Escaping Firewalls
From iA wiki
The problem
Many corporate firewalls limit access to outside resources, limiting the ability of the people working for the company to get their work done. Typically, all incoming traffic is blocked, and all outgoing traffic except HTTP and FTP is blocked.
The solution
One solution is to tunnel your traffic through a proxy server on an open port. These are usually:
- 20: FTP Data
- 21: FTP Control
- 80: HTTP (sometimes proxied)
- 443: HTTPS (sometimes proxied)
You also want to ensure that the traffic isn't subject to corporate content monitoring, as this can trigger some filtering software. Luckily, there is a clean solution that you can probably build from materials you already have at home!
The Secure Shell (ssh) protocol was originally developed as an encrypted form of telnet, to remotely connect to and control Unix terminals. It also can tunnel any TCP traffic to a remote host.
To escape your corporate firewall, you just set up a chain that looks like:
Local Machine                 Firewall     Remote Machine Internet
========================         |         ================
                                 |
Web Browser/IM --> ssh ----------|-------> sshd --------> Back out to the internet
                   port 1080     |         port 443       Unrestricted port
If your corporate firewall is very restrictive and the only form of egress is through an HTTP proxy, this can still be done. The ssh client first opens a TCP connection to the proxy and sends it a "CONNECT <IP ADDRESS>" request; once the proxy has relayed the connection, all ssh communication is encrypted as usual.
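From the monitoring side, the tunnel in this diagram is distinguishable from ordinary HTTPS because both ssh peers send their identification strings in the clear before any encryption starts, whatever port is used. As an added example (not part of the original wiki page), the following Python classifies the first payload bytes of a TCP stream and flags SSH where TLS would be expected on port 443; the flow records and IP addresses are constructed.

```python
import re

# SSH identification string (RFC 4253): "SSH-protoversion-softwareversion" + CRLF.
# It is exchanged in the clear before key exchange, regardless of the TCP port.
SSH_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-([^\r\n ]+)")

# Request-line prefixes of plaintext HTTP, including the CONNECT request
# an egress proxy sees when ssh is tunnelled through it.
HTTP_METHODS = (b"GET ", b"POST", b"HEAD", b"PUT ", b"CONN", b"OPTI")


def classify_payload(data: bytes) -> str:
    """Classify the first bytes of a TCP stream as 'tls', 'ssh', 'http' or 'unknown'."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if SSH_BANNER.match(data):
        return "ssh"
    if data[:4] in HTTP_METHODS:
        return "http"
    return "unknown"


def find_ssh_on_443(flows):
    """flows: iterable of (client_ip, dst_port, first_payload_bytes).

    Returns one alert string per stream to tcp/443 that speaks SSH instead of TLS.
    """
    alerts = []
    for client, dport, payload in flows:
        if dport == 443 and classify_payload(payload) == "ssh":
            software = SSH_BANNER.match(payload).group(2).decode("ascii", "replace")
            alerts.append(f"{client}: SSH ({software}) on tcp/443, expected TLS")
    return alerts


# Constructed sample flows (not real captures): a TLS ClientHello, the ssh
# tunnel from the diagram above, and an ordinary plaintext HTTP request.
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, bytes.fromhex("16030100a5010000a10303") + b"\x00" * 32),
    ("10.0.0.7", 443, b"SSH-2.0-OpenSSH_4.3\r\n"),
    ("10.0.0.9", 443, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in find_ssh_on_443(SAMPLE_FLOWS):
        print(alert)
```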
Setting up the server
This solution requires control of, or cooperation from, the outside endpoint. Any computer connected to the internet will do; however, it needs substantial bandwidth, since all traffic from the firewalled machine travels down the pipe to the remote machine and then back out.
If the remote machine is a *nix box, install sshd per your distribution's instructions. If it is a Windows box, install sshd as a service. Use ssh to log in to the box and make sure it is working properly.
Edit /etc/ssh/sshd_config and add the following options (as of OpenSSH v4.3):
- Port 443
- AllowTcpForwarding true
Restart the ssh service and check that you can log in on port 443 by typing "ssh -p 443 username@localhost" on the ssh server.
If you have a firewall between the internet and the ssh server, forward port 443 from the firewall to the ssh server. That should be the only port necessary.
Once you have it set up, get a nice, easy-to-remember (and dynamically updated) hostname through FreeDNS.
Busting Out
Now that there is a server awaiting connections, you just need to connect to it. We'll be using ssh's SOCKS proxy to actually route the traffic from inside the firewall to outside the firewall.
If your firewall only blocks non-HTTP ports, you can connect and start the local proxy with the command:
ssh -p 443 -D 1080 user@my.ssh.server.org
This instructs ssh to connect to port 443 and set up a SOCKS 4/5 server on port 1080 locally.
If your firewall requires passing through a proxy server, use Corkscrew on *nix or PuTTY on Windows.
Using PuTTY
PuTTY is a great tool, but can be a bit odd to configure and use. One thing to remember when configuring or testing PuTTY: go to the "Session" tab, click the name of your working session, and click "Save" before connecting, every time, or PuTTY won't keep your changes.
First, getting PuTTY (v0.58) to connect:
- Enter user@my.public.ip.org into the host name field
- Enter 443 into the port field
- Select SSH as the protocol
- If you're behind a proxy:
  - Click the Connection/Proxy item
  - Select HTTP as the proxy method
  - Enter the name/port of the proxy server
  - Select "Yes" for "Do DNS name lookup at proxy end"
- Save your session
Attempt to connect.
If all goes well, enable proxying in PuTTY:
- Select the Connection/SSH/Tunnels pane
- Enter 1080 for "Source Port"
- Leave destination blank
- Select the "Dynamic" button (which will enable SOCKS proxying)
- Click "Add"
- A line reading "D1080" should appear in the list
- Save your session
Connect to the server again. You should have forwarding enabled.
Once you have that working, you can create a shortcut to PuTTY with the -load "Session Name" flag to automatically connect. If you trust your local security, you can save yourself typing in the password by keeping an SSH key locally.
Using Applications
Many applications can be configured to use a SOCKS5 proxy for their connections. Unfortunately, many applications do not send their DNS lookups through the SOCKS proxy, so while your traffic is encrypted, the corporate firewall logs will still show lookups for sticking.it.to.the.man.org. Some applications that are known to work correctly:

