This is a discussion on services behind NAT and firewall within the Linux Security forums, part of the System Security and Security Related category.
Hello
I can't make a port redirect, so I wonder if it is possible to make some kind of tunnel from a computer behind NAT (or a firewall) to another that has a public IP? The problem is that it is a firewall built on keep state and completely blocked from the Internet side, so this should be a tunnel with an all-time connection?? I don't have any idea :)
-- m
m <sq8ijk@poczta.onet.pl> wrote in news:d4rpne$n3q$1@news.onet.pl:
> Hello
> I can't make a port redirect so I wonder if it is possible to make some
> kind of tunnel from a computer behind NAT (or firewall) to another that
> has a public IP? The problem is that it is a firewall built on keep
> state and completely blocked from the Internet side, so this should be a
> tunnel with an all-time connection??
> I don't have any idea :)

I'm not really certain of what you are asking here. It may be that OpenVPN will do what you want. It operates over TCP port 443 (https), which is probably allowed out by most companies' Internet firewall rules. The problem will be if the incoming connection is not allowed at the other end. If there is a firewall at both ends and neither allows incoming connections then you have two possibilities:

1. Talk to the firewall administrators and explain your requirements. They may be able to set up an IPSec tunnel between the two firewalls for you or allow an OpenVPN connection to go through between specified end points.
2. Separately set up an OpenVPN type connection to a server out on the Internet running some sort of relay software. If you do this you could get into trouble with your company if it violates their security policy.

Info on OpenVPN: http://openvpn.net

Klazmon.
Llanzlan Klazmon wrote:
> m <sq8ijk@poczta.onet.pl> wrote in news:d4rpne$n3q$1@news.onet.pl:
>
>> Hello
>> I can't make a port redirect so I wonder if it is possible to make some
>> kind of tunnel from a computer behind NAT (or firewall) to another that
>> has a public IP? The problem is that it is a firewall built on keep
>> state and completely blocked from the Internet side, so this should be a
>> tunnel with an all-time connection??
>> I don't have any idea :)
>
> I'm not really certain of what you are asking here. It may be that
> OpenVPN will do what you want.

No, OpenVPN can not do this :(

COMPUTER_2 ==| firewall -- internet -- COMPUTER_1 -- Internet -- COMP_3

and I want to connect from COMP_3 to COMPUTER_2 via COMPUTER_1

COMPUTER_2 is completely behind a firewall and I want to make some kind of all-time connection from COMPUTER_2 to COMPUTER_1, not from COMPUTER_1 to COMPUTER_2 like VPN makes :)

-- best m
m wrote:
> No, OpenVPN can not do this :(
>
> COMPUTER_2 ==| firewall -- internet -- COMPUTER_1 -- Internet -- COMP_3
>
> and I want to connect from COMP_3 to COMPUTER_2 via COMPUTER_1
>
> COMPUTER_2 is completely behind a firewall and I want to make some kind
> of all-time connection from COMPUTER_2 to COMPUTER_1, not from
> COMPUTER_1 to COMPUTER_2 like VPN makes :)

That sounds ugly. If you don't have permission to do so you can't do it. If you have permission, just ask the administrator of the firewall to allow you to do it.

Regards.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
>> I'm not really certain of what you are asking here. It may be that
>> OpenVPN will do what you want.
>
> No, OpenVPN can not do this :(
>
> COMPUTER_2 ==| firewall -- internet -- COMPUTER_1 -- Internet -- COMP_3
>
> and I want to connect from COMP_3 to COMPUTER_2 via COMPUTER_1
>
> COMPUTER_2 is completely behind a firewall and I want to make some kind
> of all-time connection from COMPUTER_2 to COMPUTER_1, not from
> COMPUTER_1 to COMPUTER_2 like VPN makes :)

If you have SSH access from COMPUTER_2 to the outside world (e.g., COMPUTER_1), then you can do this with SSH port forwarding. E.g., something like:

on COMPUTER_2:

    ssh -R 3333:COMPUTER_2:22 username@COMPUTER_1

This works by opening an SSH tunnel between COMPUTER_2 and COMPUTER_1. On COMPUTER_1 a local port is opened (here 3333), and all traffic coming into it will be forwarded across the SSH tunnel back to COMPUTER_2. From there, it is redirected to the local SSH server. In other words, once you've done that, on COMPUTER_1 you just have to do:

    ssh -p3333 username@localhost

Further information is available in the SSH man pages. Note that you can use any port you want instead of 3333 (above 1024; otherwise you'll have to be root), and you can use COMPUTER_3 instead of COMPUTER_1, as soon as you have direct access to it.

Hope that helps.
--
Vincent Jaussaud, Kelkoo.com IT Architect
---
UNIX is many things to many people, but it's never been everything to anybody.
Vincent Jaussaud wrote:
>>> I'm not really certain of what you are asking here. It may be that
>>> OpenVPN will do what you want.
>>
>> No, OpenVPN can not do this :(
>>
>> COMPUTER_2 ==| firewall -- internet -- COMPUTER_1 -- Internet -- COMP_3
>>
>> and I want to connect from COMP_3 to COMPUTER_2 via COMPUTER_1
>>
>> COMPUTER_2 is completely behind a firewall and I want to make some kind
>> of all-time connection from COMPUTER_2 to COMPUTER_1, not from
>> COMPUTER_1 to COMPUTER_2 like VPN makes :)
>
> If you have SSH access from COMPUTER_2 to the outside world (e.g.,
> COMPUTER_1), then you can do this with SSH port forwarding.
>
> E.g., something like:
>
> on COMPUTER_2:
>
>     ssh -R 3333:COMPUTER_2:22 username@COMPUTER_1

Great, it was exactly what I wanted :)

Another thing to connect from COMP_3 that I made was to make a rule to redirect ports on COMPUTER_1. I don't know why it wasn't working without it, but now it works, so on COMPUTER_1 something like this:

    rdr on $ext_if proto tcp from any to any port 3334 -> 127.0.0.1 port 3333

thanks again :)
-- m