Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I have quite a stupid problem at my school - the administrator decided that allowing anything encrypted would be against the 'security policy' and allows outgoing traffic only on port 80 (HTTP).
Of course, it has many drawbacks: you cannot connect to secured web pages (443, HTTPS), SSH, or anything else, and all passwords are unencrypted (which I don't like). You also can't log into Gmail etc.
I have a webserver out there and an account on another computer. My idea is to route port 80 at the webserver to port 22 at the second machine, only for a specific (school) IP.
Code:
Computer at school behind firewall:80 <-> 80:webserver:(only for computer at school)22 <-> computer with ssh account
I don't want to use an account at the server as I don't consider it to be reasonably safe (remember, it's a webserver), but I guess it won't be so problematic if encrypted traffic goes through.
Now, I have three questions.
Is it possible to achieve this with iptables?
Does ssh allow such routing and is it reasonably safe?
Would it be possible to create something like a web proxy at the server which would encrypt connection over standard http port to allow other, less skilled students without ssh accounts elsewhere to access Gmail etc?
If I were doing this sort of thing, I'd set up SSH on your external box to listen on port 80, then do
Code:
ssh -p 80 -D 8000 user@outsidebox
on your local machine. Then use 'localhost' and port 8000 as your SOCKS proxy in your browser. Either that or set up squid to listen on port 80 on the external machine and use that as your HTTP(S) proxy.
If the network admin finds out you're doing this, and beats you to death with a hardback copy of 'The Practice of System and Network Administration (Limoncelli, Hogan 2001)', then we never had this conversation.
Dave
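From the admin's side of the wire, the SSH-on-port-80 trick above is easy to spot: SSH sends its identification string ("SSH-2.0-...") in cleartext before any encryption starts, so a port-80 flow that does not begin with an HTTP request line stands out. The following is an added example, not code from this thread: a small Python classifier run over constructed first-packet samples (the hostnames and the "OpenSSH_9.6" version string are made up).

```python
# Added example (not from the thread): classify what a TCP/80 flow actually
# speaks from its first bytes. A tunnelled SSH session is visible because the
# SSH identification line is sent in the clear before key exchange.
import re
from typing import Dict, Optional

# Request methods a browser or proxy client may legitimately send first.
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"TRACE", b"PATCH")
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments] CR LF
SSH_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-([^\r\n ]+)")

def classify_port80_flow(first_bytes: bytes) -> str:
    """Label the start of a flow seen on TCP/80 by the protocol it speaks.

    Returns one of: "http", "http-connect-tunnel", "ssh", "tls", "unknown".
    """
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    if first_bytes.startswith(b"HTTP/1."):      # server side of plain HTTP
        return "http"
    if HTTP_REQUEST_LINE.match(first_bytes):
        method = first_bytes.split(b" ", 1)[0]
        if method == b"CONNECT":                # proxy tunnelling e.g. :443 via port 80
            return "http-connect-tunnel"
        if method in HTTP_METHODS:
            return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"

def ssh_software(first_bytes: bytes) -> Optional[str]:
    """Return the software version from an SSH identification line, if present."""
    m = SSH_BANNER.match(first_bytes)
    return m.group(2).decode("ascii", "replace") if m else None

# Constructed samples of the first bytes a client sends on port 80.
SAMPLES = {
    "browser": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "proxy":   b"CONNECT mail.example.org:443 HTTP/1.1\r\nHost: mail.example.org:443\r\n\r\n",
    "tunnel":  b"SSH-2.0-OpenSSH_9.6\r\n",
    "random":  b"\x00\x01\x02garbage",
}

def audit(samples=SAMPLES) -> Dict[str, str]:
    """Classify every sample and return a mapping of sample name -> protocol label."""
    return {name: classify_port80_flow(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, label in audit().items():
        print(f"{name:8s} -> {label}")
```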
Two notes: I can't do that.
Code:
School computer :80 <-> My webserver <-> :22 SSH account at my second university
[School computer] Outgoing ONLY port 80
[My webserver]    anything I set, I have account, I have links, but they can't detect, but insecure
[SSH account]     but I can't configure the box (ssh on port 80)
This is my first question (how to configure such routing at the webserver).
Second one (merely looking for suggestions) - a simple web proxy for other students on my webserver?
Quote:
Originally Posted by ilikejam
If the network admin finds out you're doing this, and beats you to death with a hardback copy of 'The Practice of System and Network Administration (Limoncelli, Hogan 2001)', then we never had this conversation.
The admin has set such a policy which allows him to eavesdrop. Technically, eavesdropping is illegal in my country (violating privacy), so he can't say what I'm sending to the server unless he has key loggers (...) on every computer - and then he would be immediately fired. He can't do anything, sysadmins are quite hated at our school (they are extremely dumb and just obfuscate things).
If you can run whatever you want on port 80 on your webserver, then I'd just set up squid on that port. Since the machine is a webserver, though, I'd imagine you'd want Apache/whatever to be running on port 80. Since you can't do both, you'll have to choose between running Apache on its normal port and having a proxy that you and your associates can access.
Dave
Thank you for a very helpful reply. No, I won't turn off the webserver, and it's not a problem to route connections from one port for a specific address to another port, where the proxy could run (I'm merely looking for suggestions of which proxy with a "web interface" to use).
It may sound strange to any sysadmin (and you obviously act like one), but Internet at the school is mainly for students to allow them to study, and if you have a Gmail account shared by the whole class to store documents and you can't access it from school because of the f****** sysadmin "security policy", then it defeats the purpose of the connection _and_ the sysadmin - he is not needed as nobody can use the computers (no, ftp/webdav/sftp don't work either).
Squid and webmin come to mind as a web-configurable proxy.
Just had another thought. If you can redirect from port 80 to port 22 on the webserver for school IPs, then you could set up a SOCKS proxy that anyone on your school network could use:
would connect to your webserver over port 80 (forwarded to port 22), and leave a SOCKS proxy connection available at school-pc1:8000 for anyone to use.
Unfortunately, I've never used iptables in any serious way. You'll probably get a solution to that part of your problem faster in a new thread, I would imagine.