SSH tunnel & Rsync thru two proxy/firewalls

Solution 1:

I'm assuming the SSH port on firewall_2 ("BC" in your diagram) is accessible from the outside. Can computers on network 1 (10.2.0.*) reach the internet directly (i.e. via NAT), or only by proxying via firewall_1? Since you don't specify, I'll assume not.

Probably the simplest thing to do is to tunnel rsync over SSH tunneled over SSH (clearly, "simplest" is relative). First, build the outer tunnel by running this on firewall_1:

firewall_1# ssh -N -p 22 -c 3des user2@firewall_2.example.com -L 10.2.0.2:5432:10.3.0.3:22

Note that this binds the local (firewall_1) end of the tunnel to its internal IP (10.2.0.2), on an arbitrary port (I used 5432).

Then, from server_1, run rsync and use its -e option to run it over SSH:

server_1# rsync -e "ssh -p5432 -c 3des" -a /local/path user2@10.2.0.2:/remote/path

This SSHes into port 5432 on the IP address 10.2.0.2, which the outer tunnel forwards to 10.3.0.3 (server_2) port 22 (standard SSH).

BTW, if coordinating the setup on multiple computers (i.e. creating a tunnel from firewall_1 and then using it from server_1) is difficult, let me know; with a bit more complexity, it's possible to fire it all off from server_1 with a single command. Although you should be able to set up the outer tunnel once, and then just leave it up...

Solution 2:

SSH has an option called ProxyCommand which allows you to pass all SSH traffic to a command which can be run on a different host. Probably you can chain multiple of these together to achieve what you want to do.

If you can directly connect from internal_server_1 to firewall_2, you can use something like this (for example as value for -e if you're using rsync):

ssh -o ProxyCommand="ssh -W %h:%p firewall_2" internal_server_2
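The following is an added example, not code from either answer. It writes the two-hop chain of Solution 2 as an ssh_config using ProxyJump (the config-file form of the `ProxyCommand="ssh -W %h:%p ..."` trick), which also gives Solution 1 its "single command from server_1" without a separately maintained outer tunnel; it pins both hops' host keys so a compromised firewall_2 cannot substitute its own key for server_2's, builds the matching rsync invocation, and emits an authorized_keys line for the account on firewall_2 that allows only the one forward ProxyJump needs. Host names, IPs, the user name `user2`, the key path and the paths are assumptions taken from the question's diagram and the answers; `effective_option` assumes an OpenSSH client with `ssh -G` (7.3 or later) and is only a local check, nothing connects.

```bash
#!/usr/bin/env bash
# Added example (not from the answers): ProxyJump chain for
# server_1 -> firewall_2 -> server_2, with pinned host keys and
# a least-privilege key for the hop account. Names/IPs are assumptions.
set -euo pipefail

# Write a self-contained ssh_config describing the chain.
# $1 = config path, $2 = known_hosts file holding the pinned keys of both hops.
write_chain_config() {
  local cfg="$1" known_hosts="$2"
  cat >"$cfg" <<EOF
# First hop: the SSH port on firewall_2 that is reachable from network 1.
Host firewall_2
    HostName firewall_2.example.com
    User user2
    Port 22
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_chain

# Second hop: server_2 behind firewall_2, reached through the first hop.
Host server_2
    HostName 10.3.0.3
    User user2
    Port 22
    ProxyJump firewall_2
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_chain

# Both hops: refuse unknown or changed host keys, so the jump host cannot
# quietly present its own key in place of server_2's.
Host firewall_2 server_2
    StrictHostKeyChecking yes
    UserKnownHostsFile $known_hosts
EOF
}

# Print the rsync command that rides the chain (rsync -e picks the config).
# $1 = config path, $2 = local source, $3 = remote path on server_2.
rsync_cmd_over_chain() {
  local cfg="$1" src="$2" dest="$3"
  printf 'rsync -a -e "ssh -F %s" %s server_2:%s\n' "$cfg" "$src" "$dest"
}

# authorized_keys line for user2 on firewall_2: "restrict" turns off pty,
# agent/X11 forwarding and port forwarding; "port-forwarding" re-enables
# forwarding and "permitopen" limits it to the single destination that
# ProxyJump's direct-tcpip channel needs. $1 = public key material.
jump_only_authorized_key() {
  local pubkey="$1"
  printf 'restrict,port-forwarding,permitopen="10.3.0.3:22" %s\n' "$pubkey"
}

# Local sanity check: ask the client what it would use for one option of
# one host (keys in ssh -G output are lowercase). $1 = cfg, $2 = host, $3 = key.
effective_option() {
  local cfg="$1" host="$2" key="$3"
  ssh -G -F "$cfg" "$host" | awk -v k="$key" '$1 == k { print $2; exit }'
}

# Stand-alone demonstration: generate the config in a temp dir and show the
# commands that would be run; nothing connects anywhere.
demo_dir=$(mktemp -d)
write_chain_config "$demo_dir/ssh_config" "$demo_dir/known_hosts"
rsync_cmd_over_chain "$demo_dir/ssh_config" /local/path /remote/path
jump_only_authorized_key "ssh-ed25519 AAAAC3EXAMPLEKEY user2@server_1"  # constructed key
```

Populate the known_hosts file from a trusted source (for example `ssh-keyscan` run from inside each network, compared against what the administrator reports) before first use; with `StrictHostKeyChecking yes` an empty file simply makes every connection fail, which is the intended failure mode. `ssh -G -F ssh_config server_2` shows the fully resolved options for the second hop without connecting.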