07 October, 2010

Complete reference to SSH tunnelling

an introduction . . .

In simple words, tunnelling is a method of bypassing firewall or proxy restrictions using a tunnelling protocol. It works by creating a "tunnel", a communications channel that makes the firewall think it is seeing traffic from a web browser. Content is delivered through this tunnel to our gateway or your own personal gateway. The gateway extracts your content from the tunnel and sends it to the destination. When the other party responds, everything goes back the same way. Tunnelling can be used when your company, college, university or ISP has blocked certain programs, FTP or telnet.

On the other hand, tunnelling can also allow inherently insecure protocols to cross your firewall. For this reason, it may be advantageous to use a firewall solution that does content-based checking of HTTP connections, so that you can disallow connections that are actually tunnelling other protocols. This can be quite difficult to do. Among the tunnelling protocols, SSH tunnelling techniques have a wide range of applications.


SSH tunnelling ...
To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. To set up the ssh application on your machine, please read my previous post.

A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel.

Configuring the ssh tunnel

X11 forwarding
Ubuntu ships with X11 forwarding available on the server side. On the client side, it can be enabled for the current session only with the following command:

$ ssh -X user@myserver

To enable X11 forwarding permanently, edit the file ssh_config with sudo as follows:

    $ sudo gedit /etc/ssh/ssh_config

     # for all users, add the line ForwardX11 yes

     # To enable it permanently for a specific user
     # only, add the line to that user's ~/.ssh/config file.

Once that setting has been added, the -X option is no longer required to use X11 tunnelling. Run the ssh command to connect to the remote system as you normally would.

To test that the tunnelling is working, run xclock after ssh'ing into the remote machine, and it should appear on your client desktop. Thus SSH tunnelling is an excellent way to securely use remote graphical tools!

Logging in Remotely with ssh


To securely log in to a remote host, you can use either of two different syntaxes to specify the user name:

$ ssh -l  user  myserver
or
$ ssh user@myserver

 
Accessing SSH on a Different Port

For security purposes, a remote host may have its SSH service listening on a different port than the default port number 22. If that's the case, use the -p option to ssh to contact that service:

$ ssh -p 12345 user@myserver.com
[Connect to SSH on port 12345]


Applications

One of the important advantages of SSH is that you can forward any TCP port with it. This is a great way to configure secure tunnels quickly and easily. No configuration is required on the server side.
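No server-side configuration is needed because OpenSSH's sshd permits TCP forwarding by default. The following added example (not part of the original post) reports the forwarding-related settings in sshd_config text; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: report forwarding-related sshd settings from config text.

# effective_setting KEYWORD DEFAULT  (config text on stdin)
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Match blocks are not evaluated: parsing stops there.
effective_setting() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !seen { val = tolower($2); seen = 1 }
        END { print val }
    '
}

# audit_forwarding CONFIG_TEXT
# Prints "open" for each setting that still permits forwarding.
audit_forwarding() {
    # keyword:OpenSSH default (the restrictive value is "no" for all four)
    for spec in AllowTcpForwarding:yes X11Forwarding:no \
                GatewayPorts:no PermitTunnel:no; do
        key=${spec%%:*}
        def=${spec#*:}
        val=$(printf '%s\n' "$1" | effective_setting "$key" "$def")
        if [ "$val" = no ]; then
            echo "ok    $key $val"
        else
            echo "open  $key $val"
        fi
    done
}

# Constructed sample, not taken from a real host.
SAMPLE_CONFIG='Port 22
X11Forwarding yes
AllowTcpForwarding yes
allowtcpforwarding no
Match User backup
    PermitTunnel yes'

audit_forwarding "$SAMPLE_CONFIG"
```

On a live host, `sshd -T` prints the effective configuration as keyword/value lines and can be piped into `effective_setting` instead of the raw file.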

Tunneling for remote X11 Clients  

                   
In order to use applications that are available on a remote machine, follow these steps:

1. [Start ssh connection to myserver]
$ ssh user@myserver
The terminal will then prompt for the password.

2. Run the applications

$ echo $DISPLAY            # Show the current X display entry
$ xeyes                    # Show moving desktop eyes
$ gnome-cups-manager       # Configure remote printers
$ gksu services-admin      # Change system services
$ firefox                  # Start the web browser

Tunneling for Remote Printing Administration               
Suppose myserver is a print server with the CUPS printing service's web-based user interface enabled (running on port 631). That GUI is only accessible from the local machine. We tunnel to that service on myserver from the client PC using ssh with the following options:

$ ssh -L 1234:localhost:631 myserver

This example forwards port 1234 on the client PC to localhost port 631 on the server. We can now browse to http://localhost:1234 on the client PC. This will be redirected to cupsd listening on port 631 on the server.

Tunneling to an Internet Service
 

Another use for SSH tunnelling is when your local machine is blocked from connecting to the Internet (by proxies, firewalls ...): you can get to another machine (myserver) that has an Internet connection and utilize its connectivity.

The following example lets you visit the Google.com web site (HTTP, TCP port 80) across an SSH connection to a computer named myserver that has a connection to the Internet:

$ ssh -L 12345:google.com:80 myserver

With this example, any connection to the local port 12345 is directed across an SSH tunnel to myserver, which in turn opens a connection to Google.com port 80. You can now browse to http://localhost:12345 and use myserver as a relay to the Google.com web site. 

Since you're only using ssh to forward a port and not to obtain a shell on the server, you can add the -N option to prevent the execution of remote commands:

$ ssh -L 12345:google.com:80 -N myserver
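Both -L examples above (CUPS and Google.com) use the same `[bind_address:]port:host:hostport` form. The following added example, not part of the original post, parses such a spec and reports who can reach the local listener and whether the second leg of the connection leaves the server outside the SSH tunnel. The function name and output labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: explain an `ssh -L` forwarding spec of the form
#   [bind_address:]port:host:hostport
# Bracketed IPv6 addresses and Unix-socket forwards are not handled.
describe_local_forward() {
    spec=$1
    colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    case $colons in
        2) bind=default; rest=$spec ;;
        3) bind=${spec%%:*}; rest=${spec#*:} ;;
        *) echo "invalid spec: $spec" >&2; return 1 ;;
    esac
    lport=${rest%%:*}; rest=${rest#*:}
    host=${rest%%:*};  hport=${rest#*:}
    [ -n "$host" ] || { echo "missing host in: $spec" >&2; return 1; }
    for p in "$lport" "$hport"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port in: $spec" >&2; return 1 ;;
        esac
    done
    # Who can reach the listening port on the client, per ssh(1).
    case $bind in
        default)             listen=loopback-unless-GatewayPorts ;;
        localhost|127.0.0.1) listen=loopback-only ;;
        ''|'*')              listen=all-interfaces ;;
        *)                   listen=$bind ;;
    esac
    # host is resolved and dialled by the SSH server, not by the client,
    # so "localhost" here means the server itself.
    case $host in
        localhost|127.0.0.1) leg=ends-on-server ;;
        *)                   leg=leaves-server-outside-tunnel ;;
    esac
    echo "listen=$listen:$lport target=$host:$hport leg=$leg"
}

describe_local_forward 1234:localhost:631     # CUPS example from the post
describe_local_forward 12345:google.com:80    # relay example from the post
describe_local_forward '*:8080:10.0.0.5:80'   # constructed: exposed listener
```

Only the client-to-myserver hop is protected by SSH; a target such as google.com:80 is reached from myserver as ordinary traffic.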
 

Tunnelling to use SSH as a SOCKS Proxy 

To use the full power of tunnelling, the best way to get your browser traffic out of your local network through an encrypted tunnel is SSH's built-in SOCKS proxy feature. This will make you anonymous (in IP) to the outside world and let you break through the firewall/proxy restrictions imposed on your network.

$ ssh -D 12345 myserver

The dynamic (-D) option of ssh lets you log in to myserver (as usual). As long as the connection is open, all requests directed to port 12345 are then forwarded to myserver.

Next, set your browser of choice to use localhost port 12345 as a SOCKS v5 proxy. Do not enter anything in the fields for HTTP and other protocols; they all work over SOCKS.




Let me conclude...

SSH tunnelling can be used as a power tool for communication in environments where limited connectivity is available due to proxies, firewalls and content filtering mechanisms. It provides a secure encrypted channel to hide your data from being monitored by anyone. Also, the remote access concept will bring your office into your bedroom, so that you can log in and work on your office machine from your home PC....
Have a nice time tunnelling ...
