work firewall blocking linode port - SSH tunneling?

our corporate network at work blocks nearly all non-standard ports, so i'm unable to ssh to my linode when in work or even SFTP to my server, because [per recommendations in the setup articles] i have set up ssh on my linode to use a custom port.

am i correct in thinking that i can set up an ssh tunnel to allow me to bypass the firewall and get to my linode? i must have looked at a zillion tutorials and tried an equal number of command line options, but i cannae get any of them to work. could some kind soul tell me where i'm going wrong, please?

[let's say the ssh port on my linode is '3456']

i've tried:

ssh -f -L 80:my-linode-IP:3456

ssh -f -L 80:[email protected]:3456

ssh -f [email protected] -L 80:my-linode-IP:3456 -N

ssh -L 80:my-linode-IP:3456 -l username my-linode-IP:3456 -N

… and about every other combination possible! but i havenae stumbled on the right one yet. i always get a "connect to host my-linode-IP port 22: Connection refused" error

if it makes any difference, my linode is also setup to use authentication via publickey [no password login allowed]. i've not found anything relating to ssh tunnelling that mentions this aspect at all.

8 Replies

Are you sure you actually need a tunnel ? If it's only to log in via ssh, just use ssh -p 3456

If your connection's still refused, check that ssh (on your linode) is actually listening on that port (netstat or similar); and that your firewall/iptables agree.

And of course, don't forget your logs – they can be full of all sorts of useful information. ;)

If your work is anything like mine, they block pretty much everything except 80, 443 and application-specific specials. Configure your sshd to listen on port 443 (get an extra IP address if you run an HTTPS server). Then: ssh -p 443 <linode_address></linode_address> saves having the network thought police wondering what all that encrypted traffic is doing on one of their allowed ports.

@mjrich:

Are you sure you actually need a tunnel ? If it's only to log in via ssh, just use ssh -p 3456

yes. the linode is listening on that port and that's how i connect from home. but the firewall at work is blocking outgoing traffic to all but a couple of ports….

@pclissold:

…If your work is anything like mine, they block pretty much everything except 80, 443…

… those very ones in fact.

@pclissold:

….Configure your sshd to listen on port 443…

…saves having the network thought police wondering what all that encrypted traffic is doing on one of their allowed ports….

i could do that, but then that removes the suposed advantage of running sshd on an obscure custom port, which all the linode setup tutorials advise me to do.

i'm not too bothered about the 'network thought police' as such. i've got a genuine work-related reason for wanting to be able to connect to my linode from behind work's firewall, from time to time. so i doubt i'll get my knuckles rapped over it. i just thought if i could set up a tunnel, it would be less hassle [and several ice-ages quicker!] than trying to convince some network manager to open port 3456 for me.

in spite of all i've read on this, i'm not really sure that i've got the right end of the stick as to whether a tunnel can do what i want or not. most of the examples i've read tend to refer to things like connecting securely to read your email, while connected to an insecure network in a hotel or cybercafé. so i'm finding it confusing, trying to relate it to my situation.

so is it even possible?…

i connect out from work through one of the open ports [80 or 443] and by the magic of ssh tunnelling it gets delivered to my linode on port 3456

oh. and just to warn you all in advance.

assuming i ever get this one working, my next idiotic question is going to be about tunnelling into my work computer from outside the firewall.

:D

@madra:

i could do that, but then that removes the supposed advantage of running sshd on an obscure custom port, which all the linode setup tutorials advise me to do.
It's just that – a supposed advantage. Use your firewall to restrict what IPs can connect to port 443.

@madra:

i connect out from work through one of the open ports [80 or 443] and by the magic of ssh tunnelling it gets delivered to my linode on port 3456
If it goes out of your work on port 443, it arives at your Linode on port 443. The intervening routers just pass it along. SSH tunnelling can't change that.

@madra:

assuming i ever get this one working, my next idiotic question is going to be about tunnelling into my work computer from outside the firewall.
You'll need to set up a VPN from your work computer to your Linode. Inbound connections to your work gateway router(s) on 80 and 443 will be routed to servers in their DMZ (or blocked), so the connection must be established from inside the firewall.

If you're using key-based authentication and have password authentication disabled, there's probably no real advantage to using an obscure port. Just use port 22. The odds of someone brute-forcing the port are much, much better than the odds of someone brute-forcing public key authentication.

Now, if they block port 22 as well, I think you're pretty much boned.

@hoopycat:

Now, if they block port 22 as well, I think you're pretty much boned.
Use 443, key-based authentication and (optionally) firewall restrictions to control which IPs can access 443. Works for me.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct