Thanks. I admit your answer was a bit more constructive than mine.
Unfortunately, I was very tired at the time. :-P

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
"Never settle with words what you can settle with a flamethrower"
                                                        -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Original Message -----
From: "Tony Nugent" <tony@growzone.com.au>
To: "Linux Network Mailing list" <linux-net@vger.kernel.org>
Sent: Wednesday, March 14, 2001 11:02 PM
Subject: Re: tunneling through fire walls

> On Wed Mar 14 2001 at 17:10, "Joe Eggleston" wrote:
>
> > I had an idea, and I'm wondering if something like this already exists.
>
> oh yessiree, it's all right there already, just waiting for you to
> cast the magic incantations... :)
>
> > It seems like it should be possible to use HTTP to tunnel through a
> > firewall/proxy that only allows web traffic. It would require a machine
> > on the outside to de-tunnel the packets and then act as a proxy for
> > machines inside the firewall. Has something like this already been
> > implemented?
>
> Jim's right in his reply that it has already been implemented as
> squid :-) ROTFL!
>
> More seriously, if you consider the "outside" box to be the
> external (exposed) interface of the firewall (running linux of
> course), and you have shell access to that box, then there are a
> number of ways to go about implementing this.
>
> Squid is one way. Set it up as an "accelerator" (see the docs, just
> need four extra things in the config file), and do something like
> this with the ipchains rules to turn it on:
>
> ipchains -I forward -j REDIRECT 8080 -i eth0 -p tcp -dport 80
>
> What that rule says is: any TCP packets going out through eth0 (the
> external interface) with a destination port of 80, redirect them
> (internally/locally) to port 8080.
> And on that port you have your
> squid proxy running (on the firewall). Easy transparent web proxy
> configuration, tried and proven to work.
>
> The other thing you can do is to create a port-forwarding redirect
> with ssh, but this has much more use as a way to get specific port
> access to a box on the internal network behind the firewall (rather
> than a way to get out).
>
> As for "tunnelling" (and masquerading) port 80 traffic out of a
> firewall, that's easy too (on the firewall):
>
> ipchains -I forward -j MASQ -i eth0 -p tcp -dport 80
>
> ... which will do the trick quite nicely for you.
>
> You could use routing policies and multiple routing tables (and
> fwmark'ing), you could also do it with "real" ip tunnels (using the
> /sbin/ip utility), but all this is starting to get beyond the scope
> of this particular discussion :)
>
> But the best way to do it is definitely with a (small?) squid proxy.
>
> Have fun with whatever you are experimenting with...
>
> Cheers
> Tony
> -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
> Tony Nugent <Tony@growzone.com.au> Systems Administrator, RHCE
> LinuxWorks - PO Box 5747 Gold Coast MC Queensland Australia 9726
> Ph: (07) 5526 8020 Mobile: 0408 066 336
> -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
> -
> : send the line "unsubscribe linux-net" in
> the body of a message to majordomo@vger.kernel.org
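An added example, not from this thread: the proxy listening on port 8080 behind the REDIRECT rule Tony gives never sees the original destination address (the kernel rewrote it), so it has to rebuild the origin URL from the Host header, and it is also the natural place to refuse anything on port 80 that is not HTTP at all, which is what an HTTP "tunnel" of the kind Joe describes looks like from the firewall side. Python sketch with constructed sample requests; the function name and the forward/reject decision structure are my own, not squid's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Request line as the intercepting proxy sees it after the REDIRECT rule:
# the destination was rewritten to the local redirect port, so the only
# remaining hint of the real origin server is the Host header.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


@dataclass
class Decision:
    action: str            # "forward" or "reject"
    url: Optional[str]     # reconstructed origin URL when forwarding
    reason: str


def classify_intercepted(raw: bytes) -> Decision:
    """Decide what a transparent proxy on the redirect port should do with
    the first bytes of an intercepted port-80 connection (hypothetical helper)."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        # Not an HTTP request line (TLS, SSH, a custom tunnel protocol): the
        # rule only opened port 80 for web traffic, so drop and log it rather
        # than relaying opaque bytes to whatever Host the client names.
        return Decision("reject", None, "not an HTTP request line on port 80")
    method, target = m.group(1).decode("ascii"), m.group(2).decode("ascii")
    if method == "CONNECT":
        # CONNECT asks a proxy for an arbitrary TCP tunnel; a transparently
        # intercepted browser never sends it, so treat it as a tunnel attempt.
        return Decision("reject", None, "CONNECT on intercepted traffic")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().decode("latin-1")
    if target.startswith("http://"):
        # Absolute-form target: a client explicitly configured for a proxy.
        return Decision("forward", target, "absolute-form request")
    host = headers.get(b"host")
    if not host:
        # HTTP/1.0 clients may omit Host; after REDIRECT the origin address is
        # unrecoverable, so the proxy cannot safely guess where to connect.
        return Decision("reject", None, "no Host header: origin lost by REDIRECT")
    return Decision("forward", f"http://{host}{target}", "rebuilt from Host header")
```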