2008-12-02

Web filter evasion part 5: SSH Tunneled proxies

View entire series: Web Filter Evasion

This was supposed to be posted quite a while ago to wrap up the Web Filter Evasion series, but I never got around to it.

Combining SSH Tunneling with web proxies is one of the more advanced ways to get past a web filter. You can increase your odds of being able to contact your SSH Server by running it on ports that are more likely to be allowed outbound access: 53 (DNS) and 443 (https) are good examples. If you're using a router or firewall at home, you might be able to do this with Port Address Translation or Port Forwarding.

If you can set up a system to SSH to (as described in the Reverse Tunneling and Quick & Dirty SSH Tunneling articles), you can forward the proxy port to any external proxy server (assuming it works), but the most reliable way is to run Squid Cache (which we've also discussed before) on your SSH server.

I also recently ran across a site that keeps a good up-to-date list of public proxies you could try. The problem with public proxies is that it's one more place your private information goes. Keep that in mind when using any old proxy. It might not be bad for checking 4chan or craigslist, but you might not want to pull up sensitive, personal information while using someone else's proxy.

Here is a bare-bones squid.conf file that works on the binary package for OpenBSD. It only listens on the localhost interface, so it's not likely to be abused by outsiders. It should work on any other Squid install; just make sure the access_log and cache directories exist with the right permissions (or change them in this config example to match what your Squid install was using by default). Make sure to run "squid -z" to create the cache if you haven't already.

acl apache rep_header Server ^Apache
acl all src all
http_access allow all
http_port localhost:3128
access_log /var/squid/logs/access.log squid
broken_vary_encoding allow apache
coredump_dir /var/squid/cache

Once you do this, simply start a tunnel from your port 3128 to port 3128 on the proxy server. Configure your browser to use http://localhost:3128 as the proxy server (as shown in Part 4).
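The safety of this configuration rests on one line: http_port is bound to localhost, so "http_access allow all" only ever admits clients on the box itself. Change the bind address and the same file becomes an open proxy. The following script, written for this article rather than taken from the post or from Squid, parses a squid.conf into directive/argument pairs and flags that combination (plus a missing access_log, which would leave no record of who used the proxy). The two configurations embedded in it are constructed inputs: the first is the file above, the second is a hypothetical variant with a bare port number; the finding codes are my own naming.

```python
import re
from typing import List, Tuple

# Constructed input: the localhost-only squid.conf from the post.
SQUID_CONF_LOCALHOST = """\
acl apache rep_header Server ^Apache
acl all src all
http_access allow all
http_port localhost:3128
access_log /var/squid/logs/access.log squid
broken_vary_encoding allow apache
coredump_dir /var/squid/cache
"""

# Constructed input: a hypothetical variant that binds every interface and
# keeps no access log, i.e. an open proxy anyone on the network can use.
SQUID_CONF_EXPOSED = """\
acl all src all
http_access allow all
http_port 3128
coredump_dir /var/squid/cache
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]", "::1"}

Entry = Tuple[str, List[str]]


def parse_squid_conf(text: str) -> List[Entry]:
    """Split squid.conf into (directive, args) pairs; '#' starts a comment.

    Simplification: a '#' inside an ACL regex would be treated as a comment."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def listens_on_loopback_only(entries: List[Entry]) -> bool:
    """True when every http_port line names a loopback host (host:port form)."""
    specs = [args[0] for d, args in entries if d == "http_port" and args]
    if not specs:
        return False
    for spec in specs:
        # "localhost:3128" -> host "localhost"; a bare "3128" binds all interfaces
        host = spec.rsplit(":", 1)[0] if ":" in spec else ""
        if host not in LOOPBACK_HOSTS:
            return False
    return True


def allows_everyone(entries: List[Entry]) -> bool:
    """True if the first http_access rule that matches an arbitrary client allows it.

    Only ACLs of type 'src all' (and the predefined 'all') are treated as
    matching everyone; ACLs on one http_access line are ANDed, as in Squid.
    Squid's implicit default after the last rule is not modelled here."""
    match_all = {"all"}
    match_all.update(
        args[0] for d, args in entries
        if d == "acl" and len(args) >= 3 and args[1] == "src" and args[2] == "all"
    )
    for d, args in entries:
        if d != "http_access" or len(args) < 2:
            continue
        action, acls = args[0], args[1:]
        if all(a in match_all for a in acls):
            return action == "allow"
    return False


def audit(text: str) -> List[str]:
    """Return finding codes (constructed names) for a squid.conf text."""
    entries = parse_squid_conf(text)
    findings: List[str] = []
    if allows_everyone(entries) and not listens_on_loopback_only(entries):
        findings.append("OPEN_PROXY")
    if not any(d == "access_log" for d, _ in entries):
        findings.append("NO_ACCESS_LOG")
    return findings


if __name__ == "__main__":
    for name, conf in (("localhost-only", SQUID_CONF_LOCALHOST),
                       ("exposed", SQUID_CONF_EXPOSED)):
        print(name, audit(conf) or "no findings")
```

The post's own file comes back clean; the exposed variant reports OPEN_PROXY and NO_ACCESS_LOG. The check is deliberately narrow (it does not evaluate arbitrary ACL types), so treat a clean result as "nothing obviously wrong" rather than a full review.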

If you're running squid on your SSH server with the above configuration file, this will work. Notice I'm running my local proxy tunnel on port 3129, not 3128. Using "~#" over the SSH session, you can see the tunneled TCP connections.

$ ssh axon@labs.h-i-r.net -L3129:localhost:3128

-bash-3.2$ ~#
The following connections are open:
#4 client-session (t4 r0 i0/0 o0/0 fd 8/9 cfd -1)
#5 direct-tcpip: listening port 3129 for localhost port 3128, connect from ::1 port 55373 (t4 r1 i0/0 o0/0 fd 11/11 cfd -1)
#6 direct-tcpip: listening port 3129 for localhost port 3128, connect from ::1 port 55351 (t4 r2 i0/0 o0/0 fd 12/12 cfd -1)
#7 direct-tcpip: listening port 3129 for localhost port 3128, connect from ::1 port 55374 (t4 r3 i0/0 o0/0 fd 13/13 cfd -1)
#8 direct-tcpip: listening port 3129 for localhost port 3128, connect from ::1 port 55375 (t4 r4 i0/0 o0/0 fd 14/14 cfd -1)

From here on out, all the web traffic will go over the tunnel to the proxy.
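The "~#" listing is worth reading rather than just glancing at: the "connect from" address on each direct-tcpip channel tells you who is actually using your forwarded port. In the session above every client is ::1, i.e. the browser on the same machine. Below is a small parser for that listing, added here for this article and not part of the post or of OpenSSH; the sample text is the post's output plus one constructed channel (#7) from a LAN address, the kind of entry you would see if the forward had been opened to other hosts (ssh -g / GatewayPorts) without meaning to. The function names and the expected target are my own choices.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# One line per forwarded channel as printed by OpenSSH's "~#" escape.
CHANNEL_RE = re.compile(
    r"^#(?P<id>\d+) direct-tcpip: listening port (?P<lport>\d+) "
    r"for (?P<rhost>\S+) port (?P<rport>\d+), "
    r"connect from (?P<src>\S+) port (?P<sport>\d+)"
)

# Constructed sample: the listing from the post plus one invented channel
# (#7) whose client is a LAN address rather than loopback.
SAMPLE_LISTING = """\
The following connections are open:
#4 client-session (t4 r0 i0/0 o0/0 fd 8/9 cfd -1)
#5 direct-tcpip: listening port 3129 for localhost port 3128, connect from ::1 port 55373 (t4 r1 i0/0 o0/0 fd 11/11 cfd -1)
#6 direct-tcpip: listening port 3129 for localhost port 3128, connect from ::1 port 55351 (t4 r2 i0/0 o0/0 fd 12/12 cfd -1)
#7 direct-tcpip: listening port 3129 for localhost port 3128, connect from 192.168.1.20 port 40001 (t4 r3 i0/0 o0/0 fd 13/13 cfd -1)
"""

Channel = Dict[str, object]


def parse_channels(listing: str) -> List[Channel]:
    """Extract direct-tcpip channels; other channel types (client-session) are skipped."""
    channels: List[Channel] = []
    for line in listing.splitlines():
        m = CHANNEL_RE.match(line.strip())
        if not m:
            continue
        channels.append({
            "id": int(m.group("id")),
            "local_port": int(m.group("lport")),
            "remote_host": m.group("rhost"),
            "remote_port": int(m.group("rport")),
            "src": m.group("src"),
            "src_port": int(m.group("sport")),
        })
    return channels


def is_loopback(addr: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1; unparseable names count as non-loopback."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def foreign_clients(channels: List[Channel]) -> List[Channel]:
    """Channels whose client is not on loopback: the forwarded port is reachable
    from other hosts, not just the machine running ssh."""
    return [c for c in channels if not is_loopback(str(c["src"]))]


def unexpected_targets(channels: List[Channel],
                       expected: Tuple[str, int] = ("localhost", 3128)) -> List[Channel]:
    """Channels forwarding somewhere other than the proxy you intended."""
    return [c for c in channels
            if (c["remote_host"], c["remote_port"]) != expected]


if __name__ == "__main__":
    chans = parse_channels(SAMPLE_LISTING)
    print(f"{len(chans)} forwarded channels")
    for c in foreign_clients(chans):
        print(f"channel #{c['id']}: client {c['src']} is not loopback")
```

On the constructed sample the parser finds three channels and reports #7 as a non-loopback client; on the post's real listing it would report none.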

Note: some browsers will try to resolve DNS OUTSIDE the proxy. This can cause things to not work properly, and might allow the owner of the network to see DNS requests for sites that are blocked. This could raise red flags. If you can, block outgoing DNS traffic from your workstation when tunneling your proxy traffic. This should force the browser to offload DNS resolution to the proxy server on the other end of the tunnel.

There are other ways to tunnel out as well, but I won't be covering them. OpenVPN, FreeS/WAN and Hamachi are some other VPN/tunneling solutions worth looking at.
