Tunneling through two firewalls to get to rdesktop


I'm stuck.  At my office, I use rdesktop to connect from a FreeBSD
machine to Windows through terminal services on port 3389.  Sometimes
I work from home, and I want to do the same.  The thing is, my office is
behind a firewall, my home is behind a firewall.  I control the
latter, but not the former.  I can't figure out how to make it so I
can hit port 3389 on the Windows machine at work when I'm at home.

The arrangement looks like this:

     home  ---  my-fw  ---  work-fw  --- office  ---  windows

home and my-fw are FreeBSD, work-fw is some impenetrable thing I can't
get a shell on, and office runs Solaris.  The three machines I can get
a shell on all run a recent OpenSSH.

I can get through work-fw after great contortions and obtain a shell
on office.  Then, I use port forwarding to get it out of the way: I
make it so that my-fw:2000 hits office:22; that is, on my-fw I can say

   ssh -p 2000 workname@localhost

and log in to office.  This is very nice.  It looks like this:

     home  ---  my-fw  ---  work-fw  --- office  ---  windows
                2000 --------------------> 22

Then it's easy to do ssh within ssh and go from home to office through
my-fw, with

   ssh -t my-fw "ssh -p 2000 workname@localhost"

which looks something like this:

     home  ---  my-fw  ---  work-fw  --- office  ---  windows
      22 ------ 2000 ------------------> 22

That's all easy enough.  Here's where I run into trouble.  What I want
is to be able to run

   rdesktop some-hostname

on home, and have port 3389 go to my-fw, through it to office, and hit
windows:3389, like this:

     home  ---  my-fw  ---  work-fw  --- office  ---  windows
     3389 ------------------------------------------> 3389

(All without using -g on my-fw because it's in the public.) I tried to
do this by gluing two forwarded ports together.  First, I ran this on

  ssh -N -R 3389:windows:3389 me@my-fw

This set up:

     home  ---  my-fw  ---  work-fw  --- office  ---  windows
                3389 -------------------------------> 3389

and then I ran this on home:

  ssh -N -L 3389:home:3389 me@my-fw

which set up:

     home  ---  my-fw  ---  work-fw  --- office  ---  windows
     3389 ----> 3389

and I hoped the two ends on my-fw would glue together into:

     home  ---  my-fw  ---  work-fw  --- office  ---  windows
     3389 ----> 3389 -------------------------------> 3389

which would be the same as

     home  ---  my-fw  ---  work-fw  --- office  ---  windows
     3389 ------------------------------------------> 3389

But it didn't work.  The forwarding on my-fw doesn't want to deal with
having something forward into it on 3389 and then forwarded right out.
I assume this is intentional because it would be insecure, but I
haven't been able to find in the docs where this is explained.

Now I think that I was going about it all the wrong way, and what I
need is some complicated ssh command that will call ssh on one or two
other machines and do some port forwarding, all in one fell swoop.
I'd run something on home that would ssh into my-fw that would ssh
into office on port 2000 that would somehow reach back, grab home:3389
and send it to windows:3389.  But how would I do this?  I can't figure
it out at all.  Any hints or help would be most appreciated.  Or is it
impossible?  Surely not.

Thanks for any help.

William Denton : Toronto, Canada : http://www.miskatonic.org/ : Caveat lector.
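Added example (not part of the original post): one command run on home that rides the existing my-fw:2000 -> office:22 reverse tunnel and forwards home's loopback 3389 to windows:3389, so nothing is exposed on my-fw and no -g is needed. It assumes OpenSSH 7.3 or later on home for -J (ProxyJump); the hostnames and account names are the ones from the post, and the listener check is a helper for verifying the bind address with sockstat -4l or ss -ltn.

```shell
#!/bin/sh
# Added example, not the original poster's commands.
# The -L target host is resolved by the ssh *server*, not the client, and
# a -R listener binds to the server's loopback unless GatewayPorts is on.
# That is why gluing -R and -L together on my-fw is fragile; a single
# multi-hop session avoids the question entirely.

MYFW_USER="me"          # account on my-fw (from the post)
OFFICE_USER="workname"  # account on office (from the post)
RDP_PORT=3389

# Build the command rather than run it, so it can be inspected and tested.
rdp_tunnel_cmd() {
    # -J me@my-fw        : first hop is my-fw.
    # -p 2000 localhost  : the destination is resolved *on my-fw*, where the
    #                      existing reverse tunnel maps 2000 -> office:22, so
    #                      the second hop lands on office.
    # -L 127.0.0.1:3389:windows:3389
    #                    : binds only on home's loopback; "windows" is resolved
    #                      by office, the host that can actually reach it.
    # On OpenSSH older than 7.3, -J can be replaced by
    #   -o ProxyCommand="ssh -W localhost:2000 me@my-fw"
    printf 'ssh -N -J %s@my-fw -p 2000 -L 127.0.0.1:%d:windows:%d %s@localhost' \
        "$MYFW_USER" "$RDP_PORT" "$RDP_PORT" "$OFFICE_USER"
}

# Given the LOCAL ADDRESS field of a listener line (sockstat -4l on FreeBSD,
# ss -ltn on Linux), confirm the forward is bound to loopback and not to
# 0.0.0.0 / *, which is what -g or GatewayPorts would produce.
listener_is_loopback_only() {
    case "$1" in
        127.0.0.1:*|"[::1]:"*|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

# With the tunnel up, the client side is simply:  rdesktop localhost
```

Run `eval "$(rdp_tunnel_cmd)"` in one terminal on home, then point rdesktop at localhost.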
