[ILUG] DMZ
Gavin McCullagh
gmccullagh at gmail.com
Wed Nov 24 10:04:24 GMT 2010
Hi,
On Wed, 24 Nov 2010, Brendan Halpin wrote:
> I have two machines, A in the DMZ and B in the protected part of the
> network.
>
> B can see A, but A can't see (ping, etc) B unless B has initiated a
> connection (e.g., A can respond to B's HTTP requests).
>
> Is there a secure way to make a more general connection from B to A so
> that A can "see" B in a wider sense (ssh from A to B, read B-mounted
> samba share from A, etc.).
You can start an SSH connection from B->A and forward specific ports from the
localhost on A to the real ports on B, though that may get a little messy,
eg.

    B# ssh -R 10022:localhost:22 -R 10445:localhost:445 A

    A# ssh -p 10022 localhost
    will connect to B

    A# smbclient -p 10445 localhost
    will connect to samba on B
You can use the standard port (eg 22 for ssh), but not if A already listens
on that port (and ssh must run as root).
It might be tidier to look at the ssh-based VPN (see the ssh man page)
which will create a little VPN between the two over SSH. You could use a
script to maintain the ssh connection, or possibly use autossh. I haven't
done this much myself but the man page has very specific examples.
Gavin
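As an added example (not part of Gavin's message), here is what the "script to maintain the ssh connection" might look like on B: it builds the -R forwards for sshd and samba, binds them to A's loopback only so nothing else in the DMZ can reach B through the tunnel, and restarts the session when it drops. The gateway name `A` and the port pairs are assumptions chosen to match the thread.

```shell
#!/bin/sh
# Runs on B. Forwards A's loopback ports 10022/10445 back to B's sshd and
# samba, and re-establishes the session when it dies. Host "A" and the
# port numbers are assumptions matching the thread.
GATEWAY="${GATEWAY:-A}"
# remote_port:local_port pairs; the remote side is bound to 127.0.0.1 on A.
FORWARDS="${FORWARDS:-10022:22 10445:445}"

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -R arguments from a list of remote:local pairs; prints them
# space-separated, fails on a malformed port.
build_forward_args() {
    out=""
    for pair in $1; do
        rport="${pair%%:*}"; lport="${pair##*:}"
        valid_port "$rport" && valid_port "$lport" || return 1
        out="$out -R 127.0.0.1:$rport:localhost:$lport"
    done
    printf '%s' "${out# }"
}

# Full command line: -N (no shell), keepalives so a dead link is noticed,
# ExitOnForwardFailure so a port clash on A does not leave a useless session.
build_ssh_cmd() {
    args=$(build_forward_args "$2") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s %s' "$args" "$1"
}

maintain_tunnel() {
    cmd=$(build_ssh_cmd "$GATEWAY" "$FORWARDS") || { echo "bad FORWARDS" >&2; return 1; }
    while :; do
        $cmd        # blocks until the session dies
        sleep 10    # back off before reconnecting
    done
}

if [ "${1:-}" = "run" ]; then
    maintain_tunnel
fi
```

Invoke as `sh tunnel.sh run` from B; autossh, mentioned above, does the same reconnect loop with its own monitoring.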