ssh forward connection from one host with no proxy

Discussion in 'Linux Networking' started by Claudio Miranda, Oct 2, 2008.

  1. Hi all

    I have been trying to use ssh to bypass a firewall; see the current

    laptop_at_work (http internet only)
    custssh_server (no internet access)
    ssh_outside (can ssh into custssh_server)

    At laptop_at_work I have access to the internet through a proxy, but
    my webmail URL is blocked.
    At ssh_outside I can do a wget, and it works.
    So I want ssh_outside, which has a full internet connection, to act as a
    proxy/gateway for me at laptop_at_work, using custssh_server as a
    middle gateway between me (laptop_at_work) and the internet.

    I have tried

    at ssh_outside machine
    $ ssh -o "GatewayPorts yes" -g -c arcfour -R *:8885: -N

    at custssh_server
    telnet localhost 8885

    Connected to localhost.localdomain (
    Escape character is '^]'.
    GET HTTP/1.0
    HTTP/1.1 400 Bad Request
    Date: Thu, 02 Oct 2008 19:07:04 GMT
    Server: cisco-IOS
    Accept-Ranges: none

    400 Bad Request
    Connection closed by foreign host.

    I see that localhost (custssh_server) forwards the request to the
    ssh_outside machine's router, which is at port 80.

    I want those requests to go through the gateway, but it looks
    like they are requesting data at port 80, which is the router port and
    obviously is not going to work.

    So, I ask if there is any chance to make those requests at
    custssh_server go to the gateway and not the


    Claudio Miranda, Oct 2, 2008

  2. Chris Davies, Guest

    Assuming this is a work environment you'd be better off talking with
    your line manager and the system administrators. The firewall is there
    for a reason. (Even if you don't agree with the reason.)

    Chris Davies, Oct 2, 2008

  3. Thanks for your advice, but the sysadmin people told me that if I can keep this
    ssh only for my webmail access, it is safe.
    Currently I already have access to my webmail through a 3G connection
    + Bluetooth, but it's not fast.

    I suppose you are a system admin, right?


    Claudio Miranda, Oct 3, 2008
  4. b.jeswine, Guest

    And why is it blocked? webmail traditionally uses either port 80 or port
    443, which the normal proxy doesn't block, so your admins have particular
    reasons for limiting your Internet webmail access; you should discuss your
    need with them.
    b.jeswine, Oct 3, 2008
  5. Chris Davies, Guest

    Fine. Just wanted to make the warning!

    To clarify your requirement:

    * You have three boxes, laptop, custssh_server, and ssh_outside

    * You want to get from laptop to a webmail service hosted elsewhere,
    but cannot do so directly

    * Laptop can only use a web proxy, but that web proxy allows
    TCP connections to ports other than 80

    * Custssh_server can accept inbound requests, on ports of your
    choice from laptop and ssh_outside, but cannot establish them

    * ssh_outside is a server under your control that can accept inbound
    requests on ports of your choice, and that can connect to
    custssh_server using ssh on port 22

    * Laptop cannot establish any direct connection with ssh_outside

    * Ssh_outside cannot establish any direct connection with laptop

    Initially I would suggest that you use ssh from ssh_outside IN to
    custssh_server that carries a reverse tunnel to your webmail. Let's have
    port 80 on webmail presented as port 8080 on custssh_server:

    ssh -R '*:8080:webmail.where.ever:80' custssh_server

    You then connect with your web browser to custssh_server on port 8080
    and it should all work. (Mind the GatewayPorts option, though.)

    However, I see that you've already tried this, and you've got a CISCO
    IOS error. Is this your firewall blocking the access? (You didn't say.)

    I'm going to assume that the CISCO firewall is between your laptop and
    the custssh_server, and that it's monitoring application traffic
    regardless of port.

    To bypass this you will need to use an http/ssl tunnel instead of
    plain http. With purely web based technologies you will need to have
    something running on either custssh_server or ssh_outside that unwraps
    https traffic back into plain http before forwarding it on. You would
    connect to this (un)wrapper from your laptop using https instead of http.

    Try looking at stunnel, or openvpn (which can tunnel https over proxies)

    Chris Davies, Oct 3, 2008
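The reverse tunnel Chris describes, simulated locally in Python as an added example (this is not code from the thread, from OpenSSH or from any of the hosts named above). A constructed "webmail" HTTP server stands in for webmail.where.ever:80; a plain TCP relay plays the part sshd takes on custssh_server when `-R '*:8080:webmail.where.ever:80'` binds port 8080, with its bind address as the local analogue of the GatewayPorts choice (127.0.0.1 = loopback only, 0.0.0.0 = reachable from the laptop); and `fetch()` plays the laptop's browser. A second constructed server answers with the `400 Bad Request` / `Server: cisco-IOS` reply Claudio pasted, so `diagnose()` shows how to tell from the response alone whether the far end of the tunnel is the webmail host or a Cisco device's port 80. All hostnames, ports, header values and bodies are made up for the demonstration; the script runs entirely on loopback.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_handler(server_name, status, body):
    """Build a tiny HTTP handler that always answers with the given status,
    Server header and body.  Two constructed stand-ins use it: the webmail
    host, and the Cisco router whose 400 reply appears in the thread."""

    class Handler(BaseHTTPRequestHandler):
        def version_string(self):
            return server_name          # becomes the Server: header

        def do_GET(self):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass                        # keep the demo quiet

    return Handler


def start_http(handler):
    """Serve on an ephemeral loopback port; returns (host, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def _relay(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(bind_addr, target):
    """Listen on bind_addr and relay every accepted TCP connection to target.

    This is the role sshd plays on custssh_server for `ssh -R`: with
    GatewayPorts no the listener is bound to 127.0.0.1 (only custssh_server
    itself can use it); with GatewayPorts yes it is bound to 0.0.0.0 (the
    laptop can reach it).  Returns (host, port) of the listener."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((bind_addr, 0))
    lsock.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return
            upstream = socket.create_connection(target, timeout=5)
            upstream.settimeout(None)
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_relay, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()


def fetch(host, port, path="/"):
    """What the browser on laptop_at_work does: plain HTTP to custssh_server:8080."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server"), resp.read()
    finally:
        conn.close()


def diagnose(status, server_header):
    """Classify, from the reply alone, where the far end of the tunnel landed.
    A 400 carrying Server: cisco-IOS is the signature from the thread: the
    forwarded connection reached a Cisco device's port 80, not the webmail."""
    if server_header and "cisco-ios" in server_header.lower():
        return "router"
    if 200 <= status < 400:
        return "service"
    return "error %d" % status


def demo():
    """Run both tunnels and return {name: (status, server_header, verdict)}."""
    webmail = start_http(make_handler("fake-webmail", 200, b"webmail inbox\n"))
    router = start_http(make_handler("cisco-IOS", 400, b"400 Bad Request\n"))
    good = start_forwarder("127.0.0.1", webmail)   # -R pointing at the webmail host
    bad = start_forwarder("127.0.0.1", router)     # -R that lands on the router's port 80
    results = {}
    for name, (host, port) in (("webmail", good), ("router", bad)):
        status, server, _body = fetch(host, port)
        results[name] = (status, server, diagnose(status, server))
    return results


if __name__ == "__main__":
    for name, (status, server, verdict) in demo().items():
        print("%-8s -> %d  Server: %-12s  verdict: %s" % (name, status, server, verdict))
```

The relay is deliberately dumb: it copies bytes and knows nothing about HTTP, which is exactly why the real `-R` forward in the thread cheerfully delivered a browser request to a router. Whatever answers on the target host and port is what the laptop talks to, so checking the Server header and status of the first reply is the quickest way to confirm the tunnel ends where you think it does.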