ssh forward connection from one host with no proxy
Hi all
I have been trying to use ssh to bypass a firewall; see the current
configuration.
machines:
laptop_at_work (http internet only)
custssh_server (no internet access)
ssh_outside (can ssh into custssh_server)
At laptop_at_work I have access to the internet through a proxy, but
my webmail URL is blocked.
At ssh_outside I can do a wget http://www.cnn.com, it works.
So I want ssh_outside, which has a full internet connection, to act as a
proxy/gateway for me at laptop_at_work, using custssh_server as a
middle gateway between me (laptop_at_work) and the internet
(ssh_outside).
I have tried
at ssh_outside machine
$ ssh -o "GatewayPorts yes" -g -c arcfour -R *:8885:10.9.8.2:80 -N user@custssh_server
at custssh_server
telnet localhost 8885
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
GET http://www.cnn.com HTTP/1.0
HTTP/1.1 400 Bad Request
Date: Thu, 02 Oct 2008 19:07:04 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
Connection closed by foreign host.
I see the localhost (custssh_server) forwards the request to
ssh_outside machine router, which is 10.9.8.2 at port 80.
I want those requests to go through the 10.9.8.2 gateway, but looks
like they are requesting data at port 80, which is the router port and
obviously is not going to work.
So, I ask if there is any chance to make those requests at
custssh_server go to the 10.9.8.2 gateway and not to 10.9.8.2:80
Thanks
Claudio
Re: ssh forward connection from one host with no proxy
Claudio Miranda wrote:
> Hi all
>
> I have been trying to use ssh to bypass a firewall; see the current
> configuration.
Do you know what you are trying to do?
>
> machines:
> laptop_at_work (http internet only)
> custssh_server (no internet access)
> ssh_outside (can ssh into custssh_server)
>
I don't understand how this might work. custssh_server is an ssh server.
You can connect to it from laptop_at_work _and_ from ssh_outside. How
does this work without internet access?
> At laptop_at_work I have access to the internet through a proxy, but
> my webmail URL is blocked.
There is one important question you should answer very carefully: Do you
really like your job?
> At ssh_outside I can do a wget http://www.cnn.com, it works.
> So I want ssh_outside, which has a full internet connection, to act as a
> proxy/gateway for me at laptop_at_work, using custssh_server as a
> middle gateway between me (laptop_at_work) and the internet
> (ssh_outside).
>
> I have tried
>
> at ssh_outside machine
> $ ssh -o "GatewayPorts yes" -g -c arcfour -R *:8885:10.9.8.2:80 -N
> user@custssh_server
>
This is a reverse tunnel, not a dynamic forwarding. Maybe you should read
man ssh and look for options -L, -R and -D.
> I see the localhost (custssh_server) forwards the request to
> ssh_outside machine router, which is 10.9.8.2 at port 80.
>
This is due to -R *:8885:10.9.8.2:80
> I want those requests to go through the 10.9.8.2 gateway, but looks
> like they are requesting data at port 80, which is the router port and
> obviously is not going to work.
>
> So, I ask if there is any chance to make those requests at
> custssh_server go to the 10.9.8.2 gateway and not to 10.9.8.2:80
>
I've never tried that, but maybe
-R *:8885:localhost:8885 -D 8885
might work? But I don't see where your laptop_at_work comes in. If
custssh_server has no internet access, you can't access this server from
work?
Good Luck
Wolfgang
> Thanks
>
> Claudio
Re: ssh forward connection from one host with no proxy
On Oct 2, 5:05 pm, Wolfgang Meiners <WolfgangMeiner...@web.de> wrote:
>
> > I have been trying to use ssh to bypass a firewall; see the current
> > configuration.
>
> Do you know what you are trying to do?
Sure! As far as the sysadmin personnel there know what I am doing, and
they told me to keep ssh only to webmail, it is safe.
> > machines:
> > laptop_at_work (http internet only)
> > custssh_server (no internet access)
> > ssh_outside (can ssh into custssh_server)
>
> I don't understand how this might work. custssh_server is an ssh server.
> You can connect to it from laptop_at_work _and_ from ssh_outside. How
> does this work without internet access?
Sorry not to be clear.
The custssh_server has no internet access nor access to outside
servers; those are firewall rules.
But I am able to connect from ssh_outside to custssh_server.
So, I want to have a -R connection from ssh_outside to custssh_server.
> > At laptop_at_work I have access to the internet through a proxy, but
> > my webmail URL is blocked.
>
> There is one important question you should answer very carefully: Do you
> really like your job?
Ok, as I said before, it is safe at this point, especially because the
sysadmin people know me and we agreed to only have webmail access.
> > at ssh_outside machine
> > $ ssh -o "GatewayPorts yes" -g -c arcfour -R *:8885:10.9.8.2:80 -N
> > user@custssh_server
>
> This is a reverse tunnel not a dynamic forwarding. Maybe you should read
> man ssh and look for options -L, -R and -D.
I read that.
For this case I believe I need to have a kind of reverse tunnel,
connecting from ssh_outside to custssh_server, with -R redirection.
Then from laptop_at_work I can do an ssh -L 8885:10.9.8.2:8885
custssh_server, redirecting laptop requests to port 8885, through the -R
tunnel (at custssh_server) to 10.9.8.2 (the internet gateway at the
ssh_outside network).
> > So, I ask if there is any chance to make those requests at
> > custssh_server go to the 10.9.8.2 gateway and not to 10.9.8.2:80
>
> I've never tried that, but maybe
> -R *:8885:localhost:8885 -D 8885
> might work? But I don't see where your laptop_at_work comes in. If
> custssh_server has no internet access, you can't access this server from
> work?
Looks like -D will redirect connections as a SOCKS proxy; that is what
I want.
I believe this is going to work, I will try that and will let you
know.
Thank you, for your time and patience.
Claudio
Re: ssh forward connection from one host with no proxy
Claudio Miranda wrote:
> I believe this is going to work, I will try that and will let you
> know.
I would not like to have a reverse tunnel from custssh_server to
ssh_outside open all the time. I would prefer something like
on ssh_outside
ssh -fN -D 8845 userC@localhost
(maybe you need ssh -gfN -D 8845 userC@localhost)
on laptop_at_work
ssh -fN -L 8845:localhost:8845 userB@custssh_server \
ssh -L 8845:localhost:8845 userC@ssh_outside
where userB is at custssh_server and userC is at ssh_outside. If you
don't need encryption between custssh_server and ssh_outside, you could type
ssh -fN -L 8845:ssh_outside:8845 userB@custssh_server
instead. This should work if you have a private key on laptop_at_work
and corresponding public keys on custssh_server (userB) and ssh_outside
(userC).
> Claudio
Wolfgang
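As an added example that is not part of the thread and not OpenSSH code: a minimal SOCKS5 CONNECT proxy and client, run in one process, showing what the `ssh -D 8845` listener in Wolfgang's last suggestion speaks to the laptop's browser, and why it works where `-R *:8885:10.9.8.2:80` did not. That reverse forward carried one fixed destination (10.9.8.2:80, the router's own HTTP listener, hence the cisco-IOS "400 Bad Request"), whereas each SOCKS request carries its own host and port, so the far end of the tunnel can open a new connection per request. The proxy port, the stand-in "destination" (a local echo server) and the message are all constructed here, and the relay is simplified to one request and one reply; a real `ssh -D` relays both directions until either side closes.

```python
"""Minimal SOCKS5 CONNECT proxy and client in one process (RFC 1928 subset).

The proxy plays the part `ssh -D` plays on the laptop; the echo server stands
in for the web server the browser wants. Constructed example, not OpenSSH code.
"""
import socket
import struct
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 1


def encode_connect(host, port):
    """Build a SOCKS5 CONNECT request for host:port.

    Dotted-quad hosts go as ATYP 1 (IPv4); anything else as ATYP 3 (domain name),
    so DNS resolution happens on the proxy side, as a browser behind ssh -D needs.
    """
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def decode_connect(data):
    """Parse a CONNECT request into (host, port): the destination is in the request."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == 1:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 3:
        n = data[4]
        host, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == 4:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    return host, struct.unpack("!H", rest[:2])[0]


def socks5_serve_one(listener):
    """Accept one client, negotiate NO AUTH, honour CONNECT, relay one request/reply.

    Returns the (host, port) the client asked for. This is the proxy role.
    """
    conn, _ = listener.accept()
    with conn:
        greeting = conn.recv(258)                       # VER NMETHODS METHODS...
        if greeting[0] != SOCKS_VERSION or 0 not in greeting[2:2 + greeting[1]]:
            conn.sendall(b"\x05\xff")                   # no acceptable method
            return None
        conn.sendall(b"\x05\x00")                       # method 0: no authentication
        host, port = decode_connect(conn.recv(262))
        with socket.create_connection((host, port), timeout=5) as target:
            # VER REP=0 (succeeded) RSV ATYP=1 BND.ADDR=0.0.0.0 BND.PORT=0
            conn.sendall(b"\x05\x00\x00\x01" + bytes(6))
            target.sendall(conn.recv(4096))             # client -> destination
            conn.sendall(target.recv(4096))             # destination -> client
    return host, port


def echo_serve_one(listener):
    """Stand-in destination: answer one message with 'echo:' + the message."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"echo:" + conn.recv(4096))


def socks5_connect(proxy_addr, host, port):
    """Client side of the handshake; returns a socket whose far end is host:port."""
    sock = socket.create_connection(proxy_addr, timeout=5)
    sock.sendall(bytes([SOCKS_VERSION, 1, 0]))          # offer only NO AUTH
    if sock.recv(2) != b"\x05\x00":
        sock.close()
        raise ConnectionError("proxy refused the no-auth method")
    sock.sendall(encode_connect(host, port))
    reply = sock.recv(262)
    if len(reply) < 2 or reply[1] != 0:
        sock.close()
        raise ConnectionError("CONNECT refused, REP=%r" % reply[1:2])
    return sock


def listen_local():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))                          # kernel picks a free port
    srv.listen(1)
    return srv


def demo(message=b"GET / HTTP/1.0\r\n\r\n"):
    """Run proxy and destination, send one message through, return (dest, reply)."""
    proxy_l, target_l = listen_local(), listen_local()
    seen = {}
    t_proxy = threading.Thread(target=lambda: seen.update(dest=socks5_serve_one(proxy_l)))
    t_target = threading.Thread(target=echo_serve_one, args=(target_l,))
    t_proxy.start()
    t_target.start()
    try:
        dest_port = target_l.getsockname()[1]
        with socks5_connect(proxy_l.getsockname(), "127.0.0.1", dest_port) as s:
            s.sendall(message)
            reply = s.recv(4096)
    finally:
        t_proxy.join()
        t_target.join()
        proxy_l.close()
        target_l.close()
    return seen.get("dest"), reply


if __name__ == "__main__":
    print(demo())
```

On the laptop the browser is pointed at localhost:8845 as a SOCKS proxy, not as an HTTP proxy: `ssh -D` understands only the SOCKS handshake on that port, which is exactly the difference between it and the earlier `-R` forward, where every byte went to one pre-chosen address.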