# Setting up SSH tunneling over HTTP port 80

## Promit

Yes, I know there's a million threads about this already, but I don't quite understand what others are doing, so I figure I might as well explain my own setup.

My school is running an extremely aggressive proxy that blocks pretty much everything except port 80 and the HTTPS port (443 maybe?). It also blocks non-HTTP requests (from what I can figure), because setting up SSH to simply listen on port 80 doesn't help worth a damn.

So I figure I'll set up an http tunnel.

Now, outgoing first. I have a Linux box (Gentoo) that is going to try to SSH out to other boxes on the Internet (specifically an OS X box, but possibly Linux, BSD, and Windows boxes later, as well). So first of all, what software do I need to emerge? I've heard a couple names tossed around, but I'm just even more confused about what to use. Smaller is better, but not really necessary. What do I need to configure, exactly, on both the Gentoo box and the network-external servers? It would be preferable to get a tunnel which requires nothing on the external server side, but I can do without that if necessary.

Second, ingoing. I'm not sure if HTTP is open incoming to the network or not, though I imagine it is. (I'll nmap it tomorrow and figure out for sure.) What do I need to set up on the Gentoo box to get SSH incoming from port 80? (I'll tell you right now NOTHING in the firewall can change.) Also, what do I need to do on Windows clients to SSH to the Gentoo box? (I'm using PuTTY at the moment, although I suppose that can change if it needs to.)

Oh, and please try and explain clearly, concisely, and thoroughly; I'm really not that good with network stuff and I get lost pretty easily sometimes.

----------

## OdinsDream

If I got you correctly, you want the SSH daemon to listen on port 80?

nano /etc/ssh/sshd_config uncomment Port 22, change to 80.

Or you want to set up a script to automatically SSH out to another computer's port 80 at a certain time?

This, I'm not too sure about. I'd say you should use cron, but I'm not sure about the authentication. You could add the MacOSX system to ~/.ssh/authorized_keys ... if you didn't want the password prompt...

Or, is it that you'd like to run a webserver at home, load the webpage at school, and then maybe start a JavaVM SSH client?

----------

## ecatmur

Your firewall will prevent you running servers.

You'll have to SSH from inside to a friendly machine outside, and then forward a port on the outside machine back through the SSH tunnel.

An HTTP tunnel in Portage is net-misc/httptunnel: http://www.nocrew.org/software/httptunnel.html

You'll need to install it on both ends.

----------

## Promit

When did I say I want to run an external server?

I want to be able to SSH from the Gentoo box through the firewall to external boxes via httptunnel, and I don't know how to set it up.

Is that clear?

----------

## fleed

You'll need to have a friendly box outside which will accept your tunnel and let you connect elsewhere. And it's not nice to be rude to those that are doing their best to help you, is it?

----------

## Promit

I'm sorry; I was just tired.

In any case, I have the friendly box outside and the friendly box inside. The only problem is the distinctly unfriendly firewall I need to tunnel through. And I basically don't know how to set it up to tunnel on either end. I've read other posts but I don't really understand.

----------

## fleed

No worries, just gets me a bit pissed off when ppl ask for help then mistreat those offering that help (for free!).

Have a look at http://www.nocrew.org/software/httptunnel.html if you haven't done so yet.

----------

## Promit

You don't get it; I've already read all that stuff.

The problem is I don't understand what exactly I'm supposed to do. I don't understand networking that well, and I can't keep track of what I'm supposed to set the host name to and which port is where and what's the difference between a remote port and a local port and so on.

I just need to know how to set this up, in simpler terms.

----------

## tyll

On your friendly box outside:

nano /etc/ssh/sshd_config uncomment Port 22, change to 80

On your friendly box inside:

```
ssh -p 80 box_outside_address
```

----------

## Crg

 *Promit wrote:*   

> 
> 
> Now, outgoing first. I have a Linux box (Gentoo) that is going to try to SSH out to other boxes on the Internet (specifically an OS X box, but possibly Linux, BSD, and Windows boxes later, as well). So first of all, what software do I need to emerge?
> 
> preferable to get a tunnel which requires nothing on the external server side, but I can do without that if necessary.
> ...

 

I've never used it, but httptunnel should do what you want. From what appears on the website you just set up ssh as normal on the external site (don't change the port it listens on).

run 

```
hts -F externalserver.name:22 80
```

On the client, to connect out you'll need to run

```
htc -P your.proxy.com:80 -F 22 externalserver.name:80
```

then the tunnel should be set up, so just

```
ssh localhost
```

 *Promit wrote:*   

> 
> 
> Second, ingoing.
> 
> 

 

You'll probably find you can't, normally a place would close incoming traffic to standard clients.

----------

## Promit

Why do I ssh to localhost instead of the ssh server running hts?

----------

## numbaonestunna

 *Promit wrote:*   

> Second, ingoing. I'm not sure if HTTP is open incoming to the network or not, though I imagine it is. (I'll nmap it tomorrow and figure out for sure.) What do I need to set up on the Gentoo box to get SSH incoming from port 80? (I'll tell you right now NOTHING in the firewall can change.) Also, what do I need to do on Windows clients to SSH to the Gentoo box? (I'm using PuTTY at the moment, although I suppose that can change if it needs to.)

You said you wanted an incoming server right here.   When you wanted to know if HTTP is open incoming?  And when you wanted to see if your Gentoo box could take incoming connections on 80?  Sheesh, what's with the attitude... you're the one with the questions, not us.

----------

## numbaonestunna

 *Crg wrote:*   

>  *Promit wrote:*   
> 
> Now, outgoing first. I have a Linux box (Gentoo) that is going to try to SSH out to other boxes on the Internet (specifically an OS X box, but possibly Linux, BSD, and Windows boxes later, as well). So first of all, what software do I need to emerge?
> 
> preferable to get a tunnel which requires nothing on the external server side, but I can do without that if necessary.
> ...

 

Maybe he could if he created a tunnel and used a reverse connection.  I think that's what someone else was saying earlier... even if the firewall doesn't permit inbound connections, if you create a tunnel to your friendly box outside, and have a port on that box map back inside, then someone connecting to your outside friendly box would be automagically routed back inside your network.  Couple that with a Squid proxy internally, and you can go anywhere you want inside your network from outside.

----------

## Promit

 *numbaonestunna wrote:*   

> 
> 
> Maybe he could if he created a tunnel and used a reverse connection.  I think that's what someone else was saying earlier... even if the firewall doesn't permit inbound connections, if you create a tunnel to your friendly box outside, and have a port on that box map back inside, then someone connecting to your outside friendly box would be automagically routed back inside your network.  Couple that with a Squid proxy internally, and you can go anywhere you want inside your network from outside.

 

How would I set that up?

[EDIT] As usual, networks leave me clueless.

Ok, I have this computer, Local, which can ssh to another box, called Remote. I want Remote to be able to ssh back to Local (me). But Local is shielded by a one-way firewall which is not allowing incoming connections on any ports, at all. Zip, nada, none. Can I set up a reverse ssh tunnel to allow Remote to log in to Local ? And how would I do it?

----------

## Crg

 *Promit wrote:*   

> Why do I ssh to localhost instead of the ssh server running hts?

 

Localhost will be running hts.  You need to run the commands above and this will have hts running on both the localhost and the server.

Basically what happens is you set up hts on your localhost to listen on port 22 and then have it forward all packets (wrapped up in a way that is HTTP-compatible so it can go through HTTP proxies etc.) to the other server, which is running hts, which then unwraps them and gives them to port 22 where your ssh server is listening.

----------

## fleed

If you can ssh into Remote from Local then you don't even have to bother with hts. Simply set up your ssh connection so that you have a reverse mapping. You just have to use a different port for the connection you'll initiate.

So, you connect from Local to Remote using ssh:

```
ssh -R 2022:127.0.0.1:22 RemoteMachineName.com
```

(you're instructing ssh to connect to RemoteMachineName.com and ask it to listen on port 2022 and forward data to 127.0.0.1:22, which will be port 22 on your Local machine)

Then, on Remote or any other computer which can connect to Remote, you do:

```
ssh -p 2022 RemoteMachineName.com
```

(this tells ssh to connect to RemoteMachineName.com on port 2022, which will then be forwarded to Local:22).

YES, you have to tell ssh to connect to RemoteMachineName.com

YES, man would have told you what commands to use, if you had some knowledge of what you had to do but

IF you cannot connect to Remote due to your nazi firewall, then you have to revert to hts and use the commands mentioned in this thread. And maybe the knowledge of how redirecting ports works!

----------

## GentooBox

 *Promit wrote:*   

> Yes, I know there's a million threads about this already, but I don't quite understand what others are doing, so I figure I might as well explain my own setup.
> 
> My school is running an extremely aggressive proxy that blocks pretty much everything except port 80 and the HTTPS port (443 maybe?). It also blocks non HTTP requests (from what I can figure) because setting up SSH to simply listen on port 80 doesn't help worth a damn.
> 
> So I figure I'll set up an http tunnel.
> ...

 

Right now I'm at a school with a really strong firewall.

The only port that is open is port 80.

I want to be able to run Messenger, ICQ and so on.

Is there some way I can do that?

I think I've got an idea, but I don't know if it will work.

I set up a reverse SSH tunnel over port 80 (HTTP),

then I somehow redirect VNC data to go into the SSH tunnel to the remote host.

Does someone know how to redirect data into tunnels?

----------

## fleed

Hi GentooBox. Do you have a box outside that firewall? A box you have full control over?

----------

## think4urs11

anybody knowing if the following is possible?

given:

- firewalled corporate network with RFC1918 addresses internally (meaning non-routable on the Internet; no direct connection possible at all)

- internet connection ONLY via http/https proxy (authenticated via username/password)

- remote box in the internet having ssh up and running (preferably on port 443 to cover traffic in the proxy logs)

solution for windows based systems:

- PuTTY (freeware ssh client, 1 small exe file)

- configure putty to use the http proxy and the CONNECT method

- connect to the external ip of your remote box, port 443

- login

... traffic between the internal box and the proxy is pure ssh as far as I know, nothing 'covered' in http

... no special installation needed on the remote box

... possible on nearly every Windows box, even well-secured ones!

solution for gentoo:

a) setting up http-tunnel on inside+outside (repackage all traffic inside http packets)

using default ssh client

b) without http-tunnel???

Is there any client available that is capable of using the http-proxy CONNECT method?

Maybe I'm just too dumb to find it by myself.

TIA

T.

----------

## Promit

 *fleed wrote:*   

> 
> 
> So, you connect from Local to Remote using ssh:
> 
> ssh -R 2022:127.0.0.1:22 RemoteMachineName.com
> ...

 

Did that, connected to Remote as normal, nothing special there.

 *Quote:*   

> 
> 
> Then, on Remote or any other computer which can connect to remote, you do:
> 
> ssh -p 2022 RemoteMachineName.com
> ...

 

Did that, and...

```
ssh: connect to address 129.*.*.* port 2022: Connection refused
```

It won't give me a connection. What did I do wrong?

[EDIT]I'm not working through a proxy at the moment, only a firewall.

----------

## GentooBox

 *fleed wrote:*   

> Hi GentooBox. Do you have a box outside that firewall? A box you have full control over?

 

Yes, I have a Linux box outside the firewall.

I have never tried SSH over HTTP, but I would like to test it.

----------

## GentooBox

 *Think4UrS11 wrote:*   

> anybody knowing if the following is possible?
> 
> given:
> 
> - firewalled corporate network with RFC1918 addresses internally (means non routable in the internet, no direct connection possible at all)
> ...

 

Don't think so.

BTW: I found out how NTLM proxies work.

I have a Gentoo box that uses NTLM auth.

All you have to do is download this:

http://www.geocities.com/rozmanov/ntlm/

Set up the server to auth to the parent proxy server and connect to the basic server you just created.

----------

## fleed

 *Promit wrote:*   

>  *fleed wrote:*   
> 
> So, you connect from Local to Remote using ssh:
> 
> ssh -R 2022:127.0.0.1:22 RemoteMachineName.com
> ...

 

Is 129.*.*.* the correct machine? Could it be a typo for 127.0.0.1?

----------

## fleed

 *Think4UrS11 wrote:*   

> 
> 
> solution for windows based systems:
> 
> - PuTTY (freeware ssh client, 1 small exe file)
> ...

 

I don't think PuTTY can use an http/s proxy so that would not work if you are really locked out of direct connections to the net. I think then htc is your only solution. Since there's a version for windows (http://www.nocrew.org/software/httptunnel/) it should be doable. Then you can connect with putty via the http tunnel and reforward anything you want securely. I don't know what kind of performance impact you'd see since you'd be doing so many forwards and redirections (proxy+ht+ssh over a normal connection) but if it allows you to do what you want, why not do it?

----------

## think4urs11

Believe me, PuTTY can do it.

That's how I connect from the office to my firewall box at home every day.

On my firewall sshd listens on 443, that's all.

(Oh, and only one of our fixed IP addresses in the office is allowed to connect to it, of course.)

So do we really have a situation where Windows is better at something so essential? I won't believe this.

T.

----------

## Promit

 *fleed wrote:*   

> 
> 
> Is 129.*.*.* the correct machine? Could it be a type for 127.0.0.1?

 

No, it's just the IP that the server's DNS name resolves to. Not that it matters; 127.0.0.1 does the same thing.

----------

## fleed

 *Think4UrS11 wrote:*   

> believe me, PuTTY can do it.
> 
> Thats how i connect from the office to my firewall box at home every day.
> 
> On my firewall sshd listens on 443, thats all.
> ...

 

You're right! I missed that in the menu. Well, since PuTTY is open source, I guess one could just as easily port it to Linux. A quick search on Google shows that it is already available (http://packages.debian.org/unstable/net/putty.html). So indeed we don't have a situation where Windows is better, it's just equal in this case ;P

----------

## fleed

 *Promit wrote:*   

>  *fleed wrote:*   
> 
> Is 129.*.*.* the correct machine? Could it be a type for 127.0.0.1? 
> 
> No, it's just the IP that the server's DNS name resolves to. Not that it matters; 127.0.0.1 does the same thing.

 

Have you tried looking at the sshd logs? Run netstat -ltn on that machine to see if sshd is listening on 2022. What happens when you telnet to it?
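The `netstat -ltn` check above is the right one, and what it shows decides the next step, because `ssh -R` has a default that explains a "Connection refused" on the forwarded port: unless the outside box's sshd has `GatewayPorts yes` (or `clientspecified`, used together with `-R 0.0.0.0:2022:127.0.0.1:22`), the `-R` listener is bound to 127.0.0.1 only, so `ssh -p 2022 RemoteMachineName.com` from any other host, or to the public address, is refused while `ssh -p 2022 localhost` on Remote itself works. If nothing listens on 2022 at all, the `ssh -R` session is simply not up. The following script is an added example, not code from this thread; it parses `netstat -ltn` or `ss -ltn` output (the sample below is constructed) and reports which of these cases applies. The same listener check works for an sshd moved to port 80 with `Port 80` in sshd_config, as tyll and OdinsDream described.

```python
"""Check where a reverse-forwarded port (ssh -R) actually landed on the outside box.

Added example for this thread; not code from the posts above.
Run `netstat -ltn` (or `ss -ltn`) on the box that received the -R and feed
the output to report(); with no stdin it uses the constructed sample below.
"""
import sys

# Constructed sample: `netstat -ltn` on RemoteMachineName.com after
#   ssh -R 2022:127.0.0.1:22 RemoteMachineName.com
# was run from Local, with sshd's default `GatewayPorts no`.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2022          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}


def parse_listeners(text):
    """Return [(local_addr, port), ...] for the LISTEN rows of netstat -ltn or ss -ltn.

    Both tools put the local address:port in the fourth column and mark
    listening sockets with the word LISTEN, so one parser covers both.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or "LISTEN" not in fields:
            continue
        addr, sep, port = fields[3].rpartition(":")
        if sep and port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def classify_reverse_forward(listeners, port):
    """Explain why `ssh -p PORT outside-box` might be refused.

    "none"   -> nothing listens: the ssh -R session is not established, so
                even localhost:PORT on the outside box is refused.
    "local"  -> bound to loopback only, which is what sshd does with the
                default `GatewayPorts no`; only `ssh -p PORT localhost` run
                on the outside box works. `GatewayPorts yes` (or
                `clientspecified` plus `-R 0.0.0.0:PORT:...`) changes this.
    "remote" -> bound to a wildcard or public address: other hosts can connect.
    """
    addrs = [a for a, p in listeners if p == port]
    if not addrs:
        return "none"
    if all(a in LOOPBACK for a in addrs):
        return "local"
    return "remote"


def report(text, port):
    """Human-readable verdict for a netstat/ss dump and a forwarded port."""
    verdict = classify_reverse_forward(parse_listeners(text), port)
    messages = {
        "none": f"port {port}: no listener; the ssh -R session is not established",
        "local": f"port {port}: loopback only (GatewayPorts no); reachable from the outside box itself only",
        "remote": f"port {port}: reachable from other hosts",
    }
    return messages[verdict]


if __name__ == "__main__":
    # Real use on the outside box: netstat -ltn | python3 check_reverse.py 2022
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 2022
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    print(report(text, port))
```

On the constructed sample the verdict for 2022 is "loopback only", which is exactly the situation where a connection to the box's public address is refused but `telnet localhost 2022` on Remote answers with an SSH banner.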

----------

## GentooBox

 *Quote:*   

> right now im on a school with a really strong firewall.
> 
> the only port that is open is port 80.
> 
> I want to be able to run messsenger, ICQ and so on.
> ...

 

anyone got the answer ?

----------

## Aphex3K

Sorry for interrupting, same situation here. Very aggressive firewall (plz don't say it's nazi, I'm German) only allowing traffic on port 80 (no ftp, no ssh, ...). I've got my Gentoo box with sshd at home working fine. I can figure out its IP through a dyndns service.

I'm new to networking under Linux but I understood most of the things said here.

There's only one thing that troubles me for now.

 *fleed wrote:*   

> So, you connect from Local to Remote using ssh:
> 
> ssh -R 2022:127.0.0.1:22 RemoteMachineName.com
> 
> ...
> ...

 

I got confused about what's Local and what's Remote.

The Remote is my server staying at home? So the Local is the one I'm actually sitting in front of and want to ssh from to my Remote? Am I right???

Thanks in advance

----------

## fleed

 *GentooBox wrote:*   

>  *Quote:*   right now im on a school with a really strong firewall.
> 
> the only port that is open is port 80.
> 
> I want to be able to run messsenger, ICQ and so on.
> ...

 

```
man ssh
```

 does have your answer!

If you want it more digested, though, you'll first need to find what ports you need forwarding and how the protocols work. If they use the same port you initiated the connection on then you should be fine with ssh. If they try connections on different ports, or using udp instead of tcp then you'll have problems and will likely need to use something other than ssh. I think for voice/video you'll certainly run into problems but text chat should be okay.  For ICQ, for example, this tells you what you have to forward. It might actually be easier to just setup a SOCKS proxy server on your machine outside the firewall and forward ssh connections there and use the SOCKS proxy from your firewalled machine though. This should get most of your apps working.

----------

## fleed

 *Aphex3K wrote:*   

> Sorry for interrupting, same situation here. Very aggressive firewall (plz don't say it's nazi, I'm German) only allowing traffic on port 80 (no ftp, no ssh, ...). I've got my Gentoo box with sshd at home working fine. I can figure out its IP through a dyndns service.
> 
> I'm new to networking under Linux but I understood most of the things said here.
> 
> Theres only one thing that troubles me for now.
> ...

 

First you need to find out what kind of fascist firewall you have. It could be it's simply blocking all connections unless they're made on specific ports, but then it doesn't care about what traffic uses that port. If that's the case then you can simply put your sshd to listen on port 80. Just edit /etc/ssh/sshd_config and put a Listen 80 in there.

If the firewall also blocks traffic that's not http, then you'll have to use something like httptunnel (see previous discussion).

----------

## Aphex3K

I used nmap to find out something about my network neighbourhood and I found something interesting. I'm not shielded by a firewall (not the one I thought so far) but I sit behind a web proxy. So there is no way around HTTP tunnelling, I guess?

----------

## ecatmur

About putty being able to use a HTTP proxy:

OpenSSH does not specifically implement any proxy methods as PuTTY does. Instead you can specify a ProxyCommand in your .ssh/config: *Quote:*   

>      ProxyCommand
> 
>              Specifies the command to use to connect to the server.  The com-
> 
>              mand string extends to the end of the line, and is executed with
> ...

 (ssh_config (5))

What you probably want is to install proxytunnel and use that as the ProxyCommand. No ebuild currently - shouldn't be too hard to make one.
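The CONNECT method think4urs11 asked about, and which proxytunnel supplies as a ProxyCommand, is small enough to show in full. The script below is an added example written for this thread, not code from the posts, from proxytunnel or from PuTTY: it opens a TCP connection to the proxy, sends `CONNECT host:port HTTP/1.1` (with a `Proxy-Authorization: Basic` header when the proxy wants a username and password), checks for a 2xx reply, and then copies bytes between ssh's stdin/stdout and the socket. From that point on the proxy only sees raw SSH bytes, which is why nothing is "covered" in HTTP and why a proxy that inspects the payload can still notice it. The proxy address, the ~/.ssh/config stanza and the PROXY_USER / PROXY_PASS environment variables are assumptions for the example; an NTLM proxy needs more than Basic auth and is out of scope here.

```python
#!/usr/bin/env python3
"""Minimal HTTP CONNECT relay usable as an OpenSSH ProxyCommand.

Added example for this thread (not proxytunnel, PuTTY or code from the posts).
Assumed ~/.ssh/config usage (hypothetical hosts and port):
    Host home
        HostName home.example.org
        Port 443
        ProxyCommand python3 connect_proxy.py proxy.example.org:3128 %h %p
Proxy credentials (Basic auth only) come from the hypothetical PROXY_USER
and PROXY_PASS environment variables.
"""
import base64
import os
import select
import socket
import sys


def build_connect_request(host, port, user=None, password=None):
    """Bytes of an HTTP/1.1 CONNECT request for host:port, with optional Basic auth."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data):
    """Return (status_code, leftover) from the proxy's reply.

    leftover is any payload after the header block: a fast proxy may already
    have relayed the start of the sshd banner there, and it must not be lost.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT response")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), rest


def open_tunnel(proxy_host, proxy_port, dest_host, dest_port, user=None, password=None):
    """Connect to the proxy and complete the CONNECT handshake; return (socket, leftover)."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=15)
    sock.sendall(build_connect_request(dest_host, dest_port, user, password))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
        if len(buf) > 65536:
            raise ValueError("CONNECT response too large")
    status, leftover = parse_connect_response(buf)
    if not 200 <= status < 300:
        # 407: the proxy wants credentials. 403: CONNECT to that port is not
        # allowed (many proxies permit CONNECT to 443 only, hence sshd on 443).
        raise ConnectionError(f"proxy refused CONNECT: HTTP {status}")
    sock.settimeout(None)
    return sock, leftover


def relay(sock, leftover=b""):
    """Copy bytes between stdin/stdout (ssh's side) and the socket until the server closes.

    From here on the proxy sees raw SSH bytes; nothing is wrapped in HTTP.
    """
    out = sys.stdout.buffer
    if leftover:
        out.write(leftover)
        out.flush()
    stdin_fd = sys.stdin.fileno()
    sources = [sock.fileno(), stdin_fd]
    while True:
        readable, _, _ = select.select(sources, [], [])
        if sock.fileno() in readable:
            data = sock.recv(65536)
            if not data:
                return  # server side closed; ssh sees EOF on our stdout
            out.write(data)
            out.flush()
        if stdin_fd in readable:
            data = os.read(stdin_fd, 65536)
            if not data:
                sock.shutdown(socket.SHUT_WR)  # ssh closed; half-close toward the server
                sources.remove(stdin_fd)
            else:
                sock.sendall(data)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: connect_proxy.py PROXYHOST:PROXYPORT DESTHOST DESTPORT")
    proxy_host, _, proxy_port = sys.argv[1].rpartition(":")
    s, first_bytes = open_tunnel(proxy_host, int(proxy_port), sys.argv[2], int(sys.argv[3]),
                                 os.environ.get("PROXY_USER"), os.environ.get("PROXY_PASS"))
    relay(s, first_bytes)
```

OpenSSH substitutes `%h` and `%p` with the target host and port, so the same ProxyCommand line serves every Host stanza; if the proxy answers 407, set the credentials, and if it answers 403 the proxy is restricting which destination ports CONNECT may reach, which is the reason for running sshd on 443 rather than 22.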

----------

## ecatmur

OK, here's one:

net-misc/proxytunnel/proxytunnel-1.1.3.ebuild:

```
# Copyright 1999-2004 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: $

DESCRIPTION="ProxyTunnel is a program that connects stdin and stdout to a server somewhere on the network, through a standard HTTPS proxy"
HOMEPAGE="http://${PN}.sourceforge.net"
SRC_URI="${HOMEPAGE}/files/${P}.tgz"

KEYWORDS="~x86"
SLOT="0"
LICENSE="GPL-2"
IUSE=""

DEPEND="virtual/glibc"
RDEPEND="virtual/glibc"

S="${WORKDIR}"

src_compile() {
	emake || die "emake failed"
}

src_install() {
	make install DESTDIR="${D}" || die "make install failed"
	dodoc CHANGES CREDITS LICENSE.txt README
}
```

----------

## paranouei

Been there, done that.

You can actually have full access to any port, any protocol. But first of all, you need a box outside that network.  There are also two different situations: if it is just a firewall blocking everything except port 80, it's easier, but if it is a proxy, you need HTTP tunnelling to encapsulate a connection in HTTP requests.

Well, first install httptunnel on both sides, in the firewalled network and on your box outside. Then you can create a connection between them.  After you can create connections, for example to the ssh port of the outside box, you can create a ppp-over-ssh tunnel. You need to have access without a password (using ~/.ssh/authorized_keys), and then you can create a pppd options file to create the ppp link. Have a look at this: http://bulma.net/body.phtml?nIdNoticia=1147 (look at the third comment, the one by paranouei). Sorry, it's Spanish; use the fish.

Well, once you have the ppp link tunnelled over ssh over the HTTP tunnel, you just have to set the box inside the network to use the box outside the network as its default gateway. You also need to enable IP masquerading on the box outside the network. This way you have created a virtual network between those two computers over HTTP requests, and you are using the box outside as your gateway.

Unlimited access to any port, any protocol.

----------

## GentooBox

paranouei

If you made a howto with all that, then it would be wonderfull for everyone.

----------

## paranouei

Yes, it would, but... have a look at that link.. it was 2 years ago! It's not very complicated anyway, once you have the right tools (http tunneling, ssh, and pppd). Http tunneling is too easy to get working, the only thing a little bit complicated is pppd over ssh. Anyway now it may be easier to set up some vpn with newest software...

Cheers.

----------

## numbaonestunna

 *fleed wrote:*   

>  *Promit wrote:*    *fleed wrote:*   
> 
> So, you connect from Local to Remote using ssh:
> 
> ssh -R 2022:127.0.0.1:22 RemoteMachineName.com
> ...

 

Yeah, you made a typo.  It should have been 127.0.0.1...

----------

## OdinsDream

 *Aphex3K wrote:*   

> 
> 
> ...
> 
> Very agressive firewall (plz don't say its nazi, i'm german) only allowing traffic on port 80.
> ...

 

Don't take offence to my questioning you on this matter, it's purely something I'm curious about. Were you kidding about the nazi thing, or did you seriously mean that, somehow, comparing something to a "nazi" insults germans?

If you're just kidding, forgive my lack of a sense of humor, but, if not... I'd like to say that, were I german, I certainly don't think I'd be offended by references to the Nazi movement simply because the Nazis happened to also be German (admittedly with exceptions).

The equivalent would be "plz don't say its racist, im white"... As a white, non-racist person, I certainly don't take offence to insults against racist individuals.

I think my point is, I'm sorry that you feel like someone would heartlessly connect you with "nazi" simply because of your being german. Quite a shame.

----------

## fleed

Risking making this topic move forum, I agree. I was even going to comment on that but thought I should keep things on topic. I also think that avoiding it (as in prohibiting games which show the swastika) does not make the past go away; it just makes people forget their errors and makes it less likely they'll avoid those same errors in the future. 

I think the offence comes from the fact that most (but not all) of the germans applauded the nazis at the time. You gotta be ashamed by that, just like italians should be ashamed of supporting mussolini, etc. Brutal regimes, yes, but with a fair share of approval from the population.

----------

## OdinsDream

 *fleed wrote:*   

> 
> 
> I think the offence comes from the fact that most (but not all) of the germans applauded the nazis at the time. You gotta be ashamed by that, just like italians should be ashamed of supporting mussolini, etc. Brutal regimes, yes, but with a fair share of approval from the population.

 

For one, I do not feel shamed by the acts of people related to me only by ancestry. Since I have no control over things that occurred before I was alive, I cannot assume any responsibility for them.

I may, however, proactively work to fix any wrong-doings that occurred in the past, and their effects as seen today, but I do so along with the entire community, and in no way does my hope for a better future equate to an acceptance of responsibility for the acts of my ancestors.

Make the world a better place, together.

----------

## Aphex3K

Come on guys, I'm sorry for breaking the topic, it was just a note on the sideline. (I mean, "Nazi" is nothing to make fun of, in any way.)

So let's keep this on topic. Thanks

----------

