Ssh – Stunnel multiple ports through the same Port

Tags: firewall, port-forwarding, ssh, stunnel

I'm looking for some help regarding a stunnel configuration I'm working on. Basically I want to have a DMZ machine accept inbound connections to port 80 and 110, and then forward them through my firewall on port 22 to a machine that will then forward the traffic to port 80 and 110 locally. Is this even possible?

Basically I would have this on my DMZ:

[http]
listen = localhost:80
connect = server:22
cert = cert.pem

[pop3]
listen = localhost:110
connect = server:22
cert = cert.pem

And on my server I would have:

[http]
listen = localhost:22
connect = localhost:80

[pop3]
listen = localhost:22
connect = localhost:110

Does this make any sense? Port 22 is already open on my firewall and I don't want to have to open 2 more ports.

Any info would be greatly appreciated…

Thanks!

Best Answer

You can maybe use stunnel in combination with sslh: http://www.rutschle.net/tech/sslh.shtml

sslh is a little program that analyses the protocol and redirects the packet according to the protocol.

According to the man page:

Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression, can be recognised.

A configuration file example is available at /usr/share/doc/sslh/examples/example.cfg (Debian).

This might look like this in the end (I didn't test it):

verbose: true;
foreground: true;
inetd: false;
numeric: false;
transparent: false;
timeout: 2;
user: "nobody";
pidfile: "/var/run/sslh.pid";

listen:
(
    { host: "localhost"; port: "SOME_PORT"; }
);

protocols:
(
    { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },
    { name: "pop3"; host: "localhost"; port: "110"; probe: [ INSERT_REGEXP_IDENTIFYING_POP3_PACKETS_HERE ]; }
);

Your stunnel server.conf would become:

...
[sslh]
listen = localhost:22
connect = localhost:PORT_SSLH_IS_LISTENING_ON
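To make the probe-and-forward step concrete, here is an added Python model of what sslh does in front of the stunnel endpoint above: read the first bytes a client sends, match them against ordered probes, and pick the backend. This is example code, not sslh's or stunnel's own; the target table, the regexes and the default protocol are assumptions.

```python
import re

# Assumed backends, modelled on the answer's sslh config plus an sshd entry
# so that port 22 still serves real SSH clients.
TARGETS = {
    "ssh":  ("localhost", 22),
    "http": ("localhost", 80),
    "pop3": ("localhost", 110),
}

# Probes run in order; the first match wins. These regexes are this example's
# own, not sslh's builtin probes.
PROBES = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n")),
    # Commands a POP3 client sends. Caveat: a POP3 client waits for the server's
    # "+OK" greeting before sending anything, so on a real connection these
    # bytes never arrive before the probe timeout; see identify().
    ("pop3", re.compile(rb"^(USER|APOP|CAPA|STLS|AUTH)\b", re.IGNORECASE)),
]

# Assumed policy: a client that sent nothing before the timeout (or that no
# probe recognises) is handed to the SSH backend.
DEFAULT_PROTOCOL = "ssh"


def identify(first_bytes: bytes) -> str:
    """Return the protocol name for the first client bytes."""
    if not first_bytes:
        return DEFAULT_PROTOCOL
    for name, rx in PROBES:
        if rx.match(first_bytes):
            return name
    return DEFAULT_PROTOCOL


def route(first_bytes: bytes) -> tuple:
    """Map the first client bytes to the (host, port) backend to connect to."""
    return TARGETS[identify(first_bytes)]


if __name__ == "__main__":
    # Constructed sample first packets, one per client type.
    samples = {
        "ssh client":  b"SSH-2.0-OpenSSH_9.6\r\n",
        "http client": b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n",
        "pop3 client": b"",  # waits for the +OK greeting, so nothing arrives
    }
    for label, data in samples.items():
        print(f"{label:12s} -> {route(data)}")
```

Because POP3 is a server-speaks-first protocol, the empty read for the POP3 client falls through to the default backend, which is why a client-side regex probe alone cannot distinguish it on this port.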