
            RTCubed Consulting, LLC
Tunneling PuTTY through a Firewall

January 7, 2005
By Robert Thoelen III
Principal Software Engineer
RTCubed Consulting, LLC


I've noticed quite a bit of interest in how to tunnel through firewalls. Let me say this upfront: I feel your pain. IT departments are increasingly locking down more and more things, which means that those of us who do have legitimate uses of information services for our jobs get squashed when we are behind corporate firewalls. For example, I once tried to get to www.insecure.org, to download nmap. The company blocked the site, but I was trying to get it to scan the machines I administrated, just to verify that I didn't have security holes in my Linux systems.

The definitive 411 on how to get what you need

At the end of this article, you will be able to configure PuTTY to get you through basic firewalls. Plus, you will have information to get you through difficult circumstances when things are really locked down. I've used these techniques successfully to get files that I needed from blocked sites, use the Windows Remote Desktop Client to administrate a server remotely, and run X Window System clients remotely and securely.

The Basics

First, download yourself a copy of the development snapshot of PuTTY. Even though they are not official releases, I've never had a problem. You want all the extra features that the development copy provides. Next, start the program, and look on the left side, where there is a menu tree. Find "Connection", and then look for "Proxy" as a sub-menu underneath that. If your school or business manually sets up your internet browser, you can find the information you need to enter here. If they use an automatic script to configure your proxies for Internet Explorer, you can download that script, and then look through it (it is a text file). The proxy name and port can be found in this file.

Now, you will need a machine to connect to. I'm assuming that you have a Linux box set up at your house or somewhere else. You can then type that information into the "Session" menu of PuTTY, save it as a "Saved Session", and then press the "Open" button, and let things fly. Hopefully, this is all you need to make a connection. If so, you're in business!

Sometimes, it is not that easy. Your proxies may block ports other than https, for security reasons. If so, on your Linux server at home, type "sshd -p 443", or configure it to run this command every time at startup. Note: This only works if you are not running a secure HTTP server on your machine, and quite possibly may not work if your ISP blocks incoming ports like Mail (25), HTTP (80), or HTTPS (443). You may be forced to make a decision, such as upgrading your DSL or Cable Modem service to a business account, to allow these ports to pass through to your home machine. If you are sure that your incoming ports are not blocked through your ISP, then configure PuTTY for SSH as mentioned above, but change the port for SSH to 443 in the "Session" menu. Most proxies will not block port 443, because if they do, then secure HTTP connections will not be possible.
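
Seen from the proxy side, SSH on port 443 stands out in the first bytes of the tunnel: an SSH endpoint sends a plain-text "SSH-2.0-..." identification string, while HTTPS begins with a TLS handshake record. The Python below is an added example, not part of the original article; it assumes the proxy or a sensor records the first payload bytes of each CONNECT tunnel in both directions, and the record fields, addresses and banners are constructed for illustration.

```python
import re

# RFC 4253 identification string, e.g. "SSH-2.0-OpenSSH_3.9p1"
SSH_ID = re.compile(rb"SSH-\d\.\d+-[\x21-\x7e]+")

def classify(first_bytes: bytes) -> str:
    """Label the opening bytes of one direction of a stream: ssh, tls or unknown."""
    # A server may send free-text lines before its identification string,
    # so test every line in the captured prefix, not just the first.
    for line in first_bytes.split(b"\n"):
        if SSH_ID.match(line):
            return "ssh"
    # TLS record: type 0x16 (handshake), major version 0x03, and at offset 5
    # the handshake type 1 (ClientHello) or 2 (ServerHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] in (1, 2)):
        return "tls"
    return "unknown"

def review_connect_tunnels(tunnels):
    """Return (client, dest, verdict) for every port-443 tunnel that is not TLS."""
    findings = []
    for t in tunnels:
        if t["dest"].rpartition(":")[2] != "443":
            continue
        labels = {classify(t["from_client"]), classify(t["from_server"])}
        verdict = "ssh" if "ssh" in labels else "tls" if labels == {"tls"} else "unknown"
        if verdict != "tls":
            findings.append((t["client"], t["dest"], verdict))
    return findings

# Constructed sample records (documentation addresses, invented banners).
SAMPLE = [
    {"client": "10.0.0.5", "dest": "shop.example.com:443",
     "from_client": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
     "from_server": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"},
    {"client": "10.0.0.9", "dest": "203.0.113.7:443",
     "from_client": b"SSH-2.0-ExampleClient_1.0\r\n",
     "from_server": b"SSH-2.0-ExampleServer_1.0\r\n"},
    {"client": "10.0.0.12", "dest": "198.51.100.20:443",
     "from_client": b"",
     "from_server": b"Welcome to home\r\nSSH-2.0-ExampleServer_1.0\r\n"},
    {"client": "10.0.0.14", "dest": "192.0.2.44:443",
     "from_client": b"GET / HTTP/1.1\r\n", "from_server": b""},
]

if __name__ == "__main__":
    for finding in review_connect_tunnels(SAMPLE):
        print(finding)
```

The third record covers a server that prints a greeting line before its identification string, and the fourth shows that anything on port 443 that is neither TLS nor SSH is still reported for review.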

Strategies for doing something useful

Okay, you logged in successfully. Now what can you do? Well, if you are running an X Window System server on your end, and you check the "Enable X11 forwarding" box under the "Tunnels" menu in the "SSH" menu of PuTTY, you should be able to start all your favorite programs that use X11, and view them on your end. If you have a decent high-speed connection, this should work pretty well. Best of all, it's encrypted, so your actions ought to be private.

You can also establish connections to other Windows machines on your home network that may allow "Remote Desktop" connections. The port for this is 3389. To make this work, first install the Remote Desktop client software on the machine with PuTTY. Then, load up your "Saved Sessions", and go to the "Tunnels" page of PuTTY. Add a source port of "3389", and for a destination, type the IP address or name of the computer on your local network, followed by a colon and the port number. Example: johndoe:3389. When you connect to your remote machine with PuTTY, as long as you stay connected, you should then be able to go to your Remote Desktop client, and point it to "localhost", and everything should work fine.

This technique applies to just about any TCP based function, such as VNC, Windows shared drives, etc. Once you get the hang of configuring tunnels, you'll realize that you now have access to essentially everything that you need.

Conclusion and Disclaimer

I want to be very clear about this: You are responsible for your own actions, and please don't do illegal things with this. I'm publishing this step-by-step guide, because I'm tired of seeing engineers halted in their tracks from doing legitimate business work, simply because IT policies control everything they do. It's very hard to work as an engineer or computer scientist with one hand tied behind your back, especially when the Internet is your source of up-to-date information. Businesses demand results and answers NOW, not when someone finally gets around to unblocking a website that you have a business need to get to.
