Luca, SSH tunnels are by nature one directional. You will open a listening port on one end, and all traffic will be forwarded to the other end. Of course replies can come back through the tunnel, but no unrelated traffic; it's just like a normal TCP connection. To access the VNC server on A from B, the command you would use would be:

user@FB$ ssh -f -N -g -L vncport:A-address:vncport FA

This command will establish a listening port on vncport of machine FB. Then your VNC client on B should attempt to connect to FB:vncport, pretending the VNC server on A is really local to FB. SSH will grab that connection, forward it to FA, which will unwrap it and send it to A. A will then reply, and so forth. The -f -N are switches I prefer to use; they tell ssh to fork to the background without executing a command. The -g switch tells ssh to listen on all IPs, rather than just localhost. To do the same thing in the other direction, replace all A's with B's and B's with A's. The general form is:

-L localPort:destinationAddress:destinationPort hostwithsshd

Remember that destinationAddress:destinationPort is run from the hostwithsshd routing tables, so it's okay to use NATed addresses that you yourself can't resolve. Listen on localhostPort, forward all connections to hostwithsshd, unencrypt and send to the destination host on the destination port. Though SSH is adequate for this sort of task, and is enormously convenient for setting up quick tunnels, if you want these tunnels to autonegotiate you must look into 'dsa pubkey authentication' to allow passwordless authentication of the tunnels. Also, be sure to block the inet port with iptables, or you'll lose your security of being firewalled, as the tunnel will let machines inside your network from outside. I'm not aware of any way to tell ssh which address to listen on, but I could just be ignorant about that.

Instead of using SSH, if this tunnel is one you'd like permanently established, look into ipsec and virtual private networks. You could simply encrypt all traffic between those two networks, and therefore have client A and B transparently point at each other's respective addresses and have the encryption handled at IP level (a better, though more difficult, solution). I hope this is helpful.

~Jason

> Hi,
> I want to realize an ssh tunnel for VNC behind two different factories, where
> clients are behind a firewall (one firewall per factory). I have done something with ssh -L, but never for vnc and behind two firewalls. The situation is this:
> machine A: mac os x with vnc server
> machine B: windows with vnc viewer
> firewall FA: linux with iptables and masquerading
> firewall FB: linux with iptables and masquerading
>
> I thought to enable the tunnel starting on FB, with something like: ssh -L vnc_port:FA:vnc_port
> thus when B tries to connect to A, it will be redirected to the
> FA:vnc_port.
> Now, what do I have to do on FA? I don't want to use ssh behind FA and FB, so
> I'd like to not use ssh over A and B. How can I configure the two firewalls
> to do this?
>
> Thanks,
> Luca
>
> --
> Luca Ferrari,
> fluca1978@xxxxxxxxxxx
>
>
> -
> : send the line "unsubscribe linux-admin" in the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
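The general -L form and the "block the inet port with iptables" advice in Jason's reply, as an added example that is not part of the original thread: a small POSIX sh script that composes the tunnel command, emits the rule that keeps the forwarded port off the LAN, and audits `ss -ltn` output for forwards bound to every address. It assumes OpenSSH, whose -L accepts an optional bind address in front of localPort (so a loopback bind can replace -g); all hostnames, addresses and the sample `ss` lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the
# "-L localPort:destinationAddress:destinationPort hostwithsshd" form,
# the iptables rule that keeps the forwarded port local, and a check
# for forwards that are reachable from the whole LAN.
# Assumes OpenSSH, whose -L takes an optional bind address before localPort.

# is_port N -> 0 when N is an integer in 1..65535
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
  return 1
}

# vnc_tunnel_cmd BIND LPORT DEST DPORT SSHHOST -> prints the ssh command.
# BIND "127.0.0.1" keeps the listener local to the firewall host; an empty
# BIND reproduces the -g behaviour from the post (listen on every address).
vnc_tunnel_cmd() {
  bind=$1 lport=$2 dest=$3 dport=$4 sshhost=$5
  if ! is_port "$lport" || ! is_port "$dport" || [ -z "$dest" ] || [ -z "$sshhost" ]; then
    return 1
  fi
  if [ -n "$bind" ]; then
    printf 'ssh -f -N -L %s:%s:%s:%s %s\n' "$bind" "$lport" "$dest" "$dport" "$sshhost"
  else
    printf 'ssh -f -N -g -L %s:%s:%s %s\n' "$lport" "$dest" "$dport" "$sshhost"
  fi
}

# local_only_rule LPORT -> iptables rule dropping connections to the forwarded
# port unless they arrive on the loopback interface (the post's advice)
local_only_rule() {
  if ! is_port "$1"; then return 1; fi
  printf 'iptables -A INPUT -p tcp --dport %s ! -i lo -j DROP\n' "$1"
}

# exposed_listeners < "ss -ltn" output -> prints ports whose listener is
# bound to every address (0.0.0.0, * or [::]), i.e. reachable from the LAN
exposed_listeners() {
  awk '$1 == "LISTEN" {
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") print port
  }'
}
```

Run `ss -ltn | exposed_listeners` on the firewall host after starting the tunnel; any VNC port it prints needs either the loopback bind or the iptables rule.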