work firewall blocking linode port - SSH tunneling?
am i correct in thinking that i can set up an ssh tunnel to allow me to bypass the firewall and get to my linode? i must have looked at a zillion tutorials and tried an equal number of command line options, but i cannae get any of them to work. could some kind soul tell me where i'm going wrong, please?
[let's say the ssh port on my linode is '3456']
i've tried:
ssh -f -L 80:my-linode-IP:3456
ssh -f -L 80:username@my-linode-IP:3456
ssh -f username@my-linode-IP -L 80:my-linode-IP:3456 -N
ssh -L 80:my-linode-IP:3456 -l username my-linode-IP:3456 -N
… and about every other combination possible! but i havenae stumbled on the right one yet. i always get a "connect to host my-linode-IP port 22: Connection refused" error
if it makes any difference, my linode is also set up to use authentication via publickey [no password login allowed]. i've not found anything relating to ssh tunnelling that mentions this aspect at all.
8 Replies
ssh -p 3456
If your connection's still refused, check that ssh (on your linode) is actually listening on that port (netstat or similar); and that your firewall/iptables agree.
And of course, don't forget your logs – they can be full of all sorts of useful information.
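The reply above says to confirm on the Linode that sshd really listens on the custom port before blaming the tunnel. The script below is an added example, not code from the thread: it parses `ss -tlnp` output (a constructed sample is embedded so it runs offline) and reports which process, if any, holds the port, which is the server-side counterpart of the "Connection refused" the original poster sees. With a single argument it runs `ss` on the host it is executed on.

```shell
#!/bin/sh
# Constructed sample of `ss -tlnp` output, standing in for what the Linode
# would print; not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:3456        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:3456           [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      511    127.0.0.1:80        0.0.0.0:*         users:(("nginx",pid=900,fd=6))'

# listening_on PORT [SS_OUTPUT]: print the name of each process with a TCP
# listener on PORT, one per line; return 1 when nothing listens there.
# With one argument it runs `ss -tlnp` itself; pass text as $2 to examine
# output collected elsewhere (or, as below, the constructed sample).
listening_on() {
    port=$1
    if [ $# -ge 2 ]; then input=$2; else input=$(ss -tlnp 2>/dev/null); fi
    printf '%s\n' "$input" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")          # text after the last ":" is the port,
            if (a[n] != p) next            # which covers 0.0.0.0:P and [::]:P
            found = 1
            if (match($0, /"[^"]+"/))      # first quoted token is the process name
                print substr($0, RSTART + 1, RLENGTH - 2)
            else
                print "(unknown: run ss as root to see the process)"
        }
        END { exit found ? 0 : 1 }'
}

# check_sshd_port PORT [SS_OUTPUT]: one-line verdict. "Connection refused" on
# the client means nothing accepted the SYN, so an empty result here is the
# first thing to rule out, before looking at iptables or the work firewall.
check_sshd_port() {
    if procs=$(listening_on "$@"); then
        echo "port $1 is open, handled by: $(printf '%s\n' "$procs" | sort -u | paste -s -d ' ' -)"
    else
        echo "nothing listens on port $1; check Port in sshd_config, restart sshd, then iptables"
        return 1
    fi
}

# Demonstration against the constructed sample (on the Linode: check_sshd_port 3456).
check_sshd_port 3456 "$SAMPLE_SS"
check_sshd_port 22   "$SAMPLE_SS" || :
```

If the port is open here but the client still gets "Connection refused", the refusal is coming from something in between (the work firewall replying with a reset rather than silently dropping), which is what the rest of the thread is about.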
ssh -p 443 <linode_address>
saves having the network thought police wondering what all that encrypted traffic is doing on one of their allowed ports.
@mjrich:
Are you sure you actually need a tunnel ? If it's only to log in via ssh, just use
ssh -p 3456
yes. the linode is listening on that port and that's how i connect from home. but the firewall at work is blocking outgoing traffic to all but a couple of ports….
@pclissold:
…If your work is anything like mine, they block pretty much everything except 80, 443…
… those very ones in fact.
@pclissold:
….Configure your sshd to listen on port 443…
…saves having the network thought police wondering what all that encrypted traffic is doing on one of their allowed ports….
i could do that, but then that removes the supposed advantage of running sshd on an obscure custom port, which all the linode setup tutorials advise me to do.
i'm not too bothered about the 'network thought police' as such. i've got a genuine work-related reason for wanting to be able to connect to my linode from behind work's firewall, from time to time. so i doubt i'll get my knuckles rapped over it. i just thought if i could set up a tunnel, it would be less hassle [and several ice-ages quicker!] than trying to convince some network manager to open port 3456 for me.
in spite of all i've read on this, i'm not really sure that i've got the right end of the stick as to whether a tunnel can do what i want or not. most of the examples i've read tend to refer to things like connecting securely to read your email, while connected to an insecure network in a hotel or cybercafé. so i'm finding it confusing, trying to relate it to my situation.
so is it even possible?…
i connect out from work through one of the open ports [80 or 443] and by the magic of ssh tunnelling it gets delivered to my linode on port 3456
assuming i ever get this one working, my next idiotic question is going to be about tunnelling into my work computer from outside the firewall.
@madra:
i could do that, but then that removes the supposed advantage of running sshd on an obscure custom port, which all the linode setup tutorials advise me to do.
It's just that – a supposed advantage. Use your firewall to restrict what IPs can connect to port 443.
@madra:
i connect out from work through one of the open ports [80 or 443] and by the magic of ssh tunnelling it gets delivered to my linode on port 3456
If it goes out of your work on port 443, it arrives at your Linode on port 443. The intervening routers just pass it along. SSH tunnelling can't change that.
@madra:
assuming i ever get this one working, my next idiotic question is going to be about tunnelling into my work computer from outside the firewall.
You'll need to set up a VPN from your work computer to your Linode. Inbound connections to your work gateway router(s) on 80 and 443 will be routed to servers in their DMZ (or blocked), so the connection must be established from inside the firewall.
Now, if they block port 22 as well, I think you're pretty much boned.
@hoopycat:
Now, if they block port 22 as well, I think you're pretty much boned.
Use 443, key-based authentication and (optionally) firewall restrictions to control which IPs can access 443. Works for me.
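Putting the advice of the last two replies together (sshd also on 443, key-only login, source-address restriction on that port, and the point that the port you dial is the port the packet arrives on), the script below is an added example and not code from anyone in the thread. It prints the three pieces rather than installing them: an sshd_config fragment, iptables rules, and a client-side `~/.ssh/config` stanza. The address ranges are constructed placeholders, the drop-in path assumes an sshd_config that includes `sshd_config.d`, and it assumes the usual ESTABLISHED,RELATED accept rule is already early in the INPUT chain.

```shell
#!/bin/sh
# Placeholder values (constructed, not from the thread): the office's public
# address range and the home address that should also reach sshd on 443.
WORK_NET=203.0.113.0/24
HOME_IP=198.51.100.7/32

# sshd_dropin PORT...: print an sshd_config fragment that adds a listener on
# each PORT (Port lines accumulate, so the existing custom port keeps working)
# and leaves public-key login as the only method. Save it as
# /etc/ssh/sshd_config.d/10-ports.conf where the main config includes that
# directory, otherwise append it to /etc/ssh/sshd_config; run `sshd -t` before
# restarting so a typo cannot lock you out.
sshd_dropin() {
    for p in "$@"; do printf 'Port %s\n' "$p"; done
    printf '%s\n' 'PubkeyAuthentication yes' \
                  'PasswordAuthentication no' \
                  'ChallengeResponseAuthentication no' \
                  'PermitRootLogin no'
}

# allow_rules PORT CIDR...: print iptables commands that accept new TCP
# connections to PORT from the listed networks and drop any other new
# connection aimed at it. Order matters: these are appended, so an earlier
# blanket "accept 443" rule would still win.
allow_rules() {
    port=$1; shift
    for net in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port" "$net"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j DROP\n' "$port"
}

# apply_rules PORT CIDR...: actually install them (root on the Linode).
apply_rules() { allow_rules "$@" | sh; }

# client_stanza HOST USER KEYFILE: a ~/.ssh/config entry so that from work a
# plain "ssh linode-via-443" carries port, user and key. The Port here is what
# sshd on the Linode must listen on; nothing in between rewrites it to 3456.
client_stanza() {
    printf 'Host linode-via-443\n  HostName %s\n  Port 443\n  User %s\n  IdentityFile %s\n  IdentitiesOnly yes\n' "$1" "$2" "$3"
}

# Demonstration: show what would be installed instead of installing it.
sshd_dropin 3456 443
allow_rules 443 "$WORK_NET" "$HOME_IP"
client_stanza my-linode-IP username '~/.ssh/id_ed25519'
```

Keeping 3456 in the drop-in alongside 443 means the home connection described earlier in the thread keeps working unchanged, and the DROP rule only narrows who may open a session on 443; the key-only settings are what actually stop password guessing once the port is a well-known one.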