Scenario: You're in an office, with paranoid security, limitting what connections you can establish to the outside world. You have a workstation at home, which you have protected behind a firewall that limits what you let in. You want to remotely connect to that home workstation from work.
Solution: Four easy steps -
No sane firewall will block port 443 (https). Therefore, using this SSH port-changing tutorial, enable a rerouting of connections from port 443 to your SSH server (just change the 2222 in the iptables command line to 443).
root@homegateway# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to localhost:22
me@work$ ssh -p 443 firstname.lastname@example.org homegateway:me$
Once you've got the capability to SSH to your home gateway, you can
use it to tunnel data to your home server. Set up local port 5901 (vnc:1)
to tunnel to your home workstation, port 5901. Start SSH in daemon mode
-f), without a command (
work:me$ ssh -p 443 -f -N -L 5901:homeworkstation:5901 email@example.com
me@workstation$ vncserver -geometry 800x600 -depth 16 :1 You will require a password to access your desktops. Password: Verify: Would you like to enter a view-only password (y/n)? n xauth: creating new authority file /home/me/.Xauthority New 'X' desktop is workstation:1
We just need to connect to our local port 5901, the tunnel and routing will do everything else for us
me@work$ vncviewer localhost::5901 Connected to RFB server, using protocol version 3.8 Enabling TightVNC protocol extensions Performing standard VNC authentication Password: Authentication successful Desktop name "me's X desktop (workstation:1)"
You'll notice that iptables is capable of delivering packets not just to the local SSH port, but also to an arbitrary port on any machine. So in theory you could redirect incoming gateway port 443 to workstation's port 5901. This has the drawback of only permitting a single VNC connection. With SSH tunnelling, any number of VNC connections can be made, as any number of SSH connections can be made.