The sys admin's daily grind: Httptunnel
Pierced Walls
Just a couple of hours after completing this article, Charly headed off on vacation. Before he left, he indulged in a spot of piercing to help him work around the paranoid firewalls waiting for him in the Internet cafes at his holiday location.
As a country boy, the first time I saw body piercing was in the nose of my grandfather's prize bull, long before people started to disfigure their faces and secondary sexual organs with bits of metal. Firewall piercing – setup tricks that route arbitrary TCP traffic through an existing hole such as HTTP(S) – started to become popular in the epoch between rings in bulls' noses and perforated humans, or about the time SUSE 5.3 was released.
Httptunnel [1], which I will be using on vacation, dates back to the same period. Although today, admins could replace the tool with just a couple of iptables lines, it has always been more user friendly, and it is available out of the box with most distributions.
A journey of approximately 12 hours will take me to Occitania [2], an area full of friendly people, beautiful landscapes, and Internet cafes, in which network access means strictly HTTP. Unfortunately, I was planning to publish the events of the international jellyfish-throwing contest, which is held in Occitania on IRC; in other words, I need SSH.
Httptunnel comprises the client and its target. The client, HTC, listens on any port; it will have to be a port above 1024 if you only have normal user privileges. The client encapsulates incoming connections in HTTP and sends them to its target, a port supported by the firewall. If you want to try this with port 443, the command line is:
htc -w -F 4711 kintyre.kuehnast.com:443
When you try this out, it makes sense to set the -w parameter, which keeps the process from running in the background as a daemon. As soon as I get everything working, I'll leave out this parameter. The -F stands for "Forward," and it is followed by the source and target for forwarding. Because the source is a port on my localhost, there is no need to specify a hostname, just a port. The target can be an IP address or a hostname, as shown in the example.
Back to Front
The whole thing needs to be back to front on the server. The HTS server component accepts incoming connections on port 443, strips off the HTTP layer, and passes them on to the configured target port. In the example here, this is port 22; after all, I need an SSH login:
hts -w -F localhost:22 443
Although this might not seem logical, I need to configure the target port 22 first, followed by the port that HTS uses to listen for incoming connections. To try it out, I'll open an SSH connection for localhost, port 4711:
ssh -p 4711 charly@localhost
Now I can log in to the server (Figure 1). Before you start to protest, the jellyfish-throwing contest was just a joke, but now that the vintners in Languedoc have stopped producing industrial alcohol and starting making really good wines, I'm sure you will all be really jealous.
Infos
- Httptunnel: http://www.nocrew.org/software/httptunnel.html
- Occitania: http://en.wikipedia.org/wiki/Occitania
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs