Title: It works (can someone explain to me why?)

Hi everybody,

First of all, I wish everybody a great 2002 (and further, obviously).

Now for my question, it's going to be a long post so sit back, relax and read.

At home I have a Linux (RH7.2) server connected to the internet, using IPTables
as my firewall.

At work we can surf through a proxy that supports HTTP and HTTPS (squid).

I wanted to be able to admin my linux box from my work site, using VNC (I know,
real men only use SSH, but I like a GUI). This provided me with 2 problems:

- How do I connect to my linux box through our corporate firewall?
- How can I secure the (unencrypted) VNC traffic?

I solved the first problem with the use of a program called HTTPort
(http://www.htthost.com/). This program forwards certain ports through the (https)
proxy to its rightful destination. I overcame the second problem by tunneling the
VNC traffic through an SSH connection (using SSH forwarding with TeraTerm). I
opened port 5910 on the linux box, to let the encrypted data through the firewall.
The data gets decrypted locally to port 5901, the VNC server.

So, diagrammatically I did the following:

|===== Laptop (work) ===============|  |= proxy (work) =|  |=== Linux box (home) ===|
|          SSH---(port 22)--HTTPort-|--|+(https tunnel)+|--|- (port 22) SSH         |
|                                   |  |                |  |                        |
|       VNC client                  |  |                |  |                        |
|           |                       |  |                |  |                        |
|       (port 5902)                 |  |                |  |                        |
|           |                       |  |                |  |                        |
|          SSH                      |  |                |  |                        |
|           |                       |  |                |  |                        |
|       (port 5901)--HTTPort--------|--|+(https tunnel)+|--|- (port 5910) SSH       |
|                                   |  |                |  |               |        |
|                                   |  |                |  |           (port 5901)  |
|                                   |  |                |  |               |        |
|                                   |  |                |  |           VNC server   |
|===================================|  |================|  |========================|

The laptop side of things is very straightforward, first I start up HTTPort which
forwards two ports through the firewall, local port 22 to remote port 22 (so I can
login using SSH) and local port 5901 to remote port 5910 (for VNC).

Then I SSH to the linux box using TeraTerm's SSH extensions and forward local port 5902
to local port 5901 (which gets forwarded to my linux box by HTTPort). In the SSH shell
I start up the VNC server on its default port 5901.

Now I can start the VNC client and open a connection to localhost, port 5902 (which gets
encrypted by SSH and forwarded by HTTPort).

Now for the weird thing (and my question). It works, but I haven't told the linux box to
unencrypt (using SSH) data coming in from port 5910 to port 5901. I did tell the Windows
(laptop) side to open an encrypted connection between localport 5902 and remote port 5910
(through HTTPort), but I haven't told linux to send the unencrypted data to port 5901. I
can understand that SSH decrypts the data coming in on port 5910, as part of the SSH
forwarding setup, but I don't understand how SSH knows what to do with the data, i.e. forward
it locally to port 5901?

Am I overlooking something really trivial?

Arjan
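Added illustration, not part of the original post: in an SSH local forward the client, not the server, names the destination. A forward of local port 5902 to localhost:5901 reaches sshd as a "direct-tcpip" channel open request (RFC 4254, section 7.2) that carries the host "localhost" and the port 5901, and sshd connects there itself, which is why nothing needs to be configured on the Linux side. The encoder, parser and PermitOpen-style allow-list check below are my own Python with constructed values; the port numbers are the ones from the post.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90  # message number from RFC 4254

def _string(b: bytes) -> bytes:
    """SSH 'string' wire type: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_direct_tcpip_open(dest_host, dest_port, orig_host="127.0.0.1", orig_port=0,
                            sender_channel=0, window=2097152, max_packet=32768):
    """Encode the CHANNEL_OPEN "direct-tcpip" request an SSH client sends when a
    program connects to the listening end of a -L style local forward."""
    return (bytes([SSH_MSG_CHANNEL_OPEN])
            + _string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, window, max_packet)
            + _string(dest_host.encode())      # host the *server* should connect to
            + struct.pack(">I", dest_port)     # port the *server* should connect to
            + _string(orig_host.encode())      # where the client-side connection came from
            + struct.pack(">I", orig_port))

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n

def parse_direct_tcpip_open(msg):
    """Server-side view: recover the destination the client asked for."""
    if msg[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not a CHANNEL_OPEN message")
    ctype, off = _read_string(msg, 1)
    if ctype != b"direct-tcpip":
        raise ValueError(f"unexpected channel type {ctype!r}")
    sender, window, max_packet = struct.unpack_from(">III", msg, off)
    off += 12
    dest_host, off = _read_string(msg, off)
    (dest_port,) = struct.unpack_from(">I", msg, off)
    off += 4
    orig_host, off = _read_string(msg, off)
    (orig_port,) = struct.unpack_from(">I", msg, off)
    return {"dest_host": dest_host.decode(), "dest_port": dest_port,
            "orig_host": orig_host.decode(), "orig_port": orig_port}

def permit_open(request, allowed):
    """Policy check in the spirit of sshd's PermitOpen: because the client chooses
    the destination, the server must restrict which (host, port) pairs it will dial."""
    return (request["dest_host"], request["dest_port"]) in allowed
```

Since any authenticated SSH user can ask the server to dial any host it can reach, a server that is only meant to expose VNC should restrict forwards with `PermitOpen localhost:5901` in sshd_config rather than leaving the default of any destination.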
