up. If you are already behind the firewall, you will not be able to log in to the server. Since I
was in a rush, I used Anyterm to access the server for the initial configuration.
We will set the server to listen on port 443, so that we can SSH into it using the port
usually reserved for HTTPS. Log into your server and edit the file /etc/ssh/sshd_config,
adding the line:
Port 443
Then restart your SSH server. It now also listens on port 443 (you can leave the existing
Port lines, such as 22, in the configuration file; sshd listens on all of them).
You should be able to log into your server, from behind the firewall, with the following
command:
ssh -p 443 my.server.com
You may want to set up your access so that no password is required to log in, using SSH
keys for instance. This will allow you to open the tunnels to the server without having to
type in your password each time. This is essential.
SSH tunneling
Say that you want to access your email account via IMAP (port 143) when the firewall
forbids it. Create an SSH tunnel with the following command:
ssh -L localhost:10143:mail.isp.com:143 -p 443 user@my.server.com
This forwards any IMAP connection received on localhost port 10143 to mail.isp.com
port 143, through the SSH tunnel: the connection to mail.isp.com is made by
my.server.com on your behalf, so the firewall only ever sees your SSH session on port 443.
Then set up your email client to use localhost as incoming server, and 10143 as the port
number. You should be able to fetch your emails, despite the firewall.
At the same time, I also want to connect to another server via SSH. In fact, I want to
open a webspace in Konqueror via the fish KIO plugin. It turns out that you can enable
several redirections in the same tunnel:
ssh -L localhost:10143:mail.isp.com:143 -L localhost:10022:web.isp.com:22 -p 443 user@my.server.com
Then in Konqueror, I simply go to:
fish://user@localhost:10022
SSH as a SOCKS server
Now, we will attempt to have Skype and FTP bypass the firewall. In order to do so, we
will run a SOCKS server on a given port, and set applications to use SOCKS, either
natively or forcibly. When an application uses SOCKS, all its network connections are
routed through the SOCKS server, which carries them through the SSH connection to your
server on the Internet; the server then connects to your different services and servers. It
is a bit like a "multi-port" SSH tunnel.
Some applications don't understand SOCKS. So we will trick them, using tsocks.
Running an application under tsocks catches all the application's connections and
negotiates SOCKS access transparently. Technically, tsocks uses LD_PRELOAD to replace
the application's connect() calls with its own SOCKS-aware version. Note that it only
handles TCP connections: UDP traffic and DNS lookups performed by the application itself
are not proxied, so they still go out directly (or fail) behind the firewall. To install
tsocks, compile it from the source, or simply install your distribution's package. For
Debian/Ubuntu:
sudo apt-get install tsocks
To run SSH as a SOCKS server listening on port 1080, use the following command:
ssh -D 1080 -p 443 user@my.server.com
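As an added example that is not part of the original post, here is in Python the SOCKS5 CONNECT exchange (RFC 1928, no-authentication method) that tsocks negotiates transparently against the listener created by the ssh -D command above. It sends the target as a hostname rather than an IP, so name resolution happens on your server and no DNS query for the target leaves the firewalled network; the proxy address 127.0.0.1:1080 comes from the command above, and any target host used with it is a constructed sample.

```python
import socket

# SOCKS5 protocol constants (RFC 1928)
VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def greeting():
    """Client greeting offering only 'no authentication', which is all ssh -D supports."""
    return bytes([VERSION, 1, NO_AUTH])


def connect_request(host, port):
    """CONNECT request carrying the hostname (ATYP 0x03), so the SSH server resolves
    it and no DNS query for the target leaves the local network."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    head = bytes([VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return head + name + port.to_bytes(2, "big")


def parse_reply(data):
    """Parse the server reply into (status, bound_host, bound_port); status 0 is success."""
    if len(data) < 4 or data[0] != VERSION:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:  # ssh -D answers with 0.0.0.0:0 here
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unsupported address type in reply: %#x" % atyp)
    return status, addr, int.from_bytes(rest[:2], "big")


def socks_connect(host, port, proxy=("127.0.0.1", 1080)):
    """Open a TCP connection to host:port through the listener started by 'ssh -D 1080'."""
    sock = socket.create_connection(proxy)
    try:
        sock.sendall(greeting())
        if sock.recv(2) != bytes([VERSION, NO_AUTH]):
            raise ConnectionError("proxy refused the no-authentication method")
        sock.sendall(connect_request(host, port))
        status, _, _ = parse_reply(sock.recv(262))
        if status != 0:
            raise ConnectionError("SOCKS CONNECT failed with status %d" % status)
    except Exception:
        sock.close()
        raise
    return sock  # behaves like a direct connection to host:port
```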
Note that you can also forward in the other direction, from the server into the tunnel,
which is useful when incoming connections cannot reach you behind the firewall. For
instance here, I have the server listening on port 1081 and forwarding every connection it
receives there to my localhost, port 1081. This can be very useful for some peer-to-peer
applications:
ssh -A -R 1081:localhost:1081 -D 1080 -p 443 user@my.server.com
By default the -R listener is bound to the server's loopback interface only; for it to accept
connections from the Internet, sshd on the server needs GatewayPorts yes. The -A option
forwards your SSH agent to the server, so only use it on a server you trust: anyone with
root there can use your keys while you are connected.
Then configure tsocks to connect to localhost port 1080. Edit /etc/tsocks.conf and,
near the end, change it so that it looks like this:
server = 127.0.0.1
port = 1080
Then you need to run your applications from within tsocks. You can use tsocks in several
ways. For instance, in a shell, simply run tsocks and you will get a new shell from
which all applications are forced to connect through the SOCKS server. You can also
run individual applications as follows:
tsocks skype
tsocks kopete
tsocks kmail
tsocks ftp someserver.com
tsocks ssh someuser@someserver.com
If everything goes well, almost all applications will run as if you were directly
connected to the Internet.
Some notes
You need root access on your server to allow SSH to listen on port 443, but you don't need
to install anything on the server. As long as your server is connected to the Internet behind a
less restrictive firewall, and you have an SSH account on it, you're fine.
FTP will need to be in passive mode.
Annoyingly, Konqueror's SOCKS configuration can't use SSH as a SOCKS server, nor does it
play well with tsocks.
Some applications work better with simple SSH tunneling.
Some plainly don't work. The only BitTorrent application I could get working is Azureus,
using these instructions.
Conclusion
It works very well! I was stuck in a place with only a public hotspot, and am now able to
work using all my normal tools, with very few changes. I do web coding, and I use SSH,
FTP and IM all the time; I can now do it all. I SSH, FTP, IMAP, Skype and IM through SOCKS,
use fish through SSH tunneling, and browse the Internet through nothing at all, since the
ISP allows HTTP!
If you have a public hotspot nearby which requires a registration to use, and you actually
are not registered, you can search for DNS or ICMP tunneling. You will be able to
redirect all your traffic through DNS or ICMP requests, since these hotspots let you do
that and only that.