Linode Forum
Linode Community Forums
Author Message
PostPosted: Wed May 26, 2010 3:30 pm 
Junior Member

Joined: Sat Mar 13, 2010 2:50 pm
Posts: 33
Location: The Intarwebs
Twitter: stiobhart
our corporate network at work blocks nearly all non-standard ports, so i'm unable to ssh to my linode when in work or even SFTP to my server, because [per recommendations in the setup articles] i have set up ssh on my linode to use a custom port.

am i correct in thinking that i can set up an ssh tunnel to allow me to bypass the firewall and get to my linode? i must have looked at a zillion tutorials and tried an equal number of command line options, but i cannae get any of them to work. could some kind soul tell me where i'm going wrong, please?

[let's say the ssh port on my linode is '3456']

i've tried:

Code:
ssh -f -L 80:my-linode-IP:3456

ssh -f -L 80:username@my-linode-IP:3456

ssh -f username@my-linode-IP -L 80:my-linode-IP:3456 -N

ssh -L 80:my-linode-IP:3456 -l username my-linode-IP:3456 -N


... and about every other combination possible! but i havenae stumbled on the right one yet. i always get a "connect to host my-linode-IP port 22: Connection refused" error

if it makes any difference, my linode is also set up to use authentication via publickey [no password login allowed]. i've not found anything relating to ssh tunnelling that mentions this aspect at all.

_________________
**************************
Mental Diarrhoea
**************************


PostPosted: Wed May 26, 2010 3:58 pm 
Senior Member

Joined: Mon Jun 16, 2008 6:33 pm
Posts: 151
Are you sure you actually need a tunnel ? If it's only to log in via ssh, just use
Code:
ssh -p 3456 <linode>


If your connection's still refused, check that ssh (on your linode) is actually listening on that port (netstat or similar); and that your firewall/iptables agree.

And of course, don't forget your logs -- they can be full of all sorts of useful information. ;)


PostPosted: Wed May 26, 2010 4:16 pm 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
If your work is anything like mine, they block pretty much everything except 80, 443 and application-specific specials. Configure your sshd to listen on port 443 (get an extra IP address if you run an HTTPS server). Then:
Code:
 ssh -p 443 <linode_address>

saves having the network thought police wondering what all that encrypted traffic is doing on one of their allowed ports.

_________________
/ Peter


PostPosted: Thu May 27, 2010 4:15 am 
Junior Member

Joined: Sat Mar 13, 2010 2:50 pm
Posts: 33
Location: The Intarwebs
Twitter: stiobhart
mjrich wrote:
Are you sure you actually need a tunnel ? If it's only to log in via ssh, just use
Code:
ssh -p 3456 <linode>



yes. the linode is listening on that port and that's how i connect from home. but the firewall at work is blocking outgoing traffic to all but a couple of ports....

pclissold wrote:
...If your work is anything like mine, they block pretty much everything except 80, 443...


... those very ones in fact.

pclissold wrote:
....Configure your sshd to listen on port 443...

...saves having the network thought police wondering what all that encrypted traffic is doing on one of their allowed ports....


i could do that, but then that removes the supposed advantage of running sshd on an obscure custom port, which all the linode setup tutorials advise me to do.

i'm not too bothered about the 'network thought police' as such. i've got a genuine work-related reason for wanting to be able to connect to my linode from behind work's firewall, from time to time. so i doubt i'll get my knuckles rapped over it. i just thought if i could set up a tunnel, it would be less hassle [and several ice-ages quicker!] than trying to convince some network manager to open port 3456 for me.

in spite of all i've read on this, i'm not really sure that i've got the right end of the stick as to whether a tunnel can do what i want or not. most of the examples i've read tend to refer to things like connecting securely to read your email, while connected to an insecure network in a hotel or cybercafé. so i'm finding it confusing, trying to relate it to my situation.

so is it even possible?...

i connect out from work through one of the open ports [80 or 443] and by the magic of ssh tunnelling it gets delivered to my linode on port 3456

_________________
**************************
Mental Diarrhoea
**************************


PostPosted: Thu May 27, 2010 4:16 am 
Junior Member

Joined: Sat Mar 13, 2010 2:50 pm
Posts: 33
Location: The Intarwebs
Twitter: stiobhart
oh. and just to warn you all in advance.

assuming i ever get this one working, my next idiotic question is going to be about tunnelling into my work computer from outside the firewall.

:D

_________________
**************************
Mental Diarrhoea
**************************


PostPosted: Thu May 27, 2010 6:38 am 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
madra wrote:
i could do that, but then that removes the supposed advantage of running sshd on an obscure custom port, which all the linode setup tutorials advise me to do.

It's just that -- a supposed advantage. Use your firewall to restrict what IPs can connect to port 443.

madra wrote:
i connect out from work through one of the open ports [80 or 443] and by the magic of ssh tunnelling it gets delivered to my linode on port 3456

If it goes out of your work on port 443, it arrives at your Linode on port 443. The intervening routers just pass it along. SSH tunnelling can't change that.

_________________
/ Peter


PostPosted: Thu May 27, 2010 7:05 am 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
madra wrote:
assuming i ever get this one working, my next idiotic question is going to be about tunnelling into my work computer from outside the firewall.

You'll need to set up a VPN from your work computer to your Linode. Inbound connections to your work gateway router(s) on 80 and 443 will be routed to servers in their DMZ (or blocked), so the connection must be established from inside the firewall.

_________________
/ Peter


PostPosted: Thu May 27, 2010 12:40 pm 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
If you're using key-based authentication and have password authentication disabled, there's probably no real advantage to using an obscure port. Just use port 22. The odds of someone brute-forcing the port are much, much better than the odds of someone brute-forcing public key authentication.

Now, if they block port 22 as well, I think you're pretty much boned.


PostPosted: Thu May 27, 2010 1:40 pm 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
hoopycat wrote:
Now, if they block port 22 as well, I think you're pretty much boned.

Use 443, key-based authentication and (optionally) firewall restrictions to control which IPs can access 443. Works for me.

_________________
/ Peter
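The setup Peter describes (sshd on 443, key-only login, no passwords) is easy to get subtly wrong, because sshd honours only the first occurrence of each keyword and defaults PasswordAuthentication to yes when the line is missing. This added example is not from the thread or from Linode; it is a small POSIX sh audit that reads an sshd_config and reports whether it matches that recommendation. The two config texts inside it are constructed samples; the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample sshd_config texts (not from the thread).
GOOD_CFG='# listen on an allowed port, keys only
Port 443
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
'
BAD_CFG='Port 3456
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd keeps the first occurrence
'

# Print the effective value of one keyword, the way sshd resolves it:
# first occurrence wins, keywords are case-insensitive, "Keyword=value"
# is accepted, comments and blank lines are skipped. Match blocks are
# not handled here, so this is an audit of the global section only.
sshd_opt() {
  printf '%s\n' "$1" | awk -v k="$2" '
    { sub(/=/, " ") }
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd CONFIG_TEXT WANTED_PORT
# Returns 0 when the config listens on WANTED_PORT with public-key
# authentication on and password authentication off; otherwise prints
# each problem and returns 1. Missing keywords get sshd's defaults.
audit_sshd() {
  cfg=$1; want_port=$2; rc=0
  port=$(sshd_opt "$cfg" Port); [ -n "$port" ] || port=22
  if [ "$port" != "$want_port" ]; then
    echo "Port is $port, expected $want_port"; rc=1
  fi
  pw=$(sshd_opt "$cfg" PasswordAuthentication); [ -n "$pw" ] || pw=yes
  if [ "$pw" != "no" ]; then
    echo "PasswordAuthentication is $pw, expected no"; rc=1
  fi
  pk=$(sshd_opt "$cfg" PubkeyAuthentication); [ -n "$pk" ] || pk=yes
  if [ "$pk" != "yes" ]; then
    echo "PubkeyAuthentication is $pk, expected yes"; rc=1
  fi
  return $rc
}

# Usage on a live host: audit_sshd "$(cat /etc/ssh/sshd_config)" 443
```

On a real box, pair the audit with `sshd -T` (which prints the effective configuration) so that included files and Match blocks are covered too.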

