[plug] Web access *FROM* China

[Craig Ringer]

On Mon, 2005-04-04 at 07:46 +0800, William Kenworthy wrote:
> We have a family friend who is currently working in China with who we
> can communicate fine by Skype (to the same iinet address as the
> webserver sits on).  However, when she tried to access my webserver
> (iinet dynamic adsl - holiday photos and school work for her son), she
> gets a not_found.  This includes dyndns, ip number and iinet URL.

Sure the DNS lookup fails at her machine? If she's using some sort of
HTTP proxy, it might produce a web page indicating failure to access the
site instead.

> I suspect blocking as I dont even see a packet hitting the firewall for
> any of the possible addresses - is this reasonable?

Yes. I wouldn't be surprised if they blocked HTTP access to all
dynamic / dial-up / ADSL IP ranges at the national firewall.

> I know there are
> plenty of other possible explanations, but has anyone experienced
> something similar, or can comment (likely/unlikely to be the cause)?

SSH tunnelling is your friend. I had no trouble arranging an ssh tunnel
to the POST's proxy (and, conveniently, mail server) when we had someone
working from China. Unfortunately he was an idiot who could barely even
use ssh despite simple step-by-step instructions, but I guess that shows
how easy it is to make it work.

If she's on Windows, she should grab PuTTY and set up a simple batch
file to use plink.exe to make a tunnel. I don't recall the details of
the command line args etc now, but I think it takes 
openssh's -L localpost:remotehost:remoteport syntax for port forwards.
If you get her to generate a passwordless ssh key and send the public
part to you, you can set it up to only offer access to specific
forwarded ports and not provide shell access.

-- 
Craig Ringer