rsync via tunnel - 3 boxes separated by internet [solved]

Jay Strauss me at
Wed Aug 24 19:25:57 GMT 2005

Hi Wayne, I'm not subscribed anymore, but I once sent you this 
example/FAQ.  I searched the archives (because I needed to implement 
this) and noticed I never posted the solution (like a dummy).  Would you 
post it for me?


Backing up through a firewall

Its very common to have a setup where you can not reach the machine you 
   want to backup directly, because it is behind a firewall.  Below are 
common layouts.

(layout1):   you --internet-- firewall -- target
(layout2):   you --internet-- firewall -- ssh server -- target

where the "firewall" either lets you log in directly using ssh or the 
firewall forwards ssh connections to another machine "ssh server" which 
you can log into.

Either way you can't log into the "target" directly from the outside, 
but the files you want to back up live on the target.

Below are 2 methods for accomplishing this feat, both have advantages 
and disadvantages, your choice.

Method #1 - Use ssh to hop to the target machine

1) Configure passwordless login from the machine which you can log 	into 
(the "firewall" in layout1 and the "ssh server" in layout2) to "target".

Numerous examples of configuring this exist a google away, but in 
general on the machine you can log into, you create a public/private key 
pair. Copy the public key to the "target" and append the contents of the 
public key to the .ssh/auauthorized_keys file.

2) execute your rsync command - its that easy

    you~$ rsync -av --rsync-path="ssh target rsync" firewall:/source/ /dest/

This command looks like it is copying a file from the firewall, but the 
           remote command run on the firewall to start rsync really 
contacts the      target and runs the remote rsync there, so "/source/" 
is coming from the      target.

Advantages of Method #1

      * you can do it without any sys admin help (avoid the BOFH)
      * you can backup any file to which you have access to on the target

Disadvantages of Method #1

      * you have to manage you public/private keys
      * adds another security hole in that if your login onto the 
firewall or ssh server is compromised, the invader can reach the target 

Method #2 - Install and configure an rsync server on the target and use 
an ssh tunnel to reach the rsync sever

Installing the rsync server is beyond the scope of this document, but 
again it's just a google away.

Once your rsync server is up and running you build an ssh tunnel through 
you firewall like:

    you~$ ssh -N -l userid_on_firewall -L 873:target:873 firewall

What this does is connects to the firewall, and directs port 873 on 
"you" through the ssh tunnel, and out the other end at port 873 on the 

Now when rsync is executed, which talks on port 873, the conversation is
directed to the target.

In another window execute

    you~$ rsync -arv localhost::<rsync_server_module_name>/source ./dest

Advantages of Method #2

    * If you are the one administering the rsync server, you have finer
      control over who can access what files

    * Removes the passwordless access to the target machine

Disadvantages of Method #2

    * More issues with file permissions
    * More servers running more stuff to administer

More information about the rsync mailing list