Old 06-30-2008, 02:51 PM   #1
jbarnes1967
Routing SSH traffic


We have an SSH server in our DMZ that we use as an external tunnel to our internal Perforce server for outside users. When an outside user wants to connect to our Perforce server, they first start an SSH session on their local machine that routes all connections to localhost:1666 through an SSH connection to the SSH server and on to the Perforce server. The Perforce client is then configured to look for its server at localhost:1666. One of our users' IT department doesn't allow this type of connection and is requiring the connection be routed through an additional server in THEIR DMZ running Red Hat Linux. I've been tasked with helping them configure the Red Hat server, but networking isn't an area where I'm strong. Can I do this by configuring iptables on the Red Hat machine? If so, how?

Thanks in advance.
 
Old 06-30-2008, 03:05 PM   #2
acid_kewpie
To what extent do you want to keep the current model in place? If ssh tunnels work for you, then whilst they are a pretty ugly way to do what you seem to be doing, keep doing it. Don't start adding in additional mechanisms, as things will get more confusing. ssh clients can listen to external connections as well as internal when passing traffic through a tunnel, so on the new server, which would be the ssh client, you can just set that up as normal and let it forward requests from the local network to its port 1666 to go via the tunnel as if they were being established locally. I'd then be using iptables to very tightly control what IPs are allowed to use that service, but that's just standard firewalling.
 
Old 06-30-2008, 03:06 PM   #3
chort
So have them do the same ssh connection with port forwarding from their Red Hat server to your server. The only difference is they need to use the bind_address as the internal IP address of their Red Hat server (instead of localhost or 127.0.0.1). Then they configure their Perforce clients to connect to <Red Hat server's IP> port 1666.

There's no special routing involved, they just need to set up the ssh tunnel on their DMZ machine.
 
Old 06-30-2008, 05:09 PM   #4
jbarnes1967
Maybe I didn't explain the situation well enough.

Here is how it looks for most outside users:

[UserMachine (outside world)] --> [SSH Server (our DMZ)] --> [Perforce (our network)]

Here is how one of the users' IT department wants them to connect:

[UserMachine (their network)] --> [RedHat Server (their DMZ)] --> [SSH Server (our DMZ)] --> [Perforce (our network)]

So what's happening is our IT department is saying "The only way we'll allow external connections to the Perforce server is through this SSH Server" and their IT department is saying "The only way we'll allow outgoing connections of this type is by routing them through the RedHat Server".

Maybe it would be possible to create the SSH connection between their RedHat Server and our SSH Server and have them connect to the RedHat Server. Is this possible? How?

Again, this isn't my area of expertise.

Thanks again!
 
Old 06-30-2008, 09:38 PM   #5
chort
Quote:
Originally Posted by jbarnes1967
> Maybe it would be possible to create the SSH connection between their RedHat Server and our SSH Server and have them connect to the RedHat Server. Is this possible? How?
>
> Again, this isn't my area of expertise.
>
> Thanks again!

Yes, that's exactly what I said.

From their Red Hat server they would do:

ssh -L their_ip:their_port:perforce_ip:perforce_port your_server_ip

Then their users would point their Perforce clients to their_ip:their_port

It's almost identical to how outside clients are connecting now, except that in this case the Red Hat server is the "client computer" and the actual Perforce clients connect to their_ip instead of "localhost".

Make sense?
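
Added example, not part of any post in this thread: a dry-run shell script for the relay setup discussed above, combining the explicit bind address in `ssh -L` from post #5 with the iptables source restriction suggested in post #2. It only prints the commands; every address, the `p4tunnel` account and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: dry-run planner. Prints the commands; it does not run them.
# All addresses below are constructed placeholders (RFC 5737 / RFC 1918).

BIND_IP=10.20.0.5          # internal IP of the Red Hat relay (their_ip)
BIND_PORT=1666             # their_port
P4_HOST=10.1.1.10          # perforce_ip as seen from the SSH server
P4_PORT=1666               # perforce_port
SSH_SERVER=192.0.2.10      # your_server_ip
SSH_USER=p4tunnel          # hypothetical unprivileged account on the SSH server

# True only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command for the relay. Refuses wildcard and loopback binds:
# a wildcard exposes the forward on every interface (including the DMZ side),
# and loopback is unreachable for the Perforce clients.
tunnel_cmd() {
    case "$BIND_IP" in
        ''|'*'|0.0.0.0|127.*|localhost)
            echo "refusing bind address: $BIND_IP" >&2; return 1 ;;
    esac
    valid_port "$BIND_PORT" && valid_port "$P4_PORT" || { echo "bad port" >&2; return 1; }
    # -N: no remote command; ExitOnForwardFailure: fail if the listener cannot bind
    echo "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30" \
         "-L $BIND_IP:$BIND_PORT:$P4_HOST:$P4_PORT $SSH_USER@$SSH_SERVER"
}

# Print iptables rules: accept each listed client source, then drop
# everything else addressed to the forwarded port.
firewall_rules() {
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src -d $BIND_IP --dport $BIND_PORT -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp -d $BIND_IP --dport $BIND_PORT -j DROP"
}

tunnel_cmd
firewall_rules 10.20.30.0/24 10.20.31.17
```

Because the forward is an unauthenticated TCP listener, anyone who can reach `their_ip:their_port` rides the relay's SSH session, which is why the final DROP rule matters as much as the bind address.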
 
  

