using the one open port to remote-administer a firewall


Strogian
04-14-2004, 12:01 PM
OK, let's say that right now, I'm using a windows computer. At home, I have a firewall that only has TCP port 77 open. And normally, I use that port to connect to my linux computer using SSH. But the problem is that I need to open another port. To do this, I'll need to change the firewall settings, and the only way to do that is from the web.

My linux computer only has text-based browsers, and none of them quite work well enough to administer the firewall. (links 2 can see the pages well enough, but it doesn't seem to submit the data correctly.. no changes are ever made). So the only option I have now is to use internet explorer to do it from here.

So here's what I thought I'd do:

(this all being done in a 'disown'ed script, so that I can close all ssh connections before starting the process)
1. stop sshd
2. make an iptables rule to forward all TCP port 77 traffic to the firewall, port 80.
3. point internet explorer to http://<home ip address>:77

and that should work, because port 77 will be forwarded through the firewall to the linux computer, and then from the linux computer back to the firewall -- port 80.

But it doesn't work. Here's the script I use (saying that 333.333.333.333 is my computer here, and 444.444.444.444 is the local firewall address):

#!/bin/bash
# Stop sshd so nothing else listens on port 77, then turn this box into a relay:
# port-77 traffic arriving from the remote machine (333.333.333.333) is
# redirected to the firewall's web interface (444.444.444.444, port 80).

/etc/rc.d/init.d/sshd stop &&
sleep 5 &&
iptables -t nat -I PREROUTING \
-p tcp -s 333.333.333.333 --dport 77 \
-j DNAT --to-destination \
444.444.444.444:80 &&
sleep 5m &&
init 6    # reboot after five minutes so sshd comes back up


I put an 'init 6' at the end to reboot, since that's the safest way to make sure sshd is restarted. ;)

So, anyone have any suggestions?

terets
04-14-2004, 08:52 PM
That's cool as almighty....

But, I think the problem lies in poison reverse. It sounds like you are entering and leaving the firewall at the same point which is denied by the firewall due to spoofing issues and concerns.

I suppose you're using a dsl/cable router? I know this is going to sound HORRIBLE, but can you turn on remote administration on it? This would allow you to administer the router from anywhere and probably ease your heartache.

Now, another option would be to do X forwarding from the linux box to windows by using an ssh tunnel and cygwin. There are also some commercial X servers for windows out there that work as well. I haven't ever done this, but, I've heard of tons of people getting it done.

Do some google searching for linux and I'm sure you'll find someone that knows how to do this. If you don't know what I'm referring to, basically it is forwarding an X window from your linux box back to the windows box. It's pretty simple to do from any linux to linux box. I use it extensively with the administration I do of Solaris and AIX.

Strogian
04-15-2004, 07:07 PM
Well I *would* turn on remote-admin (just for my IP, of course!), but I'd need access to the firewall to do that. I probably will eventually just try and walk someone through the process, but I'm trying to avoid that. ;)

As for X-Windows, that would also be great to have, but I don't have it installed. I'm not even sure if the system has enough hard drive space to hold it.

> But, I think the problem lies in poison reverse. It sounds like you are entering and leaving the firewall at the same point which is denied by the firewall due to spoofing issues and concerns.

Now that sounds interesting. ;) Here's my "mental picture" of what's going on:


------- || -------
| My | |0<-| | <-- port 80
|Comp.|------00->|Linux| <-- port 77
------- || -------
Firewall


As far as the firewall's concerned, the Linux box is accessing the firewall directly, right? (This is how I normally connect to game servers too, since those ports aren't open from here... I just forgot to open the OUTGOING ports I needed on that firewall, so it's not working ;))

terets
04-15-2004, 09:59 PM
You could think of it like that. I'm not too kosher on how the home routers handle things. But, I know that a Cisco PIX, which I use extensively, would deny this as it would interpret an attack by spoofing to come from one address to access resources on the firewall.

You're on to something though. I must admit.

I think that maybe the router actually answers on the WAN port. If that's true, then the router is seeing poison reverse and disallowing traffic. Think of it in terms of interfaces, not IP addresses. So, you enter in on the WAN port, get sent to port 4 on the switch side of the inside, and then it's sent back to the WAN port. See how it would have a problem with this?

Firewalls operate on layer 3 and layer 4 of the OSI model. For that reason, they are more interested in interfaces and not the IP topology involved.

I think I just rambled for quite a bit, but hopefully there was something good in that bit..hehehe

Strogian
04-15-2004, 11:08 PM
> See how it would have a problem with this?

I think you're giving me way too much credit. :)

I actually did just do a search on "poison reverse" and ip spoofing, and now I think I get it. ;) It's just that the firewall is (or rather, "might be") trying to stop my Linux box from monitoring the traffic, right?

Except the routing is going (I'm making these up)

http://141.587.102.99:77 (what I type in.. the WAN address)
|
V
10.0.0.11:77 (the LAN address of the linux box)
|
V
10.0.0.1:11 (the LAN address of the firewall)

So it's not really ending up where it started -- the dest. ip's are different, even though it's actually the same machine.

But maybe what I read wasn't quite what you were getting at.

I just didn't want to reply with "I don't know what you're talking about." Maybe that would've been just as good. :D

terets
04-16-2004, 01:25 AM
Well, as I said, it's not worried about IP addresses. Your traffic flow is correct. However, the interface is the physical place where you plug in the cable.

So, think of it as this:


http://191.191.55.54:77 (Wan Interface)
|
|
|
192.168.1.100:77 (linux box on port 1 of your Router)
|
|
|
192.168.1.1:11 (router, but it is still on the WAN interface)

So, what happens is that traffic flows in on the WAN interface and is redirected to your internal LAN. From there it is then sent back to the firewall, the WAN port. From the firewall it flows back to the linux box (internal LAN port) and then back to the WAN interface.

Is that clear as mud? Ip addresses don't apply to this. Think of the physical plugs of the firewall. It enters on one plug, flows to another plug, and then gets sent back to the original plug. The router doesn't like this and will disallow traffic from getting back to you.
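Independent of the interface-level point above, the relay in the first post has a second problem on the reply path, which the following added example (not code from the thread) traces as a toy conntrack-style model: the firewall's web server answers the source address it sees, so unless the Linux box also rewrites the source (MASQUERADE/SNAT in POSTROUTING), the reply never passes back through the Linux box and reaches the client from the wrong port. The addresses are the thread's made-up ones; the client port 40000 and the names Pkt/Nat/relay are assumptions of the model.

```python
# Added example, not code from the thread: a toy conntrack-style model of the
# port-77 relay from the first post, traced as address/port translations.
# Addresses are the thread's made-up ones; the client port 40000 is assumed.
from dataclasses import dataclass

CLIENT = "333.333.333.333"  # remote Windows machine
WAN_IP = "141.587.102.99"   # firewall's WAN address (made up in the thread)
LINUX = "10.0.0.11"         # Linux box on the LAN side
FW_LAN = "10.0.0.1"         # firewall's LAN address, web admin on port 80
CLIENT_PORT = 40000         # assumed ephemeral port of the client

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Nat:
    """Remembers each translation so the matching reply can be un-translated."""
    def __init__(self):
        self.table = {}

    def translate(self, p, src=None, dst=None):
        new = Pkt(*(src or (p.src, p.sport)), *(dst or (p.dst, p.dport)))
        # key: how a reply to the translated flow looks; value: reply to the original flow
        self.table[(new.dst, new.dport, new.src, new.sport)] = (p.dst, p.dport, p.src, p.sport)
        return new

    def reply(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        return Pkt(*self.table[key]) if key in self.table else p  # no state: left untouched

def relay(masquerade):
    """Return the reply packet the client finally receives."""
    fw, linux = Nat(), Nat()
    syn = Pkt(CLIENT, CLIENT_PORT, WAN_IP, 77)
    syn = fw.translate(syn, dst=(LINUX, 77))      # firewall forwards port 77 to the Linux box
    syn = linux.translate(syn, dst=(FW_LAN, 80),  # the DNAT rule from the script ...
                          src=(LINUX, CLIENT_PORT) if masquerade else None)  # ... plus optional SNAT
    # the firewall's web server answers whatever source address the packet carried
    rep = Pkt(syn.dst, syn.dport, syn.src, syn.sport)
    if rep.dst == LINUX:
        rep = linux.reply(rep)   # back through the Linux box, which undoes its NAT ...
        rep = fw.reply(rep)      # ... then out through the firewall's port-forward state
    else:
        rep = fw.reply(rep)      # addressed straight to the client: bypasses the Linux box,
    return rep                   # so nothing maps port 80 back to port 77

def client_accepts(rep):
    """The client only matches a reply from WAN_IP:77 to its own port."""
    return rep == Pkt(WAN_IP, 77, CLIENT, CLIENT_PORT)
```

Run `relay(False)` and `relay(True)` to compare the two reply packets; only the masqueraded flow comes back as WAN_IP:77.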

Strogian
04-16-2004, 10:28 PM
hmm I got a new problem now

I got the remote-admin turned on, and I can access the page just fine now, but the settings don't save! I put the changes into the form, click submit, it seems to go through just fine, but the settings don't save. (exactly what happened from the linux box too .... now I'm thinking maybe it wasn't the browser's fault)

And I have no idea what's wrong, either.

EDIT: i should say -- the USEFUL settings don't change. The "firewall: enable/disable" setting worked, but it didn't affect anything.