LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 12-26-2010, 07:39 PM   #1
paulspinsmash
LQ Newbie
 
Registered: Dec 2010
Posts: 1

Rep: Reputation: 0
IPTABLES rerouting only specific ips to a specific internal pc


Hi,

I'm hoping someone out there will be good at using iptables. Here is my dilemma.

At work, they run a very strict network. So the only way to get out of their network is via port 80 and 443 through their proxy. For example, I tried to ssh to my home network but it didn't allow me to.

Here is my setup. I'm running a Linux router that runs iptables. How can I specify the router to handle my work IPs in a special way? I don't want to change the network I have at home, I want to keep it as is. However, when I try to access my home network (from work) via port 80/443, I want the router to forward or handle it to a specific internal address inside my network that is NOT 80/443. For example, suppose I'm at work and I ssh out to my home via port 80, how can I set it so my router handles that specific IP to an internal address via port 22?

It's a little confusing I know. I'd appreciate any help.


Happy holidays!
Paul
 
Old 12-26-2010, 09:44 PM   #2
alan99
Member
 
Registered: Mar 2010
Distribution: Debian
Posts: 180

Rep: Reputation: 31
PuTTY should let you tunnel through to another network using another port.

Beware! The reason your work place is strict about this is that they don't want to jeopardize their network/data by opening their computers to unknown systems. You may be risking your job if you try to subvert company network security policies.
 
Old 01-04-2011, 12:49 PM   #3
didier.franceus
LQ Newbie
 
Registered: Jan 2011
Location: Europe, Belgium
Distribution: Fedora 14
Posts: 1

Rep: Reputation: 0
I assume your firewall is running Linux; if not, you probably posted this on the wrong website

I had a similar situation some years ago, where I wanted to set up an RDP connection to my home-based PC, which was behind a Linux-FW connecting to the net via ADSL.
Back to your question:

For example, suppose I'm at work and I ssh out to my home via port 80, how can I set it so my router handles that specific ip to an internal address via port 22?
I am assuming your firewall connects to the internet via a modem/router which has its own IP address when connecting to the FW.

FWCARD=eth0
FWIP=192.168.254.253 # IP of your firewall, Internet side
FWMODEM=192.168.254.254

LANCARD=eth1
LANIP=192.168.1.254 # IP of your firewall, LAN side
LANNETWORK=192.168.1.0/24

DESTIP=192.168.1.1 # Host connecting to
DESTPORT=22 # SSH

WORKIP=184.73.199.236 # Your work's public IP (a single host, so no /24 mask)
WORKPORT=80 # Port allowed by work


# Remember to enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Make sure routing is in place
route add -net $LANNETWORK gw $LANIP
route add default gw $FWMODEM

# Rewrite the destination of traffic that arrives from your work IP on the firewall's
# Internet address, port $WORKPORT, so that it goes to the internal host on port $DESTPORT.
# The client's *destination* port is $WORKPORT; its source port is ephemeral, so match --dport.
iptables -t nat -A PREROUTING -p tcp -i $FWCARD -s $WORKIP -d $FWIP --dport $WORKPORT -j DNAT --to-destination $DESTIP:$DESTPORT

# Log the new incoming connections (FORWARD already sees the translated destination):
iptables -A FORWARD -p tcp -i $FWCARD -s $WORKIP -o $LANCARD -d $DESTIP --dport $DESTPORT -m state --state NEW -j LOG --log-level 4 --log-prefix "Incoming SSH from work: "

# Now forward the traffic:
# Incoming (state names are comma-separated, without spaces)
iptables -A FORWARD -p tcp -i $FWCARD -s $WORKIP -o $LANCARD -d $DESTIP --dport $DESTPORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Outgoing (response): replies leave $DESTIP:$DESTPORT towards the work IP; the reverse NAT is applied automatically
iptables -A FORWARD -p tcp -i $LANCARD -s $DESTIP --sport $DESTPORT -o $FWCARD -d $WORKIP -m state --state ESTABLISHED,RELATED -j ACCEPT



I am unable to test this right now... but it should be real close.
 
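The LOG rule in the script above writes one kernel log line per new connection. The following parser, an added example and not code from the post above, turns those lines into fields and reports which sources actually hit the forward rule, so an administrator can confirm that only the intended work IP is using it. It assumes the standard iptables LOG line format and the page's prefix "Incoming SSH from work: "; the log lines are constructed samples (addresses from the post, timestamps and ports invented). Because the rule sits in FORWARD, after PREROUTING DNAT, the logged DST/DPT are the internal host and port 22, not the firewall's port 80.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in the format the iptables LOG target emits.
# Prefix and addresses follow the post; times, IDs and ports are invented. The last
# line carries a different prefix and must be ignored by the parser.
SAMPLE_LOG = """\
Jan  6 21:58:11 fw kernel: [ 8123.401122] Incoming SSH from work: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=184.73.199.236 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  6 21:58:12 fw kernel: [ 8124.113300] Incoming SSH from work: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=184.73.199.236 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  6 21:59:30 fw kernel: [ 8202.009911] Incoming SSH from work: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 22:00:01 fw kernel: [ 8233.500000] Some other rule: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.254.253 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=0 DF PROTO=TCP SPT=443 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LOG_PREFIX = "Incoming SSH from work: "   # the --log-prefix used in the post's LOG rule
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=VALUE tokens such as SRC=..., DPT=...

def parse_log_line(line, prefix=LOG_PREFIX):
    """Return a dict of KEY=VALUE fields for a line carrying `prefix`, else None.
    Bare tokens without '=' (DF, SYN, ACK, ...) are collected under 'FLAGS';
    the syslog timestamp (first 15 characters) is kept under 'TIME'."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    body = line[idx + len(prefix):]
    fields = dict(FIELD_RE.findall(body))
    fields["FLAGS"] = sorted(tok for tok in body.split() if "=" not in tok)
    fields["TIME"] = line[:15]
    return fields

def summarize(log_text, expected_src, prefix=LOG_PREFIX):
    """Count logged new connections per source IP and list every hit whose
    source is not the expected work IP (time, source, translated dport)."""
    per_src = Counter()
    unexpected = []
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        per_src[f["SRC"]] += 1
        if f["SRC"] != expected_src:
            unexpected.append((f["TIME"], f["SRC"], f.get("DPT")))
    return per_src, unexpected

if __name__ == "__main__":
    counts, odd = summarize(SAMPLE_LOG, "184.73.199.236")
    print(dict(counts))
    for when, src, dport in odd:
        print(f"unexpected source {src} hit the forward rule at {when} (dport {dport})")
```

With the rules as posted (`-s $WORKIP` on the DNAT and FORWARD lines) a foreign source such as the third line should never be logged at all; seeing one means the source restriction was dropped or widened.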
Old 01-06-2011, 09:59 PM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
The problem isn't confusing, but the intent is against LQ rules:
Posts containing information about cracking, piracy, warez, fraud or any topic that could be damaging to either LinuxQuestions.org or any third party will be immediately removed.

As alan99 stated "they don't want to jeopardize their network/data by opening their computers to unknown systems".

Also if your workplace has an IT department, they probably will be able to detect that the traffic on port 80 is encrypted noise, and trace it to your work computer and your home IP address.

I'm closing this thread and may decide to delete it later. Since one might do the same thing to move an open ssh port, or to use different port numbers and forward them to different hosts on the LAN, I'm leaving the post visible for now at least.
 