Using PuTTY (and SSH) to Bypass Firewalls
Last update: 04/24/03
Subject:
SSH Port Forwarding, and how to use PuTTY to connect to internal hosts without opening more ports on the firewall.
Short:
Attach a local port forward to an existing PuTTY connection. When you launch that connection the local port forward becomes available, and it lasts until you close the PuTTY session. To use the forward, launch another PuTTY window and connect to your local machine at whatever local port you chose for the forward. You will then be connected to your internal machine and have bypassed your firewall.
Long:
Port Forwarding:
SSH provides the ability to do port forwarding that bypasses a firewall's rules. Rather than connecting to the firewall on a separate port, the SSH software carries the forwarded port's traffic along with the standard SSH traffic over the existing SSH port. With a properly configured SSH tunnel, you can connect to a port on your local machine and have all traffic on that port tunneled to the port of a destination machine of your choosing. For example, you set up an SSH port forward from your local machine to a remote mail server; the local port you choose is 2987 and the remote machine and port is mail.blah.com port 25. (This would solve the issue of MSN not allowing users to connect to an alternate SMTP server to send mail.) To send an email without using the MSN servers, you would set up your mail client to use the SMTP server localhost port 2987 (localhost:2987). Now any email you send via localhost:2987 is actually sent to mail.blah.com:25 and handled by the mail server there (if there is one).
Another nice feature of SSH's port forwarding is that the end point of a tunnel can be a machine that is only visible from your SSH server. Example: I call my firewall stratego and my internal-only Linux box risk. In stratego's hosts file there is an entry for risk, so that whenever I am on stratego and want to ping risk, all I have to type is `ping risk` instead of `ping 10.x.x.2`. Ordinarily, if I were to try to connect to risk from work it wouldn't connect, because risk's IP is non-routable. However, when I set up the local port forward in PuTTY, I set the local port to 2000 (on my desktop) and the destination host and port to risk:22. Since the destination of the tunnel is relative to the firewall, I don't need to know where risk is as long as the SSH server does.
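Because the tunnel destination is resolved by the SSH server, it is the server's configuration that decides which internal hosts a login can reach. The fragment below is an added example, not part of the original article: it assumes stratego runs OpenSSH's sshd, and the account name `phil` is a placeholder.

```sshd_config
# sshd_config on stratego (the firewall). Added example, not from the article.

# OpenSSH's default: any authenticated user may forward to any host:port
# that the server itself can reach, including internal-only machines.
#AllowTcpForwarding yes

# Tighter baseline: no forwarding unless a Match block below grants it.
AllowTcpForwarding no

# 'phil' is a placeholder account name.
Match User phil
    # Allow local forwards only, the kind PuTTY's 'Local' option creates.
    AllowTcpForwarding local
    # Allow only the destination used in this article. The value is compared
    # as written with the destination the client requests.
    PermitOpen risk:22
```

The sshd_config(5) manual itself cautions that disabling forwarding does not improve security for accounts that also have shell access, since those users can run their own forwarders.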
PuTTY Setup:
Launch PuTTY and select the session you wish to add a tunnel to.
Open Connection->SSH->Tunnels and fill in values for the Source port (your machine's port) and the Destination machine and port. Remember that the IP is relative to the tunnel's end point, not your machine. Be sure to leave the 'Local' option box checked.
Click 'Add' to save the tunnel.
Return to the 'Session' screen (which is the opening screen) and click 'Save'. Then click 'Open' to launch the connection to your remote SSH server.
To establish the tunnel you must first log in to the remote server.
You're in! Now your tunnel is up.
Launch PuTTY again, and this time set up an SSH connection to your local machine at whatever port you specified in the tunnel setup of the session you just launched. Save this new session if you would like, and then 'Open' it.
Now you should be able to log in to a machine behind your firewalled SSH server.
And you're in!
Conclusion:
With the above information you should now be able to use your existing SSH logins to remote machines to do all sorts of fun stuff. This document discussed a couple of options, SSH logins and email routing, but these are only a few of the many things you can do. If you would like further information about SSH Port Forwarding, I suggest checking out the links in the Resources section and/or giving your favorite search engine a whirl.
Author:
(me) Phil Schultz (boro at borosenclave dot com)
Resources:
SSH Homepage
http://www.openssh.com/
SSH Tunneling part 1 - Local Forwarding, by Brian Hatch.
http://www.hackinglinuxexposed.com/articles/20030228.html
SSH Tunneling part 2 - Remote Forwarding, by Brian Hatch.
http://www.hackinglinuxexposed.com/articles/20030309.html
SSH Tunneling part 3 - Where does the crypto end?, by Brian Hatch.
http://www.hackinglinuxexposed.com/articles/20030316.html
