[Sussex] IPTables - is this possible?

Oli oli at 3ait.co.uk
Thu Mar 22 15:59:31 UTC 2007



Richie Jarvis wrote:
> Matthew Macdonald-Wallace wrote:
>> On Wed, 2007-03-21 at 21:45 +0000, Steve Dobbo Dobson wrote:
>>  
>>> Matt
>>>    
>>>> Can anyone advise if this is possible?
>>>>       
>>> Sounds it to me on the limited information given.
>>>     
>>
>> OK, basically there is a firewall in a location at which I often use my
>> laptop that blocks and closely monitors traffic that goes out over
>> anything except http/https/imap/pop3/smtp.
>>
>> I want to set my server up at home so that it is running https, http,
>> ssh and a few other services (mail, database etc).  What I want to be
>> able to do is ssh to port 443 (the default for https) _AND_ be able to
>> access https sites via the same address.  The best example of this is as
>> follows:
>>
>> The firewall has port 443 ready to accept inbound traffic
>> The server has https configured on port 443 and ssh on port 22
>> From my laptop, I ssh to the firewall port 443 which recognises the
>> packet as ssh and forwards it to port 22 of the server.
>> I then open a mozilla session on my laptop and connect to port 443 of
>> the firewall which recognises the traffic as https and redirects to port
>> 443 of the server.
>>
>> I understand about natted traffic and the like, what I want to do is
>> have a number of services appearing to run on the same port.
>>
>> Can it be done?
>>
>> Matt.
>>   
> If your HTTPS app is not for public consumption, why not use SSH tunnels
> as a way to get through?  Move the HTTPS traffic onto a different unused
> port (say 4430), and run SSH on port 443 - then connect via SSH to port
> 443, and setup a tunnel to port 4430 (4430:localhost:4430) - then
> whenever you connect to your SSH server, you can go to
> https://localhost:4430, and you will hit your webserver.  Of course,
> there is then no need to run HTTPS, as it will be double encrypted,
> but hopefully you get the idea :)
> 
> SSH is beautiful like this, in that you can run as many tunnels as you
> like, and it all goes via one (un-tcpdump-able) port.  For example,
> today I have been onsite @ HP in Grenoble - they only allow web via
> their (monitored) proxy, but they do allow SSH (muppets ;) ), so I SSH'd
> to my box, which is running squid behind my firewall, and used that to
> access the internet without them being able to see a thing!
> 
> Hope that helps,
> 
> Richie


You might still have a few problems if there is a web proxy in the way
of port 443.  What you can do though is tunnel the SSH connection over
SSL with this cunning script:
http://marc.info/?l=secure-shell&m=92575140832635&w=2

I'm not entirely sure what you need to run on your home machine to
accept these connections and unbundle the SSH (If anything?) - I've only
ever used it for Sourceforge.  The nice guys there have this all set up :-)

HTH

-Oli


-- 
Oli Comber
Systems Developer
3aIT Limited - Official Corporate Sponsor of the British Bobsleigh Team

4-10 Barttelot Rd   Horsham   West Sussex   RH12 1DQ
M: +44 (0)77255 82405   T: +44 (0)870 881 5097   F: +44 (0)870 116 0793

3aIT Limited is a company registered in England and Wales.
CoReg: 3866698   VATReg: 771388600


Visit www.3aIT.co.uk for Design, Systems, Support
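Matt's original question (one port that looks like HTTPS from the outside but carries both SSH and HTTPS) can be answered without an SSH tunnel at all, by peeking at the first bytes each client sends and handing the connection to sshd or to the web server accordingly; this is what the sslh program does. The following is an added example, not code from the thread: a small asyncio demultiplexer in Python. The backend addresses (sshd on 127.0.0.1:22, the HTTPS server moved to 4430, plain HTTP on 8080), the 2-second peek timeout and the 16-byte peek size are assumptions for the example.

```python
"""Demultiplex SSH and HTTPS on one listening port by peeking at the
client's first bytes.

Both protocols are client-speaks-first, which is what makes this work:
an SSH client opens with its identification string ("SSH-2.0-...") and a
TLS client opens with a ClientHello record whose first byte is the
handshake content type 0x16, followed by the version major byte 0x03.
"""
import asyncio

# Assumed backends for the example: sshd on 22, the HTTPS server moved to
# 4430 and a plain-HTTP server on 8080.  Any reachable host:port will do.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 4430),
    "http": ("127.0.0.1", 8080),
}
# Some SSH clients wait for the server's identification string before
# sending their own; a TLS client never waits.  So a silent client is SSH.
SILENT_DEFAULT = "ssh"
PEEK_TIMEOUT = 2.0       # seconds to wait for the opening bytes (assumed)
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify(head: bytes) -> str:
    """Name the protocol from the opening bytes: ssh, tls, http or unknown."""
    if head.startswith(b"SSH-"):
        return "ssh"
    # TLS record layer: content type 0x16 (handshake), version 0x03.xx.
    # Obsolete SSLv2-style hellos (0x80 ...) are deliberately left unknown.
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03:
        return "tls"
    if head.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def route(head: bytes):
    """Decide where a connection goes: a BACKENDS key, or None to drop it."""
    proto = classify(head)
    if proto != "unknown":
        return proto
    # Silent client: fall back to SSH.  A client that spoke something we
    # do not recognise is dropped rather than guessed at.
    return SILENT_DEFAULT if not head else None


async def pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while data := await src.read(65536):
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()


async def handle(client_r: asyncio.StreamReader,
                 client_w: asyncio.StreamWriter) -> None:
    try:
        head = await asyncio.wait_for(client_r.read(16), PEEK_TIMEOUT)
    except asyncio.TimeoutError:
        head = b""
    proto = route(head)
    if proto is None:
        client_w.close()
        return
    host, port = BACKENDS[proto]
    try:
        backend_r, backend_w = await asyncio.open_connection(host, port)
    except OSError:
        client_w.close()
        return
    backend_w.write(head)    # replay the peeked bytes so the backend sees them
    await backend_w.drain()
    await asyncio.gather(pump(client_r, backend_w), pump(backend_r, client_w),
                         return_exceptions=True)


async def serve(listen_port: int = 443) -> None:
    server = await asyncio.start_server(handle, "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Two caveats a practitioner would want. First, the SSH identification string crosses the wire in clear text, so a proxy that actually inspects port 443 will see that the session is not TLS; the demultiplexer only gets past a filter that matches on port number, which is why wrapping SSH in SSL comes up later in the thread. Second, the silent-client default is SSH rather than TLS because some SSH clients wait for the server's identification string before sending their own, whereas a TLS client always sends its ClientHello first.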

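As an added example that is not part of the thread, covering Oli's point about a web proxy sitting in front of port 443: a ProxyCommand for OpenSSH, written in Python, that asks the proxy for a CONNECT tunnel to the home server and then shovels bytes between ssh and the tunnel. With --tls it also wraps the SSH stream in TLS, so the proxy only ever sees a TLS session to port 443; in that case the home end needs a TLS terminator such as stunnel in front of sshd, which is the "unbundling" step Oli was unsure about. The proxy address, the host names, the script name connect_proxy.py and the PROXY_AUTH environment variable are placeholders assumed for the example.

```python
"""OpenSSH ProxyCommand: reach port 443 at home through an HTTP proxy that
allows CONNECT, optionally wrapping the SSH stream in TLS so the proxy only
ever sees what looks like an HTTPS session.

Usage (proxy address and host names are placeholders):
  ssh -o ProxyCommand='python3 connect_proxy.py proxy.example.org:3128 %h %p' \
      -p 443 user@home.example.org
With --tls the home end must terminate TLS in front of sshd (stunnel does
this); without it the SSH identification string crosses the proxy in clear.
"""
import base64
import os
import socket
import ssl
import sys
import threading


def build_connect_request(host, port, auth=None):
    """CONNECT request for host:port; auth is 'user:pass' for Basic, or None."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if auth:
        token = base64.b64encode(auth.encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_response(data):
    """Return (status, bytes after the header block), or None if the header
    block has not fully arrived yet.  Raises ValueError on a non-HTTP reply."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    status_line = data[:end].split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), data[end + 4:]


def open_tunnel(proxy, host, port, auth=None, use_tls=False):
    """Open the CONNECT tunnel; return (socket, bytes already past the header)."""
    phost, pport = proxy.rsplit(":", 1)
    sock = socket.create_connection((phost, int(pport)), timeout=30)
    sock.sendall(build_connect_request(host, port, auth))
    buf = b""
    while True:                       # read until the header block is complete
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
        reply = parse_connect_response(buf)
        if reply is not None:
            break
    status, leftover = reply
    if status != 200:
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    sock.settimeout(None)
    if use_tls:
        if leftover:                  # the TLS server speaks second, never first
            raise ConnectionError("unexpected bytes before TLS handshake")
        ctx = ssl.create_default_context()   # verifies the home end's certificate
        sock = ctx.wrap_socket(sock, server_hostname=host)
    return sock, leftover


def relay(sock):
    """Shovel stdin -> socket and socket -> stdout until either side ends."""
    def upstream():
        try:
            while chunk := sys.stdin.buffer.read1(65536):
                sock.sendall(chunk)
        except OSError:
            pass
        # Half-close so the far end sees EOF; SSLSocket.shutdown would drop
        # the TLS state under the reading thread, so only do it for plain TCP.
        if not isinstance(sock, ssl.SSLSocket):
            try:
                sock.shutdown(socket.SHUT_WR)
            except OSError:
                pass
    threading.Thread(target=upstream, daemon=True).start()
    try:
        while chunk := sock.recv(65536):
            sys.stdout.buffer.write(chunk)
            sys.stdout.buffer.flush()
    except OSError:
        pass


def main(argv):
    use_tls = "--tls" in argv
    args = [a for a in argv if a != "--tls"]
    if len(args) != 3:
        sys.exit("usage: connect_proxy.py [--tls] proxyhost:port host port")
    # PROXY_AUTH is an assumed environment variable holding "user:pass".
    sock, leftover = open_tunnel(args[0], args[1], int(args[2]),
                                 auth=os.environ.get("PROXY_AUTH"), use_tls=use_tls)
    if leftover:
        sys.stdout.buffer.write(leftover)
        sys.stdout.buffer.flush()
    relay(sock)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Note that SSH wrapped in TLS is indistinguishable from HTTPS on the wire, by design, so the home end cannot tell the two apart until it has terminated TLS; in practice that means either dedicating the port to SSH-over-TLS or having the TLS terminator route on the SNI name. A proxy that only permits CONNECT to port 443 is satisfied either way.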



