SSH Port forwarding / Tunneling with multiple hops - amazon-web-services

Background
Three subnets exist in an AZ in AWS. Two of them are private and one is public.
The Public Subnet has a Jumpbox which can be connected to from my local machine via ssh using a pem file (Sample - ssh -i my-key-file.pem ec2-user#host1
The First private subnet has an EC2 Instance that acts as a Application Server. It can only be reached from the Jumbox via ssh. The same pem file is used here. (Sample - ssh -i my-key-file.pem ec2-user#host2). This command is executed on host1.
The second private subnet hosts an Oracle Instance using AWS RDS Service. It is running on port 1521. The DB Can only be accessed from the App Server/host2.
How I am working currently
host2 has sqlplus client installed.
First,I connect to host1, then to host2, and then execute sqlplus to execute Queries at the Command line (No GUI).
I am planning to use GUI tools like SQL Developer to connect right from my local machine. I thought using Port forwarding/SSH Tunneling It can be achieved.
I tried using different options, but with no success. The following links are useful:
https://superuser.com/questions/96489/an-ssh-tunnel-via-multiple-hops
https://rufflewind.com/2014-03-02/ssh-port-forwarding
My Approach to SSH Tunneling
ssh -N -L 9999:127.0.0.1:1234 ec2-user#host1 -i my-key-file.pem -v -v -v
This is executed on my local machine.
It does not do much as I can already connect to host1 using ssh. I did not know how to forward many levels. Using this host as my first hop. After this, ssh listens on port 9999 which is Local to my machine. It forwards any traffic to host1 to Port 1234. My assumption is that, If I use sqlplus on my local machine connecting to localhost:9999, the traffic will arrive at host1:1234
I used 127.0.0.1 because the target of SSH tunneling is with respect to the SSH Server, which is host1. Basically, Both Target, SSH Server are on the same host.
ssh -N -L 1234:db-host:1521 ec2-user#host2 -i my-key-file.pem -v -v- v
This is executed on host1
After this, ssh forwards any incoming traffic on port 1234 to target host (DB Host)/1521 using host2 as the Tunnel.
Again, my assumption is that, ssh is listening on port 1234 on host1. Any traffic arriving from anywhere will be delivered to DB Host using host2 as the tunnel.
I executed both commands and did not see any error. I verified which ports are listening using netstat -tulpn | grep LISTEN.
After these two, My plan was to connect to the Database using Hostname as localhost and Port number as 9999.
What's going wrong !
But when I try to connect to the DB from my local machine, getting an error from my SQL Client Got minus one from a read call. I could not understand the Debug messages from ssh logs.
I believe my understanding of how port forwarding works might not be right. Any inputs would be helpful.
Thanks for your time !

Related

Unable to setup ssh config remote forwarding from Local --> Bastion --> EC2

Overview
I'm trying to configure ~/.ssh/config to connect my local VSCode to remote (EC2). I've done a lot of testing and can't understand why situation one is working and others are failing. I'm able to get RemoteCommand to work successfully for ssh'ing into EC2 instance after ssh'ing into BastionHost, however I'm unable to achieve the same with ProxyJump or ProxyCommand. VSCode doesn't list the EC2 filesystem when using the RemoteCommand example (just gets to BastionHost), so thinking I'll need to resolve to either ProxyJump/ProxyCommand based on most of the documentation.
I've tried to follow the instructions here exactly along with trying out different approaches from other articles to no avail.
##WORKS
Host dev-ec2
HostName 10.248.000.206
User meme1
RemoteCommand ssh 10.248.000.201
RequestTTY yes
IdentityFile ~/.ssh/mykey
##WORKS
Host bastion-dev
HostName 10.248.000.206
User meme1
IdentityFile ~/.ssh/mykey
RequestTTY yes
##FAILS (times out)
Host dev-ec2-proxycommand
HostName 10.248.000.201
User meme1
ProxyCommand ssh.exe bastion-dev -W %h:%p
##FAILS (Permission denied on public key, even though no issue in the RemoteCommand example)
Host ec2-dev-proxyjump
HostName 10.248.000.201
User meme1
ProxyJump bastion-dev
IdentityFile ~/.ssh/mykey
System Info
OS: Windows 10
Bastion OS: Linux (Amazon Linux AMI)
Disclaimer
I've been trolling StackOverflow and other forums for the past couple days to no avail, and although I've found similar questions none have provided viable answers for resolving.
I suppose this one below is failing because you are using a command from Windows at your bastion, that is Linux.
Command ssh.exe will not work on Linux. Everything that you put on ProxyCommand will run inside your bastion host, in your case it is a Linux OS.
Also make sure your instance Security Group allow connection from bastion IP, not from your computer.
##FAILS (times out)
Host dev-ec2-proxycommand
HostName 10.248.000.201
User meme1
ProxyCommand ssh.exe bastion-dev -W %h:%p
I have the config below on my ~/.ssh/config file and it works fine for me to connect on my instance behind bastion host.
Bastion IP: 172.31.4.238
Host IP (behind bastion): 172.31.11.98
Host 172.31.11.98
HostName 172.31.11.98
User ec2-user
ProxyCommand ssh -W %h:%p ec2-user#172.31.4.238
See it below
$ ssh 172.31.11.98
The authenticity of host '172.31.11.98 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:vy....
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.31.11.98' (ECDSA) to the list of known hosts.
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
[ec2-user#ip-172-31-11-98 ~]$

How to change localhost to ec2 public dns

I have an ec2 instance on which i login as:
ssh -L 5001:localhost:5000 sumit#<public DNS>
I have an application (superset) which I run as:
2020-04-01 08:18:24,531:INFO:root:logging was configured successfully
2020-04-01 08:18:24,620:INFO:root:Configured event logger of type <class 'superset.utils.log.DBEventLogger'>
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: off
2020-04-01 08:18:25,600:INFO:werkzeug: * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
Now when I open my browser and type, then it works:
http://127.0.0.1:5001/
I already have setup all http and https traffic:
Now when I change 127.0.0.1 to the aws public dns address it doesn't work. Please let me know what am I missing?
You method is using something call Port Forwarding.
This command:
ssh -L 5001:localhost:5000 sumit#<public DNS>
is saying: "Please SSH into the instance, and also forward port 5001 on this computer to the other computer, and ask it to send the traffic to localhost:5000."
Therefore, any traffic sent to port 5001 on your computer will be forwarded to port 5001 on the target computer. This is a good way of preventing other people from being able to access port 5000 on that computer, unless they are able to SSH into the instance (presumably using a private key).
Accessing http://127.0.0.1:5001/ means it will go to port 5001 on your computer. It would be the same as going to http://localhost:5001 on your own computer.
The flow is: 127.0.0.1:5001 -> via SSH connection -> localhost:5000 on other computer
Changing it to http://DNS-NAME:5001 will try to connect to port 5001 on the destination computer, which is not a port that is in use. You could try changing it to connect to http://DNS-NAME:5000 (which is the port where the application seems to be running) and opening the Security Group to allow port 5000, but that would probably violate the security that somebody probably wanted to put in place.

Why can't i telnet my aws instance?

Created an AWS AMI instance.
I can telnet from the instance itself
telnet [Pv4 Public IP] 9200
But not from my pc.
This is my security group
What am I doing wrong?
You can check your Network ACL configurations.
It looks like there is some other firewall in between your PC and server which is blocking you on 9200.
If you can access port 80 via telnet or you're able to SSH in it's likely you have a network ACL in place. If you can not access port 80 via telnet but you can via a browser it's like a local config - maybe AV or a firewall.
EC2 instances use security groups for their firewall
Another test to narrow down the the issue would to see if you could telnet from another instances in the same subenet in the same AZ. Being in the same subnet you should not be affected by a network ACL.
You can have a look at this telnet-to a cloud instance from outside
The solution to problem was "Open the services and make the telnet manual and right click on it and chose start"
As well make sure that the instance is residing in a public VPC
Based on what you've described, there isn't really much else to work with. Your ability to telnet the public IP from the instance implies the server is listening on the external interface and your security group is already set to have the port open to all incoming connections.
Aside from the trivial overlooking of not actually having the instance under the listed security group, the only possibility I can think of now is an active firewall on the instance. In the case of iptables or ufw (which is an interface to iptables), it's trivial to verify whether they are indeed getting in the way:
// List iptables access rules
sudo iptables -L -v
// List access rules via ufw
sudo ufw status
You said: "This is my SG", but...which way? Inbound or outbound?
It can simply be that your host can't reply to your PC.
Try to add a rule which adds outbound TCP ranging from ports 32768 to 65535 (ephemeral ports), so that the telnet server response packets can travel back to your PC.
Otherwise, like the others said, look at one level up, VPC-level (network ACL).
You might have your acceptor process running on 127.0.0.1:9000 which means only local clients can connect. This is not related to your Security Group which could be wide open.
Run lsof -i:9000 if on unix.
If you see something like this under NAME then host IP used to start your acceptor will needs to change from 127.0.0.1 to 0.0.0.0 (and secure via SG/FW).
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 2777 ubuntu 148u IPv6 26856 0t0 TCP localhost:afs3-callback (LISTEN)
A Telnet service is not installed by default on an Amazon Linux AMI.
If you wish to use it, you will need to install it yourself, eg: Install and Setup Telnet on EC2 Amazon Linux or CentOS.
However, these days it is recommended to use ssh instead of telnet because it is more secure. See: Telnet on wikipedia
Just a thought, check firewall of your PC.
Need to ensure your SSH key you generated via IAM and attached to the EC2 at launch is added to the login:
ssh-add -K <yourkeyname>.pem
ssh ubuntu#<yourdns or ip>.com == or == ssh ec2-user#<yourdns or ip>

vpn through google cloud gce

I am trying to setup a small GCE to use as a VPN gateway when I travel. My current attempt is to setup OpenVPN on Ubuntu 16.04 using the script at https://www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/. I was able to run the script and get an ovpn file at the end. On my laptop (Kubuntu 16.04) I was able to connect to the GCE machine using network manager by importing the ovpn file.
On my laptop I can see the connection is successful but I am not getting any data through the connection (ie I can't go to any websites in my browser).
What I am not sure is if I need to make changes to the Google Network Firewall based on the comments in the link:
#OpenVPN Forward by vg
-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -i tun+ -j ACCEPT
-A ufw-before-forward -i tap+ -j ACCEPT
#OpenVPN END by vg
So, if something like that is needed, how do I setup the commands in the Google Network Firewall?
I do have the 1194 port pointing to my GCE instance which is why I assume I am able to see the VPN connect.
I've made a quick test in my own project, and it works fine.
In my case I don't have any firewall rule, running in the openvpn-server.
Keep in mind that you need to configure your internal ip as IP listening and set the public IP when the program asks you.
In your example they use the same IP.
Also I have set a rule Firewall rule in the Google Cloud project allowing the inbound traffic for the port 1194

Can't connect to remote instance via ssh tunneling + proxying

Having trouble connecting to remote server via ssh tunneling.
I'm not that experienced with ssh or portforwarding. I'm trying to forward traffic from an application on a remote lab server to a port on my laptop so I can monitor the traffic. I can log into the server without a problem using:
ssh -i ~/.ssh/mykey.pem username#server.com
However, when I try to create a tunnel (which I am routing through a proxy server via SwitchyOmega):
ssh -L 3128:localhost:8888 -N -i ~/.ssh/mykey.pem username#server.com
I still can't access the page.
My OS is El Capitan and I'm using Chrome, but the remote server is running ubuntu. I appreciate any advice or suggested reading!
EDIT: Initially thought the server was on AWS with a fixed IP, but it turns out its a physical lab server.
You need to create the fowarding accessible by others, therefore do not bind localhost, but the external IP or *. Also you need to specify the -g switch, if you are connecting to the forwarded port remotely:
ssh -g -L *:3128:localhost:8888 -N -i ~/.ssh/mykey.pem username#server.com
In a new terminal window on your local machine, SSH into the remote machine using the following options to setup port forwarding.
ssh -N -L 3128:localhost:8888 user#remote_server
-N options tells SSH that no commands will be run and it’s useful for port forwarding, and -L lists the port forwarding configuration that we setup.
To close the SSH tunnel simply do ctrl-c.