SSH Tunnel Rsync – How to Use SSH Tunnel & Rsync Through Two Proxy/Firewalls

Tags: rsync, ssh, ssh-tunnel

Scenario:

[internal_server_1]AA------AB[firewall_1]AC----+
          10.2.0.3-^        ^-10.2.0.2         |
                                            internet
          10.3.0.3-v        v-10.3.0.2         |
[internal_server_2]BA------BB[firewall_2]BC----+

Ports AC and BC have valid internet addresses. All systems run Linux, and I have root access to all of them.

I need to securely rsync internal_server_1:/some/path into internal_server_2:/another/path.

My idea is to make a secure ssh tunnel between the two firewalls, e.g. from firewall_1:

firewall1# ssh -N -p 22 -c 3des user2@firewall_2.example.com -L xxx/10.3.0.3/xxxx

and afterwards run rsync from internal_server_1, something like:

internal1# rsync -az /some/path user@xxxx.yyyy.com:/another/path

I don't know

  • how to make a correct ssh tunnel for rsync (which ports need the tunnel)
  • and where I should rsync to (the remote computer address when using the ssh tunnel)

Any idea or pointer to a helpful internet resource for this case?

thanx.

Best Answer

I'm assuming the SSH port on firewall_2 ("BC" in your diagram) is accessible from the outside. Can computers on network 1 (10.2.0.*) reach the internet directly (i.e. via NAT), or only by proxying via firewall_1? Since you don't specify, I'll assume not.

Probably the simplest thing to do is to tunnel rsync over SSH tunneled over SSH (clearly, "simplest" is relative). First, build the outer tunnel by running this on firewall_1:

firewall_1# ssh -N -p 22 -c 3des user2@firewall_2.example.com -L 10.2.0.2:5432:10.3.0.3:22

Note that this runs the local (firewall_1) end of the tunnel bound to its internal IP (10.2.0.2), on an arbitrary port (I used 5432).

Then, from server_1, run rsync and use its -e option to run it over SSH:

server_1# rsync -e "ssh -p5432 -c 3des" -a /local/path server2user@10.2.0.2:/remote/path

This SSHes into port 5432 on the IP address 10.2.0.2, which the outer tunnel forwards to 10.3.0.3 (server_2) port 22 (standard SSH).

BTW, if coordinating the setup on multiple computers (i.e. creating a tunnel from firewall_1 and then using it from server_1) is difficult, let me know; with a bit more complexity, it's possible to fire it all off from server_1 with a single command. Although you should be able to set up the outer tunnel once, and then just leave it up...
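The two steps above, plus the single-command variant the answer alludes to, as an added example script (not the asker's or answerer's own code). It assumes the thread's placeholder users, hosts and paths, an assumed known_hosts alias "internal_server_2", and OpenSSH's HostKeyAlias, ExitOnForwardFailure, control-socket (-M/-S/-O) and ProxyJump (-J, OpenSSH 7.3+) options.

```shell
#!/bin/sh
# Added example script (not from the post). DRY_RUN=1 (default) only prints the
# commands it would run; DRY_RUN=0 executes them on the host named in each step.
set -eu
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# The tunnel entry must sit on the internal side (AB), never on AC or on all
# interfaces: accept only an RFC 1918 address as the -L bind address.
bind_addr_is_internal() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1, on firewall_1: outer tunnel in the background with a control socket
# (so it can be closed cleanly); ExitOnForwardFailure makes ssh fail loudly if
# the port is already taken instead of silently leaving no forward.
start_outer_tunnel() {  # bind_addr local_port user@firewall_2 server_2_addr
    bind_addr_is_internal "$1" || { echo "refusing to bind tunnel on $1" >&2; return 1; }
    run ssh -f -N -M -S "/tmp/tunnel-$2.sock" -o ExitOnForwardFailure=yes \
        -L "$1:$2:$4:22" "$3"
}
stop_outer_tunnel() {   # local_port user@firewall_2
    run ssh -S "/tmp/tunnel-$1.sock" -O exit "$2"
}

# Step 2, on server_1: rsync through the tunnel. No -N here (it would stop ssh
# from running rsync on the far side). HostKeyAlias pins the key seen on
# 10.2.0.2:5432 under server_2's name, since that is whose key it really is.
rsync_via_tunnel() {    # local_port src user@10.2.0.2:path
    run rsync -az -e "ssh -p $1 -o HostKeyAlias=internal_server_2" "$2" "$3"
}

# Single command from server_1 with ProxyJump: hops through both firewalls
# without opening any listening port on firewall_1, and server_1 verifies
# server_2's host key end to end.
rsync_via_jump() {      # src user@10.3.0.3:path user@firewall_1 user@firewall_2
    run rsync -az -e "ssh -J $3,$4" "$1" "$2"
}

echo "# on firewall_1:"
start_outer_tunnel 10.2.0.2 5432 user2@firewall_2.example.com 10.3.0.3
echo "# on server_1:"
rsync_via_tunnel 5432 /some/path server2user@10.2.0.2:/another/path
echo "# on firewall_1, when done:"
stop_outer_tunnel 5432 user2@firewall_2.example.com
echo "# or, from server_1 alone:"
rsync_via_jump /some/path server2user@10.3.0.3:/another/path user1@10.2.0.2 user2@firewall_2.example.com
```

The first run of either variant still needs the host keys accepted and recorded on server_1 (under the alias for the tunnel variant, under 10.3.0.3 for the jump variant), and both firewalls' sshd must allow TCP forwarding.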