University Firewalls and Proxies – FIXED

Yeap, I now have fully functional censor-free internet, and it wasn’t such a complicated procedure in the end.

The only things I needed were a Linux web server whose IP address I could track (using a DynDNS service or a static IP), the Squid proxy software running on that server, and a reliable SSH client (I use PuTTY) if you are running Windows. If you’re on Linux, you’re in luck: an SSH client comes out of the box.

How did I do it? Implemented, not academic? Keep reading.

First, I will explain in the abstract how the whole system works, to give a general idea of computer networks in general.

The image below describes a typical corporate network in the abstract. There are many PCs connected together, and whatever internet requests and responses they send get filtered by the corporate router, which may be one computer or a set of computers. Getting filtered means that there is probably a firewall operating and that some addresses may be blacklisted for various reasons.

A typical corporate intranet may also have bridges, repeaters, switches etc., but the network logic stays pretty much the same: you need a gateway to send and receive data from the internet. It doesn’t change much if your network is so big that it has a computer cluster running the firewall software, a DNS name server or a router.

usual corporate network image


So, as can be seen clearly in the picture, when I request data from an address that has been blacklisted, I won’t get a response. Or I’ll receive a response saying that this address is blacklisted, blah blah blah.

That’s not the most annoying thing.

The most annoying thing is that even addresses which are not blacklisted but use SSL on port 443 (banks, Facebook, Twitter, Gmail, Google search, everything that must be protected from eavesdropping) sometimes cause network bottlenecks (you can guess why) and, worse, sometimes firewalls don’t let the SSL negotiation happen gracefully (poorly tuned, etc.).

So, you think you have internet, but actually, you simply don’t.

You sit there praying that you can use Google search to read some documentation about something you are developing, trying to log in to your favourite sky-diving forum (?) and doing a lot of other useless internet procrastination.

I found myself there and thought,

if I am to waste my time on the internet, I will do it properly.

Now, this is how the problem is actually solved. What you must do is use a proxy server. The best practice is to connect to that server securely (an SSH tunnel in this case; SSL is feasible too, using stunnel). That way no one will be aware that you are using a proxy, as it will not be detected.

Because I do a lot of internet banking and I just don’t trust anyone, I prefer it to be that way.

(That also goes for network administrators with fancy packet-filtering tools such as Wireshark. Just try it one day and you will be amazed how easy it can be to eavesdrop on passwords and other sensitive information. You should always bear in mind, though, that it is illegal.)

So, enough chit-chat. Just connect to your server via SSH and install Squid. That can be done by simply typing:

sudo apt-get install squid

It’s a good idea to protect your original Squid configuration file, so:

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
sudo chmod a-w /etc/squid/squid.conf.original

I am running squid3, so for me the path is /etc/squid3 etc.

Using a terminal editor (nano is the easiest), make some small changes to your configuration file.

sudo nano /etc/squid/squid.conf

Squid’s default configuration file is pretty strict, so we will leave it that way. Just change the HTTP port, so it’s not obvious that it is a proxy (3128 is the default).

http_port 8888

Remember to restart squid after your configuration file changes.

sudo service squid restart

(or service squid3, depending on your version)
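As an added example (not the post’s own configuration), here is a squid.conf fragment showing the listener above beside a hardened one; it assumes Squid 3.x syntax, a hypothetical ACL name loopback, and that the browser reaches the proxy through an SSH port forward to the server’s loopback rather than over the public interface.

```conf
# Added example: harden the squid listener so the proxy is only reachable
# through the SSH tunnel, never directly from the internet.

# Weak: listens on every interface of the public server. Only the default
# ACLs stand between a port scan of the server and an open proxy.
#http_port 8888

# Hardened: bind to loopback only. Remote hosts cannot even see the
# listener; the SSH port forward terminates on 127.0.0.1 and reaches it.
http_port 127.0.0.1:8888

# "loopback" is an ACL name chosen for this example. Allow only clients
# on the box itself (i.e. traffic arriving via the tunnel), refuse the rest.
acl loopback src 127.0.0.1/32 ::1
http_access allow loopback
http_access deny all

# Do not announce the proxy or the real client address to origin servers.
via off
forwarded_for delete

# Keep the access log on so any unexpected client shows up in the audit trail.
access_log /var/log/squid/access.log squid
```

After restarting, `ss -ltn` (or `netstat -ltn`) on the server should show port 8888 bound to 127.0.0.1 only, not 0.0.0.0.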

Now that our proxy server is up and running, we’ll just create a nice SSH tunnel so all of our data can be encrypted, compressed and circulate freely around the network. What we are going to do is abstractly described in the picture below.

my hack picture
My hack – workaround to the issue. SSH tunneling encrypts, compresses and lets my data circulate freely across the network.

Ok, just open a terminal and type:

ssh -D 8888 -C user@mydomain.com

Replace 8888 with the port number you chose as the proxy port, user with your username and mydomain.com with the server’s address.

Then go to network settings and make sure it looks like this:

network settings image
This screenshot is from an Ubuntu machine

You can now thank me for helping you procrastinate on the internet more conveniently…

You can also visit whatismyip.com to make sure your proxy server isn’t detected.
