View All Products
Compute
Storage
Databases
Networking
Developer Tools
Delivery
Security
Services
Industries
Pricing
Community
Engage With Us
Community Questions Get through a country-wide firewall?
Log in to Ask a Question

Get through a country-wide firewall?

networking

I have set up a proxy server, but i still cant get through a country-wide firewall.. i can visit the web page, once i click the links in the page, my connection will be blocked.. ur suggestions welcome. ty!

8 Replies

If you're using a HTTP proxy, try using a full VPN solution like OpenVPN.

As long as either the IP of your linode or the port OpenVPN uses isn't being blocked, this will basically allow you to browse the Internet from your Linode.

Side note: As a network administrator at a public school district, please don't put an open proxy on your site. I'd hate to have to start blocking Linode IPs! :)

Hey, ty for ur tips.. and i will try using openvpn as soon as possible..

directly note: I generally set password on my proxy server..

@untitled9:

try using a full VPN solution like OpenVPN.

please don't put an open proxy on your site.

I'm somewhere with such a firewall.

In order to get out through the country's http proxy I need a) sshd on my linode running on port 443 and b) my ssh client to issue the CONNECT method (by calling an external application through the ProxyCommand directive).

My solution: use openvpn over a openssh SOCKS proxy (not the preferred way, but I can't seem to connect through HTTP proxy with openvpn, despite it having the ability to).

I need to do some routing changes locally on my laptop to direct all my traffic to the vpn tunnel (except for the traffic to the ssh tunnel). And I block access to the openvpn port on my linode through iptables.

Hope that helps.

@untitled9:

If you're using a HTTP proxy, try using a full VPN solution like OpenVPN.

As long as either the IP of your linode or the port OpenVPN uses isn't being blocked, this will basically allow you to browse the Internet from your Linode.

Side note: As a network administrator at a public school district, please don't put an open proxy on your site. I'd hate to have to start blocking Linode IPs! :)

I used a very easy way to tunnel my web traffic trough ssh. Using Putty on Windows, I did this .bat script :

putty -D 8080 -P 22 -ssh username@servername

Once this tunnel is opened from the local computer to the server, I just had to set the SOCKS proxy in the web browser preferences to point to the 127.0.0.1:8080 and that's it.

Hope this helps!

@orsic:

I used a very easy way to tunnel my web traffic trough ssh. Using Putty on Windows, I did this .bat script :
I'll second this recommendation. It's by far the most simple way to set up a proxy. I use this all the time when working from coffee shops…I proxy email (IMAP), instant messaging, and web through it.

-erik

thanks for that ssh/socks proxy info. so easy and yet so useful and important.

@orsic: 

putty -D 8080 -P 22 -ssh username@servername

I live in Thailand and we also have a country-wide firewall system here. It blocks dangerous sites like EFF (tor.eff.org) and political speech. Also it blocks the more popular adult sites. (I guess they want you to go outside and support the local economy!) Anyway, my main use of the proxy is because my ISP's transparent HTTP proxies foul up apt, yum, gem, etc. very badly. So this isn't only a "free speech" issue.

First, if you do a lot of proxying, I highly recommend the SwitchProxy extension for Firefox. You can switch from normal viewing to your local proxy just by right-clicking your mouse. Browsing through a SSH tunnel can be a bit slow, so it's best used only when necessary.

I have used orsic's method before with OpenSSH. The -D switch to SSH sets up a SOCKS5 proxy, and anything that comes in your ssh goes out the remote sshd. It is nice, however I found the performance to be poor for web browsing, and sometimes it just froze on me, forcing me to kill ssh and reconnect.

The solution I now use is to run a lightweight HTTP proxy on my server, and then use SSH to tunnel myself to the server, like so:

ssh -L 8765:localhost:8765 username@linode-system

I use micro-proxy for the proxy. It's available in Debian Etch and it is indeed very small and simple. You just put it in inetd.conf and you're done. Not only is the performance better than "ssh -D", but micro_proxy conveniently logs my activity, so I can see my browsing history later.

Warning!

Running an HTTP proxy carries its own risks. Make sure it is not accessible from the Internet. I recommend you set your hosts.{allow,deny} files for localhost only and make sure the port is firewalled too, for defense in depth. While the performance is better, this proxy solution led to my leaving my old VPS provider. On my former VPS, I made three mistakes that caused a very serious problem.
4. Ran the proxy on common port 8888

  1. Only blocked port 8888 with iptables, not hosts.{allow,deny}

  2. No automatic loading the firewall rules during boot

One day, my system randomly rebooted due to God-knows-what at my hosting site. Now the firewall was down and the proxy was exposed on a common port number. In short time, a scan found the proxy and immediately used it to send a lot of spam. Within a couple of hours, I discovered the problem, corrected it, and also took myself off half a dozen spam blacklists.

One month later, my VPS provider (an awful company – feel free to send me a PM and I will happily disparage their name in private) took my system down due to detecting the spam. The only way they would bring it back up was by re-installing the original OS (Debian Sarge!), a procedure not stated in their TOS at all. They held my system hostage. I requested just a few minutes to log in and make final backups but they refused. So besides the downtime, I lost some data that was not yet backed up in my weeklies, which cost me financially (a mistake I will not make again).

Now, today is my first day with Linode and, honestly, their operation is like a dream come true. However, I see that their TOS stipulates a $500 penalty if your IP is blacklisted, plus $250 per hour for their trouble to fix it. Now, I have no argument with this policy. In fact, I support tough action against spammers! However, I urge you to take care not to become a victim of spammers because you will be the one who suffers.

(Finally, the spammer problem is not limited to HTTP proxies, although that is a major avenue of attack. Many common PHP apps have vulnerabilities that allow local code execution. You don't need to be root to send spam. I recommend that you use iptables or other software to rate limit your outgoing port 25, port 80, and port 8888 traffic and alert you if the limit is hit. You do not want to get on a spam blacklist!)

If you use openvpn, you need to proxy dns as well.

On client side.

redirect-gateway 'your server's private ip'
dhcp-option DNS 'dnsip in your server's resolve.conf'

On server side.

iptables -t nat -A POSTROUTING -s 'your private subnet' -o eth0 -j MASQUERADE

echo "net.ipv4.ip_forward=1">>/etc/sysctl.conf
sysctl -p

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct