How to bypass firewall to connect to a proxy server?

2

2

I am conducting a small experiment on my office network. I have set up a proxy server on my desktop machine (connected to my LAN) and I have volunteers access the internet via my proxy server. Everything is working well. The problem is people cannot connect to the proxy server through their laptops. I asked my network admin and he said the wireless network has a firewall which prevents users from connecting to my proxy. He said I could tunnel the traffic or use SSH though. I am afraid I do not understand fully what is going on. Is there a way by which users connected on the wireless network can connect to my desktop?

I am using FreeProxy on Windows as my proxy server: http://www.handcraftedsoftware.org/index.php?page=download

FreeProxy allows me to create a SOCKS 4/4a/5 proxy. Is that what I need? Part of the experiment involves logging the URL requests of the users. I am doing a measurement study. So, any solution must allow me to log the URL requests of users. Also, what changes do I need to make in the browser configuration?

Bruce

Posted 2011-11-16T23:36:25.763

Reputation: 2 067

Answers

2

SSH uses TCP port 22, so just set up your proxy client and destination proxy server to listen on TCP port 22 and that should resolve your problem because your network administrator has implied that there is a firewall exception for TCP port 22.

(+1 for an interesting question, and also especially for getting permission from the network administrator before attempting to bypass the firewall.)

Randolf Richardson

Posted 2011-11-16T23:36:25.763

Reputation: 14 002

2 Heh. Sneaky approach. – Paul – 2011-11-16T23:55:44.460

@Paul: Actually, it's not uncommon for people to use non-standard port numbers for specific services like proxying. The network administrator implied that TCP port 22 is open by indicating that SSH could be used for the proxy, so I read that as approval of implicit permission to use TCP port 22 for proxying. You're right about it being "sneaky" (+1 for you) in the more typical situation where permission isn't granted. =D – Randolf Richardson – 2011-11-17T00:03:43.057

1 Oh for sure, I meant a sneaky approach to solving the problem rather than going through an ssh tunnelling explanation, which is what I was about to take a deep breath and try to do. – Paul – 2011-11-17T00:12:19.827

@Paul: Oh, sorry, I missed that (that's wonderful, thank you!). Of course, one of the downsides to using such a well-known TCP port such as 22 is the ridiculously high number of viruses, bots, and spammers searching for open SSH ports to hack and exploit (one really good alternative that I strongly recommend is to limit which IPs can make connections and just completely ignore all other attempts to connect, but this isn't always practical if the user doesn't have a static IP). – Randolf Richardson – 2011-11-17T00:20:47.890

@Paul: Can you take a deep breath and try and explain to me what is going on? I really want to learn more about this. If nothing else, can you please provide me links to articles/blogs/books which I can read to understand this. – Bruce – 2011-11-17T00:51:27.470

1 @Randolf: Thanks a lot. It worked like a charm! – Bruce – 2011-11-17T00:51:46.330

@Bruce: You're welcome. If you used SSH to do the proxying, then you'd need an SSH client (that your web browser would connect to locally) and an SSH server (which the SSH client would connect to) to accomplish this. By just using the SSH port for proxy service you've simply eliminated the need to additionally use an extra SSH client and server. (The SSH solution would work very well also, but would also be more complicated to set up.) – Randolf Richardson – 2011-11-17T00:54:56.967

1 @Randolf: That is great because I wanted to make minimal changes in my participants' terminals. This is a very elegant solution. – Bruce – 2011-11-17T00:59:46.053
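Added example, not part of the original thread: a firewall exception keyed on the port number does not check which protocol is spoken on that port. This Python example shows how a network defender could tell real SSH on port 22 from an HTTP or SOCKS proxy by the first bytes a client sends; the flow tuples and addresses are constructed sample data, and the function names are hypothetical.

```python
import re

# Request line of an HTTP proxy client: METHOD SP target SP HTTP/x.y
HTTP_REQ = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n")
# Identification string every SSH peer sends first (RFC 4253, section 4.2).
SSH_ID = re.compile(rb"^SSH-(2\.0|1\.99|1\.5)-[\x21-\x7e]+( [^\r\n]*)?\r?\n")


def classify_first_bytes(data: bytes) -> str:
    """Guess the protocol from the first bytes a client sends."""
    if SSH_ID.match(data):
        return "ssh"
    if HTTP_REQ.match(data):
        return "http-proxy"
    # SOCKS5 greeting: VER=5, NMETHODS, then exactly NMETHODS method bytes.
    if len(data) >= 3 and data[0] == 5 and data[1] >= 1 and len(data) == 2 + data[1]:
        return "socks5"
    # SOCKS4/4a request: VER=4, CMD=1|2, port(2), ip(4), userid, NUL.
    if len(data) >= 9 and data[0] == 4 and data[1] in (1, 2) and b"\x00" in data[8:]:
        return "socks4"
    return "unknown"


def flag_non_ssh(flows, port=22):
    """Return (src, verdict) for flows to `port` whose payload is not SSH."""
    hits = []
    for src, dport, payload in flows:
        verdict = classify_first_bytes(payload)
        if dport == port and verdict != "ssh":
            hits.append((src, verdict))
    return hits


# Constructed sample flows: (source address, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("10.0.5.11", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.0.5.12", 22, b"CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n\r\n"),
    ("10.0.5.13", 22, b"\x05\x01\x00"),
    ("10.0.5.14", 22, b"\x04\x01\x00\x50\xc0\x00\x02\x01\x00"),
    ("10.0.5.15", 8080, b"GET http://example.org/ HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for src, verdict in flag_non_ssh(SAMPLE_FLOWS):
        print(f"{src}: port 22 is carrying {verdict}, not SSH")
```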

3

With SSH tunnelling, you need an ssh client on each device wanting to use your proxy, and you would need an SSH server on the proxy server.

The SSH protocol supports port-forwarding any port across an ssh session, called ssh tunnelling.

You can think of this as the remote port the user wants to connect to being accessible locally on their own machine. So let's say the proxy port was 8080, the user would set their proxy settings to 127.0.0.1:8080 - in other words, port 8080 on their own machine. This would get forwarded across the tunnel to port 8080 on the proxy server.

The ssh tunnelling configuration is different for each ssh client. For the standard ssh command line client, you would use the following command to create the tunnel:

ssh -L 8080:localhost:8080 proxy-ip-address

What this is saying is: create a (L)ocal port 8080, tunnel this across the ssh session, and at the other end, send it to localhost:8080.

Any packets sent to port 8080 locally would then be sent via the tunnel to the proxy server port 8080.

Paul

Posted 2011-11-16T23:36:25.763

Reputation: 52 173

+1 for making the effort to explain this for Bruce -- this is useful information. – Randolf Richardson – 2011-11-17T01:06:47.723

No problem. Note that the destination portion of the port-forward applies to any IP address and port. You can also use Dynamic port forwarding that effectively uses the remote device as a SOCKS proxy, without the actual proxy server. So the lesson here is that if you have ssh access to a server that itself is not restricted, you can use it to access pretty much anything you want regardless of local firewall restrictions. – Paul – 2011-11-17T01:26:17.373
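Added example, not part of the original thread: the data path of `ssh -L 8080:localhost:8080` reproduced as a plain TCP relay on loopback, without SSH's encryption or authentication, to show which source address the proxy sees at the far end. The stand-in proxy, `start_forward` and `demo` are hypothetical names, and the request is constructed.

```python
import socket
import threading

# Plain TCP relay standing in for the SSH tunnel (no encryption, no authentication).
def _pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _relay(client, target):
    """Splice an accepted connection onto a fresh connection to target."""
    with client, socket.create_connection(target) as upstream:
        t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
        t.start()
        _pump(upstream, client)
        t.join()

def start_forward(target):
    """Listen on a free loopback port (ssh -L also binds loopback by default)."""
    srv = socket.create_server(("127.0.0.1", 0))
    def accept_loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=_relay, args=(client, target), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Return (client's own address, peer address the stand-in proxy saw, reply)."""
    seen = []
    proxy = socket.create_server(("127.0.0.1", 0))  # constructed stand-in proxy
    def serve_one():
        conn, peer = proxy.accept()
        with conn:
            seen.append(peer)  # what the proxy's access log would record
            conn.sendall(conn.recv(4096))  # echo the request back
    threading.Thread(target=serve_one, daemon=True).start()
    port = start_forward(proxy.getsockname())
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(b"GET http://example.org/ HTTP/1.1\r\n\r\n")
        reply = c.recv(4096)
        return c.getsockname(), seen[0], reply

if __name__ == "__main__":
    print(demo())
```

The peer address the stand-in proxy records belongs to the relay, not to the client. In the tunnelled setup the proxy's log likewise shows the SSH server's loopback address for every user, so per-user URL logs need another identifier, such as per-user proxy credentials.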