List, what follows is a workable solution to my problem.  I will need to
change IPs and ports around but that is not a big deal.  I have removed
a power point that hinted at my network setup but the info below should
be able to show what needs to be done.

Thanks Joseph, now to try to explain this to team members that want
telnet/ftp/rsh open on a server including on the Internet facing ports!

--
Leif Ericksen
On Tue, 2007-05-29 at 10:20 -0700, Joseph Spenner wrote:
> Leif:
>   This is kinda what I thought you were trying to do. 
> I do things like this often, and it's not too hard. 
> Basically, what you need to do is 'bring the sshd
> port(s) local'.  Let me give you an example of what I
> do, and you can map it to your goal.
> 
> box01:
>   ip=10.5.3.29  (private lan 1)
> 
> box02:
>   ip=10.5.3.1  (private lan 1)
>   ip=162.66.44.1  (Internet facing)
> 
> box03:
>   ip=199.33.1.33  (Internet facing)
>   ip=192.168.10.1 (private lan 2)
> 
> box04:
>   ip=192.168.10.23 (private lan 2 web server)
> 
> box05:
>   ip=192.168.10.24 (private lan 2 mysql server)
> 
> box06:
>   ip=192.168.10.25 (private lan 2 proxy server)
> 
> My goal is to access web, proxy, and mysql resources
> from box01.
> 
> 
> box01$ ssh -l [EMAIL PROTECTED] -L 10022:199.33.1.33:22
>   (leave this terminal open, and open another)
> 
> box01$ ssh -l [EMAIL PROTECTED] -p 10022 -L
> 10080:192.168.10.23:80 -L 10443:192.168.10.23:443 -L
> 3306:192.168.10.24:3306 -L 3128:192.168.10.25:3128
>   (leave this terminal open)
> 
> Now, on box01, you should have:
> 10080/10443:  box04's web
> 3306: box05's mysql
> 3128: box06's proxy
> 
> 
> If you actually want a SHELL on box04-06 where you can
> run applications in X, and have them show up on your
> box01 system, this can be done:
> 
> box01$ ssh -l [EMAIL PROTECTED] -p 10022 -L
> 20022:192.168.10.x:22
>   (leave this terminal open)
> 
> box01$ ssh -p 20022 -X [EMAIL PROTECTED]
> 
> This will give you a shell, X ready, on 192.168.10.x. 
> Then, you should be able to do this and get a Xlogo:
> 
> box0X$ xlogo
> 
> 
> Does that make sense?
> 
> 
> 
> --- Leif Ericksen <[EMAIL PROTECTED]> wrote:
> 
> > This attachment is saved as a power point using open
> > office impress.
> > I am not trying to say tell me how to do this, just
> > guide me.  Such that
> > I can get this working. I think To do the double
> > bounce I am going to
> > need to do port forwarding on the desktop and first
> > hop and make the
> > third server the SOCKS box, or have two or more socks
> > and creatively
> > forward the ports.  Long run I need 443/80
> > 1044,1045, and 5900 to hit my
> > destination) 
> > 
> > It will be a quick and dirty shot of what I am
> > trying to do.
> > 
> > I will go from the corp desktop (winXP) to a hop
> > server (port 22 is
> > open) from there I will go to another server that
> > has unrestricted
> > access to the management module.  
> > 
> > The management module is a device that sits in the
> > blade center chassis
> > and has access to system console on 14 different
> > servers.
> > We have 3 firewalls.  Intranet to Hop box, Hopbox to
> > Extranet server,
> > extranet server to internet.
> > 
> > So I am trying to tunnel ports 1044, 1045, 5900
> > (80/443 work just fine)
> > from DeskTop to the Management Module.  
> > 
> > In short,  I want to create a tunnel to take ports
> > (1044, 1045, 5900)
> > from my desktop, through the firewall to the hop
> > server, then from there
> > through another firewall to a Linux Blade server
> > (one in a chassis of 14
> > servers) that will have unrestricted access to all
> > 14 blades.
> > 
> > The management module is a firmware devices, and
> > with a web browser
> > (40/443) you select remote control and here is where
> > ports 5900, 1044,
> > 1045 come to play.  That in turn starts a Java
> > Applet (script) that
> > starts a VNC (webmin) like remote control session of
> > a blade in the
> > chassis it is in.  The port 5900 is restricted on
> > the firewall and
> > unless IBM changed the code we still can not change
> > the port for the
> > remote console  
> > Without access to the network level I can not do
> > IPV6, without root I
> > can not forward Low level ports.
> > 
> > What has been tested and may go away as soon as CIS
> > figures it out.
> > I can be on the corporate VPN and ssh directly to
> > one of my Extranet
> > servers.  With that i set putty up so that it is a
> > SOCKS server putty -D
> > 8080 -P 22 extranet_server   I then configure IE to
> > talk to a socks
> > server, and I turn off the corporate proxy.  I run
> > my web session to
> > whatismyip.com and get the IP of the Extranet
> > servers.  Reflecting back
> > to the fact that this access may go away and I want
> > CIS to bless this I
> > have to run through the hop (and in case they want a
> > double hop I want
> > to see how to pass traffic from the hop box to
> > another one of my
> > servers)  In theory it should work if I do putty -D
> > 8080 -P 22
> > hop_server and get a CIS approved firewall hole to
> > talk to the
> > management modules on the desired ports.
> > 
> > If I go the double hop route SSH is approved and
> > will need no special
> > blessing since the final server before the
> > management module has no
> > firewall restrictions in place. (OK I could use X
> > and start Mozilla and
> > run the session but that is DOG SLOW.  Go get lunch
> > come back and your
> > screen may be painted)
> > 
> > Again trying to do all this without adding any extra
> > software since that
> > would need a corporate blessing if it is not
> > standard on the server.
> > (UGH)
> > 
> > I am not the greatest person to draw a diagram, nor
> > explain this with
> > text.  I think I have been too close to this issue.
> > 
> > Then when this is all over I have to explain this to
> > folks that wanted
> > to use static passwords even after I showed them ssh
> > keys and how cool
> > that was.   ;)
> > 
> > Any direction would be great, even if it is "you are
> > a nut this will not
> > work since you do not have root on first hop" or
> > "you are a nut this
> > will not work without adding extra software like
> > connect"    :))  I am
> > good natured about this.
> > 
> > --
> > Leif Ericksen
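Added example (not part of the thread above, and not Joseph's or Leif's code): a toy TCP relay in Python that reproduces the visible behaviour of `ssh -L` at the listening end, a loopback listener whose connections come out at the far side of a hop, and chains two of them the way Joseph's two ssh sessions are chained (the first brings box03's sshd port local, the second rides through it and brings box04's ports local). The relays here are plain TCP, not encrypted SSH channels; the "web server" at the end is a constructed echo service that upper-cases whatever it receives so you can see the bytes really traversed both hops. Port numbers are chosen by the OS at bind time; the hosts, ports and service are all assumptions for the demo.

```python
"""Toy TCP relay chain illustrating what `ssh -L` does at the listening end."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Relay:
    """Listen on loopback and relay each accepted connection to `target`.

    This mirrors `ssh -L <port>:<host>:<port>`: a local listener whose
    connections emerge at the far end of the hop. Here the hop is a plain
    TCP connection, not an encrypted SSH channel (assumption for the demo).
    """

    def __init__(self, target):
        self.target = target
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Bind loopback only; ssh -L also binds loopback by default, so the
        # forwarded ports are reachable only from the machine running ssh.
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()
            return
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        upstream.close()
        client.close()

    def close(self):
        self.sock.close()


def start_echo_service():
    """Constructed stand-in for box04's web server: replies with the request upper-cased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                buf = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                conn.sendall(buf.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def run_chain_demo(payload):
    """Send payload through two chained relays and return the service's reply."""
    service, service_port = start_echo_service()
    second_hop = Relay(("127.0.0.1", service_port))    # second ssh: box03 -> box04 forward
    first_hop = Relay(("127.0.0.1", second_hop.port))  # first ssh: -L 10022 toward box03
    try:
        with socket.create_connection(("127.0.0.1", first_hop.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # signal end of request; EOF travels down the chain
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        first_hop.close()
        second_hop.close()
        service.close()


if __name__ == "__main__":
    print(run_chain_demo(b"GET / HTTP/1.0\r\n\r\n"))
```

The point the toy makes is the one Joseph's recipe relies on: once a remote port is "brought local", anything on box01 can treat it as a local service, including a second ssh client, and the second session's `-L` listeners are again only on box01's loopback. That loopback default is also what keeps the forwarded MySQL and proxy ports from being exposed to anyone else on box01's LAN.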