[arch-general] tunneling help needed (ssh?)
Hi there, I know this isn't very arch specific but I lack ideas on where else to ask. Problem: A server situated in a network that can't be reached from the outside, all ports are blocked. I want to give specific outside users simple ftp access to a directory on this server (password protected). I'm in control of the server inside the network. I'm in control of another server inside this network that can be reached (at least port 80) but I'd like to avoid using this server. I may have some control over outside servers. So, what can I do?
Maybe somebody has a better solution than this, but to me, the following would be the obvious approach.

If host "A" is the fully firewalled server that hosts the FTP directory, and server "B" is the server on which port 80 is accessible, then:

1. Run an FTP daemon on server A which limits access to the users you specify
2. On server B:

       ssh -L :80:A:21

   where "A" is the IP address or hostname of server A

Then, clients can FTP to port 80 on server B and their traffic will be forwarded to the FTP daemon on A.

It would be better to use some port other than 80 though, because:

- If a web server is running already on B, it will probably have bound port 80
- 80 is the well-known port for HTTP, and it's not a great idea to reappropriate it for some other protocol even if it's not being used for HTTP
- You have to be root to bind ports < 1024, so the ssh tunnel will have to be started as root

So, if you can use some arbitrary port >= 1024 for the tunnel, it would be preferable.

I don't think you can do this without involving B at all, if that's the only Internet-facing host on the LAN that you can do anything with.
On Tue, Aug 2, 2011 at 1:56 PM, Taylor Hedberg <tmhedberg@gmail.com> wrote:
Maybe somebody has a better solution than this, but to me, the following would be the obvious approach.
If host "A" is the fully firewalled server that hosts the FTP directory, and server "B" is the server on which port 80 is accessible, then:
1. Run an FTP daemon on server A which limits access to the users you specify
2. On server B:

       ssh -L :80:A:21

   where "A" is the IP address or hostname of server A
would also need the host to connect to, `A:21` is only the forwarding spec:

    ssh -CNfc arcfour -L 80:A:22 USER@A

... is what you'd want.
Then, clients can FTP to port 80 on server B and their traffic will be forwarded to the FTP daemon on A.
but don't use antiquated FTP, require the use of SFTP for:

1) simplicity
2) security
3) speed
4) SSH-based

... FTP opens oodles of slow connections per session, and would require fancier forwarding (at least 2 ports)

C Anthony
On Tue, Aug 2, 2011 at 2:13 PM, C Anthony Risinger <anthony@xtfx.me> wrote:
would also need the host to connect to, `A:21` is only the forwarding spec:
ssh -CNfc arcfour -L 80:A:22 USER@A
whoops, my bad:

    ssh -CNfc arcfour -L 80:A:22 USER@localhost

:-) my work here is done!

C Anthony
C Anthony Risinger, Tue 2011-08-02 @ 14:18:34-0500:
ssh -CNfc arcfour -L 80:A:22 USER@localhost
You need an extra ':' in front of the 80 (":80:A:22"), otherwise it will reject connections to the tunnel port that originate anywhere other than the local host.
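As an added illustration (not code from anyone in the thread), the Python script below parses the `-L` specs that appeared above and reports where each listener would bind and whether binding it needs root, which is exactly the missing-':' and port-80 issue being discussed. It assumes only OpenSSH's documented `[bind_address:]port:host:hostport` syntax for `-L`; note also that current OpenSSH releases no longer ship the arcfour cipher that `-c arcfour` selects, so that flag fails on a modern client.

```python
import re

PRIVILEGED_PORT_MAX = 1023  # binding a port <= 1023 needs root (or CAP_NET_BIND_SERVICE)

def parse_local_forward(spec: str) -> dict:
    """Parse an OpenSSH -L spec '[bind_address:]port:host:hostport' and report
    where the listener binds (bracketed IPv6 literals like [::1] are allowed)."""
    # Split on ':' only outside [...] so an IPv6 literal is not torn apart.
    parts = [p.strip("[]") for p in re.split(r":(?![^\[]*\])", spec)]
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad -L spec: {spec!r}")
    listen_port, target_port = int(port), int(hostport)
    if bind is None:
        # No bind_address (the '80:A:22' form): ssh follows the client-side
        # GatewayPorts option, which defaults to 'no', i.e. loopback only.
        exposed, where = False, "loopback only (GatewayPorts default)"
    elif bind in ("", "*"):
        # Empty or '*' (the ':80:A:22' form): listen on all interfaces.
        exposed, where = True, "all interfaces"
    elif bind in ("localhost", "127.0.0.1", "::1"):
        exposed, where = False, "loopback only"
    else:
        exposed, where = True, bind  # a specific non-loopback address
    return {
        "bind_address": bind, "listen_port": listen_port,
        "target_host": host, "target_port": target_port,
        "listens_on_all_interfaces": exposed, "bind_description": where,
        "needs_root": listen_port <= PRIVILEGED_PORT_MAX,
    }

def explain(spec: str) -> str:
    """One-line summary of what '-L spec' would do on the host running ssh."""
    f = parse_local_forward(spec)
    root = " (needs root to bind)" if f["needs_root"] else ""
    return (f"-L {spec}: listen on {f['bind_description']} port {f['listen_port']}"
            f"{root}, forward to {f['target_host']}:{f['target_port']}")

if __name__ == "__main__":
    # The forms that appeared in the thread, plus an unprivileged-port variant.
    for s in (":80:A:21", "80:A:22", ":80:A:22", ":2222:A:22"):
        print(explain(s))
```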
On Tue, Aug 2, 2011 at 1:37 PM, Philipp <hollunder@lavabit.com> wrote:
Problem: A server situated in a network that can't be reached from the outside, all ports are blocked. I want to give specific outside users simple ftp access to a directory on this server (password protected).
I'm in control of the server inside the network. I'm in control of another server inside this network that can be reached (at least port 80) but I'd like to avoid using this server.
If there is no webserver on this port you could DNAT to the FTP server. If there is you could consider running WebDAV instead of FTP, and using a reverse proxy to forward the traffic to the inside box on a certain resource.
I may have some control over outside servers.

Set up a VPN tunnel between the two machines and DNAT a port from the outside server to the firewalled box.
Hope this gives you some ideas.

Jesse
On Tue, Aug 2, 2011 at 2:12 PM, Jesse Young <jesse.young@gmail.com> wrote:
On Tue, Aug 2, 2011 at 1:37 PM, Philipp <hollunder@lavabit.com> wrote:
Problem: A server situated in a network that can't be reached from the outside, all ports are blocked. I want to give specific outside users simple ftp access to a directory on this server (password protected).
I'm in control of the server inside the network. I'm in control of another server inside this network that can be reached (at least port 80) but I'd like to avoid using this server.
If there is no webserver on this port you could DNAT to the FTP server. If there is you could consider running WebDAV instead of FTP, and using a reverse proxy to forward the traffic to the inside box on a certain resource.
I may have some control over outside servers.

Set up a VPN tunnel between the two machines and DNAT a port from the outside server to the firewalled box.
Hope this gives you some ideas.
^^^^^^^^^^^^^^^^^^^^

webdav would be perfect in this situation, and is probably the best/most "correct" solution you have.

C Anthony
participants (4): C Anthony Risinger, Jesse Young, Philipp, Taylor Hedberg