ssh forward connection from one host with no proxy - SSH


  1. ssh forward connection from one host with no proxy

    Hi all

    I have been trying to use ssh to bypass firewall, see the current
    configuration

    machines:
    laptop_at_work (http internet only)
    custssh_server (no internet access)
    ssh_outside (can ssh into custssh_server)

    At laptop_at_work I have access to the internet through a proxy, but
    my webmail URL is blocked.
    At ssh_outside I can do a wget http://www.cnn.com, it works.
    So I want ssh_outside who has full internet connection to act as a
    proxy/gateway for me at laptop_at_work, using custssh_server as a
    middle gateway between me (laptop_at_work) and the internet
    (ssh_outside)

    I have tried

    at ssh_outside machine
    $ ssh -o "GatewayPorts yes" -g -c arcfour -R *:8885:10.9.8.2:80 -N
    user@custssh_server

    at custssh_server
    telnet localhost 8885

    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    GET http://www.cnn.com HTTP/1.0
    HTTP/1.1 400 Bad Request
    Date: Thu, 02 Oct 2008 19:07:04 GMT
    Server: cisco-IOS
    Accept-Ranges: none

    400 Bad Request
    Connection closed by foreign host.


    I see the localhost (custssh_server) forwards the request to
    ssh_outside machine router, which is 10.9.8.2 at port 80.

    I want those requests to go through the 10.9.8.2 gateway, but looks
    like they are requesting data at port 80, which is the router port and
    obviously is not going to work.

    So, I ask if there is any chance to make those requests at
    custssh_server go to the 10.9.8.2 gateway and not the 10.9.8.2:80

    Thanks

    Claudio

  2. Re: ssh forward connection from one host with no proxy

    Claudio Miranda wrote:
    > Hi all
    >
    > I have been trying to use ssh to bypass firewall, see the current
    > configuration


    Do you know what you are trying to do?

    >
    > machines:
    > laptop_at_work (http internet only)
    > custssh_server (no internet access)
    > ssh_outside (can ssh into custssh_server)
    >


    I don't understand how this might work. custssh_server is an ssh server.
    You can connect to it from laptop_at_work _and_ from ssh_outside. How
    does this work without internet access?

    > At laptop_at_work I have access to the internet through a proxy, but
    > my webmail URL is blocked.


    There is one important question you should answer very carefully: Do you
    really like your job?

    > At ssh_outside I can do a wget http://www.cnn.com, it works.
    > So I want ssh_outside who has full internet connection to act as a
    > proxy/gateway for me at laptop_at_work, using custssh_server as a
    > middle gateway between me (laptop_at_work) and the internet
    > (ssh_outside)
    >
    > I have tried
    >
    > at ssh_outside machine
    > $ ssh -o "GatewayPorts yes" -g -c arcfour -R *:8885:10.9.8.2:80 -N
    > user@custssh_server
    >

    This is a reverse tunnel not a dynamic forwarding. Maybe you should read
    man ssh and look for options -L, -R and -D.

    > I see the localhost (custssh_server) forwards the request to
    > ssh_outside machine router, which is 10.9.8.2 at port 80.
    >

    This is due to -R *:8885:10.9.8.2:80

    > I want those requests to go through the 10.9.8.2 gateway, but looks
    > like they are requesting data at port 80, which is the router port and
    > obviously is not going to work.
    >
    > So, I ask if there is any chance to make those requests at
    > custssh_server go to the 10.9.8.2 gateway and not the 10.9.8.2:80
    >


    I've never tried that, but maybe
    -R *:8885:localhost:8885 -D 8885

    might work? But I don't see where your laptop_at_work comes in. If
    custssh_server has no internet access, you can't access this server from
    work?

    Good Luck
    Wolfgang

    > Thanks
    >
    > Claudio


  3. Re: ssh forward connection from one host with no proxy

    On Oct 2, 5:05 pm, Wolfgang Meiners wrote:
    >
    > > I have been trying to use ssh to bypass firewall, see the current
    > > configuration

    >
    > Do you know what you are trying to do?


    Sure! The sysadmin personnel there know what I am doing and
    they told me to keep ssh only to webmail, it is safe.

    > > machines:
    > > laptop_at_work (http internet only)
    > > custssh_server (no internet access)
    > > ssh_outside (can ssh into custssh_server)

    >
    > I don't understand how this might work. custssh_server is an ssh server.
    > You can connect to it from laptop_at_work _and_ from ssh_outside. How
    > does this work without internet access?


    Sorry not to be clear.
    The custssh_server has no internet access nor access to outside
    servers; those are firewall rules.
    But I am able to connect from ssh_outside to custssh_server.
    So, I want to have -R connection from ssh_outside to custssh_server

    > > At laptop_at_work I have access to the internet through a proxy, but
    > > my webmail URL is blocked.

    >
    > There is one important question you should answer very carefully: Do you
    > really like your job?


    Ok, as I said before, it is safe at this point, especially because the
    sysadmin people know me and we agreed to only have webmail access.

    > > at ssh_outside machine
    > > $ ssh -o "GatewayPorts yes" -g -c arcfour -R *:8885:10.9.8.2:80 -N
    > > user@custssh_server

    >
    > This is a reverse tunnel not a dynamic forwarding. Maybe you should read
    > man ssh and look for options -L, -R and -D.


    I read that.
    For this case I believe I need to have a kind of reverse tunnel,
    connecting from ssh_outside to custssh_server, with -R redirection.
    Then from laptop_at_work I can do a ssh -L 8885:10.9.8.2:8885
    custssh_server, redirecting laptop requests to 8885 port, through -R
    tunnel (at custssh_server) to 10.9.8.2 (the internet gateway at
    ssh_outside network)

    > > So, I ask if there is any chance to make those requests at
    > > custssh_server go to the 10.9.8.2 gateway and not the 10.9.8.2:80

    >
    > I've never tried that, but maybe
    > -R *:8885:localhost:8885 -D 8885


    > might work? But I don't see where your laptop_at_work comes in. If
    > custssh_server has no internet access, you can't access this server from
    > work?


    Looks like -D will redirect connections as a SOCKS proxy, that is what
    I want.
    I believe this is going to work, I will try that and will let you
    know.

    Thank you, for your time and patience.

    Claudio

  4. Re: ssh forward connection from one host with no proxy

    Claudio Miranda wrote:
    > I believe this is going to work, I will try that and will let you
    > know.


    I would not like to have a reverse tunnel from custssh_server to
    ssh_outside open all the time. I would prefer something like

    on ssh_outside
    ssh -fN -D 8845 userC@localhost
    (maybe you need ssh -gfN -D 8845 userC@localhost)

    on laptop_at_work
    ssh -fN -L 8845:localhost:8845 userB@custssh_server \
    ssh -L 8845:localhost:8845 userC@ssh_outside

    where userB is at custssh_server and userC is at ssh_outside. If you
    don't need encryption between custssh_server and ssh_outside, you could type
    ssh -fN -L 8845:ssh_outside:8845 userB@custssh_server
    instead. This should work if you have a private key on laptop_at_work
    and corresponding public keys on custssh_server (userB) and ssh_outside
    (userC).

    > Claudio


    Wolfgang
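
How the -L, -R and -D options used in this thread split into a listening side and a connecting side, as an added example that is not part of the original posts: the Python sketch below parses an OpenSSH client command line and reports, for each forward, which machine listens and which machine opens the onward connection. `parse_forwards` and `describe` are hypothetical names; IPv6 bracket literals and Unix-socket forwards are assumed absent.

```python
import shlex

# OpenSSH client options that consume a value (per ssh(1))
TAKES_ARG = set("BbcDEeFIiJLlmOopQRSWw")

def parse_forwards(cmdline):
    """Describe every -L/-R/-D forward in one ssh client command line."""
    tokens = shlex.split(cmdline)[1:]            # drop the leading "ssh"
    flags, opts, specs, i = set(), [], [], 0
    while i < len(tokens) and tokens[i].startswith("-"):
        body, i = tokens[i][1:], i + 1
        for pos, ch in enumerate(body):
            if ch not in TAKES_ARG:
                flags.add(ch)                    # bundled flag such as -fN
                continue
            value = body[pos + 1:]
            if not value:                        # value is the next token
                value, i = tokens[i], i + 1
            if ch in "LRD":
                specs.append((ch, value))
            elif ch == "o":
                opts.append(value.replace("=", " ").lower().split())
            break
    # -g and "-o GatewayPorts yes" are client settings: they only widen
    # listeners that the client itself opens (-L and -D).
    local_gw = "g" in flags or ["gatewayports", "yes"] in opts
    return [describe(kind, spec, local_gw) for kind, spec in specs]

def describe(kind, spec, local_gw):
    parts = spec.split(":")
    socks = kind == "D" or (kind == "R" and len(parts) <= 2)
    n_listen = len(parts) if socks else len(parts) - 2   # [bind:]port fields
    if n_listen not in (1, 2):
        raise ValueError(f"unsupported forward spec: {spec!r}")
    bind = parts[0] if n_listen == 2 else None
    remote = kind == "R"
    return {
        "kind": kind,
        "listener_on": "server" if remote else "client",
        "bind": bind,
        "port": int(parts[n_listen - 1]),
        "target": "per-connection (SOCKS)" if socks else ":".join(parts[-2:]),
        # the side that opens the onward TCP connection to the target
        "target_reached_from": "client" if remote else "server",
        "wildcard_requested": bind in ("", "*")
                              or (bind is None and local_gw and not remote),
        "exposure_set_by": "sshd_config GatewayPorts" if remote
                           else "client -g/GatewayPorts",
    }
```

Run on the command from the first post, it reports a listener on custssh_server whose connections are delivered from ssh_outside to 10.9.8.2:80, which is why the 400 reply came from the router's own web server. The client-side -g and GatewayPorts settings do not govern a -R listener; whether the requested `*` bind is honoured is decided by GatewayPorts in the server's sshd_config.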
