# rerouting internet traffic [solved]

## Elleni

I would like to let a friend use my gentoo box as a proxy over the internet. What would be the recommended way to achieve this?

I do not have a fixed IP; it is an ordinary workstation, connected to the internet directly with no iptables or anything. Would this work out with setting up squid, or is this overkill (and what software would you recommend), and a dyndns address to access it despite the changing IP of the gentoo box because it's DHCP?

The goal is that my friend's http and https traffic would be routed through that gentoo box. 

Any thoughts / hints? Is security a problem? What would be the easiest way to achieve this?

Last edited by Elleni on Fri Jul 06, 2012 2:19 pm; edited 1 time in total

----------

## Elleni

anyone ? 

Would it simply be possible to open an ssh or openvpn tunnel to my gentoo box and set my friend's Firefox, with the help of putty, to use my gentoo box as a proxy without the need to install squid at all?

----------

## BillWho

Elleni,

Get your IP address with `curl ifconfig.me/ip` or `wget -qO- ifconfig.me/ip`

Your friend connects to your box with `ssh -D 12345 whoever@address`

Firefox settings:

Manual proxy configuration

SOCKS_Host:localhost SOCKS v5

Port:12345

That's it - you're good to go

Good luck   :Wink: 

----------

## Elleni

Hello BillWho, 

That means, not having a fixed ip, I would need something like dyndns because of changing ip, and to connect from a windows machine something like putty to ssh to my gentoo box. Only socks proxy setting needed, nothing else ? That sounds easy, cool  :Smile: 

I will try that out. Thanks a lot for helping ! 

I would like to restrict ssh to public key login (I did not yet try this with putty from a windows machine, but I think this should work similar to when ssh-ing from another linux client which I already did sometime ago), so I will test and mark as solved as soon as I was able to achieve my task. 

I will come back to you if I have further questions. In the meantime thanks a lot for your post, putting me in the right direction  :Smile: 

----------

## Elleni

Problem connecting to ssh with putty and keybased authentication: 

With the private key, generated as user, not root with ssh-keygen on my gentoo box I went to a windows box and used puttygen to import the said private key, and saved it with puttygen as .ppk key. 

Then started putty and tried to connect to my servers ip. In Putty Auth section I have browsed/selected the .ppk file, so I think everything should be ok. 

I am prompted: login as:

When typing the local user with which I have generated the pub/private keypair on my gentoo box I get the following error: 

server refused our key / Disconnected: No supported authentication methods available (server sent: publickey)

Configuration which I have done on my gentoo box /etc/ssh/sshd_config: 

ChallengeResponseAuthentication no

PasswordAuthentication no

Any idea what I am doing wrong ?

Edit: After re-reading ssh wiki, I guess I did not append the public key to the authorized keys... I will have a look this evening....  :Smile: 
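An added example, not part of the original post: a server-side check for the two usual causes of "server refused our key", a public key that was never appended to `authorized_keys` and paths that sshd's StrictModes rejects. The function name is hypothetical and only file modes are checked, not ownership.

```shell
#!/bin/sh
# Added example: explains why sshd would refuse a key for one account.
# Usage: check_key_setup <home-dir> <public-key-file>
# Prints one finding; returns 0 only when the key should be accepted.

check_key_setup() {
    home=$1
    pub=$2
    auth="$home/.ssh/authorized_keys"

    # Compare only "type base64-blob"; the trailing comment is free text.
    want=$(awk '{ print $1, $2; exit }' "$pub")
    [ -n "$want" ] || { echo "unreadable public key: $pub"; return 2; }

    [ -f "$auth" ] || { echo "missing: $auth"; return 3; }

    # authorized_keys lines may start with options, so look at every
    # adjacent field pair instead of only fields 1 and 2.
    if ! awk -v want="$want" '
            /^[ \t]*(#|$)/ { next }
            { for (i = 1; i < NF; i++) if ($i " " $(i + 1) == want) found = 1 }
            END { exit !found }' "$auth"; then
        echo "key not listed in $auth"; return 4
    fi

    # With StrictModes (the sshd default), group- or world-writable
    # paths make sshd ignore the file even when the key is present.
    for p in "$home" "$home/.ssh" "$auth"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "too permissive: $p"; return 5
        fi
    done

    echo "ok: key is authorized for this account"
}
```

Run it on the server as the account owner or root, passing the same public key that belongs to the private key loaded into PuTTY.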

----------

## BillWho

 *Elleni wrote:*   

> With the private key, generated as user, not root with ssh-keygen on my gentoo box

 

I'm not sure about windows/putty, but in a linux -> linux scenario ssh-keygen is run on the client logged in as the user that will be connecting to the server and the key is copied to the server of said user.

----------

## Elleni

Thanks for your input. That's what I have done in the end, used another gentoo box to create the keys and copied them step by step as told on the wiki on to my box. First reenabled password login for ssh, then ssh to the server with password authentication and deactivated it once I was able to do keybased login. This key now also works like a charm with putty after having converted to its format with puttygen.exe on the windows box. 

So I guess this case is solved  :Smile: 

Thanks again. 

One word on security. Is it quite secure like this, with a keybased login and a passphrase for the key, or would you recommend more steps like fail2ban? Until now I did not feel the need to install iptables as the box did not have services started / ports open, vulnerable for attacks, I guess...

----------

## BillWho

Elleni,

Glad to hear that you got it working   :Very Happy: 

As far as security goes, if fail2ban helps you sleep at night then go for it. I've never used it so I really can't speak to it.

Naturally, you want to secure that key so it never gets into unauthorized hands. Also, I hope you created a limited account for your friend so privileges cannot be escalated. 

A simple thing you can do is if you have a window of time when access is required, then you can lock ssh logins with /etc/nologin outside that window. So you can set up a cron job to touch it and remove it at a certain time. This will not work for root though.

If you don't do a lot of remote administration then you can prevent root login with PermitRootLogin no in sshd_config.

Good luck   :Wink: 
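An added example, not part of the original post: one way to run the `/etc/nologin` access window from cron. Instead of two separate touch/remove entries, it is a single idempotent check that also handles a window wrapping past midnight; the function names, times and script path are hypothetical.

```shell
#!/bin/sh
# Added example: keep /etc/nologin in place except during an access window.
# Run from root's crontab every few minutes, for example:
#   */5 * * * * /usr/local/sbin/ssh-window.sh    (hypothetical path)

# to_min HH:MM -> minutes since midnight
to_min() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}      # strip a leading zero so 08 is not read as octal
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# in_window OPEN CLOSE NOW -> status 0 when NOW is inside [OPEN, CLOSE)
in_window() {
    o=$(to_min "$1"); c=$(to_min "$2"); n=$(to_min "$3")
    if [ "$o" -le "$c" ]; then
        [ "$n" -ge "$o" ] && [ "$n" -lt "$c" ]
    else                    # window wraps past midnight, e.g. 22:00-02:00
        [ "$n" -ge "$o" ] || [ "$n" -lt "$c" ]
    fi
}

# apply_window OPEN CLOSE NOW FILE -> removes or creates FILE, prints state
apply_window() {
    if in_window "$1" "$2" "$3"; then
        rm -f "$4" && echo open
    else
        # The file's text is shown to users whose login is refused.
        [ -f "$4" ] || echo "SSH logins are closed outside $1-$2." > "$4"
        echo closed
    fi
}

# In the cron script itself, end with a call such as:
#   apply_window 19:00 23:00 "$(date +%H:%M)" /etc/nologin
```

The file only blocks new non-root logins; an ssh session that is already open, including its tunnel, keeps running after the window closes.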

----------

## Elleni

Hi BillWho, thanks again for your answer! 

Well I'll go without fail2ban for the moment  :Smile: 

Yep, the key is in safe hands, and permitrootlogin is already disabled - so I guess I'll stay like this and as I have a backup of my box - in the worst case I'll be able to restore. Great support, thank you!

----------

