[Courses] [courses][security] Port forwarding with SSH and ipchains/iptables

jennyw jennyw at dangerousideas.com
Mon Mar 18 15:59:42 EST 2002


Sometimes I learn better by doing. I have this project that might be
possible to do with SSH and iptables/ipchains, but I'm not sure. Since we're
kind of on the subject, I thought I'd ask (feel free to tell me this is off
topic).

Here's the situation: There are two networks, A and B. Each network has its
own firewall. A client behind Firewall B wants to talk to a Web server
behind Firewall A.  Unfortunately, the service it's connecting to on network
A is an insecure Web app. Moreover, the only exposed IP addresses are the
external interfaces on the firewalls. Additionally, neither Server A nor
Client B can run SSH -- SSH can only run on the firewalls.

Server A (Web server)
     |
 10.0.0.1
Firewall A
 a.b.c.d
     |
<The Internet>
     |
 e.f.g.h
Firewall B
 10.1.0.1
     |
Client B (Web client)

Would it be possible to set things up so that if Client B connected to
a.b.c.d:80 it would have a secure connection to Server A?

Thanks!

Jen

P.S. Why do I want to do this? Weirdly enough, it's to secure a security
application. Silly, but true. The organization is exclusively Windows,
except for things like firewalls. To secure all sites against virus attacks,
we're looking at Trend VCS, which is a master control app. (or program, for
Tron fans) that connects to sub-servers at other sites. Unfortunately, it
does this over HTTP. Even more unfortunately, it does this using IIS
(they'll change this soon). Worse yet, everything is plain text (actually,
Trend says that server to server communication is secured by some
proprietary method that they have no details on, but I have serious doubts).
Inside a LAN, it's not as big a deal, but over the Internet, it's not such a
hot idea. So people use VPNs for this. Which is great, except that I'd like
a simpler solution, and I suspect that SSH can do this. Not sure, though.
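One way the pieces fit together, as an added example that is not part of the original post: Firewall B opens an SSH tunnel to Firewall A whose far end is Server A's port 80, and an iptables REDIRECT on Firewall B diverts Client B's traffic for a.b.c.d:80 into that tunnel. Assumed (not from the post): iptables rather than ipchains, inside interface eth1, LAN B is 10.1.0.0/24, local tunnel port 8080, and an SSH account named tunnel on Firewall A.

```shell
#!/bin/sh
# Runs on Firewall B (inside 10.1.0.1, outside e.f.g.h). Assumed values:
# inside interface eth1, LAN B 10.1.0.0/24, tunnel port 8080, SSH user
# "tunnel" on Firewall A (a.b.c.d). Server A is 10.0.0.1 as in the diagram.
FW_A=a.b.c.d
SERVER_A=10.0.0.1
INSIDE_IP=10.1.0.1
INSIDE_IF=eth1
LAN_B=10.1.0.0/24
TUN_PORT=8080
TUN_USER=tunnel

# SSH from Firewall B to Firewall A; sshd on A (AllowTcpForwarding, on by
# default) connects onward to Server A:80. Bind the local listener to the
# inside address, because REDIRECT rewrites the destination to the primary
# address of the interface the packet arrived on.
tunnel_cmd() {
  printf 'ssh -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s:%s:%s:80 %s@%s\n' \
    "$INSIDE_IP" "$TUN_PORT" "$SERVER_A" "$TUN_USER" "$FW_A"
}

# Client B keeps dialing a.b.c.d:80; the firewall diverts that flow into the
# tunnel instead of forwarding it across the Internet in the clear.
redirect_cmds() {
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp -d %s --dport 80 -j REDIRECT --to-ports %s\n' \
    "$INSIDE_IF" "$LAN_B" "$FW_A" "$TUN_PORT"
  printf 'iptables -A INPUT -i %s -s %s -p tcp -d %s --dport %s -j ACCEPT\n' \
    "$INSIDE_IF" "$LAN_B" "$INSIDE_IP" "$TUN_PORT"
}

# Only the Internet leg is encrypted: Client B -> Firewall B and
# Firewall A -> Server A stay plain HTTP on their own LANs.
# With no argument the script prints the commands; "apply" runs them (root).
case "${1:-show}" in
  show)  tunnel_cmd; redirect_cmds ;;
  apply) eval "$(tunnel_cmd)" && redirect_cmds | sh ;;
esac
```

Run it once to review the commands, then `sh tunnel.sh apply`; a second instance of the tunnel fails fast because of ExitOnForwardFailure when port 8080 is already bound.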
