[plug] Web access *FROM* China

[Evert van Dijk]

Craig Ringer wrote:

>On Mon, 2005-04-04 at 07:46 +0800, William Kenworthy wrote:
>  
>
>>We have a family friend who is currently working in China with who we
>>can communicate fine by Skype (to the same iinet address as the
>>webserver sits on).  However, when she tried to access my webserver
>>(iinet dynamic adsl - holiday photos and school work for her son), she
>>gets a not_found.  This includes dyndns, ip number and iinet URL.
>>    
>>
>
>Sure the DNS lookup fails at her machine? If she's using some sort of
>HTTP proxy, it might produce a web page indicating failure to access the
>site instead.
>
>  
>
>>I suspect blocking as I dont even see a packet hitting the firewall for
>>any of the possible addresses - is this reasonable?
>>    
>>
>
>Yes. I wouldn't be surprised if they blocked HTTP access to all
>dynamic / dial-up / ADSL IP ranges at the national firewall.
>
>  
>
>>I know there are
>>plenty of other possible explanations, but has anyone experienced
>>something similar, or can comment (likely/unlikely to be the cause)?
>>    
>>
>
>SSH tunnelling is your friend. I had no trouble arranging an ssh tunnel
>to the POST's proxy (and, conveniently, mail server) when we had someone
>working from China. Unfortunately he was an idiot who could barely even
>use ssh despite simple step-by-step instructions, but I guess that shows
>how easy it is to make it work.
>
>If she's on Windows, she should grab PuTTY and set up a simple batch
>file to use plink.exe to make a tunnel. I don't recall the details of
>the command line args etc now, but I think it takes 
>openssh's -L localpost:remotehost:remoteport syntax for port forwards.
>If you get her to generate a passwordless ssh key and send the public
>part to you, you can set it up to only offer access to specific
>forwarded ports and not provide shell access.
>
>  
>
This seems like a good technical solution, how ever I might throw some 
mud into the mix. If China is intent on keeping certain content out of 
the country there might be some law in place that forbids any attempts 
to access to those  ip addresses and/or ports. I would hate for your 
friend to be forcibly removed and denied acces to China in the future if 
she is required to be there for work.
Of course I do not recommend calling up the department of censorship (if 
there is such a thing) saying 'hey do you mind if I break through your 
firewall and access those sites that you appear to have blocked?'. But 
you might tackle this with some caution weighing up the benefits and risks

Good luck

E.