LinuxQuestions.org
Old 10-29-2007, 08:53 AM   #1
_kure_
LQ Newbie
 
Registered: Apr 2006
Posts: 10

Rep: Reputation: 0
Port redirection / avoiding strict firewall


Hello,

I have a quite stupid problem at my school - the administrator decided that allowing anything encrypted would be against 'security policy' and allows outgoing traffic only for port 80 (http).

Of course, it has many drawbacks: you cannot connect to secured webpages (443, https), ssh, anything, and all passwords are unencrypted (which I don't like). You also can't log into Gmail etc.

I have a webserver out there and an account on another computer. My idea is to route port 80 at the webserver to port 22 at the second machine only for a specific (school) IP.

Code:
Computer at school behind firewall:80 <-> 80:webserver:(only for computer at school)22 <-> computer with ssh account
I don't want to use an account at the server as I don't consider it to be reasonably safe (remember, it's a webserver), but I guess it won't be so problematic if encrypted traffic goes through.

Now, I have three questions.
  • Is it possible to achieve this with iptables?
  • Does ssh allow such routing and is it reasonably safe?
  • Would it be possible to create something like a web proxy at the server which would encrypt connection over standard http port to allow other, less skilled students without ssh accounts elsewhere to access Gmail etc?

Thank you for any suggestions.
 
Old 10-29-2007, 09:14 AM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 97
Hi.

If I were doing this sort of thing, I'd set up SSH on your external box to listen on port 80, then do
Code:
ssh -p 80 -D 8000 user@outsidebox
on your local machine. Then use 'localhost' and port 8000 as your SOCKS proxy in your browser. Either that or set up squid to listen on port 80 on the external machine and use that as your HTTP(S) proxy.

If the network admin finds out you're doing this, and beats you to death with a hardback copy of 'The Practice of System and Network Administration (Limoncelli, Hogan 2001)', then we never had this conversation.

Dave

Last edited by ilikejam; 10-29-2007 at 09:16 AM.
 
Old 10-29-2007, 09:23 AM   #3
_kure_
LQ Newbie
 
Registered: Apr 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by ilikejam View Post
Hi.

If I were doing this sort of thing, I'd set up SSH on your external box to listen on port 80, then do
Code:
ssh -p 80 -D 8000 user@outsidebox
on your local machine. Then use 'localhost' and port 8000 as your SOCKS proxy in your browser. Either that or set up squid to listen on port 80 on the external machine and use that as your HTTP(S) proxy.

Dave
Two notes: I can't do that.

Code:
School computer        :80 <->   My webserver     <->:22 SSH account at my second university
Outgoing ONLY port 80            anything I set,         I have account, I have links,
but they can't detect            but insecure            but I can't configure the box
ssh on port 80
This is my first question (how to configure such routing at the webserver).

Second one (merely looking for suggestions) - simple web proxy for other students at my webserver?

Quote:
Originally Posted by ilikejam View Post
If the network admin finds out you're doing this, and beats you to death with a hardback copy of 'The Practice of System and Network Administration (Limoncelli, Hogan 2001)', then we never had this conversation.
The admin has set such policy which allows him to eavesdrop. Technically, eavesdropping is illegal in my country (violating privacy) so he can't say what I'm sending to the server unless he has key loggers (...) at every computer - and then he would be immediately fired. He can't do anything, sysadmins are quite hated at our school (they are extremely dumb and just obfuscate things).

Last edited by _kure_; 10-29-2007 at 09:29 AM.
 
Old 10-29-2007, 10:02 AM   #4
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 97
If you can run whatever you want on port 80 on your webserver, then I'd just set up squid on that port. Since the machine is a webserver, though, I'd imagine you'd want Apache/whatever to be running on port 80. Since you can't do both, you'll have to choose between running Apache on its normal port and having a proxy that you and your associates can access.

Dave
 
Old 10-29-2007, 03:46 PM   #5
_kure_
LQ Newbie
 
Registered: Apr 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by ilikejam View Post
If you can run whatever you want on port 80 on your webserver, then I'd just set up squid on that port. Since the machine is a webserver, though, I'd imagine you'd want Apache/whatever to be running on port 80. Since you can't do both, you'll have to choose between running Apache on its normal port and having a proxy that you and your associates can access.

Dave
Thank you for a very helpful reply. No, I won't turn off the webserver, and it's not a problem to route connections from one port for a specific address to another port, where the proxy could run (I'm merely looking for suggestions of which proxy with a "web interface" to use).

It may sound strange to any sysadmin (and you obviously act like one), but Internet at the school is mainly for students to allow them to study and if you have a gmail account shared by the whole class to store documents and you can't access it from school because of f****** sysadmin "security policy", then it defeats the purpose of connection _and_ the sysadmin - he is not needed as nobody can use the computers (no, ftp/webdav/sftp doesn't work too).
 
Old 10-29-2007, 04:23 PM   #6
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 97
Squid and webmin come to mind as a web-configurable proxy.

Just had another thought. If you can redirect from port 80 to port 22 on the webserver for school IPs, then you could set up a SOCKS proxy that anyone on your school network could use:
Code:
[root@school-pc1]# ssh -p 80 -D '*':8000 user@webserver
would connect to your webserver over port 80 (forwarded to port 22), and leave a SOCKS proxy connection available at school-pc1:8000 for anyone to use.

Dave
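A caveat on the claim in #3 that SSH on port 80 can't be detected, and on the SOCKS listener in #6 that is open to anyone on the LAN: both protocols announce themselves in cleartext in the first bytes of a connection (the SSH identification string, the SOCKS5 greeting), so a filter or IDS that looks at payload rather than port number sees them immediately. The following is an added example, not code from this thread, that classifies the first client bytes of constructed sample flows and lists the port-80 flows that are not HTTP; the addresses and banners are made up.

```python
# Added example (not from the thread): identify what a TCP flow really carries
# from its first bytes, independent of the destination port. Samples below are
# constructed (RFC 5737 addresses, invented banners).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def classify_payload(first_bytes: bytes) -> str:
    """Return 'http', 'ssh', 'tls', 'socks5' or 'unknown' for a flow's first bytes."""
    if first_bytes.startswith(b"SSH-"):
        # RFC 4253 identification string (e.g. SSH-2.0-OpenSSH_4.7), sent in
        # cleartext before any key exchange, whatever port is used.
        return "ssh"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        # TLS record header: content type 0x16 (handshake), version 0x03xx.
        return "tls"
    if len(first_bytes) >= 2 and first_bytes[0] == 0x05 \
            and len(first_bytes) == 2 + first_bytes[1]:
        # RFC 1928 client greeting: version 5, method count, method list.
        return "socks5"
    return "unknown"


def find_policy_violations(flows):
    """Given (src, dst, dport, first_bytes) tuples, return (src, dst, proto)
    for every flow to port 80 whose payload is not HTTP."""
    hits = []
    for src, dst, dport, first_bytes in flows:
        if dport == 80:
            proto = classify_payload(first_bytes)
            if proto != "http":
                hits.append((src, dst, proto))
    return hits


SAMPLE_FLOWS = [
    ("10.0.5.21", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.5.22", "203.0.113.10", 80, b"SSH-2.0-OpenSSH_4.7\r\n"),
    ("10.0.5.23", "203.0.113.11", 80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    ("10.0.5.24", "10.0.5.21", 8000, b"\x05\x01\x00"),   # SOCKS5 greeting on the LAN
    ("10.0.5.25", "203.0.113.12", 80, b"\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for src, dst, proto in find_policy_violations(SAMPLE_FLOWS):
        print(f"non-HTTP traffic on port 80: {src} -> {dst} ({proto})")
```

The same first-bytes check applied to LAN traffic would flag the SOCKS5 greeting sent to school-pc1:8000, which is how an open proxy of the kind described in #6 shows up to anyone watching the switch.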
 
Old 10-30-2007, 07:40 AM   #7
_kure_
LQ Newbie
 
Registered: Apr 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Thank you for the reply.

I came across a strange problem with forwarding ports at the webserver:

I'm trying to get ssh forwarding to work, but it's relatively problematic.

I used these commands to test it first with a webpage (forwarding anything that comes to server at port 8080 to Google).
Code:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to 72.14.207.99:80
iptables -A FORWARD -p tcp -i eth0 -d 72.14.207.99 --dport 80 -j ACCEPT
Unfortunately, it works only at localhost (e.g. I can forward webserver:8080 -> webserver:80, but not webserver:8080->google:80).

I think it's something with my iptables, some strange rule, but I don't know which one.
Code:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             eh-in-f99.google.com tcp dpt:www

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-apache (0 references)
target     prot opt source               destination

Chain fail2ban-couriersmtp (0 references)
target     prot opt source               destination

Chain fail2ban-postfix (0 references)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
Code:
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:webcache to:72.14.207.99:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Code:
cat /proc/sys/net/ipv4/ip_forward
1
 
Old 10-30-2007, 08:06 AM   #8
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 97
Hi again.

Unfortunately, I've never used iptables in any serious way. You'll probably get a solution to that part of your problem faster in a new thread, I would imagine.

Dave
 
  

