Find the answer to your Linux question:
Results 1 to 8 of 8
R0lf's Short and Simple SSH Tunneling Tutorial. Kind of. Well... it seems to be fairly popular to try to 'hax0r' your school's web filter. I know that my school's filter ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Nov 2004
    Location
    /dev/null
    Posts
    5

    Finally: The coolest way to bypass filters.


    R0lf's Short and Simple SSH Tunneling Tutorial. Kind of.


    Well... it seems to be fairly popular to try to 'hax0r' your school's web filter. I know that my school's filter it very annoying... I can barely get anything done.

    Anyway, though, I have a very nice way of killing it, and I thought I'd share. Yeah, I know that everything worth the weight in beans could've figured this one out, but. For the n00bs, maybe.

    My first thought was: well, proxy! So I went and set up Squid on my home Slack10 box...that worked well... except, sometimes it finds words it doesn't like (packet filtering). So, I decided a SSH tunnel was in order.

    Now, unless you have a really uber school, they're running Windows. We have new shiny Dells that are running XP...but anyway. Go download PuTTY.

    Fire it up... now, the host name is your server box at home or where-ever running SSH and Squid (ports 22 and 3128, respectivly). Then go down to the "Tunnels" tab.

    We want the 'local' box checked...now...
    Source port can be anything, let's use 999... just for fun.
    Destination needs to be 'localhost:3128'
    Now, click the add button.
    And finally, the open button...

    So when you login (Yeah, did I mention you need an account on this box? Okay.), you set up an encrypted SSH tunnel. These things are cool.

    Now, go into Internet Explorer and find the Connection tab (or equiv.) and set the proxy to Hostname: localhost. The port is 999, remember, we set that up in PuTTY.

    Boom.

    So, what just happened?

    We made it so that everytime the computer you're at is connected to on port 999, it encrypts it, sends it through SSH to the remote linux box, and that box decrypts it and send it to itself on port 3128 (the Squid proxy). This means that between the school computer and the linux box is encrypted, and therefore the filter box (Bess, in my case) only sees encrypted data. Very nice..

    My friend did point out that encrypted data going out of the school network from my account does not look good...luckily, our sysadmin thinks it's funny... which is very good for me

    Thanks guys....hope you can put up with me

  2. #2
    Linux Newbie
    Join Date
    Sep 2003
    Location
    St.Charles, Missouri, USA
    Posts
    201
    I went about solving the problem differently. My first thought was like yours: a proxy. So I set up apache as a proxy to use from school. Only problem is that my admin is 1/2 way compentent and disabled the internet options in explorer so, i went abount the proxy thing differently. I figured that since I could 'see' my home puter w/ apache on it from school I would just install a different kind of proxy. I ended up with a cgi-proxy that goes by the name of nph-proxy.cgi. Very usefull and successfull. Now I can see whatever i want and it looks like its coming from my puter at home!
    Powered by Gentoo
    never ever ever use the hardened option in make.conf!

  3. #3
    Just Joined!
    Join Date
    Nov 2004
    Location
    /dev/null
    Posts
    5
    nice. like, using mod_proxy?

  4. #4
    Linux Guru sarumont's Avatar
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    That's pretty cool. I never really bothered with trying to bypass the school's router when I was there...or the apartment's.

    Thankfully, though, it is useless to me as I'm no longer behind routers not under my control.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  5. #5
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    ok, now for the reverse. how to stop the tunneling.

    that seems pretty easy to do what was outline above

    I don't want to come off wrong but this just seems like a good place to share information and where I work there are some somewhat savvy people who would do the tunnel just as described here.

    any easy way to stop the tunneling.

    as a note, I am in an environment where we use cvs and ssh plenty, so tunneling can't be completly blocked. hardware is cisco and using squid proxy.

    just curious, no one (on the admin side here ) is aware of tunneling besides me so I might keep it quiet, but just for information sake

  6. #6
    Just Joined!
    Join Date
    Nov 2004
    Location
    /dev/null
    Posts
    5
    well, the one i'm most worried about is getting my login account revoked. but, on the other win98 machines, there's always the "Cancel" button, not to mention the non-endorsed-password-cracking techniques readily available elsewere.

    the other option would be to block my IP (of the linux-squid server at my house). this is pretty easy, i would bet they'd do that pretty fast.... of course, then it's a matter of me finding free servers to bounce off. not very hard...

    you could be lame and recompile your SSH clients to not allow tunneling. (not putty, but the command line ones. actually, i dont know if this is possible, or easily accomplished...it's probably possible).

    teach courses on being good. (no, just kidding, april fools)

    anyone else? ideas?

    oh! you can lock settings into IE or Firefox or whatever. don't allow them to change the proxy settings. (also easily circumvented).



    i really dont know of good way of allowing some SSH connections and not tunnels.

    maybe you could disallow port forwarding to specific ports (3128, 80, 8080, etc)...


    sorry, i'm working mainly for the other side

  7. #7
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    Quote Originally Posted by r0lf


    sorry, i'm working mainly for the other side
    and I generally do to. I don't think its possible with the services we have to allow to block those tunnels, because we do have to allow some tunneling

    ohh welll, no biggie.

  8. #8
    Just Joined!
    Join Date
    Mar 2010
    Posts
    1

    Cool

    Well this seems like a good idea, im going back to my old school to help out with a robotics thing. I may try this with my home computer.


    Allow me to offer a possible solution to your worries about getting your account banned.

    Install the linux 9.10 Ubuntu operating system on a 2-4gig flashdrive.

    Bootup from the usb into linux. This allows you to use everything on the computer except the harddrive (Your using the flashdrive's OS and disk space). This bypasses all security relating to installing things. Run your shell system from the linux station.

    There are no user accounts, your booting up from a different operating system.

    They might be able to figure out which computer the information is coming from via internet flow, but the info is encrypted. They cannot track the activity to any specific user account.

    If the administrators disable booting from flashdrives/disks in the bios you cant do this.

    But.... well as we all know if a computer breaks its a pain in the *** if you cant boot from your os disk. It is probably still enabled on most systems.


    This works on mac or windows. on a mac hold down option key before apple logo pops up when starting. On windows hold down f12.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •