Wednesday, February 17, 2010

HOWTO: SSH tunnelling and securing traffic for networks with closed ports


On this howto I am going to show how to connect to any service at any port behind a router that restricts port access with a particular example: music streaming.

Situation:

We are behind a router that restricts some services (or any services) and we want, for instance, to access a service on port 3000 but the network does not allow us to do it (typical work/university situation).

Connection to service on port 3000 is restricted


We will need:
  • A server with full Internet access that we control (say our Desktop PC at home)
  • A running Linux distro on the server
  • The will/nedd to connect to restricted services in another network.
The result:

Access to any service (port) we want on the Internet throught an encrypted connection on any OS (Linux, Windows...).
Now the firewall does not know what on this connection on port 80 :) -click to see a bigger version-


Home machine:

So let's start on our machine at home. We have first to install the SSH server, the package is usually called openssh. Once installed we can open the config file of the ssh daemon: "/etc/ssh/ssh_config" (the path may be different on your distro), it should look like this:

Host *
# ForwardAgent no
ForwardX11 yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22



Now, we suppose our evil-corporation network only allows connections to port 80 to surf the web so we are going to put the ssh server on port 80 to be sure we can connect to it, edit the file (as root) and change the line:

# Port 22

to

Port 80

Now the ssh server is ready to be run, you can leave the rest of the file as it is, we are not interested on the other features of ssh on this howto. So, open a terminal and, as root, run the sshd daemon:
root@mont-blanc ~ # sshd
sshd re-exec requires execution with an absolute path

OOPS, no worries there, we are going to find the path:

root@mont-blanc ~ # which sshd
/usr/sbin/sshd
root@mont-blanc ~ # /usr/sbin/sshd

Done ! Now our server is up and running on port 80.
All of our configuration at home is done, now put on a paper/e-mail, your public IP address and open (redirect) the port 80 on your router/firewall. You can retrieve your public IP on lot's of sites like this one, or this one.


Office/university/whatever machine:

Life is better on Linux, everybody knows that :), we are first going to see how to do it all under Linux.
First of all we are going to connect to our server at home, say for instance your home's IP is 80.90.100.110:

ssh -N -D 2929 -P 80 user@80.90.100.110

Type your password and you are done. Now a SOCKS proxy server is running on your local (office...) machine on port 2929.
-N will prevent a shell to be opened
-D stands for dynamic, which is dynamic port forwarding, every connection to the SOCKS proxy on this port will forward the port (3000 for instance) to our home server on this same port but, through the ssh link on 80.
-P the port of our ssh server
user is your username at home

Now we can configure our applications to use the SOCKS sever, for instance firefox can be set to use a SOCKS server in the preferences->advanced menu. There you must specify the localhost ip address 127.0.0.1 and on this case the port 2929.
Surf the web now, and access http://www.ip-adress.com/ you will see that your IP is the one you have at home.

Ok, but what about applications that have no options or preferences for a SOCKS host ?

proxychains comes to your rescue, download and install it (if you can't find a package for your distro, download the code and just run the usual ./configure , make and make install (as root).

Proxychains will allow us to run any application as if it was connected to the proxy we choose. How ? Proxychains connects to the proxy and when the application wants to connect to a host proxychains redirects the connection.
To configure it open "/etc/proxyhains.conf" and at the end of the file, remove any entry like:

socks4 127.0.0.1 9050

and substitute it by:
socks5 127.0.0.1 2929

Save and close. Now lets try it:

$ proxychains rhythmbox
|DNS-request| radio.hiof.no
|S-chain|-<>-127.0.0.1:2929-<><>-4.2.2.2:53-<><>-OK
|DNS-response| radio.hiof.no is 158.39.172.209
|S-chain|-<>-127.0.0.1:2929-<><>-158.39.172.209:8000-<><>-OK

On this example we opened rhythmbox with proxychains and requested to listen a radio on port 8000, peace of cake :) now the firewall doesn't know what the traffic going through the port 80 is, but allows it and we can connect to a streaming server on port 8000 which otherwise we wouldn't have been able to.

On Windows machines instead of ssh you can use putty like this:

putty -ssh -N -D 2929 -P 80 user@80.90.100.110

and sockscap instead of proxychains.

I hope you enjoyed this article, any comments, suggestions... please comment.


Blogger templates

A cœur vaillant rien d'impossible.
Powered by Blogger.

Labels

About