Jump to content
Server Maintenance This Week. ×

Tunnel FileMaker over SSH through NAT

xochi

By xochi
in FileMaker Server 11

 Share

This topic is 6986 days old. Please don't post here. Open a new topic instead.

Recommended Posts

xochi Mentor

xochi

Posted
Posted

You can connect to a FileMaker server behind a NAT box or firewall using built in SSH features of Mac OS X. This is handy if you run a NAT box or firewall, and have more than one FM Server to connect to.

Note: this procedure gives out your admin password on the server to the client, so use only with a trusted user. I use it for my personal development needs only. It also exposes SSH to the outside world, so make sure you are using strong passwords and have all of the latest system updates.

Steps:

1. Make sure your server machine has port 22 open and your NAT box forwards port 22 to that machine. See your Airport Base Station (or linksys, etc.) help files for how to do this.

2. On the client machine, start SSH with the following command line in the terminal:

ssh -NL 5003:127.0.0.1:5003 loginname@natboxIP

where loginname is the login name of an admin user on the server, and natboxIP is the IP address (or domain name if you have one) of your nat box (the public WAN side, not the private LAN side).

3. You will be prompted to enter the admin password

4. The terminal will hang -- no output will be produced, but the SSH tunnel will be working.

5. To stop the ssh session, type control-C

6. To connect, open FileMaker on the client machine, and use 127.0.0.1 as the host. You should see your remote databases show up.

How it works:

The above command says "on my local machine (127.0.0.1) start forwarding port 5003 to the remote machine's port 5003" SSH will automatically use port 22 (which you have unblocked, right?) and start the ssh server on the remote machine. The traffic is encrypted to and from the server.

Link to comment
Share on other sites
  • 4 months later...
xochi Mentor

xochi

Posted
  • Author
Posted

My main concern was not encryption, but in getting around NAT/single IP limitations.

With this technique, you can run a FM6 and FM7 server on separate boxes, both behind a NAT / firewall device, and access either one from outside the firewall. Normally, since FM6 and FM7 use the same port, you have to choose one machine or the other to have your NAT / firewall do port mapping for.

Link to comment
Share on other sites
xochi Mentor

xochi

Posted
  • Author
Posted

My main concern was not encryption, but in getting around NAT/single IP limitations.

With this technique, you can run a FM6 and FM7 server on separate boxes, both behind a NAT / firewall device, and access either one from outside the firewall. Normally, since FM6 and FM7 use the same port, you have to choose one machine or the other to have your NAT / firewall do port mapping for.

Link to comment
Share on other sites
xochi Mentor

xochi

Posted
  • Author
Posted

My main concern was not encryption, but in getting around NAT/single IP limitations.

With this technique, you can run a FM6 and FM7 server on separate boxes, both behind a NAT / firewall device, and access either one from outside the firewall. Normally, since FM6 and FM7 use the same port, you have to choose one machine or the other to have your NAT / firewall do port mapping for.

Link to comment
Share on other sites
bikergeek Enthusiast

bikergeek

Posted
Posted

Presumably, you still have to have your host machine assigned a static IP, such as by DHCP with manual address, unless your firewall has the ability to map ports dynamically based on MAC address rather than the dynamic IP of the host machine...

Link to comment
Share on other sites
bikergeek Enthusiast

bikergeek

Posted
Posted

Presumably, you still have to have your host machine assigned a static IP, such as by DHCP with manual address, unless your firewall has the ability to map ports dynamically based on MAC address rather than the dynamic IP of the host machine...

Link to comment
Share on other sites
bikergeek Enthusiast

bikergeek

Posted
Posted

Presumably, you still have to have your host machine assigned a static IP, such as by DHCP with manual address, unless your firewall has the ability to map ports dynamically based on MAC address rather than the dynamic IP of the host machine...

Link to comment
Share on other sites
xochi Mentor

xochi

Posted
  • Author
Posted

Correct. You need to have both server machines inside the firewall/router/nat box using fixed addresses. Set your nat box to map the ports to each box respectively. (The server you want to access normally would use 5003, and the server you want to access via ssh would use port 22, typically).

Link to comment
Share on other sites
xochi Mentor

xochi

Posted
  • Author
Posted

Correct. You need to have both server machines inside the firewall/router/nat box using fixed addresses. Set your nat box to map the ports to each box respectively. (The server you want to access normally would use 5003, and the server you want to access via ssh would use port 22, typically).

Link to comment
Share on other sites
xochi Mentor

xochi

Posted
  • Author
Posted

Correct. You need to have both server machines inside the firewall/router/nat box using fixed addresses. Set your nat box to map the ports to each box respectively. (The server you want to access normally would use 5003, and the server you want to access via ssh would use port 22, typically).

Link to comment
Share on other sites

This topic is 6986 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept