Here's a way I got this working (btw, your setup sounds like it might be easier, I had to do udp-over-tcp-encapsulation-via-ssh to get through the firewall).
Configuration:

  1. Zenoss collector - private network
  2. Inside Server - private network
  3. Outside Server - public network, cannot access Zenoss collector d/t firewall. UDP traffic also not translated through firewall.

Solution:

UPSIDE: You get snmp and any other tcp/udp traffic
DOWNSIDE: There goes ping - since you're aliasing localhost

On the Collector (Zenoss on linux):

Step 1: Create a loopback device alias:

    # ifconfig lo:2 127.0.0.2

Step 2: Install socat

Step 3: Use socat to port-forward connections**

    socat udp-listen:161,bind=127.0.0.2,fork,reuseaddr udp-connect:firewallip:firewallport

Step 4: Add Device 127.0.0.2

** For those of you interested, socat does support tun so you could actually put together a poor-man's vpn pretty simply: tun forwarded to local tcp port -> ssh -> remote tcp port forwarded to tun:

    # socat tun:192.168.1.100/24 tcp-connect:127.0.0.2:9999 &
    # ssh -f -N -L 9999:127.0.0.1:9999 u...@remotehost
    [u...@remote]# socat tcp-listen:9999 tun:192.168.1.101/24 &

socat also provides its own ssl tunnels as an alternative to ssh, you just need to set up the certs.

Step 5: Set up snmp traps

Not sure how to set this up so that they map from the proper host ... still working on it though.

My setup:

Monitor:

    # socat udp-listen:161,bind=127.0.0.2,fork,reuseaddr tcp-connect:127.0.0.1:8161 &
    # socat tcp-listen:8162,bind=127.0.0.2,fork,reuseaddr udp-connect:127.0.0.1:162 &
    # socat tcp-listen:80,bind=127.0.0.2,fork,reuseaddr tcp-connect:127.0.0.1:9081 &
    # ssh -f -N -L 8161:127.0.0.1:8161 -R 8162:127.0.0.2:8162 -L 9081:127.0.0.1:80 u...@remote

Remote Server:

    # socat tcp-listen:8161,fork,reuseaddr udp-connect:127.0.0.1:161 &
    # socat udp-listen:162,fork,reuseaddr tcp-connect:127.0.0.1:8162 &

By using the bind=127.0.0.2 socat binds to that port only for the ip address given (so I can use standard ports for each of the tunneled hosts). You should check your web server configuration to make sure that it specifically binds to non-local ip addresses.

In apache it is "Listen", make sure it is something like:

    Listen 192.168.1.100:80    #good
    #Listen 0.0.0.0:80         #not good

Good luck!

Justin

Read this topic online here: http://forums.zenoss.com/viewtopic.php?p=32957#32957

_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
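The udp-listen/tcp-connect and tcp-listen/udp-connect pair from the post above, re-implemented in Python as an added example (not code from the post or from socat) so the two halves of the UDP-over-TCP relay can be run and inspected on one loopback host. It adds a 2-byte length prefix so each datagram's boundary survives the TCP stream (plain byte forwarding does not guarantee that for larger or back-to-back datagrams); the function names, port 0 (ephemeral) bindings, timeouts and the upper-casing stand-in for the SNMP agent are all constructed for this example, and the SSH hop between the two relays is left out.

```python
import socket, struct, threading
def send_frame(conn, data):  # 2-byte length prefix keeps datagram boundaries on the stream
    conn.sendall(struct.pack("!H", len(data)) + data)
def recv_frame(conn):  # makefile().read(n) blocks until n bytes arrive (or EOF)
    f = conn.makefile("rb")
    hdr = f.read(2)
    return f.read(struct.unpack("!H", hdr)[0]) if len(hdr) == 2 else None
def udp_to_tcp_relay(udp_bind, tcp_target):
    """Collector side (socat udp-listen ... tcp-connect): one TCP connection per datagram."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(udp_bind)
    def serve():
        while True:
            data, peer = udp.recvfrom(65535)
            with socket.create_connection(tcp_target) as tcp:
                send_frame(tcp, data)
                reply = recv_frame(tcp)
            if reply:
                udp.sendto(reply, peer)  # reply goes back to the original UDP sender
    threading.Thread(target=serve, daemon=True).start()
    return udp.getsockname()
def tcp_to_udp_relay(tcp_bind, udp_target):
    """Remote side (socat tcp-listen ... udp-connect): unframe and hand to the UDP agent."""
    srv = socket.create_server(tcp_bind)
    def handle(conn):
        with conn, socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            data = recv_frame(conn)
            if data is None: return
            udp.settimeout(2)
            udp.sendto(data, udp_target)
            try:
                send_frame(conn, udp.recv(65535))
            except socket.timeout:
                pass  # agent silent: the collector just sees a normal UDP timeout
    def serve():
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
def demo_exchange(request):
    """Constructed stand-in for the SNMP agent: it answers with the request upper-cased."""
    agent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); agent.bind(("127.0.0.1", 0))
    def echo(): data, peer = agent.recvfrom(65535); agent.sendto(data.upper(), peer)
    threading.Thread(target=echo, daemon=True).start()
    remote = tcp_to_udp_relay(("127.0.0.1", 0), agent.getsockname())
    collector = udp_to_tcp_relay(("127.0.0.1", 0), remote)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); client.settimeout(5)
    client.sendto(request, collector)
    return client.recv(65535)
```

demo_exchange() wires agent, remote relay and collector relay together on loopback and returns what a UDP client sent to the collector address gets back.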
