Say, for example, I have a telnet server behind a corporate firewall that I want to access from home. Luckily, the company has an SSH server behind their firewall. I can bounce traffic to my little unpublished telnet server off of the corporate SSH server, workDMZhost.
On machine homeDMZhost on my home network, I type:
ssh -g -L 10023:workTelnetHost:23 workDMZhost

Authentication proceeds as usual. The -g allows remote hosts to use the tunnel; the default behavior is to listen only on the loopback interface, so without -g only homeDMZhost itself could reach the forwarded port. The -L 10023:workTelnetHost:23 listens at port 10023 on homeDMZhost and forwards traffic on this port to workTelnetHost:23 on the office network.
In my case I can just use the usual user/password authentication. You can set up trusted hosts with public key signatures. I haven't figured that out yet... and it's not even necessary if you just need a quick tunnel for a one-time job.
Now you should have a shell running on workDMZhost. Very nice. You don't need to do anything with it. Just log out, and the tunnel will be closed with the shell.
On any machine on my home network, I can now type:
telnet homeDMZhost 10023

And I will get a secure telnet session to workTelnetHost: the telnet traffic is carried inside the SSH connection between homeDMZhost and workDMZhost, so only the short hops inside each private network travel in the clear. This works even when BOTH are non-routable private networks, behind NAT firewalls. Host lookup for workTelnetHost occurs on workDMZhost. This is good, since in my case workTelnetHost is not a recognized machine name on my home network.
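The point of -g above is where the forwarded port gets bound: loopback only by default, every interface with -g. The following shell script is an added example, not part of the original post. It composes the same kind of ssh -L forward with an explicit bind address (ssh's [bind_address:]port:host:hostport form), so the tunnel can be limited to one LAN address rather than all interfaces, and it checks from the output of ss -ltn which address a forwarded port is actually listening on. The hostnames and ports are the post's own; the ss output is a constructed sample, and 192.168.1.37 as homeDMZhost's LAN address is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): build an ssh local forward with an
# explicit bind address, and check which address a forwarded port is bound to.

# Print the ssh command for a local forward.
# $1 = bind address ("127.0.0.1" for loopback only, "*" for all interfaces,
#      or one LAN address such as 192.168.1.37 - assumed for homeDMZhost),
# $2 = local port, $3 = target host, $4 = target port, $5 = SSH gateway host.
# -N tells ssh not to start a remote shell; the tunnel stays up without an idle login.
tunnel_cmd() {
    printf 'ssh -N -L %s:%s:%s:%s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Given the output of `ss -ltn` ($1, one socket per line) and a port ($2), print
# the local address the listener is bound to, or "none" if nothing listens there.
# ss prints: State Recv-Q Send-Q Local Address:Port Peer Address:Port
listener_addr() {
    port="$2"
    printf '%s\n' "$1" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")            # the last colon-separated field is the port
            if (a[n] == p) { sub(":" p "$", "", $4); print $4; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# Classify how exposed a listener is, from the defender side.
exposure() {
    case "$1" in
        127.0.0.1|::1|"[::1]") echo loopback-only ;;
        0.0.0.0|"*"|"[::]")    echo all-interfaces ;;
        none)                   echo not-listening ;;
        *)                      echo single-interface ;;
    esac
}

# Constructed sample of `ss -ltn` output: a loopback-only forward for the telnet
# tunnel on 10023, sshd on 22, and a FlexLM forward on 1800 bound to all interfaces.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:10023     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:1800           [::]:*'

# Demonstration on the sample; a live check would replace SS_SAMPLE with "$(ss -ltn)".
for p in 10023 1800 9999; do
    a=$(listener_addr "$SS_SAMPLE" "$p")
    echo "port $p -> bound to $a ($(exposure "$a"))"
done
# The post's tunnel, restricted to the home LAN address instead of using -g:
tunnel_cmd 192.168.1.37 10023 workTelnetHost 23 workDMZhost
```

Binding to the LAN address keeps the forwarded telnet port reachable from the home network, which is what -g was for, without also exposing it on any other interface homeDMZhost happens to have; the ss check is the quick way to confirm that after the tunnel is up.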
I have had problems where I could never get the well-used FlexLM license manager, by Globetrotter Software, to work over NAT. It will work over a firewall with a hole for its port (or so Globetrotter claims), but I couldn't get it to work over NAT.
This is a much simpler, and more elegant solution. As soon as I get the chance, I will try to implement it myself and report the results.
Until then, you can try to do this yourself.
And now, back to our old, stale, outdated discussion of my FlexLM problem...
The license.dat file seems to use the FlexLM server's hostname and ethernet address. It MIGHT work if one were to alias the FlexLM server's hostname to the remote NAT server. Have the remote NAT server forward the FlexLM ports to the REAL FlexLM server. However, I haven't been able to test that yet, and I DID get the SSH tunnel to work. I can implement the SSH tunnel without having the sys-admin alter the router and servers for me.
I aliased one of my home machines to the same name as the "real" FlexLM server at work. (It might work with aliasing the loopback IP: 127.0.0.1, but I haven't tested that yet.) My FlexLM client's /etc/hosts file now has a line that looks like
192.168.1.37 snoopy FlexLMserver
On machine snoopy I run the command:
ssh -g -L 1800:FlexLMserver:1800 -L 1801:FlexLMserver:1801 workDMZhost

This makes snoopy a proxy for the machine FlexLMserver at work. Now snoopy tunnels packets at ports 1800 and 1801 to workDMZhost, which then forwards them to the real FlexLMserver.
My license.dat file has entries like:
SERVER FlexLMserver 00123456789a 1800
DAEMON idl_lmgrd /usr/local/rsi/idl_5.4/bin port=1801

Initial license requests go to port 1800, and the daemon for the licensed IDL application is hard-coded to listen at 1801. This is less secure than having the IDL daemon listen at a random port, but then it's harder (if even possible) to have the firewall allow the connection.
Now my snoopy machine will forward requests for FlexLM licenses over to our corporate network's real FlexLM server, and we start getting what we paid for in a floating network license.
I'm very disappointed that the software vendor, RSI, will not let me talk to an engineer who might actually understand my problem. I'm less mad at Globetrotter for not talking to me. RSI is their customer, not me.