The underlying logic of penetrating firewalls: how proxy IPs work with SSH
Enterprise firewalls usually restrict outbound requests on specific ports, but it is more common to open the SSH port (22) for remote management. Taking advantage of this feature, we can use theproxy IPCreate encrypted tunnels to disguise other protocol traffic as SSH communications. This solution maintains compliance with network activities while enabling access to specific business systems.
Method 1: Local port forwarding in practice
Scenario: need to access the intranet database from outside (assuming running at 192.168.1.100:3306)
Operational Steps:
1. Obtain the address of a high stash proxy server (e.g. 45.76.123.88:30001) via ipipgo.
2. Local execution of orders:
ssh -L local port:destination address:destination port proxy username@proxy IP
Example: ssh -L 3307:192.168.1.100:3306 user@45.76.123.88 -p 30001
3. When the local database tool connects to 127.0.0.1:3307, the traffic will be forwarded to the intranet database through a proxy server
Method 2: Dynamic port forwarding scheme
Scenario: need to access multiple services on different ports on the intranet
Operational Steps:
1. Selection of ipipgo proxy nodes that support the SOCKS5 protocol
2. Local execution of orders:
ssh -D local listening port proxy username@proxy IP
Example: ssh -D 1080 user@45.76.123.88 -p 30001
3. Configure the browser/application proxy setting to SOCKS5://127.0.0.1:1080
4. All traffic is forwarded through the SSH tunnel via a proxy server
| comparison dimension | local port forwarding | dynamic port forwarding |
|---|---|---|
| Applicable Scenarios | Fixed Port Service | Multiport Mixed Access |
| Configuration complexity | Needs to be configured on a case-by-case basis | One-time global configuration |
| Depletion of resources | relatively low | high |
Frequently Asked Questions
Q: Why is the access slow after connection?
A: It is recommended to change the geographic location of the ipipgo proxy node and choose a node with a latency lower than 150ms. Dynamic forwarding is recommended to use residential proxies instead of data center proxies.
Q: How do I ensure connection stability?
A: The long-time static residential IP provided by ipipgo, together with the TCPKeepAlive parameter setting of SSH, can maintain a non-stop connection for more than 8 hours.
Q: What if I need to use both methods?
A: This can be realized by opening multiple SSH sessions. It is recommended to use different proxy nodes for different forwarding methods to avoid single point of failure.
Points for choosing agency services
The key to successful SSH tunneling implementation lies in three features of the proxy service:
1. protocol integrity: ipipgo supports SSH/SOCKS5 full stack
2. IP purity: Residential IPs are less likely to be flagged as risky nodes by firewalls
3. port diversity: Provide non-standard port access capability (e.g., 30001-30050)
By rationalizing ipipgo'sStatic Residential IPtogether withDynamic IP rotationIt can meet the long-term stable operation and maintenance requirements, as well as cope with special scenarios that require frequent changes of export IP. The node resources covering 240 countries are especially suitable for the distributed network architecture of multinational enterprises.
English 
简体中文 
Español 
Deutsch 
Français