# ssh tunneling

## Cr0t

My router at home forwards port 2222 to port 22 on one of my Linux machines. My work doesn't allow me to connect to port 2222. I have been playing around with ssh tunneling, but I am unable to connect.

----------

## HeXiLeD

Check THIS video

Change ports if necessary, such as 443 in some cases instead of 22 for ssh.

Add [SOLVED] to your topic if the problem gets solved

----------

## Cr0t

Didn't work....

----------

## the.root

Does your work use a proxy that all traffic must go through?

And I didn't watch that video, but I assume you tried forwarding port 443 to 22 on your router to the PC; if that fails, port 80 to 22 on your router to the PC? And I also assume you can connect to your PC on port 22 internally no problem.

----------

## Cr0t

*the.root wrote:*

> Does your work use a proxy that all traffic must go through?
> 
> And I didn't watch that video, but I assume you tried forwarding port 443 to 22 on your router to the PC; if that fails, port 80 to 22 on your router to the PC? And I also assume you can connect to your PC on port 22 internally no problem.

If I forward port 22 to my internal port 22, I can connect just fine from work. I had to change the port, because otherwise people try to hack me all day long. So I forwarded port 2222 to port 22.

Now if I try to connect from work it just times out.

```
[WORK] -> Router:2222 -> forward -> gentoo:22
```

----------

## the.root

*Cr0t wrote:*

> *the.root wrote:*
> 
> > Does your work use a proxy that all traffic must go through?
> > 
> > And I didn't watch that video, but I assume you tried forwarding port 443 to 22 on your router to the PC; if that fails, port 80 to 22 on your router to the PC? And I also assume you can connect to your PC on port 22 internally no problem.
> 
> If I forward port 22 to my internal port 22, I can connect just fine from work. I had to change the port, because otherwise people try to hack me all day long. So I forwarded port 2222 to port 22.
> 
> Now if I try to connect from work it just times out.
> ...

Have you tried from other external places besides your work? Maybe it's a limitation/restriction within your work's network. You should be able to try it from your internal network just the same: `ssh $user@$external_ip -p 2222`. If you can't do that then I'd say there's an issue with the FWD on the router. What kind of router is it, did you set it up for tcp/udp, what are the timeouts, etc etc. There may also be a firewall or similar on the router blocking it. Another possibility (although I've only seen it a couple times), your ISP could be blocking it.
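The post above suggests testing the forward from different vantage points and telling a router/ISP/work-firewall problem apart from a missing forward. This added example (editor's code, not from the thread) makes that test repeatable: it connects to a host:port, reads the SSH identification line, and reports "filtered" (no reply, something drops the packets), "closed" (RST, nothing forwarded or listening) or "open". `EXTERNAL_HOST` is a placeholder, and `fake_sshd` is a constructed loopback stand-in so the script runs offline.

```python
import socket
import threading
from typing import Optional

# Constructed placeholders: the thread's setup was Router:2222 -> forward -> gentoo:22.
EXTERNAL_HOST = "203.0.113.10"   # documentation address, not a real router
EXTERNAL_PORT = 2222

def parse_banner(data: bytes) -> Optional[str]:
    """Return the SSH identification string if the first line looks like one (RFC 4253)."""
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    return line.decode("ascii", "replace") if line.startswith(b"SSH-") else None

def classify(outcome) -> str:
    """Map a connect attempt's outcome to the causes the thread enumerates."""
    if isinstance(outcome, (socket.timeout, TimeoutError)):
        return "filtered: no reply at all, so something (work firewall, ISP, router) drops it"
    if isinstance(outcome, ConnectionRefusedError):
        return "closed: the host answered with RST, so nothing is forwarded/listening there"
    if isinstance(outcome, bytes):
        return "open: sshd answered" if parse_banner(outcome) else "open: something else answered"
    return f"error: {outcome!r}"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """TCP-connect to host:port, read the first bytes and classify what happened."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return classify(s.recv(256))
    except OSError as exc:            # timeouts and refusals are both OSError subclasses
        return classify(exc)

def fake_sshd(banner: bytes = b"SSH-2.0-OpenSSH_9.6\r\n") -> int:
    """Constructed stand-in for sshd: one-shot listener on 127.0.0.1 that sends a banner.
    Returns the port it listens on so the example runs offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve() -> None:
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print("loopback sshd stand-in:", probe("127.0.0.1", fake_sshd()))
    # Run the same probe from inside the LAN (hairpin) and from outside and compare.
    print(f"{EXTERNAL_HOST}:{EXTERNAL_PORT}:", probe(EXTERNAL_HOST, EXTERNAL_PORT, timeout=3.0))
```

A "filtered" result from work but "open" from a phone hotspot points at the work firewall; "closed" from everywhere points at the router's forward.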

----------

## eccerr0r

I have a similar problem root-caused - my work firewall prohibits ports other than 22 (and 80, and 443, but I have an https server) going out. Basically there's really no solution. If you have a friendly firewall admin they'll open a hole for you; but likely if you're at a large company it's a definite 'NO' ...

and so I continue to get hack attempts.  Just pray that my accounts all have secure passwords or use key-based authentication.

Another thing I was thinking about to slightly reduce hacking attempts is to have a (port 80) URL that allows new port 22 connects for a short while, then either another url to block or timeout to shut it off again.  While not great security, it definitely would reduce the number of attempts yet still allow myself to login externally.

----------

## the.root

*eccerr0r wrote:*

> I have a similar problem root-caused - my work firewall prohibits ports other than 22 going out. Basically there's really no solution. If you have a friendly firewall admin they'll open a hole for you; but likely if you're at a large company it's a definite 'NO' ...
> 
> and so I continue to get hack attempts. Just pray that my accounts all have secure passwords or use key-based authentication.
> 
> Another thing I was thinking about to slightly reduce hacking attempts is to have a (port 80) URL that allows new port 22 connects for a short while, then either another url to block or timeout to shut it off again. While not great security, it definitely would reduce the number of attempts yet still allow myself to login externally.

Another couple of ideas are to only allow ssh from certain IPs, and if you can set up port knocking on your firewall/router that might help. Also, key-based authentication is ideal.

Normally it's odd for a place to ONLY allow 22 out. Generally you have 80 & 443, maybe some mail ports, proxy ports, something else open you can use.
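eccerr0r's idea of a port-80 URL that opens port 22 for a short while, combined with the.root's per-IP allow rules, amounts to a time-limited allowlist. This added example (editor's code, not from either poster) shows the core of it: the handler for the "open" URL checks a shared token in constant time, admits only the requesting address, and builds the iptables insert/delete commands without executing them; a cron job or loop would call `expire()` and run what it returns. `SECRET`, the URL path and the rule layout are assumptions, and the HTTP server itself is left out.

```python
import hmac
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

SECRET = "replace-me-with-a-long-random-token"  # constructed placeholder
OPEN_SECONDS = 120.0                             # how long one address stays admitted

def iptables_cmds(ip: str, action: str) -> List[str]:
    """Build (not run) the rule admitting `ip` to port 22; "-I" inserts, "-D" deletes.
    Assumes a later rule in INPUT drops port 22 by default, so only inserted hosts get in."""
    return [f"iptables {action} INPUT -p tcp --dport 22 -s {ip} -j ACCEPT"]

class TimedAllowlist:
    """Source addresses currently admitted to sshd, each with an expiry timestamp."""
    def __init__(self) -> None:
        self._expiry: Dict[str, float] = {}

    def grant(self, ip: str, now: float, ttl: float = OPEN_SECONDS) -> List[str]:
        """Admit `ip` until now+ttl; returns the commands to apply (none if already open)."""
        ip = str(ipaddress.ip_address(ip))   # validates before the value reaches a shell
        fresh = ip not in self._expiry
        self._expiry[ip] = now + ttl
        return iptables_cmds(ip, "-I") if fresh else []

    def allowed(self, ip: str, now: float) -> bool:
        return self._expiry.get(ip, 0.0) > now

    def expire(self, now: float) -> List[str]:
        """Forget entries past their expiry; returns the commands that remove their rules."""
        gone = [ip for ip, until in self._expiry.items() if until <= now]
        cmds: List[str] = []
        for ip in gone:
            del self._expiry[ip]
            cmds += iptables_cmds(ip, "-D")
        return cmds

def handle_request(path: str, client_ip: str, acl: TimedAllowlist, now: float) -> Tuple[int, List[str]]:
    """The 'open' URL: valid token -> 200 plus the rule commands; anything else -> 404."""
    url = urlparse(path)
    token = parse_qs(url.query).get("token", [""])[0]
    if url.path != "/open" or not hmac.compare_digest(token.encode(), SECRET.encode()):
        return 404, []                        # no hint that the URL exists
    return 200, acl.grant(client_ip, now)

if __name__ == "__main__":
    acl = TimedAllowlist()
    print(handle_request("/open?token=" + SECRET, "198.51.100.7", acl, now=0.0))
    print(acl.expire(now=OPEN_SECONDS))
```

Key-only authentication on sshd still does the real work; this only shrinks the window in which the port is reachable at all.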

----------

## eccerr0r

I ended up not whitelisting because if I'm at a random wifi hotspot, I won't know my IP address in advance. Not to mention my work uses a rotating proxy and I'm not sure if I've gotten every single possible proxy yet.

I've even been to one wifi hotspot that had free net access -- but disallowed everything but port 80. Didn't have to use it long to figure out that it was not going to be useful as I can't use it for secure connections (either VPNing back home (udp 1194 blocked), https (tcp 443 blocked), or ssh (tcp 22 blocked)). Was kind of hesitant to even use f.g.o through it or anything else, probably only useful to check the weather, google maps, or something.

----------