ssh forward connection from one host with no proxy

Discussion in 'Linux Networking' started by Claudio Miranda, Oct 2, 2008.

  1. Hi all

    I have been trying to use ssh to bypass a firewall; see the current
    configuration.

    machines:
    laptop_at_work (http internet only)
    custssh_server (no internet access)
    ssh_outside (can ssh into custssh_server)

    At laptop_at_work I have access to the internet through a proxy, but
    my webmail URL is blocked.
    At ssh_outside I can do a wget http://www.cnn.com, it works.
    So I want ssh_outside, which has a full internet connection, to act as a
    proxy/gateway for me at laptop_at_work, using custssh_server as a
    middle gateway between me (laptop_at_work) and the internet
    (ssh_outside).

    I have tried

    at ssh_outside machine
    $ ssh -o "GatewayPorts yes" -g -c arcfour -R *:8885:10.9.8.2:80 -N
    user@custssh_server

    at custssh_server
    telnet localhost 8885

    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    GET http://www.cnn.com HTTP/1.0
    HTTP/1.1 400 Bad Request
    Date: Thu, 02 Oct 2008 19:07:04 GMT
    Server: cisco-IOS
    Accept-Ranges: none

    400 Bad Request
    Connection closed by foreign host.


    I see that localhost (custssh_server) forwards the request to the
    ssh_outside machine's router, which is 10.9.8.2, at port 80.

    I want those requests to go through the 10.9.8.2 gateway, but it looks
    like they are requesting data at port 80, which is the router's port and
    obviously is not going to work.

    So, I ask if there is any chance to make those requests at
    custssh_server go to the 10.9.8.2 gateway and not to 10.9.8.2:80.

    Thanks

    Claudio
     
    Claudio Miranda, Oct 2, 2008
    #1

  2. Chris Davies, Guest

    Assuming this is a work environment, you'd be better off talking with
    your line manager and the system administrators. The firewall is there
    for a reason. (Even if you don't agree with the reason.)

    Chris
     
    Chris Davies, Oct 2, 2008
    #2

  3. Thanks for your advice, but the sysadmin people told me that if I can
    keep this ssh only for my webmail access, it is safe.
    Currently I already have access to my webmail through a 3G connection
    + Bluetooth, but it's not fast.

    I suppose you are a system admin, right?

    Thanks

    Claudio
     
    Claudio Miranda, Oct 3, 2008
    #3
  4. b.jeswine, Guest

    And why is it blocked? Webmail traditionally uses either port 80 or port
    443, which the normal proxy doesn't block, so your admins have particular
    reasons for limiting your Internet webmail access; you should discuss your
    need with them.
     
    b.jeswine, Oct 3, 2008
    #4
  5. Chris Davies, Guest

    Fine. Just wanted to give the warning!

    To clarify your requirement:

    * You have three boxes, laptop, custssh_server, and ssh_outside

    * You want to get from laptop to a webmail service hosted elsewhere,
    but cannot do so directly

    * Laptop can only use a web proxy, but that web proxy allows
    TCP connections to ports other than 80

    * Custssh_server can accept inbound requests, on ports of your
    choice from laptop and ssh_outside, but cannot establish them

    * ssh_outside is a server under your control that can accept inbound
    requests on ports of your choice, and that can connect to
    custssh_server using ssh on port 22

    * Laptop cannot establish any direct connection with ssh_outside

    * Ssh_outside cannot establish any direct connection with laptop


    Initially I would suggest that you use ssh from ssh_outside IN to
    custssh_server that carries a reverse tunnel to your webmail. Let's have
    port 80 on webmail presented as port 8080 on custssh_server:

    ssh -R '*:8080:webmail.where.ever:80' custssh_server

    You then connect with your web browser to custssh_server on port 8080
    and it should all work. (Mind the GatewayPorts option, though.)


    However, I see that you've already tried this, and you've got a CISCO
    IOS error. Is this your firewall blocking the access? (You didn't say.)

    I'm going to assume that the CISCO firewall is between your laptop and
    the custssh_server, and that it's monitoring application traffic
    regardless of port.

    To bypass this you will need to use an http/ssl tunnel instead of
    plain http. With purely web based technologies you will need to have
    something running on either custssh_server or ssh_outside that unwraps
    https traffic back into plain http before forwarding it on. You would
    connect to this (un)wrapper from your laptop using https instead of http.

    Try looking at stunnel, or openvpn (which can tunnel https over proxies)

    Chris
     
    Chris Davies, Oct 3, 2008
    #5
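The reverse tunnel discussed in posts #1 and #5 only helps if the far end of the tunnel is something that speaks proxy-style HTTP. The poster's `-R *:8885:10.9.8.2:80` delivers `GET http://www.cnn.com HTTP/1.0` to an origin server (the router's cisco-IOS web interface), which answers 400 because it expects an origin-form target such as `GET / HTTP/1.0`; a forward proxy expects exactly the absolute-URI form. The following is an added example, not code from this thread or from any of its participants: a minimal HTTP/1.0 forward proxy of the kind that could run on ssh_outside, plus a constructed strict origin server that mimics the 400 the poster saw, both started in-process on loopback so the two behaviours can be compared offline. The response body, port numbers and hostnames are assumptions of the example.

```python
"""
Constructed demonstration: why the reverse tunnel must end at a proxy, not at
a web server. Two throwaway services run in-process on 127.0.0.1:

  * origin_handler: a strict origin server that, like the router in the
    thread, answers 400 to a proxy-style absolute-URI request (constructed
    to mimic that behaviour, not the real device).
  * proxy_handler : a minimal HTTP/1.0 forward proxy that accepts exactly
    that request form, opens the upstream connection and relays the reply.
Ports, hostnames and the body text are assumptions of this example.
"""
import socket
import threading
from urllib.parse import urlsplit

ORIGIN_BODY = b"hello from webmail"  # constructed sample content
BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def _read_head(conn):
    """Read until the blank line that ends the request headers."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data


def _read_all(conn):
    """Read until the peer closes (HTTP/1.0 style framing)."""
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            return data
        data += chunk


def origin_handler(conn):
    """Strict origin server: accepts only origin-form targets such as '/'."""
    with conn:
        request_line = _read_head(conn).split(b"\r\n", 1)[0].decode("latin-1")
        parts = request_line.split()
        if len(parts) != 3 or not parts[1].startswith("/"):
            conn.sendall(BAD_REQUEST)  # absolute URI sent to an origin server
            return
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n"
                     % len(ORIGIN_BODY) + ORIGIN_BODY)


def proxy_handler(conn):
    """Forward proxy: 'GET http://host:port/path HTTP/1.0' -> upstream request."""
    with conn:
        request_line, _, header_block = _read_head(conn).partition(b"\r\n")
        parts = request_line.decode("latin-1").split()
        if len(parts) != 3 or "://" not in parts[1]:
            conn.sendall(BAD_REQUEST)  # a proxy only speaks absolute-URI form
            return
        method, url, version = parts
        target = urlsplit(url)
        path = (target.path or "/") + ("?" + target.query if target.query else "")
        # Rewrite to origin-form and supply Host; drop any client Host header.
        headers = [h for h in header_block.split(b"\r\n")
                   if h and not h.lower().startswith(b"host:")]
        upstream_req = (f"{method} {path} {version}\r\nHost: {target.netloc}\r\n"
                        .encode("latin-1")
                        + b"".join(h + b"\r\n" for h in headers) + b"\r\n")
        # GET/HEAD only: no request body is relayed in this demo.
        with socket.create_connection((target.hostname, target.port or 80),
                                      timeout=5) as up:
            up.sendall(upstream_req)
            conn.sendall(_read_all(up))


def _listen(handler):
    """Bind a loopback listener on an ephemeral port; serve in daemon threads."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # loopback only: never expose an open proxy
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def http_request(port, request_line):
    """Send one raw request line to 127.0.0.1:port; return (status, body)."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(request_line.encode("latin-1") + b"\r\n\r\n")
        resp = _read_all(s)
    status = int(resp.split(b" ", 2)[1])
    return status, resp.split(b"\r\n\r\n", 1)[1]


def demo():
    """Same absolute-URI GET sent to the origin (400) and to the proxy (200)."""
    origin_port = _listen(origin_handler)
    proxy_port = _listen(proxy_handler)
    url = f"http://127.0.0.1:{origin_port}/"
    direct_status, _ = http_request(origin_port, f"GET {url} HTTP/1.0")
    proxied_status, body = http_request(proxy_port, f"GET {url} HTTP/1.0")
    return direct_status, proxied_status, body


if __name__ == "__main__":
    print(demo())  # (400, 200, b'hello from webmail')
```

Mapped onto the thread: run a proxy like this (or squid, tinyproxy, etc.) on ssh_outside bound to 127.0.0.1 on an assumed port 3128, then from ssh_outside run `ssh -N -R 8885:127.0.0.1:3128 user@custssh_server`, and point the browser on the laptop at custssh_server:8885 as its HTTP proxy. Two caveats a practitioner should check before doing so. First, a `-R *:8885:...` listener on custssh_server only binds to non-loopback interfaces if `GatewayPorts yes` is set in custssh_server's own sshd_config; the client-side `-g` and `-o GatewayPorts` in post #1 affect only `-L`/`-D` listeners and do nothing for `-R`. Second, once that listener is reachable from the laptop it is reachable from everything else that can reach custssh_server, so an unauthenticated proxy behind it is an open proxy unless a host firewall or ACL restricts who can connect. On OpenSSH 7.6 and later, `ssh -N -R 8885 user@custssh_server` (a `-R` with no destination) makes the ssh client itself serve SOCKS at the remote end, which removes the need for a separate proxy process; the `-c arcfour` cipher from post #1 has since been removed from OpenSSH and should not be relied on.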
