Wednesday, August 25, 2010

irssi behind proxy (via ssh port forwarding)

A Problem
To get natty technical questions answered, sometimes you hafta go to the source and drop a line to the mavens on IRC (Internet Relay Chat). But IRC uses a specific port (6667) denied by the average corporate firewall. Unfortunately, I could not get irssi functioning through my http proxy at work. What to do? SSH tunneling and port forwarding to the rescue!
ssh -p 443 -L user@homemachine

But what the heck is all that stuff? I will explain.

The Solution
Like most companies, my company allows port 443 traffic through their firewall. I decided to use this open access to create a secure tunnel from my workstation in the office to a machine in my home network that has a running SSH server. I then use a very nice feature of SSH to forward traffic through the tunnel to my machine at home and onto a specific server out in the internet. This *should* be as easy as 1 - 2 - 3 (shown below), though to me, it's a bit mindbending. Read on..

1 - Configure the Home Router/Firewall
In order to get the above solution working, I needed to configure my home firewall to forward requests for port 443 to the SSH server (port 22) at home. Most home routers/firewalls have the ability to setup this hardware-based port forwarding.

2 - SSH Tunnel and Forward
After making sure that the port forwarding described in Step 1 is setup, I then use SSH on my machine at work to:
1) create a secure tunnel to my home machine over port 443 (ssh -p 443 user@homemachine)
2) create a listener on my local machine on port 1234 (-L 1234:)
3) forward requests to a specific IRC server on a specific port via that secure tunnel. In this case, port 6667 on , like so (

The whole shebang is efficiently handled with that one ssh command string:
ssh -p 443 -L user@homemachine

On the host at work
After making sure Step 1 was completed, I received a "Password:" prompt after hitting "enter" on the above SSH command line:
$ ssh -p 443 -L user@homemachine
Last login: Wed Aug 25 11:20:09 2010 from

Now that I'm properly authenticated, I checked to see that the local machine is listening on port 1234. I did this by opening a second command prompt on the machine at work and looking at the output of "netstat -na":
$ netstat -na grep LISTEN

SSH has opened that local port and will forward traffic bound for it to the remote SSH server. But I'm not done yet. IRSSI needs to point to that local port in order to use my home machine to connect to the IRC server. Much like a frog uses one lily pad to hop to another.

3 - IRSSI config change
To point IRSSI to utilize that SSH tunnel, I made two minor tweaks to IRSSI's configuration: proxy_address and proxy_port via the /SET command:
[(status)] /set proxy_address
[(status)] /set proxy_port 1234
[(status)] /set use_proxy ON

[(status)] /set 
15:33 [proxy]
15:33 proxy_address =
15:33 [proxy]
15:33 proxy_port = 1234
15:33 [proxy]
15:33 use_proxy = ON

Note the localhost IP address in "proxy_address" and, of course, the appropriate port that I've opened.

With these tweaks in place and the secure tunnel created, I can then startup IRSSI and successfully connect to the IRC node via the local port, 1234:
11:35 -!- Irssi: Looking up
11:35 -!- Irssi: Connecting to [] port 6667
11:35 -!- Irssi: Connection to established
11:35 ! *** Looking up your hostname...
11:35 ! *** Checking Ident
11:35 ! *** Found your hostname
11:35 ! *** No Ident response
11:35 -!- You have not registered
11:35 -!- Welcome to the freenode Internet Relay Chat Network user
11:35 -!- Your host is[], running version ircd-seven-1.0.0
11:35 -!- This server was created Sat Jan 30 2010 at 01:13:47 CET
11:35 -!- Highest connection count: 6923 (6922 clients) (3140303 connections received)
11:35 -!- - Message of the Day -
11:35 -!- - Welcome to in Norway, EU! Thanks to
11:35 -!- - SSC Networks ( for sponsoring this server!


In the fashion of port forwarding, SSH works its magic to create a listener on the local machine, forward the packets destined for it through an SSH tunnel to my home server and onto somewhere else. In my case, I use my machine at home to forward my IRC requests onto Very cool! Don't forget this same port forwarding feature of SSH can be applied to other TCP applications, such as VLC running on that same remote machine:
ssh -p 443 -L 1234:localhost:5900 user@homemachine

Have a good one,


No comments:

Feel free to drop me a line or ask me a question.