Re: [gentoo-user] [OT] SSH port forwards behind restrictive firewall
On Tuesday 19 February 2008, Mick wrote:

> > Does your mail server at home have a real ip address? You can do
> >
> > ssh -l username -p 443 -N ssh.server.address -L localport:mail.server.address:remoteport
> >
> > And you don't need to worry about setting up forwarding rules on the router.
>
> The mail server is on the Internet, not accessible by ssh. I intended to use the router to bounce the ssh connection and forward it to the mail server.
>
> laptop -- |firewall| -- router -- mailserver
>        ssh           ssh        ssl
>
> Essentially, thinking of using the router as a proxy server.

Ok, then Willie's command will work just fine, provided that *ssh* connections to port 443 or 80 of your router work (and of course, that your router can in turn reach the mail server on the necessary ports).

ssh -p 443 -L 1234:mail.server:25 -L 5678:mail.server:110 [EMAIL PROTECTED]

Would open ports 1234 and 5678 on localhost for sending and receiving mail respectively. If your mail server uses SSL, then use the corresponding ports (995 and/or 587 or whatever).

What you send to port 1234 on localhost will be forwarded by ssh to your router, and the router will forward the data to the mail server, port 25. The same for port 5678.

Note that the connection between your computer and the router is through ssh, to port 443 of the router. This is the only connection you'll pass through the firewall, and through which all the forwarded ports will flow.

-- 
gentoo-user@lists.gentoo.org mailing list
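The command above, wrapped so that the forwards are checked before a mail client is pointed at them. This is an added example and not code posted in the thread; the router name router.example.org, the user name mick, the mail host mail.server and the port numbers 1234/5678 are assumptions standing in for the poster's real values.

```python
"""Start the forward-only ssh session from the thread
(ssh -p 443 -L 1234:mail.server:25 -L 5678:mail.server:110 user@router)
and wait until the local listeners are really bound.
Added example; the hosts and ports below are placeholders."""
import shlex
import socket
import subprocess
import time

ROUTER = "router.example.org"   # assumption: the home router running sshd
USER = "mick"                   # assumption
SSH_PORT = 443                  # sshd on the router must listen here (Port 443 in sshd_config)

# (local port, remote host as the router sees it, remote port)
FORWARDS = [
    (1234, "mail.server", 25),   # SMTP
    (5678, "mail.server", 110),  # POP3
]


def forward_spec(local_port, remote_host, remote_port):
    """Build one -L argument. The explicit 127.0.0.1 bind is what ssh does by
    default (unless GatewayPorts is set), but spelling it out documents that
    nobody else on the office LAN is meant to reach the tunnel."""
    for p in (local_port, remote_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"bad port {p}")
    if not remote_host or any(c in remote_host for c in ":/ "):
        raise ValueError(f"bad host {remote_host!r}")
    return f"127.0.0.1:{local_port}:{remote_host}:{remote_port}"


def build_ssh_argv(user=USER, router=ROUTER, port=SSH_PORT, forwards=FORWARDS):
    """argv for the session: -N opens no shell, ExitOnForwardFailure makes ssh
    die instead of silently running without a busy local port, and the
    keepalives stop the firewall's idle timeout from dropping the tunnel."""
    argv = [
        "ssh", "-N",
        "-p", str(port),
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",
        "-o", "ServerAliveCountMax=3",
    ]
    for lp, rh, rp in forwards:
        argv += ["-L", forward_spec(lp, rh, rp)]
    argv.append(f"{user}@{router}")
    return argv


def listening(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_tunnel(forwards=FORWARDS, wait=10.0):
    """Run ssh in the background and return the process once every forward is up."""
    proc = subprocess.Popen(build_ssh_argv(forwards=forwards))
    deadline = time.monotonic() + wait
    while time.monotonic() < deadline:
        if proc.poll() is not None:
            raise RuntimeError(f"ssh exited with status {proc.returncode}")
        if all(listening(lp) for lp, _, _ in forwards):
            return proc
        time.sleep(0.25)
    proc.terminate()
    raise RuntimeError("forwards did not come up in time")


if __name__ == "__main__":
    print(shlex.join(build_ssh_argv()))
    tunnel = start_tunnel()
    print("tunnel up: mail client -> localhost:1234 (SMTP), localhost:5678 (POP3)")
    tunnel.wait()
```

Run it where the office firewall is, with the mail client set to localhost:1234 and localhost:5678; if sshd on the router is not reachable on 443 the script reports ssh's exit status instead of leaving a half-working tunnel behind.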
Re: [gentoo-user] [OT] SSH port forwards behind restrictive firewall
On Tuesday 19 February 2008, Etaoin Shrdlu wrote:

> On Tuesday 19 February 2008, Mick wrote:
>
> > > Does your mail server at home have a real ip address? You can do
> > >
> > > ssh -l username -p 443 -N ssh.server.address -L localport:mail.server.address:remoteport
> > >
> > > And you don't need to worry about setting up forwarding rules on the router.
> >
> > The mail server is on the Internet, not accessible by ssh. I intended to use the router to bounce the ssh connection and forward it to the mail server.
> >
> > laptop -- |firewall| -- router -- mailserver
> >        ssh           ssh        ssl
> >
> > Essentially, thinking of using the router as a proxy server.
>
> Ok, then Willie's command will work just fine, provided that *ssh* connections to port 443 or 80 of your router work (and of course, that your router can in turn reach the mail server on the necessary ports).
>
> ssh -p 443 -L 1234:mail.server:25 -L 5678:mail.server:110 [EMAIL PROTECTED]
>
> Would open ports 1234 and 5678 on localhost for sending and receiving mail respectively. If your mail server uses SSL, then use the corresponding ports (995 and/or 587 or whatever).
>
> What you send to port 1234 on localhost will be forwarded by ssh to your router, and the router will forward the data to the mail server, port 25. The same for port 5678.
>
> Note that the connection between your computer and the router is through ssh, to port 443 of the router. This is the only connection you'll pass through the firewall, and through which all the forwarded ports will flow.

Nice! I will try it out next time I'm in the office. Thanks. :)

-- 
Regards,
Mick
[gentoo-user] [OT] SSH port forwards behind restrictive firewall
Hi All,

I think that I have confused myself with this. I am behind a firewall/http proxy which seems to only allow outbound connections on ports 80 and 443 for web browsing. This is not enough for me, as I would like to use my mail client to send and receive mail from behind the firewall.

I tried connecting to ssh servers which listen on different ports, besides tcp/22, and I was not successful. This is probably an indication that the internet gateway machine only accepts connections for packets that have a destination to ports 80 and 443.

If the above is correct, am I right to assume that to be able to run a tunnel through this internet gateway I should run something like:

ssh -L :localhost:443 [EMAIL PROTECTED]

or are ssh packets somehow distinguishable by their headers, so that a cleverly crafted firewall will still identify them and drop them?

-- 
Regards,
Mick
Re: [gentoo-user] [OT] SSH port forwards behind restrictive firewall
On Monday 18 February 2008, Mick wrote:

> Hi All,
>
> I think that I have confused myself with this. I am behind a firewall/http proxy which seems to only allow outbound connections on ports 80 and 443 for web browsing. This is not enough for me, as I would like to use my mail client to send and receive mail from behind the firewall.
>
> I tried connecting to ssh servers which listen on different ports, besides tcp/22, and I was not successful. This is probably an indication that the internet gateway machine only accepts connections for packets that have a destination to ports 80 and 443.
>
> If the above is correct, am I right to assume that to be able to run a tunnel through this internet gateway I should run something like:
>
> ssh -L :localhost:443 [EMAIL PROTECTED]

Yup, that's pretty much it. Essentially you have set up a tunnel from port on the local machine (the exact port is irrelevant for firewall purposes, it's mostly random in normal connections anyway) to port 443 on remote_sshd.com. Hopefully you have control over that remote host and now you can do anything you feel like from there, bypassing probably hours of work by some firewall admin evil grin

Which all goes to show the utter futility of firewalling outbound connections from anyone with clue > 0. Unless of course ...

> or are ssh packets somehow distinguishable by their headers, so that a cleverly crafted firewall will still identify them and drop them?

There are such products around, called names like Level 7 firewalls etc. They look inside packets and try to deduce what's being transported. HTML traffic is easy, just look for appropriate URLs. https is less so; to the best of my knowledge https traffic looks a whole lot like ssh, as they are basically wrapped in the same layer. The essential difference is the remote port number.

Try the above and see what happens

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com
Re: [gentoo-user] [OT] SSH port forwards behind restrictive firewall
On Monday 18 February 2008, Mick wrote:

> Hi All,
>
> I think that I have confused myself with this. I am behind a firewall/http proxy which seems to only allow outbound connections on ports 80 and 443 for web browsing. This is not enough for me, as I would like to use my mail client to send and receive mail from behind the firewall.
>
> I tried connecting to ssh servers which listen on different ports, besides tcp/22, and I was not successful. This is probably an indication that the internet gateway machine only accepts connections for packets that have a destination to ports 80 and 443.
>
> If the above is correct, am I right to assume that to be able to run a tunnel through this internet gateway I should run something like:
>
> ssh -L :localhost:443 [EMAIL PROTECTED]

This command still tries to contact the remote host on port 22, and is blocked by the firewall. IIUC to exit the local firewall you should have the remote sshd listening on port 443 or 80.

ssh -p 443 [EMAIL PROTECTED]

Of course, the remote /etc/ssh/sshd_config must have Port 443 (or 80).

If this works and you are able to actually connect to the remote ssh, you can add local or remote port forwarding to this basic command. So, as an example for email, you can do something like:

ssh -p 443 -L :smtpserver:25 [EMAIL PROTECTED]

and configure your mail client to send to localhost, port .

Another alternative (depending upon how many ports you need to forward) could be to use SOCKS.

> or are ssh packets somehow distinguishable by their headers, so that a cleverly crafted firewall will still identify them and drop them?

That depends. The block might be solely port-based, or the firewall might very well be able to do deep packet inspection beyond the TCP port, and recognize HTTP packets (as well as FTP, IRC, etc.), even if they use a different port.

However, I'm not sure how it would be able to look into encrypted packets, like eg SSH or HTTPS packets (other than maybe recognize that they are indeed SSH or HTTPS; it should not be able to understand what's actually passing inside the flow, since the payloads are encrypted). Such a firewall could however block SSH packets even if they are destined to port 80 or 443 (since they are not HTTP traffic), so the above commands would not work.

However, even with this kind of firewall you might still be able to tunnel SSH inside HTTP, so that packets look like regular HTTP traffic and can traverse the firewall. A program for doing that is httptunnel (in portage).

Hope this helps.
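Both Alan's and Etaoin Shrdlu's replies turn on the same point: a port-based filter cannot tell ssh on 443 from https, but an inspecting one can, because the ssh identification string ("SSH-2.0-...") is sent in the clear before any key exchange, while a TLS client opens with a handshake record and an HTTP client with a request line. The classifier below shows what such a firewall sees in the first bytes of a stream. It is an added example, not code from the thread or from any firewall product; the sample captures are constructed by hand and the 80/443 policy in allowed_on_port is a stand-in for the office gateway's rules.

```python
"""Classify a TCP stream from the first bytes the client sends, ignoring
the port entirely. Added example; sample captures are constructed."""
import re

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")
TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
HTTP_REQUEST_LINE = re.compile(rb"(%s) \S+ HTTP/1\.[01]" % b"|".join(HTTP_METHODS))


def classify(first_bytes):
    """Return 'ssh', 'tls', 'http' or 'unknown' for the client's first bytes."""
    # RFC 4253: the version exchange is plaintext and precedes everything else.
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16, version 0x03 0x0N, 2-byte length,
    # then the handshake type byte, 0x01 for ClientHello.
    if (len(first_bytes) >= 6
            and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03
            and first_bytes[5] == TLS_CLIENT_HELLO):
        return "tls"
    # HTTP/1.x: "<METHOD> <target> HTTP/1.x" terminated by CRLF.
    request_line = first_bytes.split(b"\r\n", 1)[0]
    if HTTP_REQUEST_LINE.fullmatch(request_line):
        return "http"
    return "unknown"


def ssh_version(first_bytes):
    """Parse the identification string, e.g. b'SSH-2.0-OpenSSH_7.9\\r\\n'
    -> ('2.0', 'OpenSSH_7.9'), or None if it is not an ssh banner."""
    m = re.match(rb"SSH-(\d\.\d+)-([^\r\n ]+)", first_bytes)
    if not m:
        return None
    return m.group(1).decode(), m.group(2).decode()


def allowed_on_port(first_bytes, dst_port):
    """Policy of an inspecting firewall that permits only web traffic:
    port 443 must carry TLS, port 80 must carry HTTP, nothing else passes."""
    kind = classify(first_bytes)
    if dst_port == 443:
        return kind == "tls"
    if dst_port == 80:
        return kind == "http"
    return False


# Constructed captures: what each client writes first, and the destination port.
SAMPLES = {
    "ssh on 443": (b"SSH-2.0-OpenSSH_7.9\r\n", 443),
    "https": (b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32, 443),
    "http": (b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n", 80),
    "garbage on 443": (b"\x00\x01\x02\x03", 443),
}


def summarize(samples=SAMPLES):
    """Map each sample name to (classification, passes the web-only policy)."""
    return {name: (classify(data), allowed_on_port(data, port))
            for name, (data, port) in samples.items()}


if __name__ == "__main__":
    for name, (kind, ok) in summarize().items():
        print(f"{name:15s} {kind:8s} {'pass' if ok else 'drop'}")
```

The "ssh on 443" sample is exactly Mick's plan as a port-only filter sees it (a connection to 443, allowed) and as an inspecting filter sees it (an ssh banner on 443, dropped). Wrapping the same ssh session in something that produces a real TLS or HTTP first message, which is what httptunnel does for HTTP, is what changes the classification.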
Re: [gentoo-user] [OT] SSH port forwards behind restrictive firewall
Mick wrote:

> Hi All,
>
> I think that I have confused myself with this. I am behind a firewall/http proxy which seems to only allow outbound connections on ports 80 and 443 for web browsing. This is not enough for me, as I would like to use my mail client to send and receive mail from behind the firewall.
>
> I tried connecting to ssh servers which listen on different ports, besides tcp/22, and I was not successful. This is probably an indication that the internet gateway machine only accepts connections for packets that have a destination to ports 80 and 443.
>
> If the above is correct, am I right to assume that to be able to run a tunnel through this internet gateway I should run something like:
>
> ssh -L :localhost:443 [EMAIL PROTECTED]
>
> or are ssh packets somehow distinguishable by their headers, so that a cleverly crafted firewall will still identify them and drop them?

I don't have a direct answer, but it depends on the configuration of the firewall. You can analyze for content and you can also allow all traffic.

-- 
==
Nick Stinemates ([EMAIL PROTECTED])
http://nick.stinemates.org

AIM: Nick Stinemates
MSN: [EMAIL PROTECTED]
Yahoo: [EMAIL PROTECTED]
==
Re: [gentoo-user] [OT] SSH port forwards behind restrictive firewall
On Monday 18 February 2008, Etaoin Shrdlu wrote:

> On Monday 18 February 2008, Mick wrote:
>
> > Hi All,
> >
> > I think that I have confused myself with this. I am behind a firewall/http proxy which seems to only allow outbound connections on ports 80 and 443 for web browsing. This is not enough for me, as I would like to use my mail client to send and receive mail from behind the firewall.
> >
> > I tried connecting to ssh servers which listen on different ports, besides tcp/22, and I was not successful. This is probably an indication that the internet gateway machine only accepts connections for packets that have a destination to ports 80 and 443.
> >
> > If the above is correct, am I right to assume that to be able to run a tunnel through this internet gateway I should run something like:
> >
> > ssh -L :localhost:443 [EMAIL PROTECTED]
>
> This command still tries to contact the remote host on port 22, and is blocked by the firewall.

Oops! Yes, the primary ssh connection will take place to port 22 on the server, unless this is specified separately as you show below.

> IIUC to exit the local firewall you should have the remote sshd listening on port 443 or 80.
>
> ssh -p 443 [EMAIL PROTECTED]
>
> Of course, the remote /etc/ssh/sshd_config must have Port 443 (or 80).
>
> If this works and you are able to actually connect to the remote ssh, you can add local or remote port forwarding to this basic command. So, as an example for email, you can do something like:
>
> ssh -p 443 -L :smtpserver:25 [EMAIL PROTECTED]
>
> and configure your mail client to send to localhost, port .
>
> Another alternative (depending upon how many ports you need to forward) could be to use SOCKS.

With option -D on the server.

Hmm, need to explain that the ssh server is NOT the mail server (and last time I looked gmail did not accept ssh connections to their mail servers!), but a router I run at home. The idea is that I will set up corresponding forwarding rules on the router. Is that sound?

PS. Unless I missed it, Kmail does not have settings for SOCKS.

Thank you for your help. :)

-- 
Regards,
Mick
Re: [gentoo-user] [OT] SSH port forwards behind restrictive firewall
On Mon, Feb 18, 2008 at 07:26:28PM +, Penguin Lover Mick squawked:

> > ssh -p 443 -L :smtpserver:25 [EMAIL PROTECTED]
> >
> > and configure your mail client to send to localhost, port .
> >
> > Another alternative (depending upon how many ports you need to forward) could be to use SOCKS.
>
> With option -D on the server.
>
> Hmm, need to explain that the ssh server is NOT the mail server (and last time I looked gmail did not accept ssh connections to their mail servers!), but a router I run at home. The idea is that I will set up corresponding forwarding rules on the router. Is that sound?

Does your mail server at home have a real ip address? You can do

ssh -l username -p 443 -N ssh.server.address -L localport:mail.server.address:remoteport

And you don't need to worry about setting up forwarding rules on the router.

It might even work with private ip addresses for the mail server (I've never tried that... but it could be true that the ssh server will try to look up the ip address of the mail server relative to where it is sitting; in that case it should be possible to address something behind a NAT).

W

-- 
Pintsize: Hehe, yeah, that does sound like a pretty empty, pointless existence.
Marten: You are not helping, you know.
Pintsize: Wait, I'm supposed to be HELPING?

Sortir en Pantoufles: up 437 days, 20:52
Re: [gentoo-user] [OT] SSH port forwards behind restrictive firewall
On Monday 18 February 2008, Willie Wong wrote:

> On Mon, Feb 18, 2008 at 07:26:28PM +, Penguin Lover Mick squawked:
>
> > > ssh -p 443 -L :smtpserver:25 [EMAIL PROTECTED]
> > >
> > > and configure your mail client to send to localhost, port .
> > >
> > > Another alternative (depending upon how many ports you need to forward) could be to use SOCKS.
> >
> > With option -D on the server.
> >
> > Hmm, need to explain that the ssh server is NOT the mail server (and last time I looked gmail did not accept ssh connections to their mail servers!), but a router I run at home. The idea is that I will set up corresponding forwarding rules on the router. Is that sound?
>
> Does your mail server at home have a real ip address? You can do
>
> ssh -l username -p 443 -N ssh.server.address -L localport:mail.server.address:remoteport
>
> And you don't need to worry about setting up forwarding rules on the router.

The mail server is on the Internet, not accessible by ssh. I intended to use the router to bounce the ssh connection and forward it to the mail server.

laptop -- |firewall| -- router -- mailserver
       ssh           ssh        ssl

Essentially, thinking of using the router as a proxy server.

-- 
Regards,
Mick