Linux – Routing telnet/23 connection thru double SSH tunnel (SSH proxy server)

Tags: linux, ssh, telnet, tunneling, windows

I have a contractor who is using a Windows PC that is outside the corporate network. However, we allow connections via the firewall to certain hosts/ports. Telnet/23 from the contractor's PC to a specific AS400 (iSeries) server is not allowed.

I want to create a pair of SSH tunnels using a Linux box inside the corporate network.

Here is my proposed setup:

OutsideWindowsPC <-> { Internet } <-> InsideLinuxServer <-> InsideAS400Server

We can grant access to certain ports on the Linux server inside the corporate network.

I know it is possible to do this, but I cannot stitch the complete solution together myself. To be safe, the solution needs to be scalable to about 10 contractors, each with their own PC.

In the end, we want to telnet/23 from the contractor's Windows PC to the AS400 server on the corporate network.

Finally, I realise in an ideal world, we would tunnel directly to the AS400 server, or use a secure protocol to connect to the AS400 server. However, politics prevents this type of solution!

Best Answer

It's unclear what you mean by "double tunnel". It sounds like you're just talking about using SSH port-forwarding to allow the contractor to access the AS/400 via the "InsideLinuxServer" computer.

  • Make sure SSH is allowed from the Internet to the "InsideLinuxServer"

  • Create a credential on the "InsideLinuxServer" for the contractor to use. (You might want to get more in-depth and prevent shell access on that Linux machine for the contractor, turn off SFTP, etc.)

  • Have the contractor configure their SSH client to tunnel some local port to port 23 of the AS/400. In "PuTTY" this is done in the Tunnels node of the SSH node of the Connection node of the settings. They'd add a source port as some unused port on their machine (say "2300"), a destination of the IP address or name of the AS/400 with a ":23" appended after it and add it to the forwarded ports list.

After the contractor connects to the "InsideLinuxServer" machine w/ SSH they would be able to TELNET to their own port 2300 (in the case of my example). PuTTY would answer the TCP connection attempt and forward the traffic to the "InsideLinuxServer" which would, in turn, make a TCP connection to port 23 on the AS/400 and forward the traffic.

As far as making it "scalable", for that number of clients I'd just write instructions for them on how to configure PuTTY and send them on their way.

To make things more secure you may want to think about using public key authentication on the SSH server in lieu of passwords. It's a little more setup labor up front but it's safer than using passwords.
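The following is an added example of the three steps in the answer above (a tunnel-only account on "InsideLinuxServer", key-based authentication, and the client-side port forward); it is not code from the original answer or its author. The AS/400 hostname `as400.corp.example`, the Unix group `as400-tunnel`, the local port 2300 and the sample public key are constructed placeholders. The client command is the OpenSSH equivalent of the PuTTY Tunnels setting described in the answer; the server-side `Match` block and the `authorized_keys` options are standard OpenSSH configuration that locks the account down to forwarding port 23 on the AS/400 and nothing else.

```shell
#!/bin/sh
# Added example (not from the original post). All names below are placeholders.

AS400_HOST="${AS400_HOST:-as400.corp.example}"        # placeholder AS/400 hostname
CONTRACTOR_GROUP="${CONTRACTOR_GROUP:-as400-tunnel}"  # placeholder Unix group for contractor accounts
LOCAL_PORT="${LOCAL_PORT:-2300}"                      # unused port on the contractor's own PC

# Server side: an sshd_config "Match" block for every account in the contractor group.
# Key-only login, forwarding allowed only to the AS/400 telnet port, no PTY, no agent,
# X11 or unix-socket forwarding, and any shell, command or SFTP request runs /bin/false
# instead, so the account can be used for the tunnel and nothing else.
sshd_match_block() {
    cat <<EOF
Match Group $CONTRACTOR_GROUP
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowTcpForwarding local
    PermitOpen $AS400_HOST:23
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    ForceCommand /bin/false
EOF
}

# Per-key restrictions for ~/.ssh/authorized_keys (OpenSSH 7.2 or later):
# "restrict" switches every feature off, then only port forwarding to the
# AS/400 is switched back on. This duplicates the Match block on purpose,
# so the limits hold even if the sshd_config block is later edited away.
authorized_keys_line() {
    # $1 = contractor's public key (type and base64 blob), $2 = label/comment
    printf 'restrict,port-forwarding,permitopen="%s:23" %s %s\n' "$AS400_HOST" "$1" "$2"
}

# Client side: the OpenSSH equivalent of the PuTTY tunnel in the answer
# (source port 2300 -> AS/400:23 through InsideLinuxServer). "-N" requests no
# shell or command, which matches the ForceCommand above; in PuTTY the same
# thing is the "Don't start a shell or command at all" option under SSH.
client_tunnel_cmd() {
    # $1 = contractor's account on InsideLinuxServer, $2 = its public hostname
    printf 'ssh -N -L %s:%s:23 %s@%s\n' "$LOCAL_PORT" "$AS400_HOST" "$1" "$2"
}

# Quick check that a generated Match block still carries the two settings that
# turn a general-purpose SSH account into a single-destination tunnel.
check_match_block() {
    sshd_match_block | grep -q "PermitOpen $AS400_HOST:23" &&
    sshd_match_block | grep -q 'PermitTTY no'
}

# Stand-alone run: print the server block, a sample authorized_keys line and
# the command one contractor would type. The key below is a constructed sample.
sshd_match_block
authorized_keys_line 'ssh-ed25519 AAAAexamplekey' contractor1
client_tunnel_cmd contractor1 gw.corp.example
```

To use it, append the `Match` block to `/etc/ssh/sshd_config`, run `sshd -t` to confirm the file parses, then reload sshd; create each contractor with `useradd -m -G as400-tunnel contractor1` and put their `authorized_keys_line` output in that account's `~/.ssh/authorized_keys`. Scaling to ten contractors is then one account plus one key line each, and the instructions sent to them reduce to the single `client_tunnel_cmd` line (or the equivalent PuTTY Tunnels entry), after which they telnet to `localhost 2300`.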