On Wed Mar 14 2001 at 17:10, "Joe Eggleston" wrote:

> I had an idea, and I'm wondering if something like this already exists.

Oh yessiree, it's all right there already, just waiting for you to cast the
magic incantations... :)

> It seems like it should be possible to use HTTP to tunnel through a
> firewall/proxy that only allows web traffic. It would require a machine
> on the outside to de-tunnel the packets and then act as a proxy for
> machines inside the firewall. Has something like this already been
> implemented?

Jim's right in his reply that it has already been implemented as squid :-)

ROTFL!

More seriously, if you consider the "outside" box to be the external
(exposed) interface of the firewall (running Linux, of course), and you have
shell access to that box, then there are a number of ways to go about
implementing this.

Squid is one way. Set it up as an "accelerator" (see the docs, you just need
four extra things in the config file), and do something like this with the
ipchains rules to turn it on:

    ipchains -I forward -j REDIRECT 8080 -i eth0 -p tcp --dport 80

What that rule says is: any TCP packets going out through eth0 (the external
interface) with a destination port of 80, redirect them (internally/locally)
to port 8080. And on that port you have your squid proxy running (on the
firewall). Easy transparent web proxy configuration, tried and proven to
work.

The other thing you can do is to create a port-forwarding redirect with ssh,
but this has much more use as a way to get specific port access to a box on
the internal network behind the firewall (rather than a way to get out).

As for "tunnelling" (and masquerading) port 80 traffic out of a firewall,
that's easy too (on the firewall):

    ipchains -I forward -j MASQ -i eth0 -p tcp --dport 80

... which will do the trick quite nicely for you.
You could use routing policies and multiple routing tables (and fwmark'ing),
and you could also do it with "real" IP tunnels (using the /sbin/ip utility),
but all this is starting to get beyond the scope of this particular
discussion :)

But the best way to do it is definitely with a (small?) squid proxy.

Have fun with whatever you are experimenting with...

Cheers
Tony

-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
Tony Nugent <Tony@growzone.com.au>
Systems Administrator, RHCE
LinuxWorks - PO Box 5747 Gold Coast MC Queensland Australia 9726
Ph: (07) 5526 8020  Mobile: 0408 066 336
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
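The two pieces Tony describes (the Squid "accelerator" setup and the ipchains rules), gathered into a reviewable script. This is an added example, not code from the original post or from the Squid project; Tony's own rules stand above as he wrote them. The four httpd_accel_* lines are the Squid 2.x transparent-mode directives, and the acl/http_access lines are there because a squid listening on the firewall with no ACLs is an open proxy reachable from the Internet. One caveat the rules below reflect: ipchains accepts REDIRECT only in the input chain (so the match is on the internal interface, where the LAN's packets arrive) and MASQ only in the forward chain. The interface names eth0/eth1, the 192.168.1.0/24 LAN range and port 8080 are assumptions; override them in the environment.

```shell
#!/bin/sh
# Added example (not from the original post): Squid 2.x transparent proxy
# config plus the ipchains rules for a Linux firewall. All values below are
# assumptions for illustration; override them in the environment.
EXT_IF="${EXT_IF:-eth0}"          # external (exposed) interface, assumption
INT_IF="${INT_IF:-eth1}"          # internal LAN interface, assumption
LAN="${LAN:-192.168.1.0/24}"      # internal network, assumption
PROXY_PORT="${PROXY_PORT:-8080}"  # where squid listens, assumption
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands, 0 = run them

# Squid 2.x "accelerator" (transparent) mode. The httpd_accel_* directives
# make squid rebuild the original URL from the Host: header of a request
# that was REDIRECTed to it. The ACLs restrict service to the LAN so the
# firewall does not become an open proxy for the whole Internet.
squid_accel_conf() {
    cat <<EOF
http_port ${PROXY_PORT}
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src ${LAN}
http_access allow lan
http_access deny all
EOF
}

# Option 1: transparent proxy. ipchains only honours REDIRECT in the input
# chain, where -i is the interface the packet arrived on, i.e. the LAN side.
proxy_rule() {
    echo "ipchains -A input -i ${INT_IF} -p tcp -s ${LAN} -d 0/0 80 -j REDIRECT ${PROXY_PORT}"
}

# Option 2: plain masquerading of outbound web traffic. MASQ is only valid
# in the forward chain, where -i is the *outgoing* interface.
masq_rule() {
    echo "ipchains -A forward -i ${EXT_IF} -p tcp -s ${LAN} -d 0/0 80 -j MASQ"
}

# Both rules together: LAN web traffic is diverted to squid; anything that
# is not redirected (e.g. squid stopped, rule removed) is still masqueraded.
all_rules() {
    proxy_rule
    masq_rule
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) the rule set, one command per line.
apply_rules() {
    all_rules | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: $cmd"
        else
            sh -c "$cmd" || exit 1
        fi
    done
}
```

Review the output with DRY_RUN=1 first, then `DRY_RUN=0 ./transparent-proxy.sh` as root and `squid_accel_conf >> /etc/squid/squid.conf` before restarting squid. The `-s ${LAN}` match on the REDIRECT rule matters as much as the http_access lines: without it, anything that can reach the firewall's input chain on port 80 gets handed to squid.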