Author: Christophe Gevrey
Context: You are working on a Windows machine for a company which provides you with an
Internet connection to web sites, but you can not read your email
using your favourite mail reader (Mulberry for example) because
port 143 (IMAP) is not open... Who cares?
If you are able to open HTTPS web sites, the following will
change your life!
Are you able to see a page like https://webmail.cri.ch/login.php? If yes, it means that port 443 of the firewall is open and that you are able to tunnel all your communication through it!
What does it mean and how to do that?
First of all, the most "difficult" part is to have your own Linux machine outside, in the free world, or at least an account on a Linux box with enough rights. If you do not have one, or can not get one, then once again the following is useless to you...
So, what does it mean? It means that you will send all the connections, whatever the protocol, through this secure channel! Not only will you be able to reach any server on any port, but it will be encrypted, and the tyrannical network administrator will not be able to see your password between your workstation and his firewall.
Ok, you are logged in and you have admin rights. We are going to configure and use SSH. What is SSH? It stands for "Secure SHell", a kind of Telnet but where the data is encrypted; this is enough for you to know. By default, sshd, the SSH daemon (and not deamon :-) ), is running on your Linux box, but unfortunately on port 22. This is not a big deal. Why should it be a deal anyway? Because the idea is to have sshd listening on port 443. Do you start to see the trick? We are going to build a tunnel between your company firewall's HTTPS port 443 and your Linux machine's SSH port... 443.
Changing the listening port of a Linux server is peanuts.
But, first of all, you will have to perform another operation.
In most of the cases, you will have as well Apache running on
your box. Great! But... Apache is running HTTP and... HTTPS. So
the port 443 is already in use and you will have to fix that.
How? Easy:
$vi /etc/httpd/conf.d/ssl.conf
Locate the "Listen 443" line and comment it out (put a # at the beginning of the line). Save the file and restart (or stop) Apache:
$/etc/init.d/httpd restart
Still easy huh? Ok, next step: sshd
$vi /etc/ssh/sshd_config
Make the following changes to this file:
#Port 22
Port 443
Then you have to restart the SSH daemon:
$/etc/init.d/sshd restart
You are ready on the server side! Incredible, isn't it? Just to be sure, open your favourite ssh client and try to open an ssh console on your Linux box, but do not forget to change the port from 22 to 443. It works? Perfect! It does not? Search the newsgroups...
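One caveat worth knowing once that test succeeds. An SSH server speaks first: as soon as the TCP connection is up, sshd sends its identification string ("SSH-2.0-OpenSSH_... CRLF", RFC 4253 section 4.2), whereas a real HTTPS server stays silent until the client sends a ClientHello, and every TLS record starts with a content-type byte (0x16 for handshake) followed by a 0x03 0x0X version. So sshd moved onto port 443 is not disguised as HTTPS at all; anyone, including the network administrator, who connects to the box and simply waits gets the banner. The following Python is an added example, not code from the original article: it classifies the first bytes seen on a connection and includes a small probe that connects without sending anything. The sample byte strings are constructed, not captured from any real host.

```python
"""Tell an SSH listener from a TLS listener by the first bytes on the wire."""
import socket

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
TLS_MAJOR = 0x03       # all TLS/SSLv3 record versions start with 0x03


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes seen on a connection.

    Returns a dict whose 'proto' is one of 'ssh', 'tls', 'none' or 'unknown'.
    For SSH it also carries the advertised protocol and software versions,
    for TLS the record-layer version.
    """
    if not data:
        return {"proto": "none"}
    if data.startswith(b"SSH-"):
        # RFC 4253: "SSH-protoversion-softwareversion SP comments CRLF"
        line = data.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
        fields = line.decode("ascii", errors="replace").split("-", 2)
        info = {"proto": "ssh", "protoversion": fields[1] if len(fields) > 1 else ""}
        if len(fields) > 2:
            info["software"] = fields[2].split(" ", 1)[0]
        return info
    if (len(data) >= 3 and data[0] == TLS_HANDSHAKE
            and data[1] == TLS_MAJOR and data[2] <= 0x04):
        return {"proto": "tls", "record_version": f"{data[1]}.{data[2]}"}
    return {"proto": "unknown"}


def probe_listener(host: str, port: int = 443, timeout: float = 3.0) -> dict:
    """Connect, send nothing, and see whether the server speaks first.

    A genuine HTTPS server keeps quiet (result 'none'); sshd on 443 hands
    over its banner right away. This does a network call and is not part of
    the offline test.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""
    return classify_first_bytes(data)


# Constructed samples (not captured from any real host).
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Debian-3\r\n"
# TLS 1.2 record header + start of a ServerHello, padded with zeros.
SAMPLE_TLS_SERVER_HELLO = bytes.fromhex("160303004a020000460303") + b"\x00" * 70
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n"


if __name__ == "__main__":
    for name, blob in [("ssh", SAMPLE_SSH_BANNER),
                       ("tls", SAMPLE_TLS_SERVER_HELLO),
                       ("http", SAMPLE_HTTP)]:
        print(name, classify_first_bytes(blob))
```

Run against the box you just configured, `probe_listener("your.linux.box", 443)` comes back with `proto == "ssh"` and the OpenSSH version string, which is exactly what a proxy or IDS in front of the firewall sees too; a plain HTTPS host returns `proto == "none"` because the server waits for the client.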
You now need PuTTY, probably the best Windows ssh client, at least among the free ones...
Why? Because PuTTY provides exactly the functionality we need: setting up a tunnel over an ssh connection.
Download it and start it. First of all,
you need to tell PuTTY that you are going to establish an ssh
connection not on the default port 22 but on port 443.
Input that value in the "Session" tab, and input as well the location of
your magic Linux box.
The network administrator has set up an Internet proxy? Who cares... Go
to "Connection > Proxy" and fill in the proper data...
We are almost done.
For the example we are going to tunnel the IMAP connection to your
favourite mail server: mail.cri.ch
Go to "Connection > SSH > Tunnels".
What you have to understand here is that what you are going to set up will be on your remote Linux machine, so "localhost" will be this box, and the other addresses will be as seen from this box.
There are 2 possibilities: