Seemingly obscure port forwarding problem

Post by jt ol » Fri, 11 Oct 2002 23:47:15



Here's my situation.
I have a potential Mandrake 9.0 Linux Server running behind a
firewall.
It's potential because of just that, for quite a few reasons I am
unable to open ports through the firewall to it.
I can, however, use it to connect to any number of computers outside
the firewall (for example, my computer at my house using ssh).
Here's what I would like to do. I want to be able to, for example,
type in the url of my house computer in some web browser somewhere,
with port 8080, say, and have it forward that connection to the
computer behind the firewall that it is connected to.
Usually, I would just use ssh -R, but the computer I'm trying to
forward connections to doesn't have an open domain name or port to the
outside world, so I can't give ssh a hostname or hostport to forward
to.
There has to be a way to do this.
Does anybody have any ideas?

Post by scot » Sat, 12 Oct 2002 00:40:31



> There has to be a way to do this.
> Does anybody have any ideas?

Sure... I don't know about your distro, but I assume you are using iptables
with kernel version 2.4.18. If not, look up the correct ipchains syntax.

netfilter (the firewall) uses NAT. In other words if I had a computer
inside the network connecting to the internet, the firewall would change
the source address on all outgoing packets to its own address and make it
look like the packets are coming from it. In terms of a server behind the
firewall you need to configure your firewall to change the source and
destination headers to point to the server... You can use DNAT for that...

For this example my internal network is 192.168.1 with the firewall having
the address 192.168.1.1, and on the internet side having the address
1.2.3.4. The server's address is 192.168.1.2.

Make sure forwarding is enabled: "echo 1 > /proc/sys/net/ipv4/ip_forward"

iptables -t nat -I PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.1.2

Yeah... I think that'll work for ya...

Scott


Post by Jonas J Lind » Sat, 12 Oct 2002 01:34:59



> Here's my situation.
> ...
> Usually, I would just use ssh -R, but the computer I'm trying to
> forward connections to doesn't have an open domain name or port to the
> outside world, so I can't give ssh a hostname or hostport to forward
> to.

I think `ssh -R 8080:localhost:80` is what you're looking for. The
hostname doesn't have to be known on the remote side as the port forwarding
in the "-R" case is done on the local side. (Note that the "remote side"
is actually your home computer as the ssh command is run on the computer
behind the firewall.)

This may however not be a good idea as you are effectively creating an
unintended hole in the firewall; but I suppose you've already thought about
that...

/J


Post by /dev/nul » Sat, 12 Oct 2002 12:05:50


> I have a potential Mandrake 9.0 Linux Server running behind a
> firewall.

Please clarify something.  Is the "firewall" the mandrake box, or is it
something else?

Post by jt ol » Mon, 14 Oct 2002 10:31:23



> netfilter (the firewall) uses NAT. In other words if I had a computer
> inside the network connecting to the internet, the firewall would change
> the source address on all outgoing packets to its own address and make it
> look like the packets are coming from it. In terms of a server behind the
> firewall you need to configure your firewall to change the source and
> destination headers to point to the server... You can use DNAT for that...

Well, normally I would do that; in fact, I had already considered
that, but the problem is that I, for quite a few reasons, don't have
access to the firewall itself. So my question is: is there another way?

Post by jt ol » Mon, 14 Oct 2002 10:47:12


> Please clarify something.  Is the "firewall" the mandrake box, or is it
> something else?

Ok, everything clarified...
I have a Mandrake Linux box behind a firewall. I do not have access to
the firewall, so I can't change anything there.
However, I do have a Redhat Linux box that I can log in to and open
ports up on outside the firewall.
The Mandrake Linux box does not have any external ports or an IP.
The Redhat one does.
Now, with this in mind, can I connect to redhatbox:8080 and have that
be redirected to internalmandrakebox:80?
I have physical access to both the Mandrake and Redhat boxes, but no
physical access to the firewall.

Post by /dev/nul » Thu, 17 Oct 2002 03:00:47


> However, I do have a Redhat Linux box that I can log in to and open
> ports up on outside the firewall.

Is the rh box the firewall?  How do you modify the open ports using the rh
box if it's not?

Post by jt ol » Fri, 18 Oct 2002 03:07:28



> Is the rh box the firewall?  How do you modify the open ports using the rh
> box if it's not?

Sorry, I must not be very good at explaining things.
I have 3 computers.
One is in an internal network. It is running Mandrake and has no
external IP address, and nothing can connect to it from the outside.
This is running at my school.
The second computer is the school's firewall. I don't know much about
this machine, except that for lots of reasons, I can't change what
ports are forwarded or opened, or anything.
The third computer is at my house. It is running Redhat, and I can log
into that. It is outside the school's firewall.
What I would like to do is do something like type in
http://redhatbox:8080/ and what I get in my browser is the
mandrakebox's webpage.
Sorry about the confusion. Can I do this?

Post by M. Thom » Fri, 18 Oct 2002 08:46:28


> Sorry, I must not be very good at explaining things.
> I have 3 computers.
> One is in an internal network. It is running Mandrake and has no
> external IP address, and nothing can connect to it from the outside.
> This is running at my school.
> The second computer is the school's firewall. I don't know much about
> this machine, except that for lots of reasons, I can't change what
> ports are forwarded or opened, or anything.
> The third computer is at my house. It is running Redhat, and I can log
> into that. It is outside the school's firewall.
> What I would like to do is do something like type in
> http://redhatbox:8080/ and what I get in my browser is the
> mandrakebox's webpage.
> Sorry about the confusion. Can I do this?

The answer is basically no, unless the school provides for some type
of external access to their systems.  Usually, they set up dialup
access with some kind of security, i.e. password or secureID card, or
they allow access through a VPN connection with additional passwords
or other security measures.

One of the purposes of the firewall is to prevent outside systems from
accessing the internal machines.  Unless your network admin is willing
to reconfigure the firewall to allow a particular system to pass
through, you're out of luck.  Generally, they're not going to want to
create a new, huge, security hole.

You probably should talk to the administrator for the firewall and
find out what options may be available.  They may have networks that
are outside the firewall that can be accessed.  Usually there will be
all sorts of restrictions on hooking a system up to that restricted
network.


Post by Bob Robillar » Sun, 27 Oct 2002 06:14:18



> I have 3 computers.
> One is in an internal network. It is running Mandrake and has no
> external IP address, and nothing can connect to it from the outside.
> This is running at my school.
> The second computer is the school's firewall. I don't know much about
> this machine, except that for lots of reasons, I can't change what
> ports are forwarded or opened, or anything.
> The third computer is at my house. It is running Redhat, and I can log
> into that. It is outside the school's firewall.
> What I would like to do is do something like type in
> http://redhatbox:8080/ and what I get in my browser is the
> mandrakebox's webpage.

What you need is some forwarding software.  You run some
software on redhatbox that listens for a connection
from mandrakebox.  Then you run some software on mandrakebox
that opens a socket to that redhatbox software.  (The firewall
allows connections that direction, no doubt.  You might
have to pick a well-known port number for the connection,
like the FTP or Telnet ports.)

The main job of the software on redhatbox is to accept
HTTP requests from the outside world and forward them
down the socket opened when mandrakebox connected.
The mandrakebox software receives that HTTP request
and forwards it to httpd running on mandrakebox.

You could probably build the redhatbox software as an
Apache module.  The mandrakebox process is probably better
as a standalone piece of software; it connect()s to
redhatbox and recv()s from the connected socket.  Whenever
it gets something, it connect()s and send()s to
localhost:8080, recv()s back from that localhost:8080
socket, and send()s the response back down the redhatbox
socket.  Apache on redhatbox sends the response to the browser.

This would be a fun project.  It's probably also against
your college's official computer use policy.  Kinda like
sharing stolen music files. :-)

Duke
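Bob's design above, and the `ssh -R` in Jonas' reply (which is the ready-made version of the same idea), both rest on the inside box making the outbound connection and the home box relaying browser traffic down it. The following is an added example, not code from the thread: a minimal relay and agent on loopback with a stand-in httpd, using a length-prefixed frame per request (chosen here for simplicity, since Bob's text specifies no framing) and serving one request at a time.

```python
import http.client, http.server, socket, struct, threading

def send_frame(sock, data):  # link framing: 4-byte big-endian length, then payload
    sock.sendall(struct.pack("!I", len(data)) + data)

def recv_frame(rfile):  # rfile = sock.makefile("rb"), kept for the link's lifetime
    hdr = rfile.read(4)
    if len(hdr) < 4: raise ConnectionError("link closed")
    return rfile.read(struct.unpack("!I", hdr)[0])

def _listen():  # loopback only in this demo; port 0 lets the OS pick
    s = socket.socket(); s.bind(("127.0.0.1", 0)); s.listen(5); return s

def start_relay():  # runs on the public box (redhatbox)
    agent_srv, public_srv = _listen(), _listen()
    def serve():
        agent, _ = agent_srv.accept()        # the inside box dials OUT to us first
        rf = agent.makefile("rb")
        while True:
            client, _ = public_srv.accept()  # a browser connection
            with client:                     # one request in flight at a time
                send_frame(agent, client.recv(65536))  # assumes request fits one read
                client.sendall(recv_frame(rf))
    threading.Thread(target=serve, daemon=True).start()
    return agent_srv.getsockname()[1], public_srv.getsockname()[1]

def start_agent(relay_port, httpd_port):  # runs on the inside box (mandrakebox)
    agent = socket.create_connection(("127.0.0.1", relay_port))  # outbound only
    rf = agent.makefile("rb")
    def loop():
        while True:
            req = recv_frame(rf)
            with socket.create_connection(("127.0.0.1", httpd_port)) as h:
                h.sendall(req)
                resp = b"".join(iter(lambda: h.recv(65536), b""))  # read to EOF
            send_frame(agent, resp)
    threading.Thread(target=loop, daemon=True).start()

class _Hello(http.server.BaseHTTPRequestHandler):  # stand-in httpd (constructed)
    def do_GET(self):
        self.send_response(200); self.end_headers(); self.wfile.write(b"hello")
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    httpd = http.server.HTTPServer(("127.0.0.1", 0), _Hello)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    agent_port, public_port = start_relay()
    start_agent(agent_port, httpd.server_port)
    browser = http.client.HTTPConnection("127.0.0.1", public_port)
    browser.request("GET", "/"); return browser.getresponse().read()  # b"hello"
```

Binding the public listener to anything other than loopback is exactly the unintended hole Jonas describes, so a real deployment needs authentication on the agent port and access control on the public one.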
