Re: Complicated ssh tunneling task.
dmartini@uni-hohenheim.de wrote:
> Hello list,
>
> consider the following setup:
>
>           |         |
> boxA----boxB------boxC---------boxD
>           |         |
> LAN       | Internet | Home computer, connected to
>           |         | Internet via modem
>
> boxA sits on a LAN, running OpenBSD 3.3. On this box I can get root
> privileges. It has an IP address only for use in private networks
> (RFC 1918, 10.195.x.x). So its IP address will never be visible to the
> internet, to which boxA is connected via:
>
> boxB. This one is a bridge and firewall, running Novell Netware, doing
> NAT for the LAN. Additionally, it will only pass http traffic from the
> inside of the LAN, via Novell Border Manager http proxy on port 8080.
> I cannot get root on this machine.
>
> boxC is running Solaris, has an officially assigned IP address, has
> sshd running on it, and has an account for me, but not a root account.
>
> boxD is my home box, running OpenBSD 3.3, connected to the internet
> via dialup modem. Its IP address is dynamically assigned. Root access
> for me is no problem.
>
> If I'm dialed in, I can log in from boxD to boxC with ssh.
> I can log in from boxA to boxC with ssh using corkscrew from the ports
> collection to pierce the proxy.
>
> Question is:
> Can I establish an ssh connection from boxA to boxC and use this
> connection later on, to connect from boxD to boxA via boxC?
> Or are there even other, better ways to connect from boxD to boxA in
> this scenario (perhaps using nc?)?
>
> Note that, while establishing a connection from boxA to boxD using ssh
> and forwarding the traffic through this tunnel would be possible, it
> is not desirable, because boxD would have to be dialed up all the
> time, which would be much too expensive. Setting up a cron job to
> connect boxA to boxD at a certain time is also not possible, because
> boxA would have to know boxD's (dynamic) IP address.
You could use a free dynamic DNS service such as dyndns.org on boxD so
that you can connect to it by name despite the dynamic IP. I haven't
checked, but there is probably a dynamic DNS client somewhere in ports.
Even without a client you can go to dyndns.org from boxD and manually
update your name/address mapping.
The fact that boxB only passes outbound http by proxy is a bit of a
pain. You will need something that can tunnel your connection over http,
such as http://www.nocrew.org/software/httptunnel.html. It's available
in Packages for i386; I didn't check for other platforms. Then, set up a
job on boxA that periodically tries to connect to boxD by name. If boxD
is not online and listening on port 80, boxA retries a few minutes later.
RPK.
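The periodic job the reply sketches, as an added example that is not part of the thread and not httptunnel's or OpenBSD's own code: assuming boxD runs hts on port 80 in front of its sshd and is registered under a dynamic-DNS name, this sh script for boxA's cron reaches boxD through the Border Manager proxy with htc and opens an ssh reverse forward so boxD can later log in to boxA. The host names, proxy address, ports, account name and the htc flags are assumptions, not values from the thread.

```shell
#!/bin/sh
# Cron job for boxA:  boxA -> http proxy -> boxD:80 (hts) -> boxD sshd,
# then an ssh reverse forward so boxD reaches boxA's sshd via its own
# loopback port.  Placeholder values; nothing here comes from the thread.
# On boxD, hts would be started as:  hts -F localhost:22 80
BOXD_NAME="${BOXD_NAME:-boxd.dyndns.example}"   # dynamic-DNS name of boxD
PROXY="${PROXY:-10.195.0.1:8080}"               # Border Manager http proxy
USER_ON_BOXD="${USER_ON_BOXD:-me}"              # account on boxD
LOCAL_PORT=2222        # htc listens here on boxA; ssh connects to it
REMOTE_PORT=2222       # port on boxD's loopback that leads back to boxA:22
LOCKFILE="${LOCKFILE:-/var/run/boxd-tunnel.pid}"

# ssh options for an unattended job: no prompts (cron), give up instead of
# hanging when boxD is offline, exit if the reverse forward cannot be set
# up, and verify the host key under the alias "boxd" rather than under
# "localhost", since the tunnel endpoint is local but the peer is boxD.
ssh_opts() {
    echo "-N -o BatchMode=yes -o ConnectTimeout=30 -o ExitOnForwardFailure=yes" \
         "-o HostKeyAlias=boxd -o ServerAliveInterval=60 -p $LOCAL_PORT"
}

# The -R spec: connections to REMOTE_PORT on boxD go to boxA's own sshd.
forward_spec() { echo "$REMOTE_PORT:localhost:22"; }

# True if a tunnel from an earlier cron run is still alive (no duplicates).
tunnel_running() {
    [ -f "$LOCKFILE" ] && kill -0 "$(cat "$LOCKFILE")" 2>/dev/null
}

main() {
    tunnel_running && exit 0
    echo $$ > "$LOCKFILE"
    # htc: listen on LOCAL_PORT, reach BOXD_NAME:80 through the proxy
    # (flag names taken from httptunnel's documentation; assumed, not verified).
    htc -F "$LOCAL_PORT" -P "$PROXY" "$BOXD_NAME:80" &
    HTC_PID=$!
    trap 'kill $HTC_PID 2>/dev/null; rm -f "$LOCKFILE"' EXIT
    sleep 2
    # If boxD is not dialed in, this fails within ConnectTimeout and the
    # next cron run simply retries (the "retry a few minutes later" above).
    ssh $(ssh_opts) -R "$(forward_spec)" "$USER_ON_BOXD@localhost"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it every few minutes from boxA's crontab with the `run` argument; when boxD is offline ssh times out, the trap removes htc and the lock, and the next run retries.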