2

I have two machines accessible on the Internet with no NAT involved. Both machines run an SSH service.

I want to connect via SSH/SFTP to Server A on Port 2000 and this connection should be routed to Server B Port 22 (behavior like a HTTP reverse proxy but using SSH/SFTP instead of HTTP)

enter image description here

einpoklum
  • 1,652
  • 3
  • 21
  • 31
W0bble
  • 245
  • 4
  • 14
  • Do you mean something like an iptables rule on "Reverse Proxy" server allowing connections to RS through it using sftp without first having to log into RP? – Grizly Mar 31 '13 at 21:02
  • Yes, but I am not shure if it works with iptables? – W0bble Mar 31 '13 at 21:14
  • Which one is *server A* and *server B* ? If *server A* is *Reverse Proxy*, my first answer could do the job. – F. Hauri - Give Up GitHub Apr 01 '13 at 08:38
  • Why wouldn't it work? Its just routing packets. You cannot reverse-proxy encrypted tunnels anyway, I think he means routing, because otherwise, all routers could generically be termed "Proxies". If you opened a port on RP, enabled routing in the kernel, translated that request to a NAT masqueraded request to RS, and ensured that RS could reply to RP, it should work fine. Really depends on what OS is running on RP, I'm guessing linux, but you don't specify. – Grizly Apr 01 '13 at 22:45
  • Possible solution: http://serverfault.com/a/387231/35383 – Grizly Apr 01 '13 at 22:46

3 Answers3

2

This should be no problem with iptables:

#!/bin/bash
export IP="1.2.3.4"
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables \-t nat \-A POSTROUTING \-o eth0 \-d $IP \-j MASQUERADE
iptables \-A PREROUTING \-t nat \-p tcp \--dport 2000 \-j DNAT \--to $IP:22
etagenklo
  • 5,834
  • 1
  • 27
  • 32
0

Something like:

ssh -o ProxyCommand="ssh -e none userA@serverA:2000 nc -w 1 serverB 22" userB@ServerB

where you connect to serverA with ssh login userA for opening a forward connection to serverB to wich you log in with userB.

Explanation:

The proxy command open a ssh connection to ServerA (with username userA) and initiate a bidirectional connection to port 22 of serverB.

The initial ssh command use this ProxyCommand to establish a bidirectional connection to ServerB where you have to log in with userB.

In fine:

There is a crypted connection from Laptop to ServerA (step 1 in your drawing) and

another crypted connection from Laptop to ServerB (step 1 + step 2), encapsulated in first connection in his first part (step 1), than binded by nc in the second part (step2).

Instead of HTTP, As SSH is bidirectional, when a connection is open, all requests and answers follow the same connection. So there is no need to think about your step 3 and 4.

F. Hauri - Give Up GitHub
  • 1,057
  • 9
  • 14
0

You can use ssh port forward for archive this

ssh -L localportinmypc:hostname_of_the_behind_the_firewall:remoteport hostname_of_my_firewall

Now after this:

sftp -o Port=localportinmyp localhost or ssh -p localportinmyp
c4f4t0r
  • 5,301
  • 3
  • 31
  • 42