                  _______                  __                     
                 / ____(_)___  ____ ____  / / _________  ____ ___ 
                / /_  / / __ \/ __ `/ _ \/ / / ___/ __ \/ __ `__ \
               / __/ / / / / / /_/ /  __/ /_/ /__/ /_/ / / / / / /
              /_/   /_/_/ /_/\__, /\___/_/(_)___/\____/_/ /_/ /_/ 
                            /____/                                

Bypassing firewalls with ssh

Now we will start exploring some of the truly useful applications of having a shell account.
Say you are at work or school and you want to use a program like LimeWire, but you can't because you are behind a firewall that restricts the ports that LimeWire uses. We can fix that using our shell account. In fact, after you are connected to your shell, you can have it act as a SOCKS4 or SOCKS5 proxy for any program you wish to run that needs unrestricted access to the internet. Of course, this assumes the machine your shell account is on is not also behind a firewall.
So how does this all work? Since you can connect to your shell and exchange data, but you can't make direct connections to other computers on the net on specified ports, we will have the shell make those connections for us. Think of it as a man in the middle. Here is an illustration:

 _________        _________                          
|School   |      |Nasty    |  ports blocked         
|Computer |----> |firewall |- cannot make 
|_________|<---- |_________|- direct connections    
                                   | |                  
shell       |------>---------------| |
returns     | ----------<------------|
all         ^ |                                                  
traffic --- | |                                                           
back        | v
through     | |
firewall  ________
         |Remote  |  unrestricted
         |shell   |- access to the ---> P2p, games, etc
         |account |  net                         |
         |________|                              V
            ^       shell account                |
            |-------handles restricted------<----|
                    traffic

I know the illustration isn't so clear, so I will explain. In most cases, the restricted network you are behind will filter ports so you cannot make the direct connections you need in order to make use of programs like BitTorrent, FTP servers, IRC, etc. However, it is usually possible to connect to your shell account and exchange information. So the solution is to "tunnel" all network traffic from your computer to the remote shell, and let it handle that traffic. The shell can then make any connections that are necessary, and return the information back to you through the firewall as encrypted traffic. There is no way for the firewall to know that this traffic is any different from the kind that allows you to browse the web normally.

So how do we do it? We pass an argument to ssh that sets up a tunnel we can send and receive arbitrary TCP connections through. The syntax for this would be:
ssh -D 6888 hostname/ip
The number following -D can be nearly any port you wish to use, but I recommend a high number that isn't often used.
If you are using PuTTY, first open the program and look at the left pane. Click and expand "SSH", then click "Tunnels". In the box that says "Source port", put in a port number such as 6888 and make sure to remember it. Click the dot that says "Dynamic" and press "Add". Go back to the main PuTTY configuration and connect to your host like you would normally.
Now your tunnel is set up. The next step is to configure your application to use it instead of the local connection. In almost every internet application, there is an option to use a proxy. In Firefox, you would go to Options->Advanced->Network and in the box that says "Configure how Firefox connects to the internet" click Settings. Check "Manual Proxy Configuration." In the box that says HTTP Proxy, type "localhost" and for the port put whichever you chose before, such as 6888. Check the SOCKS 5 dot. Press OK and you are done. Firefox will now connect to the internet through your shell, bypassing the firewall. Go to www.ipchicken.com and you will notice your hostname and IP have changed.
All programs can be set up the same way, using proxies. This includes Gnutella, BitTorrent, games and servers.

In order to get even more efficient connections for certain applications, those that need to connect through certain ports, we can pass one more argument to forward a port. The syntax for this would be:
ssh -R 59999:localhost:59999 -D 6888 hostname/ip
This allows a program, such as BitTorrent, to use port 59999 for its connections: the shell listens on that port and forwards whatever arrives there back through the tunnel to port 59999 on your computer, while outgoing connections still use the proxy on port 6888. All you have to do is set your BitTorrent program to use port 59999 for its remote port, and then set the proxy to localhost:6888 just like we did for Firefox.
To do this in PuTTY, use the same configuration that we used for Firefox. However, this time, we are going to add an additional port, 59999, to the source port box, check the "Remote" dot and click "Add". Click "Open" and you should now be getting a completely unrestricted connection to whatever service you want to be using. In BitTorrent, this means a green light and no more blocked port warning.
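
Seen from the network owner's side, the -D and -R arguments described above are what show up in process command-line logs. The following is an added example, not part of the original page: a Python parser that reads OpenSSH client command lines the way getopt does, so it also catches clustered flags and the -o form, and ignores flags that belong to the remote command. The names find_forwards and audit, the host shell.example.org and the sample lines are assumptions made for illustration.

```python
import shlex

# ssh(1) options that consume an argument, per the OpenSSH client's option list.
TAKES_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")
FLAG_KIND = {"D": "dynamic", "R": "remote", "L": "local"}
OPT_KIND = {kind + "forward": kind for kind in FLAG_KIND.values()}

def find_forwards(cmdline):
    """Return (kind, spec) for each port forward an ssh command line requests."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    found, positionals, i = [], 0, 1
    while i < len(argv):
        tok, i = argv[i], i + 1
        if not tok.startswith("-") or tok == "-":
            positionals += 1       # the first positional is the host
            if positionals == 2:   # the second starts the remote command
                break
            continue
        j = 1
        while j < len(tok):        # walk a getopt cluster such as -fND6888
            c = tok[j]
            j += 1
            if c not in TAKES_ARG:
                continue
            arg = tok[j:]          # "-D6888" form
            if not arg and i < len(argv):
                arg, i = argv[i], i + 1   # "-D 6888" form
            if c in FLAG_KIND:
                found.append((FLAG_KIND[c], arg))
            elif c == "o":         # -o DynamicForward=6888 and friends
                key, _, val = arg.replace("=", " ", 1).partition(" ")
                if key.lower() in OPT_KIND:
                    found.append((OPT_KIND[key.lower()], val.strip()))
            break
    return found

# Constructed process-audit samples, not taken from the original page.
SAMPLES = [
    "ssh -D 6888 shell.example.org",
    "/usr/bin/ssh -fND6888 -p 443 user@shell.example.org",
    "ssh -o DynamicForward=6888 shell.example.org",
    "ssh -R 5000:localhost:5000 -D 6888 shell.example.org",
    "ssh -p 2222 shell.example.org ls -D /tmp",   # -D belongs to ls, not ssh
]

def audit(lines):
    return {line: fwd for line in lines if (fwd := find_forwards(line))}
```

Calling audit(SAMPLES) reports the first four lines and skips the last, which a plain search for " -D " would have flagged.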
