These are instructions for a simple gateway.
This is not a replacement for something like NoCatAuth, but is meant to complement a catch and release system. The big benefit is that it will allow you access to a network (The InterNet is a good example) even if the gateway is not on your subnet. It also allows reverse tunnels to the .cwn
This works under Linux, FreeBSD or OpenBSD. It doesn't take a monster of a computer, so you can do it with pretty much any old box you have lying around.
This example only uses SSH and can only forward straight TCP connections. If you want your gateway for games or other services, you may need to add more proxies or switch from SSH to IPSEC or some other protocol. This is not an end-all-be-all guide to gatewaying, but should be enough to get you started.
what you need
SSH
- generally installed by default.
Squid Proxy
web server (for documentation)
- any webserver will do. it's just for docs.
config tips
Squid evaluates http_access rules in order, so make sure that your deny all is the last one.
-- /etc/squid.conf --
http_access allow localhost
http_access deny all
create a user account on your system with no password.
If you don't want the gateway to be public, you probably shouldn't do that.
-- /etc/passwd --
public:*:1001:1001:Tunnel:/nonexistent:/bin/tunnel
-- /usr/local/etc/sshd_config --
PermitEmptyPasswords yes
/bin/tunnel is a simple C program that doesn't give the user any shell access, but allows them to establish an SSH tunnel.
--begin tunnel.c--
#include <stdio.h>
#include <unistd.h>   /* sleep() */

/* Restricted login shell: print a banner, then sleep forever so the SSH
   session stays open for port forwarding without ever offering a shell. */
int main(void)
{
    printf("Welcome to tunnelhost, go to http://tunnelhost/ for instructions\r\n");
    fflush(stdout);   /* stdout is a pipe when no pty is allocated; push the banner out */
    while (1)
        sleep(5);
    return 0;
}
--end tunnel.c--
gcc -o tunnel tunnel.c
move this to /bin and add /bin/tunnel to /etc/shells
help out your users
Put up a web server with a page that explains what services you proxy.
Hi, welcome to tunnelhost. This machine is dual homed between SeattleWireless and the InterNet. To establish a proxied web connection, use the java applet or point your tunnel at localhost:8080. If you need to tunnel to another host, you must know the machine name and port to connect to before you establish your connection.
List of proxies this server runs:
web - port 8080
Setup a Proxy Auto Configuration script:
// a very simple autoconfig script, routes .cwn through the local ssh tunnel
function FindProxyForURL(url, host)
{
    /* if it ends in .cwn, proxy it */
    if (dnsDomainIs(host, ".cwn"))
        return "PROXY 127.0.0.1:8080; DIRECT";
    return "DIRECT";
}
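The routing logic above can be checked before it is handed to users. The following is an added example, not part of the original page: it supplies its own copy of the PAC helper dnsDomainIs() (browsers normally provide it inside the PAC sandbox) so the function runs under plain Node.js, adds a stricter variant without the DIRECT fallback, and runs both over a few constructed hostnames. The lowercasing in the shim and the strict variant are this example's own choices, not something the page prescribes.

```javascript
// Added example (not from the original page). Offline harness for the PAC
// script: a shim for the browser-supplied dnsDomainIs(), the page's routing
// function, a fail-closed variant, and a driver over constructed hostnames.

const TUNNEL = "PROXY 127.0.0.1:8080";

// Shim for the PAC built-in: true when `host` ends with `domain`.
// Assumption of this example: hostnames are compared case-insensitively.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// The page's PAC logic: .cwn hosts go through the local SSH tunnel, with a
// DIRECT fallback; everything else is reached directly.
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".cwn"))
    return TUNNEL + "; DIRECT";
  return "DIRECT";
}

// Variant without the DIRECT fallback. With the original script, a .cwn
// request made while the tunnel is down is retried over the client's normal
// interface (including a DNS lookup of the .cwn name there); this version
// simply fails until the tunnel is back.
function FindProxyForURLStrict(url, host) {
  if (dnsDomainIs(host, ".cwn"))
    return TUNNEL;
  return "DIRECT";
}

// Constructed sample hosts a client on the wireless network might request.
const SAMPLE_HOSTS = [
  "www.cwn", "nocat.seattle.cwn", "WIKI.CWN",
  "www.example.com", "notcwn", "cwn", "example.cwn.org",
];

// Evaluate a PAC function for each host; returns {host: decision}.
function routeAll(pacFn, hosts = SAMPLE_HOSTS) {
  const out = {};
  for (const h of hosts)
    out[h] = pacFn("http://" + h + "/", h);
  return out;
}

console.log(routeAll(FindProxyForURL));
console.log(routeAll(FindProxyForURLStrict));
```

Note that "notcwn", "cwn" and "example.cwn.org" all resolve to DIRECT: dnsDomainIs() is a suffix test including the leading dot, so only names that really are under .cwn reach the tunnel.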
SSH clients
You also may want to have some tools available.
Java application / applet
Windows OpenSSH
Mac SSH
Command line options.
ssh -L 8080:localhost:8080 -L 2222:anotherhost:22 public@tunnelhost
MindTerm Bootstrap HTML
Throw this code into an index.html somewhere:
<html>
<APPLET CODE="com.mindbright.application.MindTerm.class"
        ARCHIVE="mindterm_ns.jar" WIDTH=0 HEIGHT=0>
<PARAM NAME="cabinets" VALUE="mindterm_ie.cab">
<PARAM NAME="sepframe" value="true">
<PARAM NAME="autoprops" value="both">
<PARAM NAME="debug" value="true">
<param name="server" value="your.gateway.name">
<param name="local0" value="8080:127.0.0.1:8080">
<param name="copy-select" value="false">
<param name="username" value="gateway">
<param name="password" value="public">
</applet>
</html>

The params "localX" (X being 0 through whatever) will automagically set up port forwarding. For example:

<param name="local0" value="8080:127.0.0.1:8080">
<param name="local1" value="110:127.0.0.1:110">
<param name="local2" value="25:127.0.0.1:25">

sets up forwarding for the web proxy, POP3 and SMTP. Client programs can then be configured to use the IP address 127.0.0.1.
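To see what the localX values actually configure, here is an added example (not from the page and not MindTerm's own code) that parses "lport:host:rport" specs, rejects malformed ones, converts them to the equivalent ssh -L arguments used in the command line section above, and flags two things worth noticing before trusting an applet configuration: local ports below 1024 need root to bind on Unix clients, and a forward whose target is not the gateway's own loopback reaches a third host. The sample params are constructed from the three forwards shown above.

```javascript
// Added example (not from the original page or MindTerm): parse MindTerm
// "localX" forward specs into the equivalent OpenSSH -L arguments and report
// what a user should look at before accepting them.

// Constructed sample: the three forwards the page configures.
const SAMPLE_PARAMS = {
  local0: "8080:127.0.0.1:8080",
  local1: "110:127.0.0.1:110",
  local2: "25:127.0.0.1:25",
};

// Port string -> number in 1..65535, or null if malformed.
function parsePort(s) {
  if (!/^\d{1,5}$/.test(s)) return null;
  const n = Number(s);
  return n >= 1 && n <= 65535 ? n : null;
}

// "lport:host:rport" -> {lport, host, rport, warnings}; throws on bad input.
function parseForward(spec) {
  const parts = spec.split(":");
  if (parts.length !== 3) throw new Error("bad forward spec: " + spec);
  const lport = parsePort(parts[0]);
  const host = parts[1];
  const rport = parsePort(parts[2]);
  if (lport === null || rport === null || host === "")
    throw new Error("bad forward spec: " + spec);
  const warnings = [];
  // Binding a local port below 1024 needs root on Unix clients.
  if (lport < 1024) warnings.push("privileged local port " + lport);
  // The page's proxies listen on the gateway's loopback; any other target is
  // a forward on to a third host and deserves a second look.
  if (host !== "127.0.0.1" && host !== "localhost")
    warnings.push("forward target is not the gateway's loopback: " + host);
  return { lport, host, rport, warnings };
}

// Collect localN params in numeric order and emit ssh -L arguments plus the
// warnings gathered for each forward.
function toSshArgs(params) {
  const keys = Object.keys(params)
    .filter(k => /^local\d+$/.test(k))
    .sort((a, b) => Number(a.slice(5)) - Number(b.slice(5)));
  const args = [];
  const warnings = [];
  for (const k of keys) {
    const f = parseForward(params[k]);
    args.push("-L", `${f.lport}:${f.host}:${f.rport}`);
    for (const w of f.warnings) warnings.push(k + ": " + w);
  }
  return { args, warnings };
}

const result = toSshArgs(SAMPLE_PARAMS);
console.log("ssh " + result.args.join(" ") + " public@tunnelhost");
for (const w of result.warnings) console.log("warning: " + w);
```

For the page's three forwards the output is the ssh command line with three -L options, and two warnings: local1 (port 110) and local2 (port 25) cannot be bound by an unprivileged user on a Unix client, so those users need either root or higher local port numbers.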