Recently I had the privilege of working on a short term contract in the Middle East, and the Internet access where I was based was severely filtered.
The extent of the filtering was not just at web browser level but also across other common protocols such as email, FTP and even some socket level applications. This posed a problem for me in several ways, one of the main ones being that I was having difficulty sending and receiving updates for a website that I'm the technical lead for, because words matched the filters in my emails, and certain articles posted to said site by its users stopped pages from being browsed.
This got me to thinking about using some kind of encryption to prevent the filters picking up my traffic and effectively bypassing the filters, thus allowing my traffic to get through unaffected.
The solution to my problem was to use SSH tunnels.
"What is an SSH tunnel?" I hear you ask. Put simply, an SSH tunnel is a direct link from your PC that you sit in front of (we shall call this the Client) and a remote machine at an entirely different location preferably outside the control of the filtered zone.
In order to build this solution, you'll need the following:
- A private server to which you have super user access either via console, or SSH
- A client PC onto which you have permission to install software
- Public Internet connections in the 2 respective locations
Step 1 - Setting up the server
Set your server up with any software you require to perform the tasks you wish to achieve. For me, this meant I wanted to send and receive my email, I wanted to access my development host and databases, and I wanted unfiltered access to the web in general.
To achieve this, I installed the following packages onto a Dell PowerEdge server running Ubuntu Linux 7.10 server addition:
I also made sure that my copy of Apache had PHP capabilities, and installed phpMyAdmin into the web server root to allow me to access my database servers. I also installed "webmin" to allow general admin of the server.
Once you have the required packages installed, set up the server packages to operate locally (As though you where using the server from your location), for me this meant the following:
Setting up sshd (the open SSH Daemon) to listen on standard SSH port 22 ready to accept interactive command line logins.
Setting up Postfix, listening on the standard SMTP port of 25 and accepting email for a local addresses within it's domain.
Setting up Dovecot to listen on the standard POP3 port of 110, and to make available the standard mailboxes of any user registered on the system.
Setting up Squid to allow unauthenticated web proxy access via the servers public internet connection from clients connecting to port 8080.
Setting Apache to listen on standard web port 80, and installing PHP MyAdmin in a folder on the web server called DBA.
Installing webmin, and having it listen on its default port of 10000.
Finally once you have all your software set up, you need to ensure there is ONE single inbound port forward of your choice to the SSH port on your server machine. For this solution, I picked a random high port of 9000 (when doing things like this, it's always a good idea to stay away from common port ranges that script kiddies will use automated tools to find). I punched a port forward through the routers firewall from port 9000 on my inbound IP to port 22 on the servers IP address inside the network.
Page 2: Setting up the client