SmartCloud Enterprise: Using a SOCKS Proxy with VLANs


Upload: alex-amies

Post on 08-May-2015


TRANSCRIPT

Page 1: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

© 2012 IBM Corporation

SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

SCE Developers Group presentation

Alex Amies, [email protected]

Cloud Architect

August, 2012

Page 2: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Agenda

SOCKS Overview

Prerequisites – install PuTTY, PuTTYgen, and SCE CLT

Basic demo

– Provision a virtual machine to act as SOCKS proxy

– Start PuTTY with SOCKS proxy option

– Access web server using SOCKS

Troubleshooting

Alternative Path: Using the cloud web user interface

Extended demo for VLAN connectivity

Connecting to SOCKS with other client types

Next steps

References

Page 3: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs


SOCKS Overview

Credit

Thanks to Navdeep Dhaliwal for pointing this solution out to me

Motivation

The security of our cloud resources is enhanced if we use a VLAN

Using a SOCKS proxy allows us a convenient way to access the VLAN

Carried over SSH, it encrypts all traffic over the Internet

Even if not using a VLAN it can allow us to tunnel in a dynamic way

What is SOCKS?

SOCKet Secure (SOCKS) is a protocol that supports routing between client and server

It allows authentication

Page 4: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs


SOCKS Overview (continued)

SOCKS and SSH

OpenSSH can act as a SOCKS server

PuTTY can act as a SOCKS client

Allows forwarding of TCP packets to private networks

Operates at a lower level than HTTP proxies

SOCKS compared to SSH tunnelling

It is similar to the port forwarding of SSH tunnelling when using OpenSSH / PuTTY, but SOCKS is a general protocol not limited to these software packages.

Allows you to access multiple machines over multiple ports with a simple setup.

SOCKS is more dynamic: it avoids the need to set up a separate tunnel for each destination and port.

Applicability

The use of OpenSSH as a SOCKS proxy using the steps in this demo will give users root access to the virtual machine running it

It is suitable for a small number of trusted users
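The overview above describes SOCKS as a protocol that PuTTY speaks on the local dynamic port and OpenSSH answers on the other end of the SSH session. As an added example (not code from the presentation, from PuTTY or from OpenSSH), the Python below encodes and decodes the three SOCKS5 messages defined in RFC 1928, which the deck cites: the client greeting with its method list, the server's method selection, and the CONNECT request with its reply. A socks_connect() helper wires them together to open a TCP connection through any SOCKS5 proxy that accepts the no-authentication method, which is what the SSH-backed proxy in this demo does. The proxy port 5020 and the VLAN addresses are taken from the slides; the byte strings in the comments and the HEAD request are constructed for illustration.

```python
"""SOCKS5 (RFC 1928) client messages and a connect helper.

Added example for this transcript; not code from the presentation, PuTTY or
OpenSSH.  Port 5020 and the VLAN addresses come from the slides.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00   # SSH already authenticated us, so PuTTY's local port needs no SOCKS auth
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes, RFC 1928 section 6.  0x05 is what PuTTY's event log reports as
# "connection refused" when the VM firewall or a stopped Apache rejects port 80.
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure",
              0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
              0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
              0x07: "command not supported", 0x08: "address type not supported"}


def build_greeting(methods=(NO_AUTH,)):
    """Client greeting: VER | NMETHODS | METHODS (b'\\x05\\x01\\x00' for no-auth only)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_selection(data):
    """Server answer to the greeting: VER | METHOD.  Returns the chosen method."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == 0xFF:
        raise ValueError("server accepted none of the offered methods")
    return data[1]


def encode_address(host):
    """ATYP + DST.ADDR.  Names go as ATYP 0x03 so the proxy resolves them on the
    VLAN side; literal IPv4/IPv6 addresses are sent packed."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def build_connect_request(host, port):
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + encode_address(host) + struct.pack("!H", port)


def parse_reply(data):
    """Reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (code, text, host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp, body = data[1], data[3], data[4:]
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        addr_len = 4 if atyp == ATYP_IPV4 else 16
    elif atyp == ATYP_DOMAIN:
        addr_len = 1 + body[0] if body else 1
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(body) != addr_len + 2:
        raise ValueError("truncated or oversized SOCKS5 reply")
    if atyp == ATYP_DOMAIN:
        host = body[1:addr_len].decode("idna")
    else:
        host = str(ipaddress.ip_address(body[:addr_len]))
    return rep, REPLY_TEXT.get(rep, "unassigned"), host, struct.unpack("!H", body[addr_len:])[0]


def _recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver a reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=10):
    """Open a TCP connection to dest through a SOCKS5 proxy (e.g. PuTTY's local
    dynamic port) and return the connected socket; raises on any SOCKS error."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_greeting())
        parse_method_selection(_recv_exact(sock, 2))
        sock.sendall(build_connect_request(dest_host, dest_port))
        head = _recv_exact(sock, 4)
        if head[3] == ATYP_DOMAIN:
            length = _recv_exact(sock, 1)
            tail = length + _recv_exact(sock, length[0] + 2)
        else:
            tail = _recv_exact(sock, (4 if head[3] == ATYP_IPV4 else 16) + 2)
        code, text, _, _ = parse_reply(head + tail)
        if code != 0x00:
            raise ConnectionError("SOCKS CONNECT to %s:%d failed: %s" % (dest_host, dest_port, text))
    except Exception:
        sock.close()
        raise
    return sock


if __name__ == "__main__":
    # The browser's path in the demo: local PuTTY port 5020 -> web server on the VLAN.
    s = socks_connect("127.0.0.1", 5020, "10.10.10.74", 80)
    s.sendall(b"HEAD / HTTP/1.0\r\nHost: 10.10.10.74\r\n\r\n")
    print(s.recv(256).decode(errors="replace"))
```

Any TCP client can be given this treatment, which is what the later slides on other client types achieve with proxifiers: the client speaks SOCKS5 to 127.0.0.1:5020 and sshd on the VM makes the real connection on the VLAN side. Sending names with address type 0x03 keeps DNS resolution on the proxy, so private VLAN host names never reach the client's resolver, and a non-zero reply code is the wire-level form of the "connection refused" entry discussed under Troubleshooting.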

Page 5: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs


Prerequisites

1) You will need an account on IBM SmartCloud Enterprise. If you do not have one you may sign up online (as an organization). The principles in this presentation will apply to any other IaaS cloud that supports Linux virtual machines and VLANs.

2) Download and install PuTTY and PuTTYgen from http://www.chiark.greenend.org.uk/~sgtatham/putty/.

3) Install Java 6. This is needed for the SmartCloud Enterprise command line toolkit (CLT).

4) Find the link to the SmartCloud Enterprise command line toolkit on the Support tab in the web portal. Set up the command line tool as in the CLT Reference Guide. Set up a password file as described in the guide. If you prefer not to use the command line, all the equivalent steps are available in the web portal.

5) Create an SSH key in the SCE web portal and convert it to PuTTY format using PuTTYgen.

Page 6: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Basic demo

This demo uses SOCKS over SSH to access a web server on port 80.

Steps

1) Create SOCKS Proxy virtual machine

2) Start PuTTY with SOCKS proxy option

3) Access the web server over SOCKS

Page 7: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Basic Demo: overview

We will use SOCKS to connect to a web server running on the same server as the SOCKS proxy but blocked to the outside.

[Diagram: PuTTY connects to OpenSSH on port 22 of the SOCKS Proxy (VM); Apache on port 80 of the same VM sits behind the local firewall on the same network interface and is reached only through the proxy.]

Page 8: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Basic Demo step 1a: Create SOCKS Proxy virtual machine

RHEL 6.2 with primary IP on the public Internet. Options: -t <server size>, -n <instance name>, -k <image id>, -c <key name>, -L <data center>

> ic-create-instance.cmd -u <user id> -w <passphrase> -g <key file> -t "BRZ64.2/4096/60*500*350" -n SOCKSProxy -k 20025211 -c <my key> -L 141

Executing action: CreateInstance ...

The request has been submitted successfully.

1 instances!

----------------------------------

ID: 266635

Name: SOCKSProxy

Hostname: vhost0677

InstanceType: BRZ64.2/4096/60*500*350

IP: 170.225.162.167

KeyName: <my key>

. . .

Wait for instance to be provisioned

Page 9: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Basic Demo step 1b: Create SOCKS Proxy virtual machine

Check status of provisioning request

> ic-describe-instances.cmd -u <user id> -w <passphrase> -g <key file>

Executing action: DescribeInstances …

ID: 266635

Name: SOCKSProxy

Image ID: 20025211

Hostname: vhost0677

InstanceType: BRZ64.2/4096/60*500*350

IP: 170.225.162.167

. . .

Status: PROVISIONING

. . .

Wait for instance status to become ACTIVE

Page 10: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Basic Demo step 2a: Start PuTTY with SOCKS proxy option

Add the dynamic tunnel in the user interface. Expand +Connections | +Auth, enter the port 5020 (any port will do), select Dynamic, and click the Add button. Save the session and click Open.

Page 11: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Basic Demo step 2b: Start PuTTY with SOCKS proxy option

Enter the user name idcuser in the Connection | Data panel to avoid typing it every time you begin a session. This is convenient but not essential.

Page 12: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Basic Demo step 2 alternative: Start PuTTY with command line

Using the Windows command line with the -D option

> "C:\Program Files (x86)\PuTTY\putty.exe" -i <private key> -D 5020 idcuser@<ip address>

You can see the connection created with the netstat command, as shown below

>netstat -an

Proto Local Address Foreign Address State

. . .

TCP 127.0.0.1:5020 0.0.0.0:0 LISTENING

. . .

Page 13: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Basic Demo step 3a: Access the web server over SOCKS

Start the web server on the Linux virtual machine, enable the second network interface, and check that the firewall does not allow direct access. Only port 22 should be open on the firewall from outside. We also need to add a rule accepting any port when the source is the local machine; the machine's own IP address should be used. From the remote command line type

$ sudo /usr/sbin/apachectl start

$ sudo /sbin/ifup eth1

$ sudo vi /etc/sysconfig/iptables

# Add line allowing any port if accessed from the local machine.

. . .

-A INPUT -p tcp -m tcp -s 170.225.160.64 -j ACCEPT

. . .

$ sudo /sbin/service iptables restart

Page 14: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Basic Demo step 3b: Access the web server over SOCKS

Set the SOCKS proxy in Firefox: open the Connection Settings dialog in Tools | Options | Advanced | Network in Firefox 10. Enter 127.0.0.1 as the SOCKS host and the port chosen in step 2, since PuTTY is our entry point to the tunnel and it is running locally. Open the IP address of the server in the web browser.

Page 15: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Basic Demo step 3c: Access the web server over SOCKS

Access a web server running on the other virtual machine using the private IP in the VLAN. You should see the Apache test page.

Page 16: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Troubleshooting

If you cannot access the Apache server running in the VLAN, try opening the web server of a well-known web site. If there is a problem with the tunnel then you should see a message from Firefox as shown below. If the web site is visible then the problem is somewhere else.

Page 17: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Troubleshooting (continued)

If the problem is not with the tunnel, try opening the firewall to the web server on the SOCKS proxy server to see if it can be reached.

$ sudo /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If the problem is with the commands to create the cloud resources then use the web user interface as shown in the section below.

Page 18: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Troubleshooting (continued)

Look at the event messages in the PuTTY client.

Page 19: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Troubleshooting (continued)

Check the network on the SOCKS proxy server

If the PuTTY event log shows an entry with connection refused resulting from your HTTP request on port 80, then there may be a configuration problem with the virtual machine, or the firewall may be preventing the connection even though it is from the local machine. Try curl to the machine using its IP address from the SSH console to make sure that it is available locally. ICMP (ping) may be blocked, so use curl to troubleshoot. The example below shows this problem.

$ curl 170.225.160.64

curl: (7) couldn't connect to host

Page 20: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Troubleshooting (continued)

Check the firewall on the SOCKS proxy server. In the example below a connection from the local machine's own IP address is not accepted: no rule matches it and the INPUT chain policy is DROP. Go back to the firewall rules in step 2.

$ sudo iptables -L -n -v

Chain INPUT (policy DROP 547 packets, 92420 bytes)

pkts bytes target prot opt in out source destination

765 360K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 900 packets, 387K bytes)

pkts bytes target prot opt in out source destination
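The listing above can be read mechanically, which is useful when a rule change is about to be applied to a VM whose only management path is this SSH session. The Python below is an added example, not code from the presentation: it parses the INPUT chain of an `iptables -L -n -v` listing (constructed here from the slide's output) and walks the rules in order the way the kernel does, returning the first matching target or the chain policy. It shows why a new connection to port 80 from the proxy's own address 170.225.160.64 is dropped with the rules as listed, and accepted once the rule from step 3a is appended. The evaluator only understands the match columns that appear on these slides (protocol, source, `dpt:` and `state`); that restriction is an assumption of this example, not a property of iptables.

```python
"""Walk the INPUT chain of an `iptables -L -n -v` listing and decide a packet's fate.

Added example for this transcript, not code from the presentation.  It handles
only the match columns seen on the slides: protocol, source, `dpt:` and `state`.
"""
import ipaddress
import re

CHAIN_RE = re.compile(r"Chain (\S+) \(policy (\S+)")

# Constructed from the listing on the troubleshooting slide: only port 22 and
# already-established traffic are accepted; the INPUT policy is DROP.
LISTING_BEFORE = """\
Chain INPUT (policy DROP 547 packets, 92420 bytes)
 pkts bytes target prot opt in out source destination
  765 360K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 900 packets, 387K bytes)
 pkts bytes target prot opt in out source destination
"""

# The same listing after the rule from step 3a
# (-A INPUT -p tcp -m tcp -s 170.225.160.64 -j ACCEPT) has been appended.
LISTING_AFTER = LISTING_BEFORE.replace(
    "Chain FORWARD",
    "    0 0 ACCEPT tcp -- * * 170.225.160.64 0.0.0.0/0\nChain FORWARD",
)


def parse_listing(text):
    """Return {chain: {"policy": ..., "rules": [...]}} for every chain in the listing."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        if current is None or line.startswith("pkts"):
            continue  # column header, or text before the first chain
        # pkts bytes target prot opt in out source destination [match options]
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue
        extra = parts[9] if len(parts) > 9 else ""
        dpt = re.search(r"\bdpt:(\d+)", extra)
        state = re.search(r"\bstate (\S+)", extra)
        current["rules"].append({
            "target": parts[2],
            "proto": parts[3],
            "source": ipaddress.ip_network(parts[7]),   # "170.225.160.64" becomes a /32
            "dport": int(dpt.group(1)) if dpt else None,
            "states": set(state.group(1).split(",")) if state else None,
        })
    return chains


def decide(listing, proto, src, dport, state="NEW", chain="INPUT"):
    """First-match evaluation: target of the first matching rule, else the chain policy."""
    table = parse_listing(listing)[chain]
    src_ip = ipaddress.ip_address(src)
    for rule in table["rules"]:
        if rule["proto"] not in ("all", proto):
            continue
        if src_ip not in rule["source"]:
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        if rule["states"] is not None and state not in rule["states"]:
            continue
        return rule["target"]
    return table["policy"]


if __name__ == "__main__":
    proxy_ip = "170.225.160.64"  # the VM's own address, as used on the slides
    print("port 80 from the VM itself, before:", decide(LISTING_BEFORE, "tcp", proxy_ip, 80))
    print("port 80 from the VM itself, after: ", decide(LISTING_AFTER, "tcp", proxy_ip, 80))
    print("port 22 from the Internet:         ", decide(LISTING_AFTER, "tcp", "203.0.113.9", 22))
```

The slide's rule accepts every TCP port from the proxy's own address; a rule that additionally carries `tcp dpt:80` keeps the demo working while leaving the VM's other ports closed to that source, and the evaluator can confirm either variant before `service iptables restart` is run over the only SSH session into the machine.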

Page 21: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Troubleshooting (continued)

If you get an issue with resource limits, contact your system administrator to give you sufficient resource limits for private addresses and virtual machine instances. The user in the screen shot below has insufficient resources to create a private VLAN IP address.

Page 22: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Alternative Path: Using the cloud web user interface

All the steps above can be performed with the cloud portal. For the extended scenario below you will need to allocate a reserved IP address on the VLAN. This can be done with the dialog shown below in the Account tab.

Page 23: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Alternative Path: Using the cloud web user interface (continued)

Create the SOCKS proxy VM with the primary address on the public Internet and the secondary or virtual IP on the VLAN.

Page 24: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Extended demo

Accessing virtual machines on a VLAN using SOCKS

Steps

1) Discover the VLANs available

2) Reserve an IP address on the VLAN.

3) Create SOCKS Proxy virtual machine

4) Provision a virtual machine on the VLAN

5) Start PuTTY with SOCKS proxy option

6) Access both virtual machines

Page 25: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Extended demo overview

Using SOCKS to access other servers on the VLAN

[Diagram: PuTTY on the public Internet connects over port 22 to the SOCKS Proxy (VM), which has public IP 170.225.160.53 and VLAN IP 10.10.10.66; the Virtual Machine on the VLAN, 10.10.10.74, serves port 80 and is reached only through the proxy.]

Page 26: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Extended demo step 1: Discover the VLANs available

We will use the VLAN with ID 288 in Singapore (location 141)

> ic-describe-vlans.cmd -u <user id> -w <passphrase> -g <key file>

Executing action: DescribeVLANs ...

----------------------------------

. . .

ID: 288

Name: Private VLAN Singapore

Location: 141

----------------------------------

Executing DescribeVLANs finished

Page 27: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Extended demo step 2a: Create an IP address on the VLAN

Find address offerings

> ic-describe-address-offerings.cmd -u <user id> -w <passphrase> -g <key file>

Executing action: DescribeAddressOfferings ...

----------------------------------

. . .

ID: 20027868

Location: 141

Ip Type: PRIVATE

Price: $0/UHR

CurrencyCode: USD

CountryCode: SPT

PricePerQuantity: 1

UnitOfMeasure: UHR

----------------------------------

Executing DescribeAddressOfferings finished

Page 28: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Extended demo step 2b: Create an IP address on the VLAN

Create an IP address with the command line. Options: -L <data center>, -O <address offering id>, -x <VLAN ID>. The address offering ID may be found from the ic-describe-address-offerings command, as in step 2a. Note the ID of the IP address.

> ic-allocate-address.cmd -u <user id> -w <passphrase> -g <key file> -L 141 -O 20027868 -x 288

Executing action: AllocateAddress ...

Page 29: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Extended demo step 2c: Create IP addresses

Check status of IP addresses

> ic-describe-addresses.cmd -u <user id> -w <passphrase> -g <key file>

Executing action: DescribeAddresses ...

3 addresses.

----------------------------------

ID: 277993

InstanceId: null

IP: 10.10.10.66

State: FREE

Location: 141

Owner: <user id>

. . .

Wait for addresses to be in the FREE state

Page 30: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Extended demo step 3a: Create SOCKS Proxy virtual machine

RHEL 6.2 with secondary IP address on the VLAN and primary on the public Internet. Options: -t <server size>, -n <instance name>, -k <image id>, -c <key name>, -m <secondary address id>, -L <data center>

Hint: it is not necessary to specify a primary address when using a secondary IP.

> ic-create-instance.cmd -u <user id> -w <passphrase> -g <key file> -t "BRZ64.2/4096/60*500*350" -n SOCKSProxy -k 20025211 -c <my key> -m "{secondary.ip.0:<address ID>}" -L 141

Executing action: CreateInstance ...

The request has been submitted successfully.

1 instances!

----------------------------------

ID: 266635

Name: SOCKSProxy

Hostname: vhost0677

InstanceType: BRZ64.2/4096/60*500*350

IP: 170.225.160.53

Secondary IP(s): 10.10.10.66

KeyName: <my key>

. . .

Wait for instance to be provisioned

Page 31: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Extended demo step 4: Create a virtual machine instance on the VLAN

RHEL 6.2 with primary IP address on the VLAN. Options: -t <server size>, -n <instance name>, -k <image id>, -c <key name>, -L <data center>, -x <VLAN ID>

> ic-create-instance.cmd -u [email protected] -g mykey.ext -w unlock -t "BRZ64.2/4096/60*500*350" -n ServerVLAN -k 20025211 -c july26 -m "{secondary.ip.0:282456}" -L 141

Executing action: CreateInstance ...

The request has been submitted successfully.

1 instances!

----------------------------------

ID: 266635

Name: ServerVLAN

Hostname: vhost0677

InstanceType: BRZ64.2/4096/60*500*350

IP: 10.10.10.74

KeyName: <my key>

. . .

Wait for instance to be provisioned

Page 32: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Extended demo: additional steps

Steps 5 and 6 are the same as in the basic demo

1) Discover the VLAN's available

2) Reserve an IP address on the VLAN.

3) Create SOCKS Proxy virtual machine

4) Provision a virtual machine on the VLAN

5) Start PuTTY with SOCKS proxy option → step 2 of basic demo

6) Access both virtual machines → step 3 of basic demo

In the final step enter the IP of virtual machine in the VLAN. This is a private IP not visible on the Internet. See next page.

Page 33: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Extended demo step 6: verify access to the VLAN

Enter the address of the virtual machine on the VLAN. Test with and without proxy settings in the browser.

Page 34: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs


Connecting to SOCKS with other client types

All the examples so far used Firefox as an example to connect to the SOCKS proxy. This is because Firefox has a simple option to act as a SOCKS client.

Some but not all software applications have options to connect as a SOCKS client. Java supports this using the socksProxyHost system property, together with socksProxyPort, which defaults to 1080 and so must be set when the proxy listens on another port such as 5020.

$ java -DsocksProxyHost=<SOCKS proxy> -DsocksProxyPort=<port> <MainClass>

For applications that do not directly support SOCKS you can use a “proxifier.” A proxifier is a program that will intercept TCP connections and route them through a proxy. Examples of proxifiers are proxychains (open source), SocksChain (commercial), Proxifier (commercial), and ProxyCap (commercial).

Page 35: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs


Connecting to SOCKS with other client types - proxychains

Proxychains is a Linux utility that can intercept TCP connections from a software application and redirect them through a SOCKS proxy even if the application does not directly support SOCKS. On Ubuntu install proxychains with the command below

$ sudo apt-get install proxychains

On SUSE use zypper

$ sudo zypper install proxychains

On RHEL use yum (the package is available from the EPEL repository)

$ sudo yum install proxychains

Edit the file /etc/proxychains.conf, setting the IP address and port for your SOCKS proxy. To use it enter the command

$ sudo proxychains <application_name>

Where <application_name> is the command for the application that you want to use.

Page 36: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs

Next Steps

You can try this demo out yourself and extend it in many ways. Many of the choices in the demo were made to make it easy to follow. There are relatively few real limitations.

Extending the scenario

There is no limitation on using RHEL. OpenSSH can run on other flavors of Linux and on Windows with Cygwin installed. There is no limitation on using Firefox. Other browsers and TCP clients can use SOCKS proxy servers. For example, Java is able to use the network libraries via a SOCKS proxy. There are other SOCKS proxy servers besides OpenSSH / PuTTY.

Page 37: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs


Resources

1) Proxychains project site, http://proxychains.sourceforge.net/

2) OpenSSH project web site, http://www.openssh.com/.

3) Proxifier product web site, http://www.proxifier.com/.

4) ProxyCap, http://www.proxycap.com/

5) SocksChain, http://ufasoft.com/socks/

6) Tatham, S. PuTTY project web site, http://www.chiark.greenend.org.uk/~sgtatham/putty/.

Page 38: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs


References

1) Alexander, A, 2010. How to create a Firefox SOCKS proxy with a Putty SSH tunnel, http://www.devdaily.com/unix/edu/putty-ssh-tunnel-firefox-socks-proxy/1-putty-ssh-tunnel-introduction.shtml.

2) Amies A., Sluiman H, Tong Q G, Liu G N, 2012. Developing and Hosting Applications on the Cloud, IBM Press, ISBN-13: 978-0-13-306684-5, http://www.ibmpressbooks.com/bookstore/product.asp?isbn=9780133066845.

3) Gite, A, 2012. Linux: 20 Iptables Examples For New SysAdmins, http://www.cyberciti.biz/tips/linux-iptables-examples.html.

4) IBM, 2012. SmartCloud Enterprise Command Line Toolkit Reference, http://www.ibm.com/cloud/enterprise.

5) Oracle, 2011. Java Networking and Proxies, http://docs.oracle.com/javase/6/docs/technotes/guides/net/proxies.html.

6) Leech, et al, 1996. SOCKS Protocol Version 5. Request for Comments: 1928, IETF, http://tools.ietf.org/html/rfc1928.


Page 40: SmartCloud Enterprise: Using a SOCKS Proxy with VLANs


Trademarks and notes

©IBM Corporation 2012

IBM, the IBM logo, ibm.com, Cognos, DB2, Informix, Lotus, Rational, SmartCloud, System x, Tivoli and WebSphere are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), these symbols indicate US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

Intel is a trademark of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.