Wednesday, September 3, 2008

The Organ Grinder: Firewall Tunneling via EC2 Proxy

Teaching monkeys new tricks.

I've been around. Let's get that straight. Sure, I no longer work in a corporate environment yet still, on occasion, feel the ache of an old scar. The wounds of the corporate blade just cut too deep. This world is hell to anyone who doesn't thrive in such artificial environments. This is a new segment for a new year (well, fiscal year) - The Organ Grinder: Teaching (Code)Monkeys New Tricks. Perhaps not new, but useful for those who need to survive in this wilderness. Today's trick: getting around corporate firewalls via tunneling.

I understand why some corporations wish to limit internet access to the common folk: ensuring that the receptionist does his job instead of playing WoW, blocking an old-lady manager from downloading the new forward "cute-kittens.jpg.exe", stopping sales guys from surfing for porn all day. However, when you are a software developer, blocking your access to the wild, wild web is like keeping a goldfish in one of those colored baggies of water they give out at carnivals; sure the fish live - sort of - only to die a day later when you take it home. Get the analogy? The fish is your soul.

1) Set up EC2

First, you need Java 1.5 or greater installed and the JAVA_HOME environment variable set.

On Unix:
$ export JAVA_HOME=<PATH>

On Windows:
C:\> set JAVA_HOME=<PATH>

Create an EC2 account on Amazon (all of these steps can be found in detail here).

Set up the account and grab your X.509 certs.

Download and unzip the EC2 command-line tools - works for *nix, osx and windows (afaik).

Set up your *nix/osx paths:
$ export EC2_HOME=<path-to-tools>
$ export PATH=$PATH:$EC2_HOME/bin
$ export EC2_PRIVATE_KEY=~/.ec2/pk-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem
$ export EC2_CERT=~/.ec2/cert-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem
Or, set up your windows paths:
C:\> set EC2_HOME=<path-to-tools>
C:\> set PATH=%PATH%;%EC2_HOME%\bin
C:\> set EC2_PRIVATE_KEY=c:\ec2\pk-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem
C:\> set EC2_CERT=c:\ec2\cert-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem

Run:
$ ec2-add-keypair my-proxy

This will output a key similar in structure to this:
-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQBuLFg5ujHrtm1jnutSuoO8Xe56LlT+HM8v/xkaa39EstM3/aFxTHgElQiJLChp
... blah blah blah, more data ...
-----END RSA PRIVATE KEY-----

Copy and paste everything from "-----BEGIN RSA PRIVATE KEY-----" through "-----END RSA PRIVATE KEY-----" (inclusive) into a file named:
id_rsa-my-proxy
Then restrict the file's permissions so that only you can read it (ssh will refuse a private key file that other users can read):
chmod 600 id_rsa-my-proxy


2) EC2 Instance
Use the Ubuntu 7.1 AMI:
ec2-run-instances ami-b111f4d8 -k my-proxy

Which will output a line similar to the following:
INSTANCE        i-10a64379   ami-b111f4d8     pending   my-proxy  0

It will take a few minutes for the instance to launch. To check on its status:
ec2-describe-instances

When the instance is finally running, you will see the instance domain as something like the following:
domU-12-34-31-00-00-05.usma1.compute.amazonaws.com

You can ssh in as you would expect, using the domain and the key file you saved earlier. Root has no password.
ssh -i id_rsa-my-proxy root@domU-12-34-31-00-00-05.usma1.compute.amazonaws.com 


3) SSH Proxy

If you can connect out through port 443, set up sshd to listen on it. If not, you'll have to drop down to port 80 and pray; avoid port 80 if you can, because your network may filter encrypted data on that port.
ssh -i id_rsa-my-proxy -ND 1337 root@domU-12-34-31-00-00-05.usma1.compute.amazonaws.com
What this does: -N tells ssh not to run a remote command, and -D 1337 opens a SOCKS proxy on localhost port 1337 (or whatever port you want). Anything you point at that proxy is forwarded through the SSH connection to your EC2 server (over port 22, as written here).
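
Seen from the network side, an sshd moved to port 443 still speaks SSH, not TLS: the client's first bytes are an SSH identification string rather than a TLS ClientHello. The following is an added example, not part of the original post, of the check a proxy or IDS can apply to the first client payload of each port-443 flow. The flow records, addresses and function names are constructed for illustration.

```python
# Added example: flag non-TLS protocols on TCP/443 from the first client payload.
# The flow records below are constructed sample data, not real captures.
import re
import struct

# SSH identification string, RFC 4253 section 4.2: "SSH-protoversion-softwareversion"
SSH_BANNER = re.compile(rb"^SSH-(1\.\d+|2\.0)-[\x21-\x7e]+")

def classify_first_payload(data: bytes) -> str:
    """Return 'ssh', 'tls', 'empty' or 'unknown' for the first client bytes."""
    if not data:
        return "empty"
    if SSH_BANNER.match(data):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # followed by handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        (length,) = struct.unpack(">H", data[3:5])
        if 0 < length <= 16384 and data[5] == 0x01:
            return "tls"
    return "unknown"

def flag_port_443(flows):
    """Yield (src, dst, verdict) for port-443 flows whose first payload is not TLS."""
    for f in flows:
        if f["dport"] != 443:
            continue
        verdict = classify_first_payload(f["payload"])
        if verdict != "tls":
            yield (f["src"], f["dst"], verdict)

# Constructed flows using documentation address ranges (RFC 5737).
SAMPLE_FLOWS = [
    # Ordinary HTTPS: 5-byte record header + 46-byte ClientHello (zero-padded body).
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 443,
     "payload": bytes.fromhex("160301002e0100002a0303") + b"\x00" * 40},
    # SSH client banner sent to port 443.
    {"src": "192.0.2.23", "dst": "203.0.113.5", "dport": 443,
     "payload": b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n"},
    # SSH on its normal port: out of scope for this check.
    {"src": "192.0.2.23", "dst": "203.0.113.5", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n"},
]

if __name__ == "__main__":
    for src, dst, verdict in flag_port_443(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:443 first payload looks like {verdict}, not TLS")
```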

4) Important! Shutdown!

Amazon charges you $0.10 for every hour your instance is running. When you are done with your proxy, don't forget to shut it off! Ten cents isn't much money, but it adds up to approx. $72/mo if you leave it running all the time. Pretty expensive for a simple proxy! But in reality, you'll probably only need it a few times a week, costing you maybe $2 per month (20 hours). Use the instance id to terminate, not the domain (run ec2-describe-instances if you have forgotten the id). Something like:
ec2-terminate-instances i-10a64379


Of course, if you get caught, don't blame me. Or do blame me, I don't really care.
