ssh forward connection from one host with no proxy

 
 
Claudio Miranda
      10-02-2008, 06:40 PM
Hi all

I have been trying to use ssh to bypass a firewall; see the current
configuration:

machines:
laptop_at_work (http internet only)
custssh_server (no internet access)
ssh_outside (can ssh into custssh_server)

At laptop_at_work I have access to the internet through a proxy, but
my webmail URL is blocked.
At ssh_outside I can do a wget http://www.cnn.com, it works.
So I want ssh_outside, which has a full internet connection, to act as a
proxy/gateway for me at laptop_at_work, using custssh_server as a
middle gateway between me (laptop_at_work) and the internet
(ssh_outside).

I have tried

at ssh_outside machine
$ ssh -o "GatewayPorts yes" -g -c arcfour -R *:8885:10.9.8.2:80 -N user@custssh_server

at custssh_server
telnet localhost 8885

Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
GET http://www.cnn.com HTTP/1.0
HTTP/1.1 400 Bad Request
Date: Thu, 02 Oct 2008 19:07:04 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
Connection closed by foreign host.


I see that localhost (custssh_server) forwards the request to the
ssh_outside machine's router, which is 10.9.8.2 at port 80.

I want those requests to go through the 10.9.8.2 gateway, but it looks
like they are requesting data at port 80, which is the router port and
obviously is not going to work.

So, I ask if there is any chance to make those requests at
custssh_server go to the 10.9.8.2 gateway and not to 10.9.8.2:80.
Thanks

Claudio
 
Chris Davies
      10-02-2008, 07:58 PM
Claudio Miranda <(E-Mail Removed)> wrote:
> I have been trying to use ssh to bypass firewall


Assuming this is a work environment you'd be better off talking with
your line manager and the system administrators. The firewall is there
for a reason. (Even if you don't agree with the reason.)

Chris
 
Claudio Miranda
      10-03-2008, 02:07 AM
On Oct 2, 4:58 pm, Chris Davies <chris-use...@roaima.co.uk> wrote:
> Claudio Miranda <clau...@claudius.com.br> wrote:
> > I have been trying to use ssh to bypass firewall

>
> Assuming this is a work environment you'd be better off talking with
> your line manager and the system administrators. The firewall is there
> for a reason. (Even if you don't agree with the reason.)


Thanks for your advice, but the sysadmin people told me that if I can keep
this ssh only to my webmail access, it is safe.
Currently I already have access to my webmail through a 3G connection
+ bluetooth, but it's not fast.

I suppose you are a system admin, right?

Thanks

Claudio


 
b.jeswine
      10-03-2008, 02:35 AM
In news:d0796a71-0bc4-4a13-963c-(E-Mail Removed),
Claudio Miranda <(E-Mail Removed)> typed:

> At laptop_at_work I have access to the internet through a proxy, but
> my webmail URL is blocked.


And why is it blocked? webmail traditionally uses either port 80 or port
443, which the normal proxy doesn't block, so your admins have particular
reasons for limiting your Internet webmail access; you should discuss your
need with them.


 
Chris Davies
      10-03-2008, 10:28 AM
Claudio Miranda <(E-Mail Removed)> wrote:
> Thanks for your advice, but the sysadmin people told me that if I can keep
> this ssh only to my webmail access, it is safe.


Fine. Just wanted to make the warning!

To clarify your requirement:

* You have three boxes, laptop, custssh_server, and ssh_outside

* You want to get from laptop to a webmail service hosted elsewhere,
but cannot do so directly

* Laptop can only use a web proxy, but that web proxy allows
TCP connections to ports other than 80

* Custssh_server can accept inbound requests, on ports of your
choice from laptop and ssh_outside, but cannot establish them

* ssh_outside is a server under your control that can accept inbound
requests on ports of your choice, and that can connect to
custssh_server using ssh on port 22

* Laptop cannot establish any direct connection with ssh_outside

* Ssh_outside cannot establish any direct connection with laptop


Initially I would suggest that you use ssh from ssh_outside IN to
custssh_server that carries a reverse tunnel to your webmail. Let's have
port 80 on webmail presented as port 8080 on custssh_server:

ssh -R '*:8080:webmail.where.ever:80' custssh_server

You then connect with your web browser to custssh_server on port 8080
and it should all work. (Mind the GatewayPorts option, though.)


However, I see that you've already tried this, and you've got a CISCO
IOS error. Is this your firewall blocking the access? (You didn't say.)

I'm going to assume that the CISCO firewall is between your laptop and
the custssh_server, and that it's monitoring application traffic
regardless of port.

To bypass this you will need to use an http/ssl tunnel instead of
plain http. With purely web based technologies you will need to have
something running on either custssh_server or ssh_outside that unwraps
https traffic back into plain http before forwarding it on. You would
connect to this (un)wrapper from your laptop using https instead of http.

Try looking at stunnel, or openvpn (which can tunnel https over proxies).

Chris
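
Added example, not part of any post in this thread: whether the "*" bind address in the ssh -R commands above is honoured is decided by GatewayPorts and AllowTcpForwarding in the sshd configuration on custssh_server, not by options given on the client. This shell function (the name remote_forward_exposure and the sample configurations are constructed for illustration) classifies sshd -T style output so an administrator can see which interfaces a reverse-forwarded port would listen on.

```shell
#!/bin/sh
# Added example: classify how sshd would treat a client's `ssh -R '*:PORT:...'`
# request, given effective-config text in the "key value" form that
# `sshd -T` prints. remote_forward_exposure is a hypothetical helper name.
remote_forward_exposure() {
    awk '
        BEGIN { fwd = "yes"; gw = "no" }      # OpenSSH defaults when unset
        { key = tolower($1); val = tolower($2) }
        key == "allowtcpforwarding" { fwd = val }
        key == "gatewayports"       { gw  = val }
        END {
            # Remote forwarding needs AllowTcpForwarding yes, all or remote.
            if (fwd != "yes" && fwd != "all" && fwd != "remote") {
                print "blocked"            # the -R request is refused
            } else if (gw == "yes") {
                print "all-interfaces"     # listener always binds the wildcard address
            } else if (gw == "clientspecified") {
                print "client-chosen"      # the "*" in -R is honoured
            } else {
                print "loopback-only"      # "*" is ignored; only localhost can connect
            }
        }'
}

# Constructed sample configurations (not taken from any real host).
CFG_DEFAULT='allowtcpforwarding yes
gatewayports no'
CFG_CLIENT='allowtcpforwarding remote
gatewayports clientspecified'
CFG_OPEN='AllowTcpForwarding yes
GatewayPorts yes'
CFG_LOCKED='allowtcpforwarding local
gatewayports yes'

for cfg in "$CFG_DEFAULT" "$CFG_CLIENT" "$CFG_OPEN" "$CFG_LOCKED"; do
    printf '%s\n' "$cfg" | remote_forward_exposure
done
# On a real server (as root): sshd -T | remote_forward_exposure
```

sshd -T prints the global settings unless a connection spec is given with -C, so Match blocks need to be checked separately; a PermitListen directive, where present, narrows the allowed listen addresses further.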
 