You can't detect that unless they pass on special headers which explicitly mention it, like X-Forwarded-For or something.
As far as I know you have to use a blacklist. Users who use PuTTY port forwarding, VPN or other more sophisticated methods are undetectable as they behave exactly like normal users.
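
The two checks described above, as an added example that is not part of the original answer: look for headers in which a proxy discloses itself, then fall back to a blacklist of known proxy addresses. The `Forwarded` and `Via` headers, the function names and the blacklist range are assumptions made for illustration; all sample values are constructed.

```python
import ipaddress
import re

# Headers in which a proxy may disclose itself. X-Forwarded-For is the one the
# answer names; Forwarded (RFC 7239) and Via are assumed additions.
PROXY_HEADERS = ("x-forwarded-for", "forwarded", "via")

# Constructed blacklist of known proxy ranges (a documentation range).
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]


def _parse_ip(item):
    """Parse one address, tolerating '[v6]:port' and 'v4:port' forms."""
    if item.startswith("["):
        item = item[1:].split("]")[0]
    elif item.count(":") == 1:
        item = item.split(":")[0]
    try:
        return ipaddress.ip_address(item)
    except ValueError:
        return None  # e.g. "unknown" or an obfuscated identifier


def forwarded_chain(headers):
    """Addresses disclosed by X-Forwarded-For and Forwarded, in header order."""
    h = {k.lower(): v for k, v in headers.items()}
    raw = [p.strip() for p in h.get("x-forwarded-for", "").split(",")]
    raw += re.findall(r'for="?([^";,\s]+)"?', h.get("forwarded", ""), re.I)
    return [ip for ip in map(_parse_ip, raw) if ip is not None]


def classify(remote_addr, headers):
    """Return 'proxy-disclosed', 'blacklisted' or 'no-evidence'."""
    names = {k.lower() for k in headers}
    # These headers are sent by the peer, so they can be omitted or forged:
    # their presence is a hint, their absence proves nothing.
    if any(name in names for name in PROXY_HEADERS):
        return "proxy-disclosed"
    addr = ipaddress.ip_address(remote_addr)
    if any(addr in net for net in BLACKLIST):
        return "blacklisted"
    # A VPN or SSH-tunnel user on an unlisted address ends up here,
    # indistinguishable from a direct connection.
    return "no-evidence"
```
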