
| Subject: | Solution -> Re: SSH tunnel question. |
|---|---|
| Date: | Wed, 30 May 2007 11:10:15 -0500 |
List, what follows is a workable solution to my problem. I will need to change IPs and ports around, but that is not a big deal. I have removed a PowerPoint that hinted at my network setup, but the info below should be able to show what needs to be done.

Thanks Joseph, now to try to explain this to team members that want telnet/ftp/rsh open on a server, including on the Internet-facing ports!

-- Leif Ericksen

On Tue, 2007-05-29 at 10:20 -0700, Joseph Spenner wrote:
> Leif: This is kinda what I thought you were trying to do. I do things like this often, and it's not too hard. Basically, what you need to do is 'bring the sshd port(s) local'. Let me give you an example of what I do, and you can map it to your goal.
>
> box01: ip=10.5.3.29 (private lan 1)
> box02: ip=10.5.3.1 (private lan 1) ip=162.66.44.1 (Internet facing)
> box03: ip=199.33.1.33 (Internet facing) ip=192.168.10.1 (private lan 2)
> box04: ip=192.168.10.23 (private lan 2 web server)
> box05: ip=192.168.10.24 (private lan 2 mysql server)
> box06: ip=192.168.10.25 (private lan 2 proxy server)
>
> My goal is to access web, proxy, and mysql resources from box01.
>
> box01$ ssh -L 10022:199.33.1.33:22 user@box02
> (leave this terminal open, and open another)
>
> box01$ ssh -p 10022 -L 10080:192.168.10.23:80 -L 10443:192.168.10.23:443 -L 3306:192.168.10.24:3306 -L 3128:192.168.10.25:3128 user@localhost
> (leave this terminal open)
>
> Now, on box01, you should have:
> 10080/10443: box04's web
> 3306: box05's mysql
> 3128: box06's proxy
>
> If you actually want a SHELL on box04-06 where you can run applications in X, and have them show up on your box01 system, this can be done:
>
> box01$ ssh -p 10022 -L 20022:192.168.10.x:22 user@localhost
> (leave this terminal open)
>
> box01$ ssh -p 20022 -X user@localhost
>
> This will give you a shell, X ready, on 192.168.10.x. Then, you should be able to do this and get an xlogo:
>
> box0X$ xlogo
>
> Does that make sense?
>
> --- Leif Ericksen <lericksen@sbcglobal.net> wrote:
>> This attachment is saved as a PowerPoint using OpenOffice Impress. I am not trying to say "tell me how to do this", just guide me, such that I can get this working. I think to do the double bounce I am going to need to do port forwarding on the desktop and first hop and make the third server the SOCKS box, or have two or more SOCKS servers and creatively forward the ports. Long run I need 443/80, 1044, 1045, and 5900 to hit my destination. It will be a quick and dirty shot of what I am trying to do.
>>
>> I will go from the corp desktop (WinXP) to a hop server (port 22 is open); from there I will go to another server that has unrestricted access to the management module. The management module is a device that sits in the blade center chassis and has access to the system console on 14 different servers. We have 3 firewalls: intranet to hop box, hop box to extranet server, extranet server to Internet. So I am trying to tunnel ports 1044, 1045, 5900 (80/443 work just fine) from the desktop to the management module.
>>
>> In short, I want to create a tunnel to take ports (1044, 1045, 5900) from my desktop, through the firewall to the hop server, then from there through another firewall to a Linux blade server (one in a chassis of 14 servers) that will have unrestricted access to all 14 blades. The management module is a firmware device, and with a web browser (80/443) you select remote control, and here is where ports 5900, 1044, 1045 come into play. That in turn starts a Java applet (script) that starts a VNC (webmin-like) remote control session of a blade in the chassis it is in. Port 5900 is restricted on the firewall, and unless IBM changed the code we still cannot change the port for the remote console. Without access at the network level I cannot do IPv6; without root I cannot forward low-level ports.
>>
>> What has been tested, and may go away as soon as CIS figures it out: I can be on the corporate VPN and ssh directly to one of my extranet servers. With that I set PuTTY up so that it is a SOCKS server:
>>
>> putty -D 8080 -P 22 extranet_server
>>
>> I then configure IE to talk to a SOCKS server, and I turn off the corporate proxy. I run my web session to whatismyip.com and get the IP of the extranet server.
>>
>> Reflecting back on the fact that this access may go away and I want CIS to bless this, I have to run through the hop (and in case they want a double hop, I want to see how to pass traffic from the hop box to another one of my servers). In theory it should work if I do
>>
>> putty -D 8080 -P 22 hop_server
>>
>> and get a CIS-approved firewall hole to talk to the management modules on the desired ports. If I go the double hop route, SSH is approved and will need no special blessing, since the final server before the management module has no firewall restrictions in place. (OK, I could use X and start Mozilla and run the session, but that is DOG SLOW. Go get lunch, come back and your screen may be painted.) Again, trying to do all this without adding any extra software, since that would need a corporate blessing if it is not standard on the server. (UGH)
>>
>> I am not the greatest person to draw a diagram, nor explain this with text. I think I have been too close to this issue. Then when this is all over I have to explain this to folks that wanted to use static passwords even after I showed them ssh keys and how cool that was. ;)
>>
>> Any direction would be great, even if it is "you are a nut, this will not work since you do not have root on the first hop" or "you are a nut, this will not work without adding extra software like connect" :)) I am good-natured about this.
>>
>> -- Leif Ericksen
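The chain Joseph describes, generalized to any number of hops, as an added example that is not part of this thread or of any poster's code. It is a small Python planner that emits the ssh command lines for the "bring the sshd port local" recipe (one command per hop, run in order in separate terminals) and, for comparison, the same chain as a single command using -J/ProxyJump, which exists only in OpenSSH 7.3 and later, long after this 2007 thread. It also encodes two constraints raised above: a non-root desktop cannot bind local listeners below 1024, and the chain's own listener ports must not collide with the forwards. The hostnames, users and ports are constructed to mirror Joseph's box01..box06 layout; -N, -o ExitOnForwardFailure=yes, -o HostKeyAlias and -J are real OpenSSH client options, and nothing here executes ssh.

```python
"""Plan an N-hop SSH port-forwarding chain ("bring the sshd port local").

Added example, not code from the mailing-list thread. Hosts, users and ports
are constructed to mirror Joseph's box01..box06 layout; ssh is not executed.
"""
from dataclasses import dataclass
from typing import List

SSH = "ssh -N -o ExitOnForwardFailure=yes"  # -N: forwards only, no remote shell


@dataclass(frozen=True)
class Hop:
    user: str
    host: str       # address of this hop as seen from the previous hop
    port: int = 22  # sshd port on this hop


@dataclass(frozen=True)
class Forward:
    local_port: int  # listener on the desktop (box01)
    dest_host: str   # target as seen from the last hop
    dest_port: int


def check_local_ports(ports: List[int], as_root: bool = False) -> None:
    """Reject listeners a non-root user cannot bind (<1024) and duplicate bindings."""
    if not as_root:
        privileged = [p for p in ports if p < 1024]
        if privileged:
            raise ValueError(f"local port(s) {privileged} need root to bind")
    dupes = sorted({p for p in ports if ports.count(p) > 1})
    if dupes:
        raise ValueError(f"local port(s) {dupes} bound more than once")


def forward_args(forwards: List[Forward]) -> str:
    return " ".join(f"-L {f.local_port}:{f.dest_host}:{f.dest_port}" for f in forwards)


def plan_chain(hops: List[Hop], forwards: List[Forward],
               first_local_port: int = 10022, as_root: bool = False) -> List[str]:
    """Joseph's recipe for any number of hops: one ssh command per hop.

    Command i brings hop i+1's sshd to localhost:<first_local_port + i>; the
    last command carries the real -L forwards. Run them in order, each in its
    own terminal, and leave them open.
    """
    if not hops:
        raise ValueError("at least one hop is required")
    chain_ports = [first_local_port + i for i in range(len(hops) - 1)]
    check_local_ports([f.local_port for f in forwards] + chain_ports, as_root)

    cmds = []
    target, port, opts = f"{hops[0].user}@{hops[0].host}", hops[0].port, ""
    for nxt, local in zip(hops[1:], chain_ports):
        cmds.append(f"{SSH}{opts} -p {port} -L {local}:{nxt.host}:{nxt.port} {target}")
        # The next session dials localhost:<local>; HostKeyAlias makes ssh verify
        # and store the host key under the hop's real name, not "[localhost]:<local>".
        target, port, opts = f"{nxt.user}@localhost", local, f" -o HostKeyAlias={nxt.host}"
    cmds.append(f"{SSH}{opts} -p {port} {forward_args(forwards)} {target}")
    return cmds


def plan_proxyjump(hops: List[Hop], forwards: List[Forward], as_root: bool = False) -> str:
    """Same chain as one command using -J (ProxyJump, OpenSSH 7.3+).

    Each jump host opens the connection to the next one on the client's behalf,
    so the intermediate sshds need no local listener and every host key is
    checked under its real hostname.
    """
    if not hops:
        raise ValueError("at least one hop is required")
    check_local_ports([f.local_port for f in forwards], as_root)
    last = hops[-1]
    jumps = ",".join(f"{h.user}@{h.host}:{h.port}" for h in hops[:-1])
    via = f" -J {jumps}" if jumps else ""
    return f"{SSH}{via} -p {last.port} {forward_args(forwards)} {last.user}@{last.host}"


# Joseph's layout (constructed): box01 -> box02 -> box03, targets on private lan 2.
JOSEPH_HOPS = [Hop("user", "box02"), Hop("user", "199.33.1.33")]
JOSEPH_FORWARDS = [
    Forward(10080, "192.168.10.23", 80),
    Forward(10443, "192.168.10.23", 443),
    Forward(3306, "192.168.10.24", 3306),
    Forward(3128, "192.168.10.25", 3128),
]

if __name__ == "__main__":
    for cmd in plan_chain(JOSEPH_HOPS, JOSEPH_FORWARDS):
        print(cmd)
    print(plan_proxyjump(JOSEPH_HOPS, JOSEPH_FORWARDS))
```

For Leif's case the hops are the hop box and the blade server, and 1044, 1045 and 5900 are just three more -L entries on the last command, bound to unprivileged local ports so no root is needed on the desktop. The -o ExitOnForwardFailure=yes option makes each session die instead of silently continuing when a local port is already taken, which is the usual way a chain like this ends up half-built.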