[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Complicated ssh tunneling task.
> Hello list,
> consider the following setup:
> | |
> | |
> LAN | Internet |Home computer, connected to
> | |Internet via modem
> boxA sits on a LAN, running OpenBSD 3.3. On this box I can get root
> privileges. It has an IP address only for use in private networks
> (RFC 1918, 10.195.x.x). So its IP address will never be visible to the
> internet, to which boxA is connected via:
> boxB. This one is a bridge and firewall, running Novell Netware, doing
> NAT for the LAN. Additionally, it will only pass http traffic from the
> inside of the LAN, via Novell Border Manager http proxy on port 8080.
> I cannot get root on this machine.
> boxC is running Solaris, has an officially assigned IP-address, has
> running sshd on it, and has an account for me, but not a root account.
> boxD is my home box, running OpenBSD 3.3, connected to the internet
> via dialup modem. Its IP address is dynamically assigned. Root access
> for me is no problem.
> If I'm dialed in, I can login from boxD to boxC with ssh.
> I can login from boxA to boxC with ssh using corkscrew from the ports
> collection to pierce the proxy.
> Question is:
> Can I establish a ssh connection from boxA to boxC and use this
> connection later on, to connect from boxD to boxA via boxC?
> Or are there even other, better ways to connect from boxD to boxA in
> this scenario (perhaps using nc?)?
> Note, that while establishing a connection from boxA to boxD using ssh
> and forwarding the traffic through this tunnel would be possible, it
> is not desirable, because boxD would have to be dialed up all the
> time, which would be much too expensive. Setting up a cron job to
> connect boxA to boxD at a certain time is also not possible, because
> boxA would have to know boxD's (dynamic) IP address.
You could use a free dynamic DNS service such as dyndns.org on boxD so
that you can connect it by name despite the dynamic IP. I haven't
checked but there is probably a dynamic dns client somewhere in ports.
Even without a client you can go to dyndns.org from boxD and manually
update your name/address mapping.
The fact that boxB only passes outbound http by proxy is a bit of a
pain. You will need something that can tunnel your connection over http,
such as http://www.nocrew.org/software/httptunnel.html . It's available
in Packages for i386, I didn't check for other platforms. Then, set up a
job on boxA that periodically tries to connect to boxD by name. If boxD
is not online and listening on port 80 boxA retries a few minutes later.