your setup would happily forward anything anyone asks it to. It's note really serious but could exacerbate any existing security issue into a full exploit.
As you've noted, this is just INPUT filters, your one is just NAT/IPMASQ. So it's like comparing apples and oranges really.
Looking just at your rules, I don't see anything untoward there, it appears that you are causing the proxy to accept traffic arriving on port 80 and redirecting it to 5.196.130.245.
An external customer connecting to the address would not be able to detect the redirect and would see all their connections as going to and coming back from the address of your proxy.
The webserver would see all the connections as coming from the proxy server address, unless the customer is setting "X-Forwarded-For" headers in their requests (not all that uncommon to find) which would be passed along to the webserver and quite possibly included in it's logs.
If you have a little more background of what your end goal is, we might be able to offer more advice
I would recommend also adding a FORWARD rule to DROP anything not for that port arriving from the external interface, as you've turned on IP forwarding and at present your setup would happily forward anything anyone asks it to. It's note really serious but could exacerbate any existing security issue into a full exploit.
|
|
9 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hi Friends,
Can any of you explain me about the below line of code?
mn_code=`env|grep "..mn"|awk -F"=" '{print $2}'`
Im not able to understand, what exactly it is doing :confused:
Any help would be useful for me.
Lokesha (4 Replies)
Discussion started by: Lokesha
4 Replies
2. Shell Programming and Scripting
hi All,
cat file_name | awk /^~/'{print $1","$2","$3","$4}' | sed -e 's/~//g'
Can this be done by using sed or awk alone (4 Replies)
Discussion started by: harshakusam
4 Replies
3. Shell Programming and Scripting
Hi,
I have line in input file as below:
3G_CENTRAL;INDONESIA_(M)_TELKOMSEL;SPECIAL_WORLD_GRP_7_FA_2_TELKOMSEL
My expected output for line in the file must be :
"1-Radon1-cMOC_deg"|"LDIndex"|"3G_CENTRAL|INDONESIA_(M)_TELKOMSEL"|LAST|"SPECIAL_WORLD_GRP_7_FA_2_TELKOMSEL"
Can someone... (7 Replies)
Discussion started by: shis100
7 Replies
4. Solaris
The system don't boot.
on the screen appears following:
press enter to maintenance (or type CTRL-D to continue)...I checked with format command.
... the slices "0-root","1-swap","2-backup" exist.
...the slises "3-var","6-usr" -unassigned. :( (16 Replies)
Discussion started by: wolfgang
16 Replies
5. Shell Programming and Scripting
I have a file that stores data in pairs of lines, following this format:
line 1: header (preceded by ">")
line 2: sequence
Example.txt:
>seq1 name
GATTGATGTTTGAGTTTTGGTTTTT
>seq2 name
TTTTCTTC
I want to filter out the sequences and corresponding headers for all sequences that are less... (2 Replies)
Discussion started by: pathunkathunk
2 Replies
6. UNIX for Dummies Questions & Answers
How to use "mailx" command to do e-mail reading the input file containing email address, where column 1 has name and column 2 containing “To” e-mail address
and column 3 contains “cc” e-mail address to include with same email.
Sample input file, email.txt
Below is an sample code where... (2 Replies)
Discussion started by: asjaiswal
2 Replies
7. UNIX for Dummies Questions & Answers
Hi All
It's me again with another huge txt files. :confused:
What I have:
- I have 33 huge txt files in a folder.
- I have thousands of line in this txt file which contain many the letter "x" in them.
- Some of them have more than one "x" character in the line.
What I want to achieve:... (8 Replies)
Discussion started by: Nexeu
8 Replies
8. Shell Programming and Scripting
Hello.
System : opensuse leap 42.3
I have a bash script that build a text file.
I would like the last command doing :
print_cmd -o page-left=43 -o page-right=22 -o page-top=28 -o page-bottom=43 -o font=LatinModernMono12:regular:9 some_file.txt
where :
print_cmd ::= some printing... (1 Reply)
Discussion started by: jcdole
1 Replies
9. AIX
Hi 2 all,
i have had AIX 7.2
:/# /usr/IBMAHS/bin/apachectl -v
Server version: Apache/2.4.12 (Unix)
Server built: May 25 2015 04:58:27
:/#:/# /usr/IBMAHS/bin/apachectl -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
mpm_worker_module (static)
... (3 Replies)
Discussion started by: penchev
3 Replies
LEARN ABOUT OPENSOLARIS
ssh-http-proxy-connect
ssh-http-proxy-connect(1) User Commands ssh-http-proxy-connect(1) NAME
ssh-http-proxy-connect - Secure Shell proxy for HTTP SYNOPSIS
/usr/lib/ssh/ssh-http-proxy-connect [-h http_proxy_host] [-p http_proxy_port] connect_host connect_port DESCRIPTION
A proxy command for ssh(1) that uses HTTP CONNECT. Typical use is where connections external to a network are only allowed via a proxy web server. OPTIONS
The following options are supported: -h http_proxy_host Specifies the proxy web server through which to connect. Overrides the HTTPPROXY and http_proxy environment variables if they are set. -p http_proxy_port Specifies the port on which the proxy web server runs. If not specified, port 80 is assumed. Overrides the HTTPPROXY- PORT and http_proxy environment variables if they are set. OPERANDS
The following operands are supported: http_proxy_host The host name or IP address (IPv4 or IPv6) of the proxy. http_proxy_port The numeric port number to connect to on http_proxy_host. connect_host The name of the remote host to which the proxy web server is to connect you. connect_port The numeric port number of the proxy web server to connect you to on http_proxy_host. EXAMPLES
The recommended way to use a proxy connection command is to configure the ProxyCommand in ssh_config(4) (see Example 1 and Example 2). Example 3 shows how the proxy command can be specified on the command line when running ssh(1). Example 1 Setting the proxy from the environment The following example uses ssh-http-proxy-connect in ssh_config(4) when the proxy is set from the environment: Host playtime.foo.com ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect playtime.foo.com 22 Example 2 Overriding proxy environment variables The following example uses ssh-http-proxy-connect in ssh_config(4) to override (or if not set) proxy environment variables: Host playtime.foo.com ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect -h webcache -p 8080 playtime.foo.com 22 Example 3 Using the command line The following example uses ssh-http-proxy-connect from the ssh(1) command line: example$ ssh -o'ProxyCommand="/usr/lib/ssh/ssh-http-proxy-connect -h webcache -p 8080 playtime.foo.com 22"' playtime.foo.com ENVIRONMENT VARIABLES
HTTPPROXY Takes the http_proxy_host operand to specify the default proxy host. Overrides http_proxy if both are set. HTTPPROXYPORT Takes the http_proxy_port operand to specify the default proxy port. Ignored if HTTPPROXY is not set. http_proxy URL format for specifying proxy host and port. EXIT STATUS
The following exit values are returned: 0 Successful completion. 1 An error occurred. ATTRIBUTES
See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |SUNWsshu | +-----------------------------+-----------------------------+ |Interface Stability |Stable | +-----------------------------+-----------------------------+ SEE ALSO
ssh(1), ssh-socks5-proxy-connect(1), ssh_config(4), attributes(5) SunOS 5.11 24 Oct 2001 ssh-http-proxy-connect(1)