SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Transcript

  • 1. SmartCloud Enterprise: Using a SOCKS Proxy with VLANs
    Alex Amies, aamies@cn.ibm.com, Cloud Architect, August 2012
    SCE Developers Group presentation
    © 2012 IBM Corporation
  • 2. Agenda
    - SOCKS Overview
    - Prerequisites: install PuTTY, PuTTYgen, and SCE CLT
    - Basic demo
      - Provision a virtual machine to act as SOCKS proxy
      - Start PuTTY with SOCKS proxy option
      - Access web server using SOCKS
    - Troubleshooting
    - Alternative Path: Using the cloud web user interface
    - Extended demo for VLAN connectivity
    - Connecting to SOCKS with other client types
    - Next steps
    - References
  • 3. SOCKS Overview
    Credit
    - Thanks to Navdeep Dhaliwal for pointing this solution out to me
    Motivation
    - The security of our cloud resources is enhanced if we use a VLAN
    - Using a SOCKS proxy gives us a convenient way to access the VLAN
    - Carried inside SSH, it encrypts all of the traffic crossing the Internet
    - Even when not using a VLAN, it lets us tunnel in a dynamic way
    What is SOCKS?
    - SOCKet Secure (SOCKS) is a protocol for relaying TCP connections between a client and a server through a proxy
    - It supports authentication
  • 4. SOCKS Overview (continued)
    SOCKS and SSH
    - OpenSSH can act as a SOCKS server
    - PuTTY can act as a SOCKS client
    - Allows forwarding of TCP packets to private networks
    - Operates at a lower level than HTTP proxies
    SOCKS compared to SSH tunnelling
    - It is similar to the port forwarding of SSH tunnelling with OpenSSH / PuTTY, but SOCKS is a general protocol not limited to these software packages.
    - Allows you to access multiple machines over multiple ports with a simple setup.
    - SOCKS is more dynamic: it avoids the need to set up a separate tunnel for every host and port.
    Applicability
    - Using OpenSSH as a SOCKS proxy with the steps in this demo gives users root access to the virtual machine running it
    - It is suitable for a small number of trusted users
  • 5. Prerequisites
    1) You will need an account on IBM SmartCloud Enterprise. If you do not have one you may sign up online (as an organization). The principles in this presentation apply to any other IaaS cloud that supports Linux virtual machines and VLANs.
    2) Download and install PuTTY and PuTTYgen from http://www.chiark.greenend.org.uk/~sgtatham/putty/.
    3) Install Java 6. This is needed for the SmartCloud Enterprise command line toolkit (CLT).
    4) Find the link to the SmartCloud Enterprise command line toolkit on the Support tab in the web portal. Set up the command line tool as in the CLT Reference Guide. Set up a password file as described in the guide. If you prefer not to use the command line, all the equivalent steps are available in the web portal.
    5) Create an SSH key in the SCE web portal and convert it to PuTTY format using PuTTYgen.
  • 6. Basic demo
    This demo uses SOCKS over an SSH connection to access a web server on port 80.
    Steps
    1) Create SOCKS Proxy virtual machine
    2) Start PuTTY with SOCKS proxy option
    3) Access the web server over SOCKS
  • 7. Basic Demo: overview
    We will use SOCKS to connect to a web server running on the same server as the SOCKS proxy but blocked to the outside.
    [Diagram: PuTTY on the local machine connects over port 22 to OpenSSH on the SOCKS Proxy VM; Apache on port 80 sits behind the VM's local firewall and is reachable only through the proxy.]
  • 8. Basic Demo step 1a: Create SOCKS Proxy virtual machine
    RHEL 6.2 with primary IP on the public Internet.
    Options: -t <server size>, -n <instance name>, -k <image id>, -c <key name>, -L <data center>

    > ic-create-instance.cmd -u <user id> -w <passphrase> -g <key file> -t "BRZ64.2/4096/60*500*350" -n SOCKSProxy -k 20025211 -c <my key> -L 141
    Executing action: CreateInstance ...
    The request has been submitted successfully.
    1 instances!
    ----------------------------------
    ID: 266635
    Name: SOCKSProxy
    Hostname: vhost0677
    InstanceType: BRZ64.2/4096/60*500*350
    IP: 170.225.162.167
    KeyName: <my key>
    . . .

    Wait for the instance to be provisioned.
  • 9. Basic Demo step 1b: Create SOCKS Proxy virtual machine
    Check the status of the provisioning request.

    > ic-describe-instances.cmd -u <user id> -w <passphrase> -g <key file>
    Executing action: DescribeInstances ...
    ID: 266635
    Name: SOCKSProxy
    Image ID: 20025211
    Hostname: vhost0677
    InstanceType: BRZ64.2/4096/60*500*350
    IP: 170.225.162.167
    . . .
    Status: PROVISIONING
    . . .

    Wait for the instance status to become ACTIVE.
  • 10. Basic Demo step 2a: Start PuTTY with SOCKS proxy option
    Add the dynamic tunnel in the user interface. Expand +Connections | +Auth, enter the port 5020 (any port will do), select Dynamic, and click the Add button. Save the session and click Open.
  • 11. Basic Demo step 2b: Start PuTTY with SOCKS proxy option
    Enter the user name idcuser in the Connection | Data panel to avoid typing it every time you begin a session. This is convenient but not essential.
  • 12. Basic Demo step 2 alternative: Start PuTTY with command line
    Using the Windows command line with the -D option:

    > "C:\Program Files (x86)\PuTTY\putty.exe" -i <private key> -D 5020 idcuser@<ipaddress>

    You can see the listening socket created for the dynamic tunnel with the netstat command, as shown below.

    > netstat -an
    Proto  Local Address    Foreign Address  State
    . . .
    TCP    127.0.0.1:5020   0.0.0.0:0        LISTENING
    . . .
  • 13. Basic Demo step 3a: Access the web server over SOCKS
    Start the web server on the Linux virtual machine, enable the second network interface, and check that the firewall does not allow direct access. Only port 22 should be open on the firewall from outside. We also need to add a rule allowing any port when the source is the local machine, because connections made through the SOCKS proxy reach Apache from the virtual machine's own IP address. The IP of the local machine should be used. From the remote command line type:

    $ sudo /usr/sbin/apachectl start
    $ sudo /sbin/ifup eth1
    $ sudo vi /etc/sysconfig/iptables
    # Add a line allowing any port if accessed from the local machine.
    . . .
    -A INPUT -p tcp -m tcp -s 170.225.160.64 -j ACCEPT
    . . .
    $ sudo /sbin/service iptables restart
  • 14. Basic Demo step 3b: Access the web server over SOCKS
    Set the SOCKS proxy in Firefox: open the Connection Settings dialog under Tools | Options | Advanced | Network in Firefox 10. Enter 127.0.0.1 as the address of the SOCKS proxy and the port chosen in step 2 (5020), since PuTTY is our entry point to the tunnel and it is running locally. Open the IP address of the server in the web browser.
  • 15. Basic Demo step 3c: Access the web server over SOCKS
    Access a web server running on the other virtual machine using the private IP in the VLAN. You should see the Apache test page.
  • 16. Troubleshooting
    If you cannot access the Apache server running in the VLAN, try opening a well-known web site through the same proxy settings. If there is a problem with the tunnel, you should see a message from Firefox as shown below. If the web site is visible, the problem is somewhere else.
  • 17. Troubleshooting (continued)
    If the problem is somewhere other than the tunnel, try opening the firewall to the web server on the SOCKS proxy server to see if it can be reached.

    $ sudo /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    If the problem is with the commands to create the cloud resources, use the web user interface as shown in the section below.
  • 18. Troubleshooting (continued)
    Look at the event messages in the PuTTY client.
  • 19. Troubleshooting (continued)
    Check the network on the SOCKS proxy server. If the PuTTY event log shows a "connection refused" entry resulting from your HTTP request on port 80, there may be a configuration problem with the virtual machine, or the firewall may be preventing the connection even though it comes from the local machine. Try curl to the machine's own IP address from the SSH console to make sure the web server is available locally. ICMP (ping) may be blocked, so use curl to troubleshoot. The example below shows this problem.

    $ curl 170.225.160.64
    curl: (7) couldn't connect to host
  • 20. Troubleshooting (continued)
    Check the firewall on the SOCKS proxy server. In the example below a connection is not allowed when the source is the local machine using the actual IP address of the machine: only established traffic and port 22 are accepted. Go back to the firewall rules in step 2.

    $ sudo iptables -L -n -v
    Chain INPUT (policy DROP 547 packets, 92420 bytes)
     pkts bytes target  prot opt in  out  source     destination
      765  360K ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
        1    48 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:22

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target  prot opt in  out  source     destination

    Chain OUTPUT (policy ACCEPT 900 packets, 387K bytes)
     pkts bytes target  prot opt in  out  source     destination
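    A scripted version of the checks on slides 12 to 20, added here as an example and not part of the original slides: it speaks the SOCKS5 handshake from RFC 1928 to PuTTY's dynamic forward and maps the reply code to the likely cause, so a tunnel that is not listening at all, a proxy that refuses the request, and an iptables drop on the VM can be told apart. The proxy address 127.0.0.1:5020, the target 10.10.10.74:80 and the slide hints in the reply table are assumptions taken from the demo values.

```python
# Added example (not from the slides): SOCKS5 handshake check, RFC 1928.
# Assumes PuTTY listens on 127.0.0.1:5020 (step 2) and the target is reachable from the proxy VM.
import socket
import struct

SOCKS_VERSION, CMD_CONNECT, ATYP_IPV4, NO_AUTH = 0x05, 0x01, 0x01, 0x00

# REP codes from RFC 1928 section 6, annotated with the slide to consult.
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable (is eth1 up on the proxy VM? slide 13)",
    0x04: "host unreachable (is the target VM ACTIVE on the VLAN? slide 9)",
    0x05: "connection refused (service down or iptables dropping it; slides 13, 19, 20)",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}

def build_greeting():
    """Method selection message: VER, NMETHODS=1, METHODS=[NO_AUTH]."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def build_connect_request(host, port):
    """CONNECT request for an IPv4 target: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
            + socket.inet_aton(host) + struct.pack("!H", port))

def parse_reply(data):
    """Decode the reply header; returns (rep_code, human-readable description)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % (data[:4],))
    return data[1], REPLY_CODES.get(data[1], "unassigned reply code 0x%02x" % data[1])

def _recv_exact(sock, n):
    """Read exactly n bytes; the proxy closing early is itself a useful symptom."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection after %d bytes" % len(buf))
        buf += chunk
    return buf

def check_tunnel(target_host, target_port=80, proxy=("127.0.0.1", 5020), timeout=5.0):
    """Handshake through the local listener; return the HTTP status line or the SOCKS error."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise RuntimeError("proxy rejected the no-auth method: %02x %02x" % (ver, method))
        s.sendall(build_connect_request(target_host, target_port))
        rep, text = parse_reply(_recv_exact(s, 10))  # IPv4 reply is exactly 10 bytes
        if rep != 0x00:
            return "SOCKS CONNECT failed: " + text
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + target_host.encode() + b"\r\n\r\n")
        return s.recv(256).split(b"\r\n", 1)[0].decode("ascii", "replace")

if __name__ == "__main__":
    print(check_tunnel("10.10.10.74"))
```

    A ConnectionRefusedError raised by create_connection means PuTTY is not listening on the local port at all (compare the netstat check on slide 12), whereas a REP of 0x05 means the tunnel is up and the proxy VM itself could not reach the target port.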
  • 21. Troubleshooting (continued)
    If you run into resource limits, contact your system administrator to give you sufficient resource limits for private addresses and virtual machine instances. The user in the screenshot below has insufficient resources to create a private VLAN IP address.
  • 22. Alternative Path: Using the cloud web user interface
    All the steps above can be performed with the cloud portal. For the extended scenario below you will need to allocate a reserved IP address on the VLAN. This can be done with the dialog shown below in the Account tab.
  • 23. Alternative Path: Using the cloud web user interface
    Create the SOCKS proxy VM with the primary address on the public Internet and the secondary or virtual IP on the VLAN.
  • 24. Extended demo
    Accessing virtual machines on a VLAN using SOCKS
    Steps
    1) Discover the VLANs available
    2) Reserve an IP address on the VLAN
    3) Create SOCKS Proxy virtual machine
    4) Provision a virtual machine on the VLAN
    5) Start PuTTY with SOCKS proxy option
    6) Access both virtual machines
  • 25. Extended demo overview
    Using SOCKS to access other servers on the VLAN.
    [Diagram: PuTTY on the public Internet connects over port 22 to OpenSSH on the SOCKS Proxy VM, which has public IP 170.225.160.53 and VLAN IP 10.10.10.66; from there the proxy reaches the virtual machine at 10.10.10.74 on port 80 inside the VLAN.]
  • 26. Extended demo step 1: Discover the VLANs available
    We will use the VLAN with ID 288 in Singapore (location 141).

    > ic-describe-vlans.cmd -u <user id> -w <passphrase> -g <key file>
    Executing action: DescribeVLANs ...
    ----------------------------------
    . . .
    ID: 288
    Name: Private VLAN Singapore
    Location: 141
    ----------------------------------
    Executing DescribeVLANs finished
  • 27. Extended demo step 2a: Create an IP address on the VLAN
    Find address offerings.

    > ic-describe-address-offerings.cmd -u <user id> -w <passphrase> -g <key file>
    Executing action: DescribeAddressOfferings ...
    ----------------------------------
    . . .
    ID: 20027868
    Location: 141
    Ip Type: PRIVATE
    Price: $0/UHR
    CurrencyCode: USD
    CountryCode: SPT
    PricePerQuantity: 1
    UnitOfMeasure: UHR
    ----------------------------------
    Executing DescribeAddressOfferings finished
  • 28. Extended demo step 2b: Create an IP address on the VLAN
    Create an IP address with the command line.
    Options: -L <data center>, -O <address offering id>, -x <VLAN ID>
    The address offering ID may be found from the ic-describe-address-offerings command, as in step 2a. Note the ID of the IP address.

    > ic-allocate-address.cmd -u <user id> -w <passphrase> -g <key file> -L 141 -O 20027868 -x 288
    Executing action: AllocateAddress ...
  • 29. Extended demo step 2c: Create IP addresses
    Check the status of the IP addresses.

    > ic-describe-addresses.cmd -u <user id> -w <passphrase> -g <key file>
    Executing action: DescribeAddresses ...
    3 addresses.
    ----------------------------------
    ID: 277993
    InstanceId: null
    IP: 10.10.10.66
    State: FREE
    Location: 141
    Owner: <user id>
    . . .

    Wait for the addresses to be in the FREE state.
  • 30. Extended demo step 3a: Create SOCKS Proxy virtual machine
    RHEL 6.2 with secondary IP address on the VLAN and primary on the public Internet.
    Options: -t <server size>, -n <instance name>, -k <image id>, -c <key name>, -m <secondary address id>, -L <data center>
    Hint: it is not necessary to specify a primary address when using a secondary IP.

    > ic-create-instance.cmd -u <user id> -w <passphrase> -g <key file> -t "BRZ64.2/4096/60*500*350" -n SOCKSProxy -k 20025211 -c <my key> -m "{secondary.ip.0:<address ID>}" -L 141
    Executing action: CreateInstance ...
    The request has been submitted successfully.
    1 instances!
    ----------------------------------
    ID: 266635
    Name: SOCKSProxy
    Hostname: vhost0677
    InstanceType: BRZ64.2/4096/60*500*350
    IP: 170.225.160.53
    Secondary IP(s): 10.10.10.66
    KeyName: <my key>
    . . .

    Wait for the instance to be provisioned.
  • 31. Extended demo step 4: Create a virtual machine instance on the VLAN
    RHEL 6.2 with primary IP address on the VLAN.
    Options: -t <server size>, -n <instance name>, -k <image id>, -c <key name>, -L <data center>, -x <VLAN ID>

    > ic-create-instance.cmd -u a.user@cn.ibm.com -g mykey.ext -w unlock -t "BRZ64.2/4096/60*500*350" -n ServerVLAN -k 20025211 -c july26 -m "{secondary.ip.0:282456}" -L 141
    Executing action: CreateInstance ...
    The request has been submitted successfully.
    1 instances!
    ----------------------------------
    ID: 266635
    Name: ServerVLAN
    Hostname: vhost0677
    InstanceType: BRZ64.2/4096/60*500*350
    IP: 10.10.10.74
    KeyName: <my key>
    . . .

    Wait for the instance to be provisioned.
  • 32. Extended demo: additional steps
    Steps 5 and 6 are the same as in the basic demo.
    1) Discover the VLANs available
    2) Reserve an IP address on the VLAN
    3) Create SOCKS Proxy virtual machine
    4) Provision a virtual machine on the VLAN
    5) Start PuTTY with SOCKS proxy option → step 2 of basic demo
    6) Access both virtual machines → step 3 of basic demo
    In the final step enter the IP of the virtual machine in the VLAN. This is a private IP not visible on the Internet. See next page.
  • 33. Extended demo step 6: verify access to the VLAN
    Enter the address of the virtual machine on the VLAN. Test with and without proxy settings in the browser.
  • 34. Connecting to SOCKS with other client types
    All the examples so far used Firefox to connect to the SOCKS proxy, because Firefox has a simple option to act as a SOCKS client.
    Some, but not all, software applications have options to connect as a SOCKS client. Java supports this using the socksProxyHost system property:

    $ java -DsocksProxyHost=<SOCKS proxy> <MainClass>

    For applications that do not directly support SOCKS you can use a "proxifier". A proxifier is a program that intercepts an application's TCP connections and routes them through a proxy. Examples of proxifiers are proxychains (open source), SocksChain (commercial), Proxifier (commercial), and ProxyCap (commercial).
  • 35. Connecting to SOCKS with other client types - proxychains
    Proxychains is a Linux utility that can intercept TCP connections from a software application and redirect them through a SOCKS proxy even if the application does not directly support SOCKS. On SUSE and Ubuntu install proxychains with the command below:

    $ sudo apt-get install proxychains

    On RHEL use this command:

    $ sudo yum install proxychains

    Edit the file /etc/proxychains.conf, setting the IP address and port of your SOCKS proxy. To use it, enter the command

    $ sudo proxychains <application_name>

    where <application_name> is the command for the application that you want to run through the proxy.
  • 36. Next Steps
    You can try this demo out yourself and extend it in many ways. Many of the choices in the demo were made to make it easy to follow. There are relatively few real limitations.
    Extending the scenario
    - There is no limitation to RHEL. OpenSSH can run on other flavors of Linux and on Windows with Cygwin installed.
    - There is no limitation to Firefox. Other browsers and TCP clients can use SOCKS proxy servers. For example, Java is able to use its network libraries via a SOCKS proxy.
    - There are other SOCKS proxy servers besides OpenSSH / PuTTY.
  • 37. Resources
    1) Proxychains project site, http://proxychains.sourceforge.net/
    2) OpenSSH project web site, http://www.openssh.com/
    3) Proxifier product web site, http://www.proxifier.com/
    4) ProxyCap, http://www.proxycap.com/
    5) SocksChain, http://ufasoft.com/socks/
    6) Tatham, S. PuTTY project web site, http://www.chiark.greenend.org.uk/~sgtatham/putty/
  • 38. References
    1) Alexander, A., 2010. How to create a Firefox SOCKS proxy with a Putty SSH tunnel, http://www.devdaily.com/unix/edu/putty-ssh-tunnel-firefox-socks-proxy/1-putty-ssh-tunnel-introdu
    2) Amies, A., Sluiman, H., Tong, Q. G., Liu, G. N., 2012. Developing and Hosting Applications on the Cloud, IBM Press, ISBN-13: 978-0-13-306684-5, http://www.ibmpressbooks.com/bookstore/product.asp?isbn=9780133066845
    3) Gite, A., 2012. Linux: 20 Iptables Examples For New SysAdmins, http://www.cyberciti.biz/tips/linux-iptables-examples.html
    4) IBM, 2012. SmartCloud Enterprise Command Line Toolkit Reference, http://www.ibm.com/cloud/enterprise
    5) Oracle, 2011. Java Networking and Proxies, http://docs.oracle.com/javase/6/docs/technotes/guides/net/proxies.html
    6) Leech, M., et al., 1996. SOCKS Protocol Version 5. Request for Comments: 1928, IETF, http://tools.ietf.org/html/rfc1928
  • 40. Trademarks and notes
    © IBM Corporation 2012
    IBM, the IBM logo, ibm.com, Cognos, DB2, Informix, Lotus, Rational, SmartCloud, System x, Tivoli and WebSphere are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), these symbols indicate US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml
    Intel is a trademark of Intel Corporation or its subsidiaries in the United States and other countries.
    Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
    Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
    Other company, product and service names may be trademarks or service marks of others.
    References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.