Old 03-12-2005, 07:54 PM   #1
burnt_toast
iptables port forwarding question


Hi...

I have an internal network at my home as well as at my office. At home, I use an iptables firewall (with masquerading enabled). I want to be able to access one of the machines on my internal home network from my workstation at my office. My work machine is also behind a firewall, but I don't have access to its configuration.

Here is the problem. I know I can create a chain on my home firewall to do port forwarding from all traffic coming from my work firewall. But I want to specifically only allow traffic from my internal work computer to my internal home computer.

Without having access to the configuration of my work firewall, I was wondering if there is a rule I can create on just my home iptables config that will do this?

Thanks
 
Old 03-12-2005, 10:26 PM   #2
Matir
Assuming that your work network performs Network Address Translation (NAT), this is not possible, as an incoming connection from any computer on your work network will have the same IP.

I would recommend using a secure protocol, or performing SSH tunneling.
 
Old 03-13-2005, 08:55 AM   #3
burnt_toast
Quote:
I would recommend using a secure protocol, or performing SSH tunneling.
Could you elaborate? Possibly point me towards some kind of howto or other documentation? What I had actually hoped to do was to do a remote desktop (RDP protocol) into my home Windows machine when I need to. I already have this capability going the other direction (from home to work) as my work network is set up with secure VPN tunneling. However, I would have no clue how to set anything like this up from home.

Since I'm not running Linux on the desktop (only on my router/firewall box) I don't know if this is the proper forum to ask this.
 
Old 03-14-2005, 10:04 PM   #4
Matir
It can still be done. Just google for "ssh tunneling". This way you can find one for both your SSH client and so forth.
 
Old 03-14-2005, 10:26 PM   #5
chbin
I would leave my computer on at home and go to work and ping the sh&t out of my home computer while at work. Then go home and look at the logs and see the work IP address. Take that IP and add a rule in iptables to forward only that IP and port 22 (I think that is what ssh uses) to whatever internal computer on my network I want to connect to. Then go to work and connect.
 
Old 03-15-2005, 07:19 AM   #6
burnt_toast
Well, that was going to be my solution, but then I thought how many people are behind my work firewall. I wanted to allow access from only my work machine... not every machine on my internal work network.
 
Old 03-15-2005, 07:34 AM   #7
fr_laz
Hi,

Since your work machine is NATed, you cannot identify it: that's NOT possible.
Using ssh can involve using a username/password; that should be a good protection.
 
Old 03-15-2005, 07:58 AM   #8
chbin
There is no way to see beyond the gateway at work into the internal network from your home. You have to open it on the gateway IP addresses, i.e. everyone at work. But someone at work would have to try to connect to your home IP in order to know... unlikely. And they still can't log in without a password. Oh, the reason I told you to ping is because they might use more than one gateway; 2 or 3 IPs would have to be forwarded in your iptables then.
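
The source-restricted forwarding described in posts #5 and #8, written out as an added example (not posted by anyone in this thread): it emits one DNAT and FORWARD rule pair per work gateway address. The interface `eth0`, the function names and all addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Addresses are constructed (RFC 5737 / RFC 1918 ranges).
WAN_IF="eth0"   # assumption: the firewall's Internet-facing interface

# is_ipv4 ADDR: succeed only for a dotted-quad address with octets 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_port N: succeed only for an integer in 1..65535.
is_port() {
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_rules PORT INTERNAL_IP INTERNAL_PORT GATEWAY...
# Prints a DNAT rule plus a matching FORWARD accept for each gateway source.
# Connections from any other source are not translated, so they are not
# forwarded to the internal host.
# Assumes the ruleset already accepts ESTABLISHED,RELATED traffic in FORWARD.
forward_rules() {
    port=$1; dest=$2; dport=$3
    [ $# -ge 4 ] || { echo "usage: PORT INTERNAL_IP INTERNAL_PORT GATEWAY..." >&2; return 1; }
    shift 3
    is_port "$port" && is_port "$dport" || { echo "bad port" >&2; return 1; }
    is_ipv4 "$dest" || { echo "bad internal address: $dest" >&2; return 1; }
    for gw in "$@"; do   # validate everything before printing anything
        is_ipv4 "$gw" || { echo "bad gateway address: $gw" >&2; return 1; }
    done
    for gw in "$@"; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -s $gw --dport $port -j DNAT --to-destination $dest:$dport"
        echo "iptables -A FORWARD -i $WAN_IF -p tcp -s $gw -d $dest --dport $dport -m state --state NEW -j ACCEPT"
    done
}

# Two constructed work-gateway addresses, SSH forwarded to one internal host.
forward_rules 22 192.168.1.10 22 203.0.113.5 203.0.113.6
```

The function only prints the commands, so the output can be reviewed before it is run as root on the firewall.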
 
Old 03-15-2005, 08:01 AM   #9
fr_laz
You can also connect through ssh from work to home: next time you log in at home, you'll have the banner "Last login from xxx.xxx.xxx.xxx", unless you've changed the default behaviour of sshd.
 
Old 03-15-2005, 08:26 AM   #10
chbin
Quote:
Originally posted by fr_laz
You can also connect through ssh from work to home: next time you log in at home, you'll have the banner "Last login from xxx.xxx.xxx.xxx", unless you've changed the default behaviour of sshd.
Funny, his question is on how to do that in the first place. If he could do that this post wouldn't exist.
 
  

