Wednesday, December 1, 2010

Using PUTTY (and SSH) to Bypass Firewalls


SSH provides port forwarding that bypasses a firewall's rules. Instead of actually connecting to the firewall at a certain port, the SSH software tunnels a given port, along with the standard SSH traffic, over the existing SSH port. With a properly configured SSH tunnel, you can connect to a port on your local machine and have all traffic on that port tunneled to the port of a destination machine of your choosing. For example, you set up an SSH port forward from your local machine to a remote mail server: the local port you choose is 2987, and the remote machine and port are mail.blah.com port 25. (This would solve the issue of MSN not allowing users to connect to an alternate SMTP server to send mail.) To send an email without using the MSN servers, you would set up your mail client to use localhost port 2987 (localhost:2987) as its SMTP server. Now any email you send via localhost:2987 is actually sent to mail.blah.com:25 and handled by the mail server there (if there is one).

Another nice feature of SSH's port forwarding is that you can set the end point of a tunnel to a machine that is only visible from your SSH server. Example: I call my firewall stratego and my internal-only Linux box risk. In stratego's hosts file there is an entry for risk, so whenever I am on stratego and want to ping risk, all I have to type is `ping risk` instead of `ping 10.x.x.2`. Ordinarily, if I tried to connect to risk from work, it wouldn't connect because risk's IP is non-routable. However, when I set up the local port forward in PUTTY, I set the local port to 2000 (on my desktop) and the destination host and port to risk:22. Since the destination of the tunnel is relative to the firewall, I don't need to know where risk is, as long as the SSH server does.



Configuring an SSH tunnel using PUTTY for Windows

  • Run PUTTY.
  • On the window that appears (shown in Figure 2 below) select the SSH protocol and enter the address of your NetManager (e.g. intranet.demo.co.uk).
Figure 2: Screen shot of initial PUTTY window
  • Click on the 'Tunnels' item under 'Connection/SSH' in the category section of this window.
  • Enter a port number to listen on your local machine (source port - see Figure 3) which will forward the requests on to your NetManager.



Figure 3: PUTTY tunnelling configuration page

  • In the 'Destination' box (see Figure 3) enter the address followed by a colon and the port number that you wish the NetManager to forward requests to (use localhost if you want to refer to the NetManager itself). For example, to access the NetManager's web pages you would enter 'localhost:80' or to access a Citrix server you might enter 'appserver:1494'.
  • Once you have entered the source port and destination details you must click the 'Add' button.
  • You may add as many source and destination details as you want. Remember to click the 'Add' button each time.
  • Click on 'Open'. This will open a window and ask you to log on to your server. Log on as 'ncadmin' or any other interactive user. If the window closes straight away when you type in the password, the account is not interactive. Use the NetManager web-based administration pages to modify the user account so that it is interactive.
  • Once you have logged on, the tunnelled connection will be live.
  • When configuring your client software (e.g. web-browser or email package), always enter localhost (i.e. the local computer) as the remote address instead of the IP address of your NetManager. If you do not do this, the computer will connect as normal instead of over the ssh tunnel. For example, if you have configured your source port to be '8000' and the destination to be 'localhost:80', you will be able to access the web pages served by your NetManager from a web browser on your local machine by using the URL 'http://localhost:8000/'. Similarly, if you have specified the source port as '1494' and the destination as 'appserver:1494', you will be able to configure the Citrix ICA client to connect to 'localhost'. The NetManager at the other end of the ssh tunnel will forward the traffic to machine 'appserver' on the remote network.
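Because the destination of every tunnel is opened by the SSH server, the server's own configuration decides which of these forwards actually work. The following is an added example, not code from the original post: a simplified model of how an OpenSSH `sshd_config` (assumed here; the post does not say which SSH server is in use) evaluates the forwards described above. It reads global options only (no `Match` blocks), and the function names and sample configuration are constructed for illustration.

```python
# Added example: simplified model of OpenSSH sshd's decision on a local
# forward request (PuTTY "Tunnels" page / ssh -L). Global options only.

# Constructed sample configuration, not taken from the post.
SAMPLE_SSHD_CONFIG = """\
# restrict tunnels to two named destinations
AllowTcpForwarding local
PermitOpen risk:22 localhost:80
"""

# Forwards described in the post: (local port, destination host, destination port)
POST_FORWARDS = [(2987, "mail.blah.com", 25), (2000, "risk", 22),
                 (8000, "localhost", 80), (1494, "appserver", 1494)]

def parse_sshd_config(text):
    """Return {keyword: [args]}; as in sshd, the first value seen wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "match":   # stop at per-user/per-host blocks
            break
        if len(parts) >= 2:
            opts.setdefault(parts[0].lower(), parts[1:])
    return opts

def forward_allowed(opts, host, port):
    """True if a local forward to host:port would be accepted."""
    mode = opts.get("allowtcpforwarding", ["yes"])[0].lower()   # default: yes
    if mode not in ("yes", "all", "local"):
        return False
    permit = opts.get("permitopen", ["any"])                    # default: any
    if permit[0].lower() == "any":
        return True
    if permit[0].lower() == "none":
        return False
    for entry in permit:
        p_host, _, p_port = entry.rpartition(":")
        # Names are compared literally; '*' matches any host or any port.
        if p_host.strip("[]") in ("*", host) and p_port in ("*", str(port)):
            return True
    return False

def audit(config_text, forwards=POST_FORWARDS):
    """Map each 'host:port' destination to whether sshd would open it."""
    opts = parse_sshd_config(config_text)
    return {f"{h}:{p}": forward_allowed(opts, h, p) for _, h, p in forwards}

if __name__ == "__main__":
    for dest, ok in audit(SAMPLE_SSHD_CONFIG).items():
        print(f"{dest:20} {'allowed' if ok else 'refused'}")
```

With no forwarding options set, sshd's defaults (`AllowTcpForwarding yes`, `PermitOpen any`) accept all four destinations, which is the situation the post relies on.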
