Proxy firewalls and content filters are both good & evil things; they can prevent you from making a bad mistake, or bad mistakes happening to you. However, sometimes it might be useful to punch through a proxy or firewall. Whether it might be for your youtube fetish, listening to internet radio, or uploading images/media into WordPress successfully (or you are a proxy admin and you want to prevent this sort of thing), this article on pushing connections through a firewall may be suitable for you.
Caveat: Doing things like this can be against your proxy provider’s policies. You are responsible for your own actions. This article is for educational purposes only!
System administrators and network security personnel: pay close attention to this article!
Background Information and Explanation
For our background information/explanation, we are going to use HTTP requests from an internet browser
The above figure shows an example connection in a normal setting without a proxy or firewall. HTTP requests are made directly from your browser to the web server endpoint.
If you type http://www.google.com into your browser, the browser assumes that the there is an implicit “:80″ at the end of your server endpoint and that the web server you are trying to hit is listening on port 80. (i.e. you can get the same effect by entering http://www.google.com:80
(If you don’t know what ports are, think of them like much like windows and doors in a building. If you enter through certain doors/windows in the building, you can get to certain parts and rooms of that building. It’s the same type of thing on a computer except that data is exchanged through those windows. If you don’t want people to come in those windows (ports on your machine), you can have them closed or blocked.)
Anyways, the browser begins by making a TCP socket connection to the specified server on port 80 and begins transmission. Once the server has finished processing the request, it will send back and HTTP response.
Now we have a little bit different scenario above. We are in a setting where we have some proxy server that has a firewall that filters our HTTP requests and also blocks bad responses from the outside world.
If you try to make a direct connection to the web server without first configuring your browser, it will not make the connection. However, once your browser is told that there is a proxy server, the request will go through (as long as it passes the filter criteria). In your browser connection settings, you can set your proxy address and ports.
For example, say that proxy.engfers.com is your proxy server with the proxy port being 3123 (random port number, but yours might be port 80 or 8080 or anything). Well, the browser first knows that it must make a connection to the proxy server to make it to the outside world, so it makes the proxy connection. Any requests are passed through the proxy port and the firewall and content filter will examine where your request is headed and will allow or deny the passage of your request onto the destination web server.
If your request passes inspection, it is then passed along to the outside web site / server (through whatever port was originally specified… 80 in our google.com example)
Now we come to an instance where your request is not allowed to continue. The request is blocked and you usually get a response back from the proxy server saying why it was blocked.
NOTE: A majority of the time your proxy server will have some sort of authentication attached to it, so make sure you check if it needs authentication or not first.
Well then we are hosed!!! Not necessarily, read on...
Now we have an SSH (Secure SHell) client, like PuTTY, that we would like to connect to an outside server. Now you remember that 80 was the default connection port for HTTP, well 22 is the default port for SSH. Now it’s all very similar to the HTTP examples.
Behind a proxy, you must tell your SSH cient what your proxy server, port, username, and password is and if you can make a connection that outside server, you are doing okay!!
Well, once you establish a secure shell connection to that outside server, all requests are encrypted!!! So if you can connect via SSH, the firewall / content filter can’t read what’s in your data packets unless it’s smart enough to decrypt the packets.
How does this help me though?
Luckily, many SSH clients, like PuTTY, can let you tunnel other connections through the SSH pipe that it created with the outside server.
What kind of connections can be tunneled?
Any thing that supports connections to a SOCKS proxy. Web browsers are a good example. NOTE: On Windows machines, many programs (like iTunes, Windows Media Player, Adobe Flash Player) make their connections through Internet Exploder, so as long as IE can connect they can as well!
Okay so check out this next diagram…
So now you have an SSH client on your local box (like PuTTY) that you have set up SOCKS tunneling on, and you are connected through the firewall to the external desktop/server on a secure and encrypted connection. Now you take your SOCKS capable program (like Internet Exploder) and tell it to point to 127.0.0.1 as your SOCKS proxy and set the port to whatever port you told your SSH client.
Now, when you make your HTTP request, it first makes a SOCKS connection to your SSH client. The SSH client then takes the HTTP request and passes it (encrypted) through the SSH pipe (past the firewall) over to your server/desktop. As long as that server/desktop doesn’t have proxy server, it should make a direct connection to the endpoint web server and pass your HTTP request onto it, grab the HTTP response from the web server and pass it back along the pike until it comes back to your browser. Walla!! You have just made a successful request!!
NOTE: If your server/desktop is behind another proxy/firewall, you will have to setup more SSH+tunneling on that box to another server/desktop.
Now that we’ve explained the process, let’s go through the steps…
Putt is an SSH/telnet client that has many other features tacked onto it like X11 forwarding and port tunneling (aka forwarding).
Port tunneling is what we care about…
2. Server or Workstation Endpoint that can Accept SSH Connections
If you don’t have this, the whole example is defunct. If you have some sort of linux machine lying around (or your hosting service uses linux =] ), it will accept SSH connections if sshd is turned on (usually on by default).
Step 1: Create the SSH Connection with a SOCKS Tunnel Enabled
Enter in your server/workstation that you are going to connect to. Use an IP address or the domain name.
Select SSH as the Connection Type.
On the left Category selection, choose Connection » SSH » Tunnels.
In the “Source port” field, enter any port (7070 in our example) that you wish to use as your SOCKS port for all of your local applications to connect to.
Select Dynamic as the type of port.
Click the “Add” button.
When successful, you should see a “D” followed by whatever port you specified.
Now in the left Category pane, go to Connection » Proxy.
Select your proxy type (usually it’s an HTTP proxy).
Enter your proxy’s hostname/ip-address (find this out).
Enter your proxy’s port (find this out).
If your proxy requres authentication, enter your username and password.
Click “Open” to open the connection.
Now you have your SOCKS server and SSH connection set up!! Now it’s time to configure your SOCKS capable apps to connect to PuTTY!!
Step 2: Connect Your SOCKS-Proxy-Capable Applications to Your PuTTY Proxy
Let’s take Internet Exploder and Firefox as examples…
Open Firefox. Go to Tools » Options » Advanced (icon) » Network (tab) » Settings (button)
Select the radio button that says “Manual proxy configuration”
NOTE: At this point, you may have data already in your HTTP proxy address and ports, and all of the other server types will be disabled (greyed out). This is okay; just delete the data in HTTP address and ports and make sure the checkbox “Use this proxy server for all protocols” is NOT checked (this will open the rest of the proxy servers for editing).
In the SOCKS Host proxy server line, enter in 127.0.0.1 for the socks proxy server and set the socks proxy port to whatever-you-set-up-in-putty-as-your-tunnel-port (7070 in our example).
Hit “OK”s until you are out of Firefox options and you are done!!!
# Internet Exploder…
Go to Tools » Internet Options » Connections (tab) » LAN Settings (button)
Check the box under the Proxy server area that says “Use a proxy server for your LAN”
NOTE: Make sure that the 2 checkboxes under Automatic Configuration are NOT checked.
Click on the “Advanced” button…
NOTE: At this point, you may have data already in your HTTP proxy address and ports, and all of the other server types will be disabled (greyed out). This is okay; just delete the data in HTTP address and ports and make sure the checkbox “Use the same proxy server for all protocols” is NOT checked (this will open the rest of the proxy servers for editing).
In the Socks proxy server line, enter in 127.0.0.1 for the socks proxy server and set the socks proxy port to whatever-you-set-up-in-putty-as-your-tunnel-port (7070 in our example).
Hit “OK”s until you are out of IE options and you are done!!!
What about Flash, iTunes radio, Windows Media Player, etc working?
After you configure Internet Exploder with your PuTTY SOCKS proxy, they will auto-magically work!!! This is because they use IE to connect to the internet!!!
Why should I care about Flash?
Um… any sort of videos, and type of Flash uploader (uploading images and media in WordPress) will not work.
This tutorial was for Windows; what about MAC and Linux?
If you understand the concepts and terminology laid here before you, this can easily be done in any other environment (maybe not with PuTTY, but there are many other SSH clients out there that support port tunnelling/forwarding)
Moreover, they do make a unix source distribution of PuTTY that you can download and build…
Comments, Ratings, Etc
Please ping me if you think that this is wrong. Rate the article so I know how I’m doing!!!