Andrius Kairiukstis's Blog

How to install software on firewalled server

Dec 27, 2018
2 minute read

This post outlines a method for installing software on a server with outbound firewall restrictions by using a reverse SSH proxy.

Quick Summary:

  1. Create a local SOCKS proxy: On your local machine, run ssh -D 51010 localhost. This creates a dynamic SOCKS proxy.
  2. Forward the proxy to the remote server: SSH to the firewalled server using ssh -R 51010:127.0.0.1:51010 firewalled-server. This forwards your local SOCKS proxy to the remote machine, effectively creating a “poor man’s VPN.”
  3. Install software via the proxy: Use a tool like proxychains or configure apt.conf to route traffic through the forwarded proxy.

Preparation Steps

  1. On your local (host) machine, open a terminal and establish a dynamic SOCKS proxy:
  ssh -D 51010 localhost
  1. In a new terminal tab on your local machine, SSH to the firewalled server, forwarding the local proxy port 1:
  ssh -R 51010:127.0.0.1:51010 firewalled-server

  • Check that everything works fine (I assume that curl is already installed):

    ALL_PROXY="socks5://127.0.0.1:51010" curl ifconfig.co
ALL_PROXY="socks5h://127.0.0.1:51010" curl ifconfig.co

    If both commands fail, check the sshd settings on the firewalled server (e.g., ensure AllowTcpForwarding is enabled). If only the first command (using socks5://) fails while the second (using socks5h://) succeeds, it indicates that DNS resolution is also likely firewalled, and socks5h (which proxies DNS requests) is necessary 2.

You are now almost ready to install packages.

Installing Packages

Two primary options are available:

  1. Using proxychains to “socksify” apt-get 3:
  proxychains4 -q -f /home/user/.proxychains/proxychains.conf apt-get -yqq install ngrep sngrep

*(Note: The `apt-get` command should typically be part of the `proxychains4` execution line, or `proxychains4` should be configured to automatically wrap subsequent commands if run interactively.)*

  1. Configuring apt to use the SOCKS proxy via apt.conf 4:

    Create or update the proxy setting in /etc/apt/apt.conf or a file in /etc/apt/apt.conf.d/:

  echo 'Acquire::socks::Proxy "socks5h://127.0.0.1:51010/";' \
    >> /etc/apt/apt.conf

Then, install packages as usual with `apt-get`:

  apt-get -yqq install ngrep sngrep

(Remember to comment out or remove the proxy directive in `apt.conf` after the installation is complete.)

  1. For possible issues with ssh -R, see: Server Fault: SSH remote port forwarding failed

  2. For issues with curl and DNS resolution via proxy, check: Unix Stack Exchange: curl & SOCKS proxy DNS resolution

  3. To get proxychains on the remote host if it’s not installed: proxychains4 has few dependencies (see Debian packages for proxychains4). If direct installation isn’t possible, you might need to scp the necessary .deb files (and their dependencies) and install them manually using dpkg -i

  4. For more apt.conf proxy options, see: Ask Ubuntu: Syntax for SOCKS proxy in apt.conf