LinuxQuestions.org
Old 09-08-2005, 11:44 PM   #1
Shai
LQ Newbie
 
Registered: Jan 2001
Posts: 8

Rep: Reputation: 0
SSH thru a Firewall with only squid open.


Hoping for a little help... Please bear with me whilst I explain in full, as there were a few posts with similar requests but not quite what I am after.


Generally we support clients via ssh tunnels. The client initiates a connection to us, we join the session and bingo - Instant help.

We have come across a client that will NOT alter their firewall saying we only allow outbound traffic that can pass thru the proxy (Squid).

So my question: Can you set up a connection from a box on an internal network via a proxy server to another box on the internet all via an SSH tunnel?

I hope I have included enough detail.


Thanks in advance.
 
Old 09-09-2005, 12:58 AM   #2
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
If the box behind the proxy has a public IP, or they NAT their outbound traffic, you could run up the remote sshd to listen on TCP/80 and have the client connect on this port instead of the default TCP/22 (icky) and bypass the proxy entirely. This makes a few assumptions about their setup though... squid won't perform any TCP socket proxying, only HTTP/HTTPS and FTP.

Last edited by angrybeaver; 09-09-2005 at 12:59 AM.
 
Old 09-09-2005, 03:31 AM   #3
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Quote:
We have come across a client that will NOT alter their firewall saying we only allow outbound traffic that can pass thru the proxy (Squid).
Do I read this right - the client wants only traffic that goes through the proxy?

Presumably you know how to set up ssh connections through an http proxy?

http://www.pantz.org/os/openbsd/squidsetup.shtml
... this seems right up your street, even though it is for OpenBSD. The principles should be the same.
 
Old 09-09-2005, 06:10 PM   #4
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
Quote:
Originally posted by Simon Bridge
http://www.pantz.org/os/openbsd/squidsetup.shtml
... this seems right up your street, even though it is for OpenBSD. The principles should be the same.
Doesn't that link just explain how to set up an SSH tunnel to a host running Squid? His problem is that the ISP won't allow any outbound traffic unless it passes through their squid proxy, which breaks his outbound SSH connection attempts.

He either has to find a hole in their network (i.e. exploit their NAT or filtering rules), or ask them nicely to set up a socks proxy for port 22.

There's a tool called 'httptunnel' floating about which acts as a local socks proxy and can tunnel traffic via HTTP, which could, of course, also use an upstream proxy like squid. Try something like this if all else fails - just don't expect blisteringly fast response times.


Last edited by angrybeaver; 09-09-2005 at 06:18 PM.
 
Old 09-09-2005, 11:06 PM   #5
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
... which is why I asked if I had the trouble right... if I punctuate the stated trouble like this:
We have come across a client that will not alter their firewall, saying: "We only allow outbound traffic that can pass thru the proxy." (Squid)

It comes out close to what you suggest.
But this still reads like the client is on a LAN (say a corporate net) behind the proxy. The client, somehow, initiates a connection and he joins via ssh as SOP. But he cannot do this because squid is stopping this and the client stipulates - traffic goes through the proxy thanks.

Bypassing, or otherwise penetrating, the proxy would allow for the desired connection. This is true. However, as written, this would be against the client's wishes.

As the problem is described, to offer his support in the manner he is accustomed to, he must connect through the client's proxy server.

This seems logical too. As there seem to be two possible interpretations of the problem - I think a clarification is in order.

Apart from this - the general advice so far should provide a starting point whichever of us got it right.

Woo-hoo Shai? Where are you?

Last edited by Simon Bridge; 09-09-2005 at 11:10 PM.
 
Old 09-19-2005, 10:48 PM   #6
Shai
LQ Newbie
 
Registered: Jan 2001
Posts: 8

Original Poster
Rep: Reputation: 0
My apologies for the delay...DO NOT LAUGH _but_ I got hit by a car and ended up in hospital...Well it's pretty funny now but it wasn't at the time.

Anyway getting back to the story at hand.

Simon is quite correct in his summary.

The linux box that is needed to be connected to is on a LAN behind the firewall and proxy. We need to have this box initiate a connection to our access point. As stated the only outbound traffic is via the proxy.

In re-reading AB's first response are you saying that the client machine could ssh out (via 80) and if we set our box to listen on 80 we should be good to go? If this is a yes can you have the sshd listen on more than one port or can you run multiple sshd's simultaneously?

Again sorry for the delay and thanks for the info so far.

Cheers
Shai

aka the Crash Test Dummy
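
Added example, not part of any post in this thread: an SSH session relayed through Squid rides on an HTTP CONNECT request, which the proxy administrator can see in Squid's native-format access.log. The sketch below reviews such a log for CONNECT requests to ports other than HTTPS and for unusually long-lived tunnels; the log lines, host names, allowed-port set and 30-minute threshold are all constructed assumptions.

```python
# Added example: review Squid native-format access.log lines for CONNECT tunnels.
# Native format: time elapsed_ms client code/status bytes method URL ident peer type
from typing import NamedTuple

ALLOWED_CONNECT_PORTS = {443}      # assumption: policy permits CONNECT for HTTPS only
LONG_TUNNEL_MS = 30 * 60 * 1000    # assumption: 30 minutes is unusual for web traffic

# Constructed sample log (documentation addresses and example host names).
SAMPLE_LOG = """\
1126241040.101    842 10.0.0.21 TCP_MISS/200 18230 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
1126241055.480      3 10.0.0.37 TCP_DENIED/403 1450 CONNECT support.example.net:22 - NONE/- text/html
1126241102.733   2310 10.0.0.21 TCP_MISS/200 5120 CONNECT shop.example.com:443 - DIRECT/192.0.2.20 -
1126248300.019 7200450 10.0.0.37 TCP_MISS/200 913004 CONNECT support.example.net:443 - DIRECT/198.51.100.7 -
"""

class Finding(NamedTuple):
    client: str
    target: str
    reason: str

def parse_line(line):
    """Split one native-format line; return None if it is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        return {"elapsed_ms": int(f[1]), "client": f[2], "result": f[3],
                "method": f[5], "url": f[6]}
    except ValueError:
        return None

def review_connects(log_text):
    """Return a Finding for each CONNECT that breaks the port or duration policy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        _host, _, port = rec["url"].rpartition(":")   # CONNECT target is host:port
        if not port.isdigit():
            continue
        if int(port) not in ALLOWED_CONNECT_PORTS:
            status = "denied" if rec["result"].startswith("TCP_DENIED") else "ALLOWED"
            findings.append(Finding(rec["client"], rec["url"], f"non-HTTPS port ({status})"))
        elif rec["elapsed_ms"] >= LONG_TUNNEL_MS:
            findings.append(Finding(rec["client"], rec["url"], "long-lived tunnel"))
    return findings

if __name__ == "__main__":
    for f in review_connects(SAMPLE_LOG):
        print(f"{f.client} -> {f.target}: {f.reason}")
```

Squid records the elapsed time of a CONNECT only when the tunnel closes, so the long-lived check sees a session after it has ended.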
 
  

