
I guess the following will be considered a hack, but here goes:

I have machines A and B, and C.
B can open a connection to A, but A cannot open a connection to B (due to FW).
Work: A <--- B
Doesn't work: A ---> B

I want to be able to open a connection from A to B.
Is there a way (tool, preferably an OS tool) to allow a seamless connection initiation from A to B, quite possibly by tunneling on top of an existing connection from B to A?

At the end of the day I want to be able to successfully telnet from A to B:

telnet B [port number]  

Or even to machine C, that B has access to, but A doesn't. From A:

telnet C [port number]

Later edit:

I've been offered "static" tunneling, but I would like to have a seamless solution.
For example, configure that a connection attempt to a certain range of destination IPs will be tunneled through B, where C is the dynamically varying destination. So telnet 80 will connect to the target, passing through B.

Gili Nachum
    This sound like you're trying to bypass security measures put in place by your system administrator. I suggest you discuss your problems with that administrator. – John Gardeniers Oct 24 '10 at 21:02
  • You are right. I did... :) I ain't necessarily going to use it, but I would like to have it as part of my toolbox. – Gili Nachum Oct 26 '10 at 07:45

2 Answers


You haven't given any indication of what OS these boxes are running, so I'll assume unix. If that's wrong, please retag your question. That said:

B% ssh A -R 2200:B:22

will log you into A, while making a tunnel from A to B such that when on A you connect to port 2200, ssh tunnels your packets to port 22 on B.

B% ssh A -R 2200:C:22

will also work, provided that B has an uninterrupted network path to C; when on A you connect to port 2200, ssh tunnels you to port 22 on C.

MadHatter
  • Nice, but it's too static for my needs. I would like to have it working seamlessly. For example, configure that a connection attempt to a *certain* range of destination IPs will be tunneled through B, where C is the dynamically varying destination. So telnet 80 will connect to the target, passing through B. – Gili Nachum Oct 26 '10 at 08:07
  • Then you want a VPN between A and the network B is on. Sneaking an ssh connection past your local network admin can usually be concealed, but a full-blown VPN? It will depend on what kind of traffic you can currently get from B to A and back. OpenVPN will do what you want and can be run on any TCP or UDP port that is open from A to B and vice-versa. IPSec is a pig to set up, and requires protocol 50 (ESP) from end to end, as well as traffic from UDP/500 to UDP/500. I can't make any suggestions until you know your network geomotry and firewall ruleset. – MadHatter Oct 26 '10 at 08:17
  • 1) "geomotry" -> "geometry". 2) there's an SSH-based vpn, as well, in later versions of ssh: see eg https://help.ubuntu.com/community/SSH_VPN for more details. – MadHatter Oct 26 '10 at 08:27
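The reverse forward from this answer, plus the variant the follow-up comment asks for, as an added example (this is not code from the answer or from OpenSSH). A, B and C are the placeholder host names from the question; the ports 2200, 1080 and the listening addresses are assumptions. It goes one step beyond the answer: OpenSSH 7.6 and later accept `-R port` with no target, which gives A a SOCKS proxy whose connections leave from B, so the destination is picked per connection on A rather than fixed in the tunnel. The functions only build and validate command lines, so the script can be run and checked without a real A/B/C network.

```shell
#!/bin/sh
# Added example: builds the ssh command lines for getting from A back into
# B (static) or into anything B can reach (dynamic SOCKS). Host names A, B, C
# and the port numbers are placeholders; nothing here touches the network.

# True if $1 is a TCP port in 1..65535.
check_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# -N: no remote shell, only the forwarding. ExitOnForwardFailure makes ssh
# exit instead of quietly logging in when A already has something on the
# port. Keepalives let a supervising loop notice a dead link.
COMMON_OPTS='-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3'

# Static reverse forward, run ON B: A's localhost:$1 -> $2:$3, leaving from B.
# The listener is bound to localhost on A on purpose, so other users of A
# cannot ride the tunnel (binding 0.0.0.0 would also need GatewayPorts on A).
reverse_forward_cmd() {
    lport=$1; target=$2; tport=$3; gateway=$4
    check_port "$lport" && check_port "$tport" || return 1
    printf 'ssh %s -R localhost:%s:%s:%s %s\n' "$COMMON_OPTS" "$lport" "$target" "$tport" "$gateway"
}

# Reverse dynamic forward (OpenSSH 7.6+), run ON B: A gets a SOCKS proxy on
# localhost:$1; each connection made through it exits from B, so C (or any
# host B can reach) is chosen per connection on A.
reverse_socks_cmd() {
    sport=$1; gateway=$2
    check_port "$sport" || return 1
    printf 'ssh %s -R localhost:%s %s\n' "$COMMON_OPTS" "$sport" "$gateway"
}

# On A: a telnet-like session to $2:$3 through the SOCKS port $1. telnet itself
# has no SOCKS support; -X 5 -x is the OpenBSD netcat syntax (assumption: that
# nc is installed on A; GNU netcat lacks these flags).
socks_client_cmd() {
    printf 'nc -X 5 -x localhost:%s %s %s\n' "$1" "$2" "$3"
}

# Options the owner of A can prefix to B's key in ~/.ssh/authorized_keys so the
# key may open only these two listeners and nothing else (permitlisten needs
# OpenSSH 7.8+). Output goes in front of the "ssh-ed25519 AAAA..." part.
authorized_keys_restriction() {
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",permitlisten="localhost:%s"\n' "$1" "$2"
}

# Re-run the tunnel whenever it drops (what autossh automates). Never returns.
# Usage on B:  keep_tunnel_up sh -c "$(reverse_socks_cmd 1080 A)"
keep_tunnel_up() {
    while :; do
        "$@"
        sleep 5
    done
}
```

With the SOCKS variant in place, `telnet C 80` on A still goes nowhere, but `nc -X 5 -x localhost:1080 C 80` does, and anything that can speak SOCKS (curl, ssh via `ProxyCommand nc -X 5 -x localhost:1080 %h %p`) reaches C through B without a per-host tunnel. The authorized_keys restriction matters because the key B presents to A is sitting on the less trusted side of the firewall: if it is stolen, `restrict` plus `permitlisten` limits the holder to those two listeners.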

If you are running UNIX or UNIX-like systems, look into OpenSSH and its Tunnel, TunnelDevice, and PermitTunnel config directives. If your systems support tun devices, it should be possible to configure ssh and sshd to create a point-to-point (layer 3, the default) or an ethernet (layer 2) tunnel between hosts A and B.

In either case, you will then have to configure the tun devices on A and B as you would any other network device (i.e. assign IP addresses, add routes).

And finally, if you want to allow connections from A to C through the A-B tunnel, you will need to ensure that host B allows IP packet forwarding.

Steven Monday
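The three steps of this answer (tun devices, addressing and routes, forwarding on B) carried through as one sequence, as an added example that is not the answer's own text or OpenSSH code. The tunnel addresses 10.99.0.1 (A) and 10.99.0.2 (B), tun numbers 0/0, B's LAN-facing interface eth0 and C's network 192.0.2.0/24 are assumptions. Each function prints the commands for one end of the link rather than executing them, since they need root and real hosts.

```shell
#!/bin/sh
# Added example: layer-3 SSH VPN from B to A with A routing to C's network
# through B. Addresses, interface and tun names are assumptions; the
# functions print the commands for the reader to run on the right host.

# sshd_config on A, the end B connects to. Tunnel forwarding is off by default;
# "point-to-point" permits layer 3 only, not an ethernet (layer 2) tap.
sshd_config_for_a() {
    printf 'PermitTunnel point-to-point\n'
}

# Run on B as root: -w local:remote asks sshd on A to open tun$2 while ssh
# opens tun$1 on B. Opening a tun device needs root (CAP_NET_ADMIN) at both
# ends, which is why the session on A is root's; $3 is e.g. root@A.
tunnel_cmd_for_b() {
    printf 'ssh -N -w %s:%s -o Tunnel=point-to-point -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 %s\n' "$1" "$2" "$3"
}

# Interface setup for one end: tun name, its own address, the peer's address.
configure_tun() {
    tun=$1; me=$2; peer=$3
    printf 'ip addr add %s peer %s dev %s\n' "$me" "$peer" "$tun"
    printf 'ip link set %s up\n' "$tun"
}

# On A: send C's network ($1) into the tunnel via B's tunnel address ($2).
route_via_tunnel() {
    printf 'ip route add %s via %s dev %s\n' "$1" "$2" "$3"
}

# On B: enable forwarding, but only for A's tunnel address and only between
# the tun and the LAN side. Masquerading on the LAN side means C answers to
# B's address, so nothing on C's network needs a route back for 10.99.0.0/30.
# Note: the forward chain has policy drop, which affects all forwarding on B.
forwarding_for_b() {
    tun=$1; lan_if=$2; a_addr=$3
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'nft add table inet ssh_vpn\n'
    printf "nft add chain inet ssh_vpn post '{ type nat hook postrouting priority 100 ; }'\n"
    printf 'nft add rule inet ssh_vpn post oifname "%s" ip saddr %s masquerade\n' "$lan_if" "$a_addr"
    printf "nft add chain inet ssh_vpn fwd '{ type filter hook forward priority 0 ; policy drop ; }'\n"
    printf 'nft add rule inet ssh_vpn fwd iifname "%s" ip saddr %s oifname "%s" accept\n' "$tun" "$a_addr" "$lan_if"
    printf 'nft add rule inet ssh_vpn fwd iifname "%s" oifname "%s" ct state established,related accept\n' "$lan_if" "$tun"
}

# The whole plan, in the order it has to happen.
plan() {
    echo '# on A (then restart sshd):';   sshd_config_for_a
    echo '# on B:';                        tunnel_cmd_for_b 0 0 root@A
    echo '# on B:';                        configure_tun tun0 10.99.0.2 10.99.0.1
    echo '# on A:';                        configure_tun tun0 10.99.0.1 10.99.0.2
    echo '# on A:';                        route_via_tunnel 192.0.2.0/24 10.99.0.2 tun0
    echo '# on B:';                        forwarding_for_b tun0 eth0 10.99.0.1
}
```

After `plan` has been carried out, `telnet 192.0.2.10 80` on A is routed into tun0, arrives on B's tun0, is forwarded and masqueraded out eth0, and the reply comes back the same way; the question's "certain range of destination IPs" is exactly the route added on A. Because the session on A runs as root, pin B's key down in root's authorized_keys with `tunnel="0",restrict` (the `tunnel` option forces which tun number the key may open) rather than leaving an unrestricted root login reachable from B's side of the firewall.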