SSH Tunnel between two machines


Here’s another nice and short post about SSH and tunnels.

Here’s something I did in the past for working through DMZ machines. Let me explain the scenario:
Imagine you have a UNIX machine inside a DMZ and you’d like to get some data from another host located in the DMZ green area. You have two options:

  1. Make a pinhole in the firewall (bad bad bad)
  2. Create a tunnel from the green area to the host inside the DMZ, so the DMZ machine can use that tunnel to reach ports remotely forwarded from the green machine

Obviously we’ll discuss option number two 🙂

Let’s set up an example for a quick and dirty explanation.

Protected machine inside the DMZ green area (protected): let’s call it “green”.
Machine inside the DMZ yellow area, used for web services from outside/inside: let’s call it “yellow”.
Service port to tunnel: 3306 on green to 6033 on yellow.
Yes, I’d like to transport MySQL (anything else works as well) from green to yellow so applications on yellow can open the database located on green normally.
Green also decides when and how to open and keep the connection, in order to protect its data.

So, what’s next ?
Let me assume you can ssh from green to yellow without passwords, i.e. you’ve already set up SSH key authentication (RSA public/private keys) between the two machines (or maybe that’s a good topic for the next post 🙂 ), so all you have to do is open a tunnel this way:

REMOTE_HOST=yellow   # host where the forwarded port will be opened
REMOTE_PORT=6033     # port opened on yellow
LOCAL_HOST=green     # host the traffic is forwarded to
LOCAL_PORT=3306      # MySQL port on green

# -2: force protocol 2, -f: go to background after authentication,
# -q: quiet, -T: no pseudo-tty, -N: no remote command,
# -R: remote (reverse) port forwarding. Note the space before $REMOTE_HOST.
ssh -2 -f -q -T -N -R $REMOTE_PORT:$LOCAL_HOST:$LOCAL_PORT $REMOTE_HOST &

Issue this command on the green machine and you’ll have port 6033 open on yellow; try using the mysql command line utility to open a database on green and see what happens.
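As an added example that is not from the original post: a small POSIX shell wrapper for the tunnel above that validates the ports, binds the forwarded port on yellow’s loopback only (so only processes on yellow can reach it), and makes ssh fail loudly if 6033 is already taken on yellow instead of silently backgrounding a useless session. The keepalive interval and the pgrep check are my assumptions, not part of the post.

```shell
# Added example (not the original post's code): build and supervise the
# green -> yellow reverse tunnel. Host/port names are the post's; the
# keepalive interval and the pgrep check are assumptions.

# Print the ssh command line for a reverse tunnel, or fail on bad input.
# Usage: tunnel_cmd REMOTE_HOST REMOTE_PORT LOCAL_HOST LOCAL_PORT
tunnel_cmd() {
    remote_host=$1 remote_port=$2 local_host=$3 local_port=$4
    for p in "$remote_port" "$local_port"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    # 127.0.0.1: listener on yellow's loopback only (the default when
    # GatewayPorts is off on yellow, but spelled out so it cannot drift).
    # ExitOnForwardFailure: exit non-zero if the port is already in use.
    # ServerAliveInterval: notice a dead link through the firewall.
    printf 'ssh -f -q -N -T -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s:%s:%s %s\n' \
        "$remote_port" "$local_host" "$local_port" "$remote_host"
}

# Open the tunnel from green unless one with the same -R spec is running.
ensure_tunnel() {
    cmd=$(tunnel_cmd "$@") || return 1
    if pgrep -f "ssh .*-R 127.0.0.1:$2:$3:$4 $1" >/dev/null 2>&1; then
        echo "tunnel already up"
        return 0
    fi
    eval "$cmd"
}
```

Run `ensure_tunnel yellow 6033 green 3306` on green; a non-zero exit from ssh now means the forward was refused rather than a quietly half-working tunnel.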

Hope it helps someone. I’ve used it in the past to transport data from one DB to another, but you can use it for something else too: JSON over HTTPD (80) and so on.


**** UPDATE ****
See SSH Tunnel between two machines (part two) for an automatic script that makes this easy to use.
**** ****


Cheers

Andrea (Ben) Benini