[Sussex] IPTables - is this possible?

Richie Jarvis richie at helkit.com
Thu Mar 22 15:38:24 UTC 2007


Matthew Macdonald-Wallace wrote:
> On Wed, 2007-03-21 at 21:45 +0000, Steve Dobbo Dobson wrote:
>   
>> Matt
>>     
>>> Can anyone advise if this is possible?
>>>       
>> Sounds it to me on the limited information given.
>>     
>
> OK, basically there is a firewall in a location at which I often use my
> laptop that blocks and closely monitors traffic that goes out over
> anything except http/https/imap/pop3/smtp.
>
> I want to set my server up at home so that it is running https, http,
> ssh and a few other services (mail, database etc).  What I want to be
> able to do is ssh to port 443 (the default for https) _AND_ be able to
> access https sites via the same address.  The best example of this is as
> follows:
>
> The firewall has port 443 ready to accept inbound traffic
> The server has https configured on port 443 and ssh on port 22
> From my laptop, I ssh to the firewall port 443 which recognises the
> packet as ssh and forwards it to port 22 of the server.
> I then open a mozilla session on my laptop and connect to port 443 of
> the firewall which recognises the traffic as https and redirects to port
> 443 of the server.
>
> I understand about natted traffic and the like, what I want to do is
> have a number of services appearing to run on the same port.
>
> Can it be done?
>
> Matt.
>   
If your HTTPS app is not for public consumption, why not use SSH tunnels 
as a way to get through?  Move the HTTPS traffic onto a different unused 
port (say 4430), and run SSH on port 443 - then connect via SSH to port 
443, and set up a tunnel to port 4430 (4430:localhost:4430) - then 
whenever you connect to your SSH server, you can go to 
https://localhost:4430, and you will hit your webserver.  Of course, 
there is then no need to run HTTPS, as it will be double encrypted, 
but hopefully you get the idea :)

SSH is beautiful like this, in that you can run as many tunnels as you 
like, and it all goes via one (un-tcpdump-able) port.  For example, 
today I have been onsite at HP in Grenoble - they only allow web via 
their (monitored) proxy, but they do allow SSH (muppets ;) ), so I SSH'd 
to my box, which is running squid behind my firewall, and used that to 
access the internet without them being able to see a thing!

Hope that helps,

Richie
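
The tunnel Richie describes, written out as an added example (this is
not code from the post or from either poster).  It assumes hypothetical
names - a home box home.example.org whose sshd answers on 443, user
matt - with the web server moved to 4430 and squid on 3128 behind it.
It goes one step beyond the post by carrying both the HTTPS port and the
squid proxy over the same SSH session, and by checking each forward spec
before it is handed to ssh:

```shell
#!/bin/sh
# Added example, not code from the list post.  Host and user names are
# hypothetical; edit them for your own box.
set -u

SSH_HOST="home.example.org"   # hypothetical: the home firewall/server
SSH_PORT="443"                # sshd reachable on the "https" port
SSH_USER="matt"               # hypothetical login name

# On the home box, sshd can keep answering on 22 for the LAN as well as
# on 443 for the outside world; sshd_config accepts repeated Port lines:
#   Port 22
#   Port 443

# Validate one forward spec of the form LOCALPORT:HOST:REMOTEPORT.
# Returns 0 when well-formed and both ports are in 1-65535, 1 otherwise.
valid_forward() {
    spec=$1
    case $spec in
        *:*:*) ;;
        *) return 1 ;;
    esac
    lport=${spec%%:*}
    rest=${spec#*:}
    host=${rest%%:*}
    rport=${rest#*:}
    [ -n "$host" ] || return 1
    case $rport in *:*) return 1 ;; esac      # too many fields
    for p in "$lport" "$rport"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;          # not a decimal number
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# Build the ssh command line: -N (no remote shell), -f (background once
# authenticated), and one -L per service.  HOST in each spec is resolved
# from the SSH server's side, so "localhost" means the home box itself.
# -L binds the local listener to loopback only unless GatewayPorts is set,
# so nothing is exposed to the LAN the laptop happens to be on.
tunnel_cmd() {
    for spec in "$@"; do
        valid_forward "$spec" || { echo "bad forward spec: $spec" >&2; return 1; }
    done
    cmd="ssh -N -f -p $SSH_PORT"
    for spec in "$@"; do
        cmd="$cmd -L $spec"
    done
    printf '%s\n' "$cmd $SSH_USER@$SSH_HOST"
}

# The two services from the thread: HTTPS moved to 4430, squid on 3128.
HTTPS_FWD="4430:localhost:4430"
PROXY_FWD="3128:localhost:3128"

# Print the command to run from the laptop.  Once it is up:
#   browse to https://localhost:4430 for the web server, and
#   export http_proxy=http://localhost:3128 to send general web via squid.
tunnel_cmd "$HTTPS_FWD" "$PROXY_FWD"
```

Two things worth knowing before relying on this.  The forwarded
listeners sit on 127.0.0.1, so anything on the laptop can reach them;
that is the point, but it also means a local proxy setting leaks every
request through the home box.  And while the tunnel contents are
encrypted, the SSH protocol identification string ("SSH-2.0-...") is
exchanged in clear before key exchange, so a firewall that inspects
payloads rather than just port numbers can still tell that the session
on 443 is SSH rather than HTTPS.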