Linux Archive


Mitchell Laks 10-03-2008 04:02 PM

How to apt-get over ssh tunnel through a firewall?
 
Hi,

I have a number of debian machines that live behind a firewall.

Debian Machine A is granted internet access and can browse
the internet. However machines B-D were not granted internet access and live on the general internal network,
and were originally installed with Debian by utilizing a private network with machine A
192.168.4.x, and getting internet access via NAT through A.

Now machines B-D no longer live on the private network but can ssh into machine A.

Now I know how to browse the internet on B-D
by creating a ssh tunnel to A and utilizing the Iceweasel Browser settings to use a
local Socks proxy.


Can I do something similar with apt-get so that I can apt-get update and apt-get upgrade
over ssh without
physically moving the machines B-D to the private network 192.168.4.x with machine A?


thanks,
mitchell


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Celejar 10-03-2008 06:38 PM

How to apt-get over ssh tunnel through a firewall?
 
On Fri, 3 Oct 2008 12:02:22 -0400
Mitchell Laks <mlaks@post.harvard.edu> wrote:

> Hi,
>
> I have a number of debian machines that live behind a firewall.
>
> Debian Machine A is granted internet access and can browse
> the internet. However machines B-D were not granted internet access and live on the general internal network,
> and were originally installed with Debian by utilizing a private network with machine A
> 192.168.4.x, and getting internet access via NAT through A.
>
> Now machines B-D no longer live on the private network but can ssh into machine A.
>
> Now I know how to browse the internet on B-D
> by creating a ssh tunnel to A and utilizing the Iceweasel Browser settings to use a
> local Socks proxy.
>
>
> Can I do something similar with apt-get so that I can apt-get update and apt-get upgrade
> over ssh without
> physically moving the machines B-D to the private network 192.168.4.x with machine A?

There are several apt proxies available:

apt-cacher
apt-cacher-ng
apt-proxy
approx

[I use approx; various readers of this list have their own preferences.]

Set up one of them on A, configure B-D's sources file appropriately,
and your ssh procedure should work.

> thanks,
> mitchell

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator



Mitchell Laks 10-03-2008 10:01 PM

How to apt-get over ssh tunnel through a firewall?
 
On 14:38 Fri 03 Oct , Celejar wrote:
> On Fri, 3 Oct 2008 12:02:22 -0400
>
> There are several apt proxies available:
>
> apt-cacher
> apt-cacher-ng
> apt-proxy
> approx
>
> [I use approx; various readers of this list have their own preferences.]
>
> Set up one of them on A, configure B-D's sources file appropriately,
> and your ssh procedure should work.

Thank you. I am familiar with apt-cacher, but not with approx, which I can
try.

However, I think that does not solve my problem. For instance,
what if the A computer is running etch and B-D are running sid?
How can I get B-D to get software that has not been installed on A?

Is there some smart way to set up a direct tunnel through A
and tell apt-get to go through the tunnel itself, instead of using
these caching methods, which better serve other purposes?
(For instance, since B-D run sid, I can cache on one of them for the others.)

What software-backbone/port is apt-get using to get the software?


Are you familiar with setting up tunnels like

ssh -ND 8080 user@destination.com
?

Mitchell

Florian Kulzer 10-04-2008 11:34 AM

How to apt-get over ssh tunnel through a firewall?
 
On Fri, Oct 03, 2008 at 12:02:22 -0400, Mitchell Laks wrote:
> Hi,
>
> I have a number of debian machines that live behind a firewall.
>
> Debian Machine A is granted internet access and can browse
> the internet. However machines B-D were not granted internet access and live on the general internal network,
> and were originally installed with Debian by utilizing a private network with machine A
> 192.168.4.x, and getting internet access via NAT through A.
>
> Now machines B-D no longer live on the private network but can ssh into machine A.
>
> Now I know how to browse the internet on B-D
> by creating a ssh tunnel to A and utilizing the Iceweasel Browser settings to use a
> local Socks proxy.
>
>
> Can I do something similar with apt-get so that I can apt-get update and apt-get upgrade
> over ssh without
> physically moving the machines B-D to the private network 192.168.4.x with machine A?

Can you run a proxy on machine A? You can secure it very tightly, both
via its own configuration and via your firewall, so that it only accepts
local connections on machine A. Then you can do this on machines B-D:

ssh -N -L 31280:localhost:3128 $HOSTNAME_OR_IP_OF_MACHINE_A

This will tunnel port 31280 on B-D to machine A, from where it will be
forwarded to localhost (i.e. machine A itself) port 3128. This assumes
that your proxy on A listens for local connections on port 3128 (the
standard squid port). Then it will be as if the proxy was running on B-D
listening on port 31280, so you can set "http://localhost:31280" as the
http_proxy variable on these machines.

If you cannot run a proxy on machine A then you can try to use tsocks on
machines B-D:

http://tsocks.sourceforge.net/

(Debian packages are available in main.)

--
Regards, | http://users.icfo.es/Florian.Kulzer
Florian |



Osamu Aoki 10-04-2008 06:40 PM

How to apt-get over ssh tunnel through a firewall?
 
You can use ssh but ...

On Fri, Oct 03, 2008 at 12:02:22PM -0400, Mitchell Laks wrote:
> Hi,
>
> I have a number of debian machines that live behind a firewall.
>
> Debian Machine A is granted internet access and can browse
> the internet. However machines B-D were not granted internet access and live on the general internal network,
> and were originally installed with Debian by utilizing a private network with machine A
> 192.168.4.x, and getting internet access via NAT through A.
>
> Now machines B-D no longer live on the private network but can ssh into machine A.
>
> Now I know how to browse the internet on B-D
> by creating a ssh tunnel to A and utilizing the Iceweasel Browser settings to use a
> local Socks proxy.

Yes.

> Can I do something similar with apt-get so that I can apt-get update and apt-get upgrade
> over ssh without
> physically moving the machines B-D to the private network 192.168.4.x with machine A?

Yes. But doing without ssh may be simpler and saves BW.

Run squid on A and let others access it. You need to set http_proxy
environment variable or use apt.conf setting for all A,B,C. Then you
save bandwidth.



Celejar 10-05-2008 01:20 AM

How to apt-get over ssh tunnel through a firewall?
 
On Fri, 3 Oct 2008 18:01:55 -0400
Mitchell Laks <mlaks@post.harvard.edu> wrote:

> On 14:38 Fri 03 Oct , Celejar wrote:
> > On Fri, 3 Oct 2008 12:02:22 -0400
> >
> > There are several apt proxies available:
> >
> > apt-cacher
> > apt-cacher-ng
> > apt-proxy
> > approx
> >
> > [I use approx; various readers of this list have their own preferences.]
> >
> > Set up one of them on A, configure B-D's sources file appropriately,
> > and your ssh procedure should work.
>
> thank you. I am familiar with apt-cacher, but not with approx which I can
> try.
>
> However, I think that does not solve my problem. For instance
> what if the A computer is running etch and B-D are running sid?
> How can I get B-D to get software that has not been installed on A?

I'm pretty sure that it makes no difference what flavor A is running -
I assume that A need not even run Debian! The apt sources lists of B-D
will contain (with approx - I assume you can do similarly with the
others) references to the flavor desired, and A will fetch any packages
that are needed. My sources contain (on the machine that runs approx):

deb http://localhost:9999/debian/ sid main non-free contrib
deb http://localhost:9999/debian-multimedia sid main

> Is there some smart way to set up a direct tunnel through A
> and tell apt-get to go through the tunnel itself, instead of using
> these caching methods which better serve other purposes.
> (For instance since B-D run sid, I can cache on one of them for the others.
>
> what software-backbone/port is apt-get using to get the software?

apt can use an http proxy; see 'man apt.conf' for details. So you
could set up one on A and configure B-D to tunnel in to it over ssh,
but I think that you are misunderestimating the flexibility of the
dedicated apt caching programs, as above.

> Mitchell

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
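
The forwarding recipe from Florian Kulzer's reply, combined with the apt http proxy setting Celejar and Osamu Aoki mention, as an added example that is not part of any post in this thread. It assumes a proxy on A listening on localhost:3128 and local port 31280 (both from Florian's post); the function names, the DRY_RUN switch and the socket path are hypothetical.

```shell
#!/bin/sh
# Added example: run apt-get on B-D through an ssh tunnel to a proxy on A.
# Ports 3128/31280 come from the thread; everything else is an assumption.

LOCAL_PORT=31280   # port opened on B-D
PROXY_PORT=3128    # port the proxy listens on, on machine A's loopback

# Execute a command, or only print it when DRY_RUN=1 (hypothetical switch).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# apt_via_tunnel HOST APT_ARGS...   e.g. apt_via_tunnel machineA update
apt_via_tunnel() {
    host=$1; shift
    # Control socket in a directory only the invoking user can write to.
    sock="$HOME/.ssh/apt-tunnel.sock"

    # Explicit 127.0.0.1 bind: other hosts on B's network cannot reach the
    # forward. ExitOnForwardFailure makes ssh fail instead of backgrounding
    # a session whose port forward could not be set up.
    run ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${LOCAL_PORT}:localhost:${PROXY_PORT}" "$host" || return 1

    # Proxy is set for this invocation only; no http_proxy left in the
    # environment or in apt.conf pointing at a port that is normally closed.
    status=0
    run apt-get -o "Acquire::http::Proxy=http://localhost:${LOCAL_PORT}" "$@" \
        || status=$?

    # Tear the tunnel down even when apt-get failed.
    run ssh -S "$sock" -O exit "$host" || true
    return "$status"
}

# Only act when called as: script --run HOST APT_ARGS...
if [ "${1:-}" = "--run" ]; then
    shift
    apt_via_tunnel "$@"
fi
```

Run it as root on B-D (apt-get needs it), for example `sh apt-tunnel.sh --run machineA update`; with `DRY_RUN=1` it prints the three commands instead of executing them.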



Steve Lamb 10-05-2008 11:02 PM

How to apt-get over ssh tunnel through a firewall?
 
Osamu Aoki wrote:
> Run squid on A and let others access it. You need to set http_proxy
> environment variable or use apt.conf setting for all A,B,C. Then you
> save bandwidth.

Or use apt-cache.

--
Steve C. Lamb | But who can decide what they dream
PGP Key: 1FC01004 | and dream I do
-------------------------------+---------------------------------------------

Osamu Aoki 10-06-2008 11:39 AM

How to apt-get over ssh tunnel through a firewall?
 
On Sun, Oct 05, 2008 at 04:02:21PM -0700, Steve Lamb wrote:
> Osamu Aoki wrote:
> > Run squid on A and let others access it. You need to set http_proxy
> > environment variable or use apt.conf setting for all A,B,C. Then you
> > save bandwidth.
>
> Or use apt-cache.

You must have meant apt-cacher.

(I like squid approach though ... because it handles Debian archive
design change more smoothly.)

Osamu



"Todd A. Jacobs" 10-07-2008 12:13 AM

How to apt-get over ssh tunnel through a firewall?
 
On Fri, Oct 03, 2008 at 12:02:22PM -0400, Mitchell Laks wrote:

> Now I know how to browse the internet on B-D by creating a ssh tunnel
> to A and utilizing the Iceweasel Browser settings to use a local Socks
> proxy.

This is untested, but if you change your sources.list to include
something like:

# /etc/apt/sources.list
deb http://localhost:1080/debian/ stable main contrib non-free

and then open a tunnel:

# from the command line
ssh -fND 1080 machine_A

it should just work. If not, you can try something more complicated,
like:

# /etc/apt/sources.list
deb http://localhost:32315/debian/ stable main contrib non-free

# from the command line: machineA itself opens the connection to the mirror
ssh -fN -L 32315:ftp.us.debian.org:80 machineA

There's probably a better way to do this, but you asked specifically
about ssh tunneling. Good luck!

--
"Oh, look: rocks!"
-- Doctor Who, "Destiny of the Daleks"



Bob 10-18-2008 05:54 AM

How to apt-get over ssh tunnel through a firewall?
 
Mitchell Laks wrote:
> On 14:38 Fri 03 Oct , Celejar wrote:
> > On Fri, 3 Oct 2008 12:02:22 -0400
> >
> > There are several apt proxies available:
> >
> > apt-cacher
> > apt-cacher-ng
> > apt-proxy
> > approx
> >
> > [I use approx; various readers of this list have their own preferences.]
> >
> > Set up one of them on A, configure B-D's sources file appropriately,
> > and your ssh procedure should work.
>
> thank you. I am familiar with apt-cacher, but not with approx which I can
> try.
>
> However, I think that does not solve my problem. For instance
> what if the A computer is running etch and B-D are running sid?
> How can I get B-D to get software that has not been installed on A?

This is not a problem with apt-proxy, as to its clients it looks like a
full mirror; however, it only actually downloads the packages you use, so
the first time you download a package it comes in at whatever speed it
would if you downloaded it directly, but the second time it comes in at
LAN speed.

For testing I just used ssh tunnels to access my proxy and it works fine.

> Is there some smart way to set up a direct tunnel through A
> and tell apt-get to go through the tunnel itself, instead of using
> these caching methods which better serve other purposes.
> (For instance since B-D run sid, I can cache on one of them for the others.

Easier than that, I have a pinhole in my firewall rules allowing access to
port 9999 (the default apt-proxy port) but only to the IP of my
apt-proxy from my 192.168.50.xx subnet to my 192.168.24.xx one; this
allows wireless clients, my web server, and other less trusted clients
to use the apt-proxy.

> what software-backbone/port is apt-get using to get the software?
>
> Are you familiar with setting up tunnels like
>
> ssh -ND 8080 user@destination.com
> ?
>
> Mitchell

To quote a previous post on the subject:

It's pretty cool to be able to perform net installs in a few minutes and
updates are equally fast, after the first time. The only downside is
it's a bit picky about its internet connection. I know that sounds
weird, but when I have it connected directly to the internet with no http
proxy it stalls and doesn't work properly; when I have it behind a squid
proxy it's happy as a sand boy.

A slightly nonstandard thing I've done is I've created a different
section for each release, so instead of having

deb http://192.168.24.99:9999/debian/ etch main
deb http://192.168.24.99:9999/debian-security/ etch/updates main

or

deb http://192.168.24.99:9999/debian/ lenny main
deb http://192.168.24.99:9999/debian-security/ lenny/updates main

in my apt sources files I have

deb http://192.168.24.99:9999/etch/ etch main
deb http://192.168.24.99:9999/etch-security/ etch/updates main

or

deb http://192.168.24.99:9999/lenny/ lenny main
deb http://192.168.24.99:9999/lenny-security/ lenny/updates main

This is because apt-proxy will only hold a certain number of versions of
any given package. Although this number is configurable, I found that
sometimes stable packages were being pushed out by those from sid and
testing; this way I've still got most of sarge in cache.

