OpenSUSE Linux Rants

OpenSUSE Linux Tips, tricks, how-tos, opinions, and news

July 15, 2006

Filter piercing with Linux

by @ 7:15 am. Filed under General Linux, How-To, ssh tips, SUSE Tips & Tricks

The other day, I was given a challenge. My friend said to me, “I sure wish I knew how to get around this filter.” Of course, he was talking about a web content filtration system that was active on the network’s Internet connection. I thought about it for a second, looked around to see if anyone was listening, and whispered, “I can show you how to do that.”

What’s funny is that it takes a single one-line ssh command.

The idea is that you set up a tunnel between two computers. One is the computer that you are on, which is behind the filter (in a local network whose Internet connection is being filtered). The other is a computer accessible from the Internet to which you have ssh access. This might be your router box at home, your web server, or any other machine, as long as it is directly on the Internet and you can ssh into it.

The next thing you need is to know the hostname of the machine you are trying to access (which your filter is blocking). If this is a single webhost, you can just use that machine directly. If it is several webhosts, you are in a bit of a bind. This is because when you set up the tunnel, you can only forward the connection to a single host.

It’s probably a great time to start using examples. Alright, so I am on a machine which is in a local network. My machine will be called alpha. Now, I also have a router box at home. I am going to use this box to set up my tunnel. This machine is called homebox.

Now, I can create my ssh connection, but I still need to tell homebox to forward my HTTP requests to somewhere. The catch is that I can only tell it a single place. Therefore, if it is one webhost, I’m great. However, if there are multiple websites that I want to access, I would have to tell homebox to forward my HTTP requests to some kind of HTTP proxy server. Then, because the proxy server just forwards requests, it will be able to hit any and all websites, rather than just a single one.

I will call the proxy server notreal.proxyserver.com.

The cool part of the ssh tunnel is that I can tell the end on the local alpha machine to listen for connections. When something connects, that connection is forwarded to homebox, which then forwards it to notreal.proxyserver.com, which makes the actual request to the site that we are trying to view. When the page is served, it first arrives at notreal.proxyserver.com, then gets sent to homebox, and finally arrives back at alpha.

Now, all we have to do is tell these machines which ports to do all this on, and we are SET! To do this, I will give you the syntax:

ssh -L [LOCAL PORT TO LISTEN ON]:[PROXY SERVER]:[PROXY SERVER PORT] [USERNAME]@[SSHSERVER]

OK, so my local port to listen on will be 8080. The proxy server is notreal.proxyserver.com. The proxy server port will be 8080. The username will obviously be a user that exists on your ssh server, which in this case is homebox. Thus, the final command line will look like this:

ssh -L 8080:notreal.proxyserver.com:8080 scott@homebox

Once you have that connection established, do not close the window. As long as that window is open, your tunnel is active.

All you have to do now is set the proxy server in your browser to 127.0.0.1 and port to 8080, and you will have access to whatever websites your heart desires.
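Seen from the filter owner's side, the tunnel described above shows up on the client as an ssh process started with a forwarding option (-L here; -D and -R come up in the comments). The following is an added example, not code from the original post: it parses constructed process-audit lines and reports every forward an ssh command requests. The log format, the sample lines and the function names are assumptions made for illustration.

```python
import shlex

# Options of OpenSSH's ssh client that consume an argument, so that the
# argument is never mistaken for a flag or for the destination host.
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")
KINDS = {"L": "local", "R": "remote", "D": "dynamic"}
O_KEYS = {k + "forward": k for k in KINDS.values()}   # -o LocalForward etc.

def find_forwards(cmdline):
    """Return [(kind, spec), ...] for every port forward an ssh command requests."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    found, positionals, i = [], 0, 1
    while i < len(argv):
        arg, i = argv[i], i + 1
        if not arg.startswith("-") or arg == "-":
            positionals += 1
            if positionals == 2:      # start of the remote command: stop parsing
                break
            continue                  # first positional is the destination
        for pos, c in enumerate(arg[1:], start=1):
            if c not in OPTS_WITH_ARG:
                continue              # plain switch such as -f or -N
            value = arg[pos + 1:]     # attached form, e.g. -L8080:host:80
            if not value and i < len(argv):
                value, i = argv[i], i + 1
            if c in KINDS:
                found.append((KINDS[c], value))
            elif c == "o":            # -o LocalForward=... or -o "LocalForward ..."
                key, _, rest = value.replace("=", " ", 1).partition(" ")
                if key.lower() in O_KEYS:
                    found.append((O_KEYS[key.lower()], rest.strip()))
            break                     # an option with an argument ends the cluster
    return found

# Constructed process-audit lines in a hypothetical "host user: command" format.
SAMPLE = [
    "alpha scott: ssh -L 8080:notreal.proxyserver.com:8080 scott@homebox",
    "alpha scott: ssh -fN -D1080 scott@homebox",
    "alpha scott: ssh scott@homebox ls -L /tmp",
    "alpha scott: /usr/bin/ssh -p 2222 -o 'LocalForward=8080 notreal.proxyserver.com:8080' homebox",
]

def scan(lines):
    """Return {command: forwards} for the lines whose ssh command forwards a port."""
    cmds = (line.split(": ", 1)[1] for line in lines)
    return {c: f for c in cmds if (f := find_forwards(c))}
```

Forwards defined in ~/.ssh/config never appear on the command line, so reviewing long-lived outbound SSH sessions at the network edge remains the complementary check.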

Ain’t Linux cool?!

4 Responses to “Filter piercing with Linux”

  1. Gabriel Gunderson Says:

    Be careful, in many work places that could cost you your job. Right, wrong or otherwise, many jobs require you to sign something saying that you will not bypass filters that are in place.

    Just a word of warning. Enjoy 🙂

  2. Javier Guerra Says:

    Look into the -D option to ssh; it turns the tunnel into a SOCKS-compatible proxy, letting you connect to any number of remote machines.

  3. dietrich Says:

    Gabriel Gunderson’s caveat noted,

    You can also use a ‘R’everse port tunnel (with the -R)

    The idea being, assuming you have a work PC behind a firewall that blocks port 22 inbound.

    Assuming you have a legitimate and blessed scenario, you can reverse tunnel out of your firewall to your home PC on a high non-privileged port (e.g. port 10000)

    Once the ssh reverse tunnel is established, you can ssh from home to your work PC.

    Think of it as being a “poor man’s” VPN.

    And the icing on the cake is that you can also tunnel vnc over the ssh connection.

    The office PC, if Windows, needs an sshd server running, so either Putty or Cygwin will do (Cygwin being my preference).

    OK, ssh your brains out! 😉

    Static (!@#$%^&) Click. Blip.

  4. dietrich Says:

    P.S.

    The -f switch will tell ssh to run in the background, so there’s no issue as to your bolded ‘don’t close the window’

    Ok Auf Wiedersehen!

    Static (!@#$%^&) Click. Blip.
