ssh forward connection from one host with no proxy - Networking



  1. ssh forward connection from one host with no proxy

    Hi all

    I have been trying to use ssh to bypass firewall, see the current
    configuration

    machines:
    laptop_at_work (http internet only)
    custssh_server (no internet access)
    ssh_outside (can ssh into custssh_server)

    At laptop_at_work I have access to the internet through a proxy, but
    my webmail URL is blocked.
    At ssh_outside I can do a wget http://www.cnn.com, it works.
    So I want ssh_outside who has full internet connection to act as a
    proxy/gateway for me at laptop_at_work, using custssh_server as a
    middle gateway between me (laptop_at_work) and the internet
    (ssh_outside)

    I have tried

    at ssh_outside machine
    $ ssh -o "GatewayPorts yes" -g -c arcfour -R *:8885:10.9.8.2:80 -N user@custssh_server

    at custssh_server
    telnet localhost 8885

    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    GET http://www.cnn.com HTTP/1.0
    HTTP/1.1 400 Bad Request
    Date: Thu, 02 Oct 2008 19:07:04 GMT
    Server: cisco-IOS
    Accept-Ranges: none

    400 Bad Request
    Connection closed by foreign host.


    I see the localhost (custssh_server) forwards the request to
    ssh_outside machine router, which is 10.9.8.2 at port 80.

    I want those requests to go through the 10.9.8.2 gateway, but it looks
    like they are requesting data at port 80, which is the router port and
    obviously is not going to work.

    So, I ask if there is any chance to make those requests at
    custssh_server go to the 10.9.8.2 gateway and not to 10.9.8.2:80

    Thanks

    Claudio

  2. Re: ssh forward connection from one host with no proxy

    Claudio Miranda wrote:
    > I have been trying to use ssh to bypass firewall


    Assuming this is a work environment you'd be better off talking with
    your line manager and the system administrators. The firewall is there
    for a reason. (Even if you don't agree with the reason.)

    Chris

  3. Re: ssh forward connection from one host with no proxy

    On Oct 2, 4:58 pm, Chris Davies wrote:
    > Claudio Miranda wrote:
    > > I have been trying to use ssh to bypass firewall
    >
    > Assuming this is a work environment you'd be better off talking with
    > your line manager and the system administrators. The firewall is there
    > for a reason. (Even if you don't agree with the reason.)


    Thanks for your advice, but sysadmin people told me if I can keep this
    ssh only to my webmail access it is safe.
    Currently I already have access to my webmail through a 3G connection
    +bluetooth, but it's not fast.

    I suppose you are a system admin, right?

    Thanks

    Claudio



  4. Re: ssh forward connection from one host with no proxy

    In news:d0796a71-0bc4-4a13-963c-98d9b4d814f3@r66g2000hsg.googlegroups.com,
    Claudio Miranda typed:

    > At laptop_at_work I have access to the internet through a proxy, but
    > my webmail URL is blocked.


    And why is it blocked? webmail traditionally uses either port 80 or port
    443, which the normal proxy doesn't block, so your admins have particular
    reasons for limiting your Internet webmail access; you should discuss your
    need with them.



  5. Re: ssh forward connection from one host with no proxy

    Claudio Miranda wrote:
    > Thanks for your advice, but sysadmin people told me if I can keep this
    > ssh only to my webmail access it is safe.


    Fine. Just wanted to make the warning!

    To clarify your requirement:

    * You have three boxes, laptop, custssh_server, and ssh_outside

    * You want to get from laptop to a webmail service hosted elsewhere,
    but cannot do so directly

    * Laptop can only use a web proxy, but that web proxy allows
    TCP connections to ports other than 80

    * Custssh_server can accept inbound requests, on ports of your
    choice from laptop and ssh_outside, but cannot establish them

    * ssh_outside is a server under your control that can accept inbound
    requests on ports of your choice, and that can connect to
    custssh_server using ssh on port 22

    * Laptop cannot establish any direct connection with ssh_outside

    * Ssh_outside cannot establish any direct connection with laptop


    Initially I would suggest that you use ssh from ssh_outside IN to
    custssh_server that carries a reverse tunnel to your webmail. Let's have
    port 80 on webmail presented as port 8080 on custssh_server:

    ssh -R '*:8080:webmail.where.ever:80' custssh_server

    You then connect with your web browser to custssh_server on port 8080
    and it should all work. (Mind the GatewayPorts option, though.)


    However, I see that you've already tried this, and you've got a CISCO
    IOS error. Is this your firewall blocking the access? (You didn't say.)

    I'm going to assume that the CISCO firewall is between your laptop and
    the custssh_server, and that it's monitoring application traffic
    regardless of port.

    To bypass this you will need to use an http/ssl tunnel instead of
    plain http. With purely web based technologies you will need to have
    something running on either custssh_server or ssh_outside that unwraps
    https traffic back into plain http before forwarding it on. You would
    connect to this (un)wrapper from your laptop using https instead of http.

    Try looking at stunnel, or openvpn (which can tunnel https over proxies)

    Chris
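
Added example, not part of the thread: whether a `-R '*:8080:...'` listener like the one discussed above can be opened on custssh_server, and whether it is reachable from other hosts, is decided by that server's sshd settings rather than by the client's `-g` or `-o "GatewayPorts yes"`. The sketch below audits those settings from text in the format printed by `sshd -T`; the function names and the sample configurations are constructed for illustration.

```python
# Added example: audit the sshd settings that govern `ssh -R` listeners.
# Input is text in the format printed by `sshd -T` (lowercase "keyword value").
# PermitListen needs OpenSSH 7.8 or later; older servers do not print it.

DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permitlisten": "any"}

def effective(sshd_t_output):
    """Return the three forwarding keywords, falling back to sshd defaults."""
    cfg = dict(DEFAULTS)
    for line in sshd_t_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in DEFAULTS:
            cfg[parts[0].lower()] = parts[1].strip().lower()
    return cfg

def audit_remote_forwarding(sshd_t_output):
    """List findings about remote (-R) forwarding for one server."""
    cfg = effective(sshd_t_output)
    # Remote forwarding is off if TCP forwarding is "no"/"local" or no listener is permitted.
    if cfg["allowtcpforwarding"] not in ("yes", "all", "remote") or cfg["permitlisten"] == "none":
        return []
    findings = ["remote forwarding allowed: clients can open listeners with ssh -R"]
    if cfg["gatewayports"] == "yes":
        findings.append("gatewayports yes: every -R listener binds to all interfaces")
    elif cfg["gatewayports"] == "clientspecified":
        findings.append("gatewayports clientspecified: client may request a wildcard bind such as *:8080")
    if cfg["permitlisten"] == "any":
        findings.append("permitlisten any: no restriction on listener address or port")
    return findings

# Constructed samples (not taken from any real host).
PERMISSIVE = """\
port 22
allowtcpforwarding yes
gatewayports clientspecified
permitlisten any
"""
HARDENED = """\
port 22
allowtcpforwarding local
gatewayports no
permitlisten none
"""

if __name__ == "__main__":
    for name, sample in (("permissive", PERMISSIVE), ("hardened", HARDENED), ("defaults", "")):
        print(name, audit_remote_forwarding(sample) or "no remote forwarding possible")
```

With sshd defaults the listener exists but binds to loopback only, which is why the `telnet localhost 8885` test on custssh_server connected.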
