I'm totally new to this mailing list so I apologise for all and any profoundly stupid questions that I ask, but I haven't found what I was looking for anywhere else.

Have looked everywhere for this but haven't found any examples that apply to my configuration.

I have one computer that sits behind a firewall and another computer with a public IP-address outside the firewall. I would now want to set up an ip-tunnel between these two so that they can communicate "transparently".

I'm desperate for this information as I _need_ to be able to access the computer behind the firewall from the one with a public ip.

Would very much appreciate it if you could be as thorough as possible in your explanations.

Thanks in advance,
Patrick Börjesson
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Patrick,

I would recommend first consulting with the firewall administrator, as setting up tunnels through firewalls is not always regarded by security admins as a friendly action. It may even be against your corporate policy.

 : I'm totally new to this mailing list so I apologise for all and any
 : profoundly stupid questions that I ask, but I haven't found what I was
 : looking for anywhere else.

Here's an example of using GRE tunnels ("ip tunnel"):

  http://lartc.org/howto/lartc.tunnel.gre.html#AEN333

 : I have one computer that sits behind a firewall and another computer
 : with a public IP-address outside the firewall. I would now want to set
 : up an ip-tunnel between these two so that they can communicate
 : "transparently".

If you need any sort of generic tunnel through which the two hosts can communicate, you can also consider CIPE.

 : I'm desperate for this information as I _need_ to be able to access the
 : computer behind the firewall from the one with a public ip.

Have you thought of using ssh port forwarding?

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

> I would recommend first consulting with the firewall administrator, as
> setting up tunnels through firewalls is not always regarded by
> security admins as a friendly action. It may even be against your
> corporate policy.

Wouldn't think it to be a problem as it's just a firewall sitting in the way of the private computers of students at our college and they haven't set up any rules of this kind.

> Here's an example of using GRE tunnels ("ip tunnel"):
>
> http://lartc.org/howto/lartc.tunnel.gre.html#AEN333

This tutorial assumes that I have control over the routers connecting the different LANs together. Unfortunately I don't think they (the admins hosting the firewall) would honour my request for them to set up an ip-tunnel for me specifically.

As I haven't set up an ip-tunnel before I have no idea if it's even possible to do so if I don't have control over the firewall I'm behind. Is it or am I out of luck? Is it in that case possible in _any_ way for the computer with the public ip to communicate with the one behind the firewall "directly"?

> If you need any sort of generic tunnel through which the two hosts can
> communicate, you can also consider CIPE.

Haven't heard of it, but I'll have a look.

> Have you thought of using ssh port forwarding?

Haven't looked into it so much but as I understand you'll have to control the firewall and set up ssh-forwarding there for it to work, and I haven't got that control.

Thanks for the suggestions,
Patrick Börjesson

Patrick,

 : Wouldn't think it to be a problem as it's just a firewall sitting in the
 : way of the private computers of students at our college and they haven't
 : set up any rules of this kind.

This is your call. There are technical solutions to allow for tunnelling, but you should be certain that you are not subverting your organization's security policy.

 : > Here's an example of using GRE tunnels ("ip tunnel"):
 : >
 : > http://lartc.org/howto/lartc.tunnel.gre.html#AEN333
 :
 : This tutorial assumes that I have control over the routers connecting
 : the different LANs together. Unfortunately I don't think they (the
 : admins hosting the firewall) would honour my request for them to set up
 : an ip-tunnel for me specifically.

If your GRE packets from the two hosts you control can traverse the firewall, then you can create a tunnel between the two hosts. If the firewall prevents you from passing IP protocol 47 (GRE) bidirectionally, then you'll need to look at other solutions. You do not need control over the firewall to use GRE tunnels.

 : As I haven't set up an ip-tunnel before I have no idea if it's even
 : possible to do so if I don't have control over the firewall I'm behind.
 : Is it or am I out of luck? Is it in that case possible in _any_ way for
 : the computer with the public ip to communicate with the one behind the
 : firewall "directly"?

Yes.

 : > Have you thought of using ssh port forwarding?
 :
 : Haven't looked into it so much but as I understand you'll have to
 : control the firewall and set up ssh-forwarding there for it to work, and
 : I haven't got that control.

[ assume: box S behind firewall, box P in front of firewall ]

The questions you should be asking yourself now are as follows:

  - what types of packets can I send from S to P
  - what types of packets can I send from P to S
  - what types of tunnels can I create with these packets

Quick and dirty summary:

  - IPSec, IP protocols 50, 51, and UDP(7)/500
  - CIPE, UDP(7)/<your-choice-of-port>
  - ssh tunnel, TCP/22, embedded or MUX'd tunnel
  - GRE tunnel, IP protocol 47

Good luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
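
Seen from the firewall side, the summary in the last message is also a list of what to look for in traffic between S and P. The following is an added example, not part of the original thread: it parses IPv4 headers and labels each packet by the tunnel transports listed there. The sample packets, the documentation addresses and the CIPE port 6789 are constructed for illustration.

```python
import struct
from collections import Counter

# IP protocol numbers of the tunnel transports in the summary above.
TUNNEL_PROTOS = {47: "GRE", 50: "IPsec ESP", 51: "IPsec AH"}
TCP, UDP = 6, 17

def classify(packet, cipe_port=None):
    """Name the tunnel transport an IPv4 packet belongs to, else 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4              # header length incl. options
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    if proto in TUNNEL_PROTOS:
        return TUNNEL_PROTOS[proto]
    later_fragment = int.from_bytes(packet[6:8], "big") & 0x1FFF
    if proto not in (TCP, UDP) or later_fragment:
        return "other"                        # no port fields to inspect
    if len(packet) < ihl + 4:
        return "malformed"
    ports = set(struct.unpack("!HH", packet[ihl:ihl + 4]))
    if proto == UDP and 500 in ports:
        return "IPsec IKE"
    if proto == UDP and cipe_port in ports:   # CIPE port is site-specific
        return "CIPE"
    if proto == TCP and 22 in ports:
        return "ssh"
    return "other"

def ipv4(proto, payload=b"", options=b""):
    """Build a constructed IPv4 packet (checksum left at zero)."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0, b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x02")
    return header + options + payload

# Constructed sample traffic between S and P.
SAMPLES = [
    ipv4(47, b"\x00\x00\x08\x00"),                       # GRE carrying IPv4
    ipv4(50, bytes(8)),                                  # ESP
    ipv4(17, struct.pack("!HHHH", 500, 500, 8, 0)),      # IKE
    ipv4(17, struct.pack("!HHHH", 40000, 6789, 8, 0)),   # CIPE, assumed port
    ipv4(6, struct.pack("!HH", 51000, 22) + bytes(16), options=b"\x01" * 4),
    ipv4(6, struct.pack("!HH", 51000, 80) + bytes(16)),  # ordinary web traffic
]

def summarize(packets, cipe_port=None):
    return Counter(classify(p, cipe_port) for p in packets)
```

Port-based labels are only a first pass: traffic on TCP/22 is not necessarily ssh, and CIPE has no fixed port, so it is only recognised when the configured port is known.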