[mythtv-users] Accessing MythWeb through firewall

Stephen Boddy stephen.boddy at btinternet.com
Mon Oct 30 11:31:40 UTC 2006


On Monday 30 October 2006 06:41, Phill Edwards wrote:
> I have MythWeb installed and running on a server which sits behind my
> firewall at home. There is no direct access to it from the internet
> except through my linux gateway which sits between it and the
> internet. The gateway box is another linux server which is running an
> IP Tables firewall and has a port forwarding rule to direct traffic on
> a particular port (12000) to port 80 on my MythWeb box. This works a
> treat.
>
> But...where I'm working now has most outgoing ports blocked except for
> 80, 443 etc, which means I can't access port 12000 on my gateway
> machine so it can't forward that to my MythWeb machine.
>
> I was wondering what suggestions people had for resolving this. I was
> thinking that I could use a mod_rewrite rule on my gateway machine's
> Apache config - eg if URL=http://<gateway.on.internet>/mythtv then
> redirect to real MythWeb box. But when I had a quick look at this I
> got the impression it wouldn't work because it sends a redirect
> command back to the client.
>
> Any suggestions, anyone (apart from getting a hole punched in my
> company's firewall!)

Because your company limits outbound ports and your ISP limits 80 (+others?) 
inbound, the simplest way to do this is to set up an ssh tunnel. Your ISP is 
very unlikely to block port 22 (the ssh service), and there's a very good 
chance that your company allows 22 outbound. It's a huge hole that a lot of 
companies don't bother closing, probably because the managers don't 
understand the power, and the techs like the convenience :-) There is a 
possibility though that they tie it down using a "gateway" system and 
restrict outbound ssh to that machine only, and you're unlikely to get an 
account for this without a good justification. Even then, port forwarding can 
be blocked in the config.

If not, set up an ssh server on your firewall and/or mythweb box and just do:

ssh -L8080:<localhost|mythweb server>:80 <user>@<your home IP>

from work. This has the added benefit that if you slip up with the password 
access, Google don't come along and kindly delete all your recordings :-) It 
is also good practice to use pub/priv keys which helps prevent dictionary 
attacks from skript kiddies.

Then just point your work browser to http://localhost:8080/mythweb

Finally, a word to the wise. Doing this kind of stuff may be possible. What is 
also possible is that your company will consider it as circumvention of 
security measures, and will take a very dim view of these kinds of 
activities.
-- 
Steve Boddy
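
The reply above mentions two sshd settings that matter on both ends: key-only logins on the home server, and port forwarding that "can be blocked in the config". The sketch below is an added example, not part of the original post: it audits sshd_config text for those points. The sample configurations and the hostname mythweb.lan are constructed, and Match blocks are assumed out of scope.

```python
# Added example (not from the original post). For a live system, `sshd -T`
# prints the effective configuration; this parser covers global settings only.
DEFAULTS = {  # OpenSSH behaviour when a keyword is absent
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "yes",
    "permitopen": "any",
}

def effective_settings(config_text):
    """Global settings; sshd keeps the first value it reads for a keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # Match blocks are conditional overrides, not audited here
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}

def audit(config_text):
    """Return findings for password logins and unrestricted -L forwarding."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password logins enabled (dictionary-attack exposure)")
    if s["pubkeyauthentication"] == "no":
        findings.append("public-key authentication disabled")
    if s["allowtcpforwarding"] in ("yes", "all", "local") and s["permitopen"] == "any":
        findings.append("ssh -L forwarding allowed to any destination")
    return findings

# Constructed sample configurations; mythweb.lan is a hypothetical hostname.
STOCK = "Port 22\n#PasswordAuthentication yes\n"
HOME_HARDENED = ("PasswordAuthentication no\nPubkeyAuthentication yes\n"
                 "AllowTcpForwarding local\nPermitOpen mythweb.lan:80\n")
CORPORATE_GATEWAY = "PasswordAuthentication no\nAllowTcpForwarding no\n"

if __name__ == "__main__":
    for name, text in [("stock", STOCK), ("home", HOME_HARDENED),
                       ("gateway", CORPORATE_GATEWAY)]:
        print(name, audit(text) or "no findings")
```

With PermitOpen set as in HOME_HARDENED, the tunnel destination in the ssh -L command has to match the listed host and port exactly.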

