LinuxQuestions.org > Forums > Linux Forums > Linux - Software
Old 07-06-2008, 06:57 AM   #1
linker3000
LQ Newbie
 
Registered: May 2007
Posts: 9

Rep: Reputation: 0
Port Forwarding with iptables or ssh


Hi,

I need to access a server on a remote site from a Windows workstation via ADSL/NAT port forwarding. The server is running an OS called THEOS and I have just found out from the suppliers that the particular version of THEOS that's running will not accept a workstation connection from an IP-based client that's off the local network. I do have access to a PC on site via an RDP session but this means 'taking over' a user's PC.

One option would be a bridge/vpn to the network but I have also been reading about using iptables to do local port forwarding - there's a Linux server on site so maybe I could bounce a connection through it? THEOS Workstation needs to use UDP port 3256.

A couple of issues for which I'd appreciate some input:

iptables is not currently running on the remote linux server and I am concerned that if I turn it on I will chop off ssh access (on port 8429) and then need to make a trip to site (4 hour round trip) to fix the problem because the Linux server is headless (no monitor/keyboard) and there's no-one technical on site. Any pre-setup I can do and check? I have not really used iptables before.

I can't get my head round whether an SSH tunnel using ssh -D is an option - would this be set up between a pair of Linux servers (possible if workable)? If so, what command/s would I use?

Many thanks
 
Old 07-06-2008, 06:02 PM   #2
Lantzvillian
Member
 
Registered: Oct 2007
Location: BC, Canada
Distribution: Fedora, Debian
Posts: 210

Rep: Reputation: 41
This THEOS box, can it be connected via ssh? If so, if you can connect to the box, that's your gateway and tunnel from there. My idea is this:

You ---Internet---- Gateway device -- forward traffic through or act as firewall. eth0 to eth1 for example
------ If traffic is trying to connect with 65000 forward to eth1:1(alias ;P) which is the gateway box and from there you can do your tunnel.
 
Old 07-06-2008, 07:27 PM   #3
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
With 4 hours between you and the hardware, I would take the path of least risk.

It is safe to presume they have a perimeter firewall, and they have opened the RDP port so that you can access remotely? And they have also opened a port, forwarded to the Linux box's SSH port ?

Finally, how do you connect to the THEOS box (GUI app, cmd line, etc.)?
 
Old 07-06-2008, 07:34 PM   #4
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Blog Entries: 2

Rep: Reputation: 124
If you have a linux box on your side a fairly easy way to do this is set GatewayPorts to yes in your local linux sshd config file (restart its ssh server) and then ssh -L 3526:ip_of_THEOS_box:3526 user@remote_linux_host

Then just tell your windows workstation to connect to the linux box like it's the theos box and all the port 3526 access will get forwarded to the theos box and it'll look local to its network.

Once you've done what you want I'd turn off the GatewayPorts option.
 
Old 07-06-2008, 08:01 PM   #5
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
I think the OP indicated connection to the THEOS box is via UDP, so it's not as trivial.
 
Old 07-07-2008, 01:23 AM   #6
linker3000
LQ Newbie
 
Registered: May 2007
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Lantzvillian View Post
This THEOS box, can it be connected via ssh? If so, if you can connect to the box, that's your gateway and tunnel from there. My idea is this:

You ---Internet---- Gateway device -- forward traffic through or act as firewall. eth0 to eth1 for example
------ If traffic is trying to connect with 65000 forward to eth1:1(alias ;P) which is the gateway box and from there you can do your tunnel.
No SSH on THEOS - I'm just grateful it has FTP as to get data off the system I am going to run a script to dump a database to csv files, FTP them to the Linux server and then rsync via ssh to head office.
 
Old 07-07-2008, 01:25 AM   #7
linker3000
LQ Newbie
 
Registered: May 2007
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Mr. C. View Post
With 4 hours between you and the hardware, I would take the path of least risk.

It is safe to presume they have a perimeter firewall, and they have opened the RDP port so that you can access remotely? And they have also opened a port, forwarded to the Linux box's SSH port ?

Finally, how do you connect to the THEOS box (GUI app, cmd line, etc.)?
Yep, perimeter firewall to which I have full access as I set up the router.

THEOS supports local serial terminals or local Windows clients using its own, proprietary GUI client software.

Last edited by linker3000; 07-07-2008 at 01:26 AM.
 
Old 07-07-2008, 02:26 AM   #8
linker3000
LQ Newbie
 
Registered: May 2007
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Mr. C. View Post
I think the OP indicated connection to the THEOS box is via UDP, so it's not as trivial.
Yes, UDP.

Does this refer to the ssh redirection plan?

Thanks
 
Old 07-07-2008, 02:30 AM   #9
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
There is no real trouble with establishing a secure connection to an internal box; the question here, if I'm understanding, is how you ensure all the right packets get to THEOS. Some thoughts:

If the firewall/router has VPN software, this might be the most straightforward, and useful. Your system simply becomes a member of the remote network, and THEOS is none the wiser.

Because THEOS uses UDP, to use SSH and a tunnel, you'll have to also do some trickery to force UDP into a FIFO, to push that down the tunnel. Only testing will determine if this will ultimately work for you. (I'm assuming you don't want to open the UDP port that THEOS listens on, a risky proposition at best.)

A third alternative is to set up a simple Windows box on the inside, that is your connection station. Then you can use RDP, VNC, or even the old, but venerable NetMeeting.

Perhaps yet another option is a serial cable from the Linux box to the THEOS box.

Let's see if any of these grabs your interest.
 
Old 07-07-2008, 02:58 AM   #10
linker3000
LQ Newbie
 
Registered: May 2007
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Mr. C. View Post
There is no real trouble with establishing a secure connection to an internal box; the question here, if I'm understanding, is how you ensure all the right packets get to THEOS. Some thoughts:

If the firewall/router has VPN software, this might be the most straightforward, and useful. Your system simply becomes a member of the remote network, and THEOS is none the wiser.

Because THEOS uses UDP, to use SSH and a tunnel, you'll have to also do some trickery to force UDP into a FIFO, to push that down the tunnel. Only testing will determine if this will ultimately work for you. (I'm assuming you don't want to open the UDP port that THEOS listens on, a risky proposition at best.)

A third alternative is to set up a simple Windows box on the inside, that is your connection station. Then you can use RDP, VNC, or even the old, but venerable NetMeeting.

Perhaps yet another option is a serial cable from the Linux box to the THEOS box.

Let's see if any of these grabs your interest.
Cheers,

VPN is a possibility - all routers are Drayteks and support a hardware VPN.

THEOS box is well away from the Linux one and getting them together would be problematic - although a mains-borne/wireless serial link might be a way forward.

I may stick with taking over a local PC via RDP for now because once I have set up the file transfer scripts on the THEOS server they will be run by local staff anyway.

Thanks for the ideas.
 
Old 07-07-2008, 07:48 AM   #11
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Blog Entries: 2

Rep: Reputation: 124
Well, what I mentioned before will also work with UDP with the use of another program and a slight port change.

ssh -L 33526:127.0.0.1:33526 user@remote_linux_host

on the local linux side run socat
socat udp4-listen:3526,reuseaddr,fork tcp:localhost:33526

on remote linux side run socat
socat tcp4-listen:33526,reuseaddr,fork UDP:ip_of_THEOS_box:3526


http://www.zarb.org/~gc/html/udp-in-ssh-tunneling.html
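The socat pairing in the post above passes datagram contents along a TCP byte stream with no record boundaries, so two small THEOS packets can arrive at the far end merged into one datagram, or a large one split, depending on timing; whether the THEOS client tolerates that is exactly the "only testing will determine" point raised earlier. The program below is an added example written for this thread, not code from the thread, from socat or from OpenSSH. It reimplements the same two-hop relay (workstation -> local UDP listener -> TCP stream -> remote relay -> THEOS) in Python and adds a 2-byte length prefix per datagram so boundaries survive the stream. Assumptions: the ssh -L tunnel is replaced by a plain loopback TCP connection, the THEOS service is a constructed UDP echo stand-in, and all ports are ephemeral (the first post names UDP 3256 while the later commands use 3526, so no fixed port is hard-coded here). The relay tracks a single workstation client, which matches the thread's one-operator use.

```python
import socket
import struct
import threading

# Constructed framing: a 2-byte big-endian length prefix per datagram, so the
# TCP stream cannot merge or split datagrams the way a raw byte relay can.
HDR = struct.Struct("!H")

def send_frame(conn, payload):
    conn.sendall(HDR.pack(len(payload)) + payload)

def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:  # stream closed mid-frame
            return None
        buf += chunk
    return buf

def recv_frame(conn):
    hdr = recv_exact(conn, HDR.size)
    return None if hdr is None else recv_exact(conn, HDR.unpack(hdr)[0])

def pump(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def tcp_to_udp(conn, send):
    """Unwrap frames from the stream and emit each one as a single datagram."""
    frame = recv_frame(conn)
    while frame is not None:
        send(frame)
        frame = recv_frame(conn)

def udp_to_tcp(recv, conn):
    """Wrap each datagram from recv() in a frame and write it to the stream."""
    while True:
        send_frame(conn, recv())

def start_remote_side(theos_addr):
    """Remote Linux box: accept the (tunnelled) TCP stream and relay between it
    and a UDP socket connected to the THEOS host. Returns the TCP port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def serve():
        conn, _ = lsock.accept()
        usock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        usock.connect(theos_addr)  # connected: only THEOS replies are accepted
        pump(tcp_to_udp, conn, usock.send)
        pump(udp_to_tcp, lambda: usock.recv(65535), conn)

    pump(serve)
    return lsock.getsockname()[1]

def start_local_side(remote_addr):
    """Local Linux box: listen on UDP for the workstation, relay datagrams over
    the TCP stream, and return replies to the last sender. Returns the UDP port."""
    usock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    usock.bind(("127.0.0.1", 0))
    conn = socket.create_connection(remote_addr)
    peer = {}

    def recv_from_workstation():
        data, addr = usock.recvfrom(65535)
        peer["addr"] = addr  # remember who to answer (single-client relay)
        return data

    pump(udp_to_tcp, recv_from_workstation, conn)
    pump(tcp_to_udp, conn, lambda frame: usock.sendto(frame, peer["addr"]))
    return usock.getsockname()[1]

def start_fake_theos():
    """Constructed stand-in for the THEOS service: echoes with an ACK: prefix."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, addr = s.recvfrom(65535)
            s.sendto(b"ACK:" + data, addr)

    pump(serve)
    return s.getsockname()[1]

def demo(messages=(b"one", b"two")):
    """Wire up all three hops on loopback; return the reply to each datagram."""
    theos_port = start_fake_theos()
    tcp_port = start_remote_side(("127.0.0.1", theos_port))
    udp_port = start_local_side(("127.0.0.1", tcp_port))
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)
    replies = []
    for msg in messages:
        client.sendto(msg, ("127.0.0.1", udp_port))
        replies.append(client.recv(65535))
    return replies

if __name__ == "__main__":
    print(demo())  # [b'ACK:one', b'ACK:two']
```

In a real deployment the local side's TCP connection would go to the forwarded port of an ssh -L tunnel as in the post, and only the loopback listener on the local box is exposed to the workstation; the remote UDP socket is connected to the THEOS address so stray datagrams from other hosts are dropped by the kernel rather than relayed back.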
 
Old 07-07-2008, 08:41 AM   #12
linker3000
LQ Newbie
 
Registered: May 2007
Posts: 9

Original Poster
Rep: Reputation: 0
Many thanks to everyone who replied - I think it's time for me to do some work with all that's been suggested.
 
  

