If you cannot use a SSH client to bypass the firewall (403 error, connect command not allowed) you can use GNU httptunnel to bypass the firewall. I personally use httptunnel to bypass TRANSPARENT FIREWALLS.
As an example we forward again the Windows Remote Desktop (port 3389).
We use the same scenario as in the SSH 3 article:
There is a RemoteServer in a large company behind a Firewall. You own the MiddleServer, a public available SSH server. Last but not least there is your Workstation — you want to control the RemoteServer from this machine.
MiddleServer:
Start HTTPtunnel on MiddleServer, forward port 80 (incoming) to local SSH Port:
1 | # hts –forward-port localhost:22 80 |
RemoteServer:
Start HTTPtunnel client, forward local port 900 to MiddleServer port 80 (make sure your Web Server is NOT running!):
1 | # htc –forward-port 900 –proxy HTTPProxy:8080 MiddleServer:80 |
News, 18.10.2006:
———————–
New w32 package available, change log:
–compiled with latest cygwin1.dll (v1.5.21)
–including latest cvs version
–included debug builds (for stable and cvs build)
[ad#AdBrite-Text]
Get the updated version: Download GNU httptunnel Windows binaries (v3.3)r2.
Get the old version: Download GNU httptunnel Windows binaries (v3.3).
As GNU httptunnel traffic is not encrypted we create a SSH tunnel in our httptunnel tunnel…:Again we use the same settings for our Putty sessin as in the SSH 3 article:
On the RemoteServer, start a SSH session to the MiddleServer. Change to the “Tunnels Tab” and enter the REMOTE forwarded port:
BUT the SSH server is of course localhost:900 (through the httptunnel).
Now start a session from your Workstation to the MiddleServer:
And now fire-up the Terminal Server Client (mstsc.exe):
Now you control the RemoteServer without change any firewall rules…Its important that you can use only 1 httptunnel per port! Another Hint: the logging goes to the Windows application log!
IMPORTANT: httptunnel does NOT support NTLM proxy authentification!
Another example:
Server (Linux):
1 | # ./hts –no-daemon –D4 –forward-port localhost:22 80 |
Client (Windows):
1 | > htc –no-daemon –D4 –PPROXYSERVER:8080 –F 8888 YOUR-PUBLIC-SERVER:80 |
When you use debuglevel you migth see those keep-alive messages:
1 2 3 4 5 6 7 8 9 | tunnel_write_request: TUNNEL_PAD1 tunnel_read_request: TUNNEL_PAD1 poll() timed out tunnel_write_request: TUNNEL_PAD1 tunnel_read_request: TUNNEL_PAD1 poll() timed out tunnel_write_request: TUNNEL_PAD1 tunnel_read_request: TUNNEL_PAD1 poll() timed out |
After x seconds, the connection will close and re-establish itself:
1 2 3 4 5 6 7 8 9 10 11 12 13 | tunnel_write_request: connection > 300 seconds old tunnel_write_request: closing old connection tunnel_out_disconnect: warning: bytes=4278 != content_length=102400 tunnel_out_disconnect: output disconnected tunnel_out_setsockopts: non-fatal SO_SNDLOWAT error: Protocol not available tunnel_out_setsockopts: non-fatal SO_SNDLOWAT: 0 tunnel_out_setsockopts: SO_LINGER: onoff=1 linger=2000 tunnel_out_setsockopts: non-fatal TCP_NODELAY: 1 tunnel_out_setsockopts: SO_KEEPALIVE: 1 http_write_request: POST http://1.2.3.4:80/index.html?crap=1161192374 HTTP/1.1 tunnel_out_connect: output connected tunnel_write_request: TUNNEL_PAD1 |
From the httport faq:
Q: When I use SSH (or VNC, or
A: Your httptunnel connection has failed on the client end (possibly due to network congestion), but the server end has not recognized that the connection has been lost and won’t allow another connection until the first connection times out. To establish a more stable tunnel, try experimenting with the various options for the htc and hts programs. The following settings seem to work pretty well for me, but your mileage may vary:
1 2 3 | hts –S –max-connection-age 20000 –F localhost:22 8890 htc –F 8890 –strict-content-length –B 5k –max-connection-age 2000 –P proxy.mycompany.com:8080 10.1.1.1:8890 |
Links:
http://www.nocrew.org/software/httptunnel/faq.html (GNU httptunnel faq)
http://www.nocrew.org/software/httptunnel.html (GNU httptunnel home)
http://sebsauvage.net/punching/ (GNU httptunnel how-to)
21 Comments
1 locusok wrote:
haha thanks
2 Thejipster wrote:
You need to set the HTTP keepalive option in Putty to keep an HTTP session going, otherwise you would loose the connection after a pre-defined timeout interval set by the proxy.
3 Lorenzo wrote:
Don’t know why, but it seems the version of cygwin that comes with the latest openssh does not work along with the one who comes with httptunnel.
At beginning, i used httptunnel alone and it seemed to work. After that, I tried installing OpenSSH, and then httptunnel began complaining about it having an older version of cygwin1.dll.
Following the on-screen suggestions, I’ve updated to the latest cygwin from cygwin.com and updated all the .dll to the latest rev..
Now .. there’s no way to make httptunnel to work: when I launch HTS, it just hangs.
removing-Reinstalling cygwin does not solve the issue.
Please, give me some advice, thanks!
4 michu wrote:
you could use openssh and httptunnel in different directories, windows allways looks in the current directory for the dll.
5 Lorenzo wrote:
I fixed the issue (installed on fresh machine) but…
whenever I use SSH or openvpn (in tcp of course) HTC process dies.. any hint?
(using the same cygwin1.dll that came with it)
6 Michu wrote:
You could use filemon from sysinternals to check if you miss some files…
7 Lorenzo wrote:
Hi
I’m sure I’m not missing any file because the HTTPTunnel does actually work, as long as I don’t use it for ‘complex’ traffic like SSH or OpenVPN.
The process remains alive until I open Putty and connect to the localhost:forwardedport or openvpn (same), at wich point HTC simply disappears from the process list (and the tunnel closes of course..)
Thanks!
8 michu wrote:
I will release a debug build of htc, this should help to trace some issues
9 Lorenzo wrote:
Thanks for the new build! I’ll try it immediately and I’ll let you know as soon as possibile.
Again: thanks!
10 Lorenzo wrote:
It seems I had just overlooked the fact that HTTPTunnel does not support NTLM authentication.. and this caused all of the problems.
A shame, since most firewalls are ISA and they do require NTLM auth.. any chance of having it implemented?
Thanks again!
Lo.
11 michu wrote:
You could try to use a NTLM proxy: http://apserver.sourceforge.net/ (old website: http://www.geocities.com/rozmanov/ntlm/). Good luck!
12 raleks wrote:
http://slashstar.com/blogs/dave/archive/2006/11/27/SSH-Tunneling-_2800_on-Windows_2900_-with-OpenSSH-and-Putty-through-an-HTTP-proxy-.aspx
Just find how to tunneling without HTTP proxy :) Have fun! Thanks to Dave!!
13 StarTroll wrote:
I’m trying to get through my company firewall. Until recently I could just use PuTTY to set-up a connection to my home sshd and everything was fine. But now the proxy’s configuration has been changed. It seems that the proxy blocks the http_connect command. And it also uses NTLM authentication.
So, I’ve installed CygWin on my WinXP work PC. In CygWin I’ve installed NTLMAPS, which creates a ‘normal’ HTTP proxy. NTLMAPS connects to the company proxy. This sort of transforms the NTLM proxy into a regular one. My plan was to use HTTPTunnel to connect to my home server (running hts) through the NTLMAPS proxy. This way, I can still use HTTPTunnel (which doesn’t understand NTLM) to bypass the http_connect restriction.
The NTLMAPS proxy works, I can have my Firefox connect through it and receive pages (although it’s slower of course than directly through the company proxy).
But, like Lorenzo, when I try to have ssh use the hts-htc tunnel, the htc client dies with any error message. Seeing the htc is connected to NTLMAPS, it shouldn’t see the NTLM authentication at all, so I doubt Lorenzo’s conclusion is correct, I fear that there is a different problem.
Does anyone have an idea?
14 Adam wrote:
Having similar problems trying to connect through an ISA proxy… any chance you could post a link to your Visual Studio project files & Windows source to allow us to debug more fully?
15 michu wrote:
hey adam, there is no vs project file as this is a cygwin port. I guess you have some ntlm issues, you need to authenticate yourself on the isa proxy…
16 h3liburton wrote:
How can I lunch my home server behind restricted firewall and router to Internet use by your HTTP tunnel without touch router and firewall.
17 michu wrote:
… lunch your homeserver?
18 miser wrote:
I personal use super network tunnel, can find it at http://www.networktunnel.net, it’s more easy.
19 Martik Panosian wrote:
Can I use this to bypass the filtering? im in iran
20 michu wrote:
HTTPtunnel itself does NOT encrypt your network traffic — so the answer is NO. But if you use HTTPtunnel with SSH the answer is YES.
21 Eddie wrote:
I’ve got the server and client running in debug mode and the last line in the client reads:
http_write_request: GET /index.html?crap=1313771171 HTTP/1.1
On the server side the last line reads:
connection from 123.456.789.100:12101
…and just sits there doing nothing. Any idea what is happening?
I’ve tried using Telnet to emulate the client and I get a full response when I manually type in an HTTP GET request.