Ssh Tunnel Home To Circumvent Firewall Working Partially With Facebook

[dusf]

There is a firewall at my office blocking the Windows XP box from accessing Gmail, Facebook, Youtube, no doubt some other sites, and any URL with the word proxy in it.

To try and circumvent this I connect with PuTTY using the office proxy on port 8080 to my Ubuntu 10.04's OpenSSH server running at home on port 8080.

The office proxy PuTTY uses to get out (same as the one I must set IE/Firefox to access the internet at the office normally for general office use) is set to HTTP and I have set 'Do DNS lookup at proxy end' to auto, should I set this to yes or no instead of auto? Directly attempting to connect out with PuTTY does not work. I also use my LAN username and password in PuTTY to access the office proxy. I configured PuTTY to forward the source port D55555 (dynamic) to the destination 127.0.0.1.

In FoxyProxy I created a new proxy name SSH tunnel home with the address 127.0.0.1 and the port 55555, configured for SOCKS, should it be SOCKS, if so which version 4 or 5? Should there be a dynamic option here for the port?

When the proxy is not enabled and I try to access Facebook I just see a small graphic from the firewall loading where the webpage should be telling me it's denied in the top left corner. When I add some patterns, as per the screenshot I have linked, or even when I have it set to 'Use proxy SSH tunnel home for all' it loads about 5% of the page as per the second screenshot linked, though it has worked properly twice for a minute or two over my last few days testing which is strange.

http://oi52.tinypic.com/14cw2oi.jpg

http://www.boards.ie/vbulletin/attachment....37&d=1287...

I read on a guide someone made that I should set 'Use SOCKS proxy for DNS looksups' in FoxyProxy but that setting does not seem to be there anymore.

Also, tomorrow when I'm back at work I will try setting the IE LAN network settings to 127.0.0.1:55555 for all protocols because somehow even though I have set FoxyProxy to 'Use proxy SSH tunnel home' Firefox 3.6.10 is attempting a different route for a lot of the content on Facebook. Gmail works fine most of the time, but even when I receive an email in Gmail from facebook, any Facebook avatars within show only a denied graphic where the person's face should be.

If you have even the slightest suggestion, please make me aware of it, thanks.

[Mr-Protocol]

You could run an SSH on a linux box at home. SSH with X11 forwarding to your linux box at home. Then all history and traffic will go through your home address.

You can also try manually changing your DNS to 8.8.8.8 (Google DNS) to see if they are just denying the DNS lookups.

[dusf]

You could run an SSH on a linux box at home. SSH with X11 forwarding to your linux box at home. Then all history and traffic will go through your home address.

You can also try manually changing your DNS to 8.8.8.8 (Google DNS) to see if they are just denying the DNS lookups.

I do have an Open SSH server running at home, and it works from most locations, just not the aforementioned one.

I am unfamiliar with X11 forward, my working method for other locations is as described, but X11 sounds interesting.

I am unable to change the TCP/IP settings on the LAN NIC, but was under the impression that this should all already be going down the tunnel, that is everything and DNS?

[Mr-Protocol]

X11 forwarding is easy... Someone should make a video on how to set it up ;)

Hak5.org/807

Edited October 18, 2010 by Mr-Protocol

[dusf]

X11 forwarding is easy... Someone should make a video on how to set it up ;)

Hak5.org/807

Haha Mr-Protocol, very good and thanks! :)

I will definitely look into the X11, but I still believe what I am trying to achieve is possible with Firefox, I just have to figure out why Firefox is not using the set proxy for every item on Facebook.

I had a similar problem with Texas Hold 'Em Poker, the Facebook app, at my old employer. Because the game was using flash it was bypassing the proxy settings on the machine and using the default ones on the Windows box. The only solution for that problem was to 'SOCKSwrap' all of Firefox using a third party application.

Anyone else with a suggestion?

[wh1t3 and n3rdy]

X11 forwarding, in my opinion, is the best solution there is, unless of course being able to ssh out is blocked.

[dusf]

X11 forwarding, in my opinion, is the best solution there is, unless of course being able to ssh out is blocked.

See that's the thing, I am able to SSH out once I use the on site proxy in PuTTY's connections to get the route out. I'm also able to then point Firefox at the SSH tunnel/proxy created on 127.0.0.1:55555 (or any port of my choosing) and all blocked websites work fine, except Facebook?

Please see screenshot of Facebook when using my SSH tunnel. When using the office proxy I get a graphic with a pic saying 'Denied' and a direct connection just says all websites, including facebook cannot be displayed.

There is an option it FoxyProxy to automatically add patters for the SSH tunnel, but it only searches for strings of text and unfortunately the denied message I receive is a graphic. This shouldn't matter though, because like I said the problem happens when I configure FoxyProxy to 'Use SSH tunnel home for all' so everything on the page, should in theory, be going through my tunnel home, not just parts of Facebook.

Edited October 20, 2010 by dusf

[Infiltrator]

Whenever using a proxy or a SSH server to tunnel your Firefox traffic through, make sure you have the following configuration in Firefox enabled.

network.proxy.socks_remote_dns

This option will force Firefox to use your own SSH server, to perform DNS look ups instead of your schools dns server.

Edit: This is the correct URL: https://calomel.org/firefox_ssh_proxy.html

Give that a shot and see if it works.

Edited October 20, 2010 by Infiltrator

[dusf]

Whenever using a proxy or a SSH server to tunnel your Firefox traffic through, make sure you have the following configuration in Firefox enabled.

network.proxy.socks_remote_dns

This option will force Firefox to use your own SSH server, to perform DNS look ups instead of your schools dns server.

http://www.simplehelp.net/2007/05/19/how-t...ders-in-ubuntu/

Give that a shot and see if it works.

Thanks!

That makes a lot of sense, and I can't wait to get in there and try it but unfortunately I won't be back in again until Sunday.

Forgive me, but I don't see the relevance of the how to share files and folders in Ubuntu reference?

[Infiltrator]

Thanks!

That makes a lot of sense, and I can't wait to get in there and try it but unfortunately I won't be back in again until Sunday.

Forgive me, but I don't see the relevance of the how to share files and folders in Ubuntu reference?

I am really sorry, this is the right article

https://calomel.org/firefox_ssh_proxy.html

[dusf]

Whenever using a proxy or a SSH server to tunnel your Firefox traffic through, make sure you have the following configuration in Firefox enabled.

network.proxy.socks_remote_dns

This option will force Firefox to use your own SSH server, to perform DNS look ups instead of your schools dns server.

Infiltrator you're a genius, many, many thanks! :)

Okay, after confirming I do in fact have 'perform remote DNS lookups on hostnames loading through this proxy' enabled in FoxyProxy, and setting network.proxy.socks_remote_dns to true in Firefox's about:config, Facebook now loads fully, and consistently when 'Use proxy 'SSH tunnel home' for all URLs' is enabled (or when it's the single proxy enabled in Firefox's default proxy settings).

The single remaining problem I have is getting it to work by pattern, as in I can set url wildcards for pages to be loaded automatically through one proxy or another.

Having a rule set for every domain visible in Tools > Page info > media (when on Facebook) doesn't do it.

i.e. *.facebook.com/*

http://static.ak.fbcdn.net/rsrc.php/z7/r/5875srnzL-I.ico <- many media sources like this for which I created the rule:

*.fbcdn.net/*

It of course picks up the pattern partially as about 5/10% of what should load on the page does so, but somehow I am missing the source of some of the media on Facebook because it's still being firewalled/DNS poisoned. Is there anyway I can detect the domains I need to add a pattern for when on Facebook?

(Those familiar with FoxyProxy may know there's an autodetect a firewall blocking feature, but this only works with strings of text like 'This webpage is prohibited' etc, not a small 'denied' graphic that appears in my case)

Edited October 24, 2010 by dusf

[Infiltrator]

You could try is setting up your own proxy server, using phproxy or glype and Apacher, you will also need to use OpenSSL to encrypt the traffic.

[dusf]

You could try is setting up your own proxy server, using phproxy or glype and Apacher, you will also need to use OpenSSL to encrypt the traffic.

Doesn't an SSH tunnel created by PuTTY, and connected to my OpenSSH server running at home create a SOCKS5 proxy with encrpyted traffic?

Spent the evening analysing Wireshark packets picked up when I access Facebook from home. Well what can I say, it is a bank holiday Monday here, everyone's out partying elsewhere but I think I'm pretty rock 'n' roll with my analysing of Wireshark packets!

[Infiltrator]

Doesn't an SSH tunnel created by PuTTY, and connected to my OpenSSH server running at home create a SOCKS5 proxy with encrpyted traffic?

Spent the evening analysing Wireshark packets picked up when I access Facebook from home. Well what can I say, it is a bank holiday Monday here, everyone's out partying elsewhere but I think I'm pretty rock 'n' roll with my analysing of Wireshark packets!

Yes SSH is encrypted and eavesdropping is almost impossible. Now going back to your previous question, are you able to 100% access facebook or is it getting blocked by your schools firewall?

[dusf]

Yes SSH is encrypted and eavesdropping is almost impossible. Now going back to your previous question, are you able to 100% access facebook or is it getting blocked by your schools firewall?

By default Gmail, YouTube and Facebook and many other sites are all blocked at my office.

Using my working SSH connection with the remote DNS socks about:config setting you advised me of, Gmail and Youtube work all the time when I have FoxyProxy recognise to apply my proxy to them for wildcards like *://mail.google.com/* or *youtube* etc.

Facebook is a different story, it will only work 100% with the SSH connection with the remote DNS socks about:config setting when I have FoxyProxy set to use not patterns, but that SSH tunnel ALL the time, it's not registering enough from the patterns *facebook*, and *fbcdn* - visible in FoxyProxy's logs or Firefox's Tools > Page Info > Media when you're on www.facebook.com.

This is why I referenced Wireshark, to try find what FoxyProxy and Firefox are missing, specific to Facebook.

[Infiltrator]

That's very interesting, have you tried using Putty instead of FoxyProxy to establish a connection with your SSH server? And then creating a dynamic socket, that could be used in conjunction with Firefox.

Edited October 25, 2010 by Infiltrator

[dusf]

That's very interesting, have you tried using Putty instead of FoxyProxy to establish a connection with your SSH server? And then creating a dynamic socket, that could be used in conjunction with Firefox.

That's exactly what I have been doing friend, FoxyProxy is just for switching proxies that you input to it, either manually which is allowing me access everything in Facebook with all media, or by pattern (works with all but Facebook which only partially loads when set by pattern) so it automatically does it meaning I can use the same browser for work systems which must be connected to by the work proxy, or blocked sites which go 127.0.0.1:55555 > PuTTY:D55555 > work proxy (only route for putty out) > SSH to OpenSSH server at home > internets :)

Edited October 25, 2010 by dusf

[dusf]

It now works perfectly, even by pattern.

It seems there was some corruption in Firefox, undoing my setting of network.proxy.socks_remote_dns to true and reinstalling fixed that.

Thanks to all for valued input.