Skip to main content

SSH Tunnel for TCP ports

Recently I was TDY to Kadena AB, and the 18FSS there has some ridiculous rules for the base Internet, both in billeting, and anywhere they provide service across the base (like at the clubs, BX, etc).    Here's their idiotic restrictions:
1) They block any trusted DNS server... you have to use their router as a DNS server, and any port 53 queries to another (trusted) DNS server are blocked
2) They block all ICMP, so you can't traceroute your connection to see where it's going
3) They implement not just web proxying, but full TCP proxying... To get around #2 above, I tried to run a TCP traceroute, but they blocked this attempt by proxying, and disconnecting, my TCP scans.
4) They blocked my OpenVPN tunnel
5) They block MagicJack, which really got under my skin because I couldn't use it to call home
6) They blocked the email from Google, Yahoo, Comcast, GoDaddy, and Microsoft, which was on ports 993, 465, 25, etc.  
7) They blocked my access to the security cameras at home so I couldn't check on my house
8) Of course, they did dirty word/URL searches, and blocked any 'hacking' or numerous other sites.

Basically, they blocked anything not on port 80 or 443, and even those ports were proxied and filtered.   This is just unacceptable.  I complained, as I suggest anyone who visits should.  

How could one get around such an incredulous setup?  SSH to the rescue.  SSH didn't work for my OpenVPN VPN, as I have a UDP VPN, and I'd have to get a UDP to TCP setup using socat or something, which I didn't have set up before I left, so I was screwed for my UDP OpenVPN VPN.   

However, for TCP connections, you can proxy all connections to your local box, and push them through a SSH tunnel, where they'd jump off from your ssh server and go back to their normal port.  So let's say my OpenVPN VPN tunnel was a TCP vs UDP tunnel.  Then the command for this is:

#ssh root@dns-of-choice.org -p 443 -L 1194:localhost:1194 (port:host:hostport, if you want to change ports)

I could then build a TCP tunnel to myself on the localhost port 1194, and fire up my tunnel.  It would go outbound on port 443 to my ssh server, where it would get turned back to 1194 and sent to the destination VPN server.   

If you wanted to have SSH tunnel from the Remote host to the Local host instead of the other way around, the command would be:

#ssh root@dns-of-choice.org  -p 443 -R port:host:hostport  

Comments

Post a Comment

Popular posts from this blog

HP c6180 Printer and Vista

Hp c6180 driver issues with Vista Home Premium My wife has a Vista Home Premium laptop, and the HP C6180 Photosmart printer keeps disappearing from her available printers.  The only way I've found to fix the problem is to reinstall all the HP software. When I do this, I have to download the (large..507M software from HP, or reinstall the printer (ONLY the printer, not the scanner) with the installation disk, as the drivers are not discovered with a "Windows Update" setting.  My guess is that is because HP doesn't like people to install only the printer driver, which would be easy, but they want folks to install all their crapware as well, so they are withholding the drivers from the on-line Microsoft printer database.  So keep your installation CD!  I've also found that unless I install everything on the CD or in the Full Version download (HP Customer Participation Program, HP Imaging Device functions, HP OCR SW, HP All-In-one SW, HP Photosm...
27 comments
Read more

atftpd vs tftpd-hpa

Recently I was trying to tftp files from a Windows computer to a Kali box.   One version of Windows worked, but another didn't.    After much troubleshooting, here were my symptoms: I could tftp a file from-to any Kali box from-to another Kali box I could NOT tftp files to a specific Windows 7 box from any Kali box I could NOT tftp files to a Chrooted-Ubuntu-Chromebook box from a Kali box After MUCH troubleshooting, going through every setting in atftpd, it seemed like it literally was a client OS problem.  Different clients simply would not download files---unacceptable. Thus, I switched to tftpd-hpa.   To install: apt-get install tftpd-hpa files go to/come from /srv/tftp, but it needs to be a tftp user. Thus, I needed to: chroot -R /srv/tftp Also, if you want to be able to put files ON the tftp server (from a client), you need to modify /etc/default/tftpd-hpa: change "TFTP_OPTIONS="--secure"  to "TFTP_OPTIONS="--secure --create" ...
Post a Comment
Read more

Security Onion on the Antsle

My Setup of Security Onion on the Antsle: Recently my IDS box, an Intel Atom D2500 Fanless Mini-ITX PC, D2500CCE, died.  Truth be told, I think it came from the factory in a bad state, as I originally thought I had a bad graphics driver, but I then noticed that, after much troubleshooting, it wasn't a driver issue at all.  The box just sometimes wouldn't boot up correctly with video.  It seems heat related, something like not enough thermal paste on the CPU, as after it is powered off for a while it is more likely to boot than when it is warm.  Along with that issue, this box maxed out at 4GB of RAM (only has 2 memory slots, each of which will only take a 2GB card max) and had a single processor, so it was under powered for Security Onion. So, I decided to quit limping along on P.O.S. boxes, and buy a little more heavyweight box for my networked IDS.   Security Onion requires a minimum of 8GB of RAM, and 4 cores per their specs page htt...
Post a Comment
Read more