The following is an annotated example of creating an encrypted tunnel for bypassing fully-blocked or filtered Internet services. All shell commands below are issued on our local host (turnip.vegetable.com) except the "sshd -p 22099" shell command, which is issued on our remote host (66.246.195.41) to start a port-forwarding ssh server listening on remote host port 22099.
Let's watch the traffic on our local net from the perspective of our local host by issuing the "tcpdump -i eth0 tcp" shell command to start a network packet sniffer.
02:09:43.705801 IP turnip.vegetable.com.1216 > od-in-f103.google.com.http: P 1841:2384(543) ack 2566 win 11440
02:09:43.723871 IP od-in-f103.google.com.http > turnip.vegetable.com.1216: . ack 2384 win 6852
02:09:43.730308 IP od-in-f103.google.com.http > turnip.vegetable.com.1216: . 2566:3996(1430) ack 2384 win 6852
02:09:43.730363 IP turnip.vegetable.com.1216 > od-in-f103.google.com.http: . ack 3996 win 14300
02:09:43.730627 IP od-in-f103.google.com.http > turnip.vegetable.com.1216: P 3996:4925(929) ack 2384 win 6852
02:09:43.730660 IP turnip.vegetable.com.1216 > od-in-f103.google.com.http: . ack 4925 win 17160
As tcpdump displays the above, the homepage at www.google.com is downloaded to the local user's web browser.
Now we issue the "ssh -p 22099 halle@66.246.195.41 -NTD 10011" shell command for our purpose. All traffic sent to local port 10011 (where the ssh client presents a SOCKS v5 proxy) is encrypted and forwarded to our remote ssh server (at 66.246.195.41, listening on port 22099). The remote ssh server decrypts the traffic and transmits it as if it originated on the remote host (cool!). We use -N and -T because we are dynamically forwarding ports rather than running a remote command: -N runs no command on the remote host, and -T allocates no pseudo-terminal for one.
01:56:36.733203 IP turnip.vegetable.com.1209 > 66.246.195.41.22099: P 1213:1309(96) ack 1439 win 8320
01:56:36.795635 IP 66.246.195.41.22099 > turnip.vegetable.com.1209: P 1439:1487(48) ack 1309 win 9776
01:56:36.795732 IP turnip.vegetable.com.1209 > 66.246.195.41.22099: . ack 1487 win 8320
01:56:36.796770 IP turnip.vegetable.com.1209 > 66.246.195.41.22099: P 1309:1853(544) ack 1487 win 8320
01:56:36.873181 IP 66.246.195.41.22099 > turnip.vegetable.com.1209: . ack 1853 win 11280
01:56:36.879667 IP 66.246.195.41.22099 > turnip.vegetable.com.1209: . 1487:2947(1460) ack 1853 win 11280
As tcpdump displays the above, the homepage at www.google.com is again downloaded to the local user's web browser, but look carefully at the tcpdump output: references to "google" are nowhere to be found! All the sniffer shows is an encrypted session to port 22099 on remote server 66.246.195.41. What is this sneaky user doing there? The local SysAdmin will not know the local user is surfing the web unrestricted.
The example above assumes the local SysAdmin blocked connections to port 80 (external web servers), but we could have just as easily assumed the SysAdmin blocked port 110 (POP3) instead, and continued the example using an email client (e.g. thunderbird, eudora) rather than a web browser.
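From the SysAdmin's side, the tunnel is not invisible: it is a bidirectional flow to a port tcpdump cannot resolve to a service name. As an added example that is not part of the original page, the following Python parses tcpdump lines in the format shown above, folds both directions into per-flow byte counts, and flags such flows. The local host name, the allowlist of expected service names and the sample lines (a subset of the output above) are assumptions made here.

```python
import re
from collections import defaultdict

LOCAL_HOST = "turnip.vegetable.com"  # assumption: the sniffing host's name as tcpdump prints it

# Constructed sample in the page's tcpdump format: one ordinary HTTP flow and the tunnel flow.
SAMPLE = """\
02:09:43.705801 IP turnip.vegetable.com.1216 > od-in-f103.google.com.http: P 1841:2384(543) ack 2566 win 11440
02:09:43.723871 IP od-in-f103.google.com.http > turnip.vegetable.com.1216: . ack 2384 win 6852
02:09:43.730308 IP od-in-f103.google.com.http > turnip.vegetable.com.1216: . 2566:3996(1430) ack 2384 win 6852
01:56:36.733203 IP turnip.vegetable.com.1209 > 66.246.195.41.22099: P 1213:1309(96) ack 1439 win 8320
01:56:36.795635 IP 66.246.195.41.22099 > turnip.vegetable.com.1209: P 1439:1487(48) ack 1309 win 9776
01:56:36.796770 IP turnip.vegetable.com.1209 > 66.246.195.41.22099: P 1309:1853(544) ack 1487 win 8320
01:56:36.879667 IP 66.246.195.41.22099 > turnip.vegetable.com.1209: . 1487:2947(1460) ack 1853 win 11280
"""

# Host and port are separated by the last dot; the payload range "a:b(n)" is absent on pure-ack segments.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.\s:]+): \S+ (?:\d+:\d+\((?P<len>\d+)\) )?ack"
)

def parse_tcpdump(text):
    """Return (src, sport, dst, dport, payload_bytes) for every parsable line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["src"], m["sport"], m["dst"], m["dport"], int(m["len"] or 0)))
    return records

def summarize_flows(records, local_host):
    """Fold both directions into one flow keyed by (local port, remote host, remote port)."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "pkts": 0})
    for src, sport, dst, dport, n in records:
        if src == local_host:
            key, direction = (sport, dst, dport), "out"
        elif dst == local_host:
            key, direction = (dport, src, sport), "in"
        else:
            continue  # traffic not involving our host
        flows[key][direction] += n
        flows[key]["pkts"] += 1
    return dict(flows)

EXPECTED_SERVICES = {"http", "https", "domain", "smtp", "pop3", "imap"}  # assumption: what this site expects

def flag_tunnel_candidates(flows, expected=EXPECTED_SERVICES):
    """Flows carrying payload both ways to a port outside the expected services (tcpdump
    prints unresolved ports numerically, e.g. 22099) are the footprint of the tunnel above."""
    return sorted(k for k, v in flows.items() if k[2] not in expected and v["out"] > 0 and v["in"] > 0)

if __name__ == "__main__":
    for local_port, host, port in flag_tunnel_candidates(summarize_flows(parse_tcpdump(SAMPLE), LOCAL_HOST)):
        print(f"possible tunnel: local port {local_port} <-> {host}:{port}")
```

Feed it `tcpdump -i eth0 -n tcp` output piped through `parse_tcpdump` and the HTTP flow stays quiet while the flow to 66.246.195.41:22099 is reported.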
The following is a concise review of the two commands required to set up the port-forwarding encrypted tunnel (presuming you have an account named "halle" on 66.246.195.41):
Useful additional reading includes Proxy Using SSH Tunnel and Bypassing Corporate Firewalls.