Linux Docs - Building a secure tunnel to bypass a firewall (ssh and Putty)

Building a tunnel to bypass a firewall

Author:  Christophe Gevrey
Updated: 20-12-2004
Feedback welcome: linux@cri.ch
Free service provided by: www.cri.ch

Introduction

Context: You are working on a Windows machine for a company which provides you with an Internet connection to web sites, but you cannot read your email with your favourite mail reader (Mulberry, for example) because port 143 (IMAP) is not open... Who cares?
If you are able to open HTTPS web sites, the following will change your life!

Are you able to see a page like https://webmail.cri.ch/login.php ? If yes, it means that port 443 is open on the firewall (at least outbound) and that you are able to tunnel all your communication through it!

What does it mean and how to do that?

First of all, the most "difficult" part is to have your own Linux machine outside, in the free world, or at least an account on a Linux box with enough rights. If you do not have one, or cannot get one, then once again the following is useless to you...

So, what does it mean? It means that you will send connections for any TCP-based protocol through this secure channel! Not only will you be able to reach any server on any port, but the traffic will be encrypted, and the tyrannical network administrator will not be able to see your password between your workstation and his firewall.

Implementation

The server side - Outside the firewall

Do you have your Linux machine ready? No??? OK, if you have an ADSL connection at home and an old machine, even a notebook with a broken screen, download and install Fedora on it: it will be perfect!

OK, you are logged in and you have admin rights. We are going to configure and use SSH. What is SSH? It stands for "Secure SHell": a kind of Telnet where the data is encrypted, and that is enough for you to know. By default sshd, the SSH daemon (daemon, not deamon :-) ), is running on your Linux box, but unfortunately on port 22. This is not a big deal. Why should it be a deal at all? Because the idea is to have sshd listening on port 443. Do you start to see the trick? We are going to build a tunnel between your company firewall's HTTPS port 443 and your Linux machine's ssh port... 443.

Changing the listening port of a Linux server is peanuts. But first you will have to perform another operation. In most cases you will also have Apache running on your box. Great! But... Apache serves HTTP and... HTTPS. So port 443 is already in use and you will have to fix that. How? Easy:

$vi /etc/httpd/conf.d/ssl.conf

Locate the "Listen 443" line and comment it out (put a # at the beginning of the line). Save the file and restart (or stop) Apache:

$/etc/init.d/httpd restart

Still easy, huh? OK, next step: sshd

$vi /etc/ssh/sshd_config

Make the following changes to this file:

#Port 22
Port 443

Then you have to restart the SSH daemon:

$/etc/init.d/sshd restart
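As an added check that is not part of the original page: the following Python reads a copy of both files edited above and reports the ports each daemon would try to bind. sshd honours every uncommented Port line, so a "Port 22" left active next to "Port 443" means it listens on both, and a "Listen 443" left active in ssl.conf means whichever daemon starts second fails to bind. The file contents below are constructed samples; point the functions at the real files on your box to check them.

```python
"""Added check: which ports will sshd and Apache try to bind after the edits?"""
import re
from typing import List, Set

# Constructed sample file contents (not copied from any real machine) mirroring
# the edits described in the text: Apache's Listen 443 commented out, sshd on 443.
SAMPLE_SSL_CONF = """\
# Apache mod_ssl configuration, constructed sample
LoadModule ssl_module modules/mod_ssl.so
#Listen 443
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
"""

SAMPLE_SSHD_CONFIG = """\
# sshd_config, constructed sample
#Port 22
Port 443
#ListenAddress 0.0.0.0
Protocol 2
"""

# keyword followed by whitespace, or by "=" (sshd accepts "Port=443" as well)
_DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def active_directives(text: str, keyword: str) -> List[str]:
    """Values of every uncommented `keyword` line, in file order.
    Keyword matching is case-insensitive, as in both sshd and Apache; a line
    whose first non-blank character is '#' never matches, so '#Port 22' is ignored."""
    values = []
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and m.group(1).lower() == keyword.lower():
            values.append(m.group(2))
    return values


def sshd_ports(sshd_config: str) -> Set[int]:
    """Ports sshd will listen on. sshd honours *every* uncommented Port line,
    so leaving 'Port 22' active next to 'Port 443' means it listens on both.
    With no Port line at all it falls back to the compiled-in default, 22."""
    ports = {int(v) for v in active_directives(sshd_config, "Port")}
    return ports or {22}


def apache_ports(ssl_conf: str) -> Set[int]:
    """Ports claimed by Apache Listen directives. Accepts the forms
    'Listen 443', 'Listen 0.0.0.0:443', 'Listen [::]:443' and 'Listen 443 https'."""
    ports = set()
    for value in active_directives(ssl_conf, "Listen"):
        fields = value.split()
        if not fields:
            continue                            # 'Listen' with no argument: skip
        address = fields[0]                     # drop an optional protocol argument
        ports.add(int(address.rsplit(":", 1)[-1]))
    return ports


def port_conflicts(sshd_config: str, ssl_conf: str) -> Set[int]:
    """Ports both daemons would try to bind; the second one to start will fail."""
    return sshd_ports(sshd_config) & apache_ports(ssl_conf)


if __name__ == "__main__":
    # On the box, replace the samples with open("/etc/ssh/sshd_config").read()
    # and open("/etc/httpd/conf.d/ssl.conf").read().
    print("sshd will listen on:", sorted(sshd_ports(SAMPLE_SSHD_CONFIG)))
    print("Apache SSL will listen on:", sorted(apache_ports(SAMPLE_SSL_CONF)))
    print("conflicts:", sorted(port_conflicts(SAMPLE_SSHD_CONFIG, SAMPLE_SSL_CONF)))
```

An empty conflict set is what you want before restarting sshd; a non-empty one tells you which file still needs editing.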

You are ready on the server side! Incredible, isn't it? Just to be sure, open your favourite ssh client and try to open an ssh console on your Linux box, but do not forget to change the port from 22 to 443. It works? Perfect! It does not? Check that nothing else is still listening on port 443 and that the box's own firewall lets port 443 in, then search the newsgroups...
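The "open an ssh console" test above, done by hand as an added example that is not code from the page: an SSH server is the side that speaks first, sending its identification string "SSH-protoversion-softwareversion" (RFC 4253, section 4.2), whereas an HTTPS or HTTP server on 443 waits silently for the client. The byte strings below are constructed samples; probe() is the only part that touches the network.

```python
"""Added check: is the thing answering on the port actually an SSH server?"""
import re
import socket
from typing import Optional, Tuple

# RFC 4253 section 4.2: the server's greeting is
#   SSH-protoversion-softwareversion SP comments CR LF
_IDENT = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n"
)

# Constructed sample greetings (not captured from any real host).
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_3.9p1\r\n"
SAMPLE_WITH_PREAMBLE = (
    b"Authorized users only, constructed pre-banner line\r\n"
    b"SSH-2.0-OpenSSH_3.9p1 constructed-comment\r\n"
)


def parse_ssh_identification(data: bytes) -> Optional[Tuple[str, str]]:
    """(protocol version, software version) from the server's first bytes,
    or None if they are not an SSH identification string. RFC 4253 allows a
    server to send other lines first (anything not starting with "SSH-"),
    which clients must ignore, so scan line by line."""
    for line in data.split(b"\n"):
        m = _IDENT.match(line + b"\n")
        if m:
            return (m.group("proto").decode("ascii"),
                    m.group("software").decode("ascii", "replace"))
        if line.startswith(b"SSH-"):
            break  # a malformed SSH- line: do not keep scanning past it
    return None


def classify_first_bytes(data: bytes) -> str:
    """Label the service from what the *server* sent before the client spoke:
    'ssh'    - a valid SSH identification string was received;
    'silent' - nothing arrived: TLS (HTTPS) and HTTP servers wait for the
               client to speak first, which is what a still-running Apache
               on 443 looks like;
    'other'  - some other greeting (SMTP, FTP, a non-conforming banner ...)."""
    if parse_ssh_identification(data):
        return "ssh"
    if not data:
        return "silent"
    return "other"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, wait briefly for a server greeting, classify it.
    Network helper for the check in the text; everything else works offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
    return classify_first_bytes(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # your Linux box
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{host}:{port} ->", probe(host, port))
```

A result of "silent" on 443 usually means Apache is still holding the port (its Listen line was not commented out, or it was not restarted); "ssh" means the server side is done. The same server-first greeting is what a protocol-aware firewall or proxy sees, so from the defender's side SSH and TLS on port 443 are distinguishable from the very first bytes the server sends.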

The client side - Inside the firewall

You now need PuTTY, probably the best Windows ssh client, at least among the free ones...
Why? Because PuTTY provides exactly the functionality we need: setting up a tunnel over an ssh connection.
Download it and start it. First of all, you need to tell PuTTY that you are going to establish an ssh connection not on the default port 22 but on port 443.

Enter that value in the "Session" tab, together with the address of your magic Linux box.
The network administrator has set up an Internet proxy? Who cares... Go to "Connection > Proxy" and fill in the proper data...

We are almost done.

For the example we are going to tunnel the IMAP connection to your favourite mail server: mail.cri.ch
Go to "Connection > SSH > Tunnels".
What you have to understand here is that the Destination you enter is resolved on your remote Linux machine, so "localhost" in that field would mean the Linux box itself, and any other address is as seen from that box.
There are 2 possibilities:

  • You have sufficient access rights on your Windows machine and you can map ports below 1024
  • You do not have sufficient access rights on your Windows machine and you can not map ports below 1024
The most elegant one is the first case, because you use the same local port as you would in a normal case (no firewall):

Source-port: 143
Destination: mail.cri.ch:143

It means that you will configure your mail software not to check your IMAP on mail.cri.ch but on... localhost (your Windows machine, where PuTTY is now listening on port 143).
The SSH tunnel will then take care of bringing your requests to the mail server!
If you cannot forward your port 143, who cares? Just set the PuTTY tunnel Source-port to 2043, for example, keep the same Destination, and tell your mail software to read the mail on localhost:2043. That's it!
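The two cases in the list above come down to one question: can the account you are logged in with on the workstation open a listening socket on the Source-port? The following Python, an added example rather than anything from the page or from PuTTY, tries the candidate ports in order of preference (143 first, then the unprivileged fallback 2043 from the text) and reports the mail client setting that goes with the first one that works. The occupy_free_port() helper only exists to demonstrate the "port already taken" case.

```python
"""Added example: choose the PuTTY Source-port by testing whether it can be bound."""
import socket
from typing import Iterable, Optional, Tuple


def can_bind(port: int, host: str = "127.0.0.1") -> bool:
    """True if this user can open a listening socket on host:port right now.
    Binding fails with PermissionError on privileged ports (below 1024) when
    the account lacks the rights, and with 'address already in use' when
    another program already listens there; both surface as OSError."""
    if not 1 <= port <= 65535:
        return False
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            s.listen(1)
            return True
        except OSError:
            return False


def pick_source_port(candidates: Iterable[int]) -> Optional[int]:
    """First candidate this user can bind, in order of preference: the real
    IMAP port first, then an unprivileged fallback such as 2043 as in the text."""
    for port in candidates:
        if can_bind(port):
            return port
    return None


def mail_client_setting(port: int) -> str:
    """The IMAP server address to type into the mail software."""
    return f"localhost:{port}"


def occupy_free_port(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Grab an arbitrary free port and keep it open, to demonstrate the
    'already taken' case; returns (listening socket, port). Close it when done."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    chosen = pick_source_port([143, 2043])
    if chosen is None:
        print("Neither 143 nor 2043 can be bound; pick another unprivileged port.")
    else:
        print(f"Source-port: {chosen}  ->  mail software IMAP server: {mail_client_setting(chosen)}")
```

Run it on the workstation before filling in the Tunnels tab; whatever it picks is the Source-port to enter, and the Destination stays mail.cri.ch:143 in both cases.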