[stunnel-users] "Reverse" tunneling with stunnel.
Peter Pentchev
roam at ringlet.net
Fri Jul 20 17:33:13 CEST 2018
On Tue, Jul 17, 2018 at 10:51:07PM -0600, C. Petro wrote:
> I have a client who is setting up a logging infrastructure involving a
> couple of DMZs forwarding logs into central logging points.
>
> They have to pass compliance audits (SOX, PCI at least) and have some
> rather specific desires in regards to how they want the log traffic to
> move, and which servers *initiate* the connections.
>
> Which is to say they want the internal servers to set up tunnels to the DMZ
> servers and then the forwarders use that tunnel to deliver logs back.
...oof. I went back and reread your original message more carefully.
The truth is, stunnel cannot really do what you want :(
It seems to me that what you want could be accomplished with OpenSSH and
its remote connection forwarding: set up an SSH server in the DMZ,
generate a (possibly passphraseless) key pair on the central server,
add the public key to the authorized_keys file of an unprivileged
account on the DMZ server, and then, on the central server (again, from
an unprivileged account), run a command like:
ssh -N -R 3000:localhost:3000 accountname@dmz.server
Then SSH will listen for incoming connections on 127.0.0.1:3000 on the DMZ
server and, when a connection comes in, create a connection from 127.0.0.1 to
127.0.0.1:3000 on the central server and start forwarding data.
If needed, the OpenSSH server on the DMZ host may be configured so that it is
very restricted: only public-key authentication, only certain users may
connect, only certain commands may be executed, etc.
Apologies for not reading your first message carefully enough!
G'luck,
Peter
--
Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
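The reverse-forwarding setup Peter describes, written out as an added example (this is not code from the post, from OpenSSH or from the stunnel project). It assumes a DMZ host called dmz.server, an unprivileged DMZ account called logtunnel, a dedicated ed25519 key under ~/.ssh on the central server, and port 3000 on both ends; all of these are assumptions, and the public key used in the demo is a constructed placeholder, not a real key. The authorized_keys options and sshd_config Match block are the "very restricted" server configuration the post mentions: the key can only open the one loopback listener, and sshd enforces the same limits independently of what is in authorized_keys.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSH reverse tunnel from the
# central log server to the DMZ, with the DMZ side locked down so the key can
# only be used to open one listener.  Host, account, key path and ports are
# assumptions chosen for illustration.

DMZ_HOST="dmz.server"
DMZ_USER="logtunnel"
REMOTE_PORT=3000        # loopback port sshd will listen on, on the DMZ host
LOCAL_PORT=3000         # loopback port the collector listens on, on the central host
KEY_FILE="${HOME:-.}/.ssh/logtunnel_ed25519"

# Central server: generate a passphraseless key pair used only for the tunnel.
generate_key() {
    ssh-keygen -t ed25519 -N '' -C "log-tunnel@central" -f "$KEY_FILE"
}

# DMZ server: the authorized_keys line for the unprivileged account.
# "restrict" disables pty, agent/X11 forwarding, rc files and all forwarding;
# "port-forwarding" turns only forwarding back on; "permitlisten" limits the
# -R listener to the single loopback port.  The forced command is what runs if
# someone drops the -N and asks for a shell.
authorized_keys_entry() {
    pubkey="$1"
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s\n' \
        "$REMOTE_PORT" "$pubkey"
}

# DMZ server: sshd_config Match block enforcing the same limits server-side,
# so an over-permissive authorized_keys line cannot widen what the account can do.
sshd_match_block() {
    cat <<EOF
Match User $DMZ_USER
    PasswordAuthentication no
    AuthenticationMethods publickey
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:$REMOTE_PORT
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
    ClientAliveInterval 30
    ClientAliveCountMax 3
EOF
}

# Central server: the command that keeps the tunnel up.  -N opens no session;
# ExitOnForwardFailure makes ssh exit (so a supervisor can restart it) when the
# DMZ port is already in use; the ServerAlive options detect a dead peer.
client_command() {
    printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$KEY_FILE" "$REMOTE_PORT" "$LOCAL_PORT" "$DMZ_USER" "$DMZ_HOST"
}

# Demo with a constructed placeholder public key (not a real key), so the
# script runs without calling ssh-keygen.
SAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREALxxxxxxxxxxxxxxxxxxxxx log-tunnel@central"
echo "# authorized_keys line for $DMZ_USER on $DMZ_HOST:"
authorized_keys_entry "$SAMPLE_PUBKEY"
echo "# sshd_config fragment for $DMZ_HOST:"
sshd_match_block
echo "# command to run on the central server (under a supervisor such as systemd):"
client_command
```

The log forwarders in the DMZ then send to 127.0.0.1:3000 on the DMZ host, and ssh carries each connection back to 127.0.0.1:3000 on the central server. The `permitlisten` option and `PermitListen` directive need OpenSSH 7.8 or later; `restrict` needs 7.2 or later; on older servers drop those and rely on `AllowTcpForwarding remote` plus `GatewayPorts no`.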