Re: Simple IP-Forwarding problem
On 13 Jul 2005, Marc Mueller wrote:
> I read tons of documentation, but I still have not found a fitting
> solution for my problem - perhaps any of you can help me.
> There are 3 servers (A, B, C), each running an ssh daemon. None of them
> has a connection to the internet for security reasons - neither
> incoming nor outgoing.
Others have already given you the iptables NAT rules to forward ports
from the Internet to A, B and C -- thereby connecting them directly to
the Internet and violating whatever security policy that requires that
they are not accessible that way.
> Only one server in the internet (X) is allowed to open a direct
> connection to the three servers.
> Local # Internet # Local
> A---\ # #
> C---/ # #
> # #
I wouldn't advise violating the security policy as you propose - it is
bound to be there for a good reason.
Rather, I would suggest that you access your systems like this:
] ssh X -t ssh A ...
That way you have only one exposed machine, and preserve the security
policy (and the sanity of whoever wrote it. ;)
You may want to look at the options for forwarding the Authentication
Agent and X through the tunnel.
Finally, you can do port forwarding from your local machine to A, B and
C using ssh port forwarding, through X, in this style:
] ssh X -L 2080:A:80
Then, when you connect to localhost:2080, ssh will open a connection
from X to A on port 80 and forward traffic for you.
With sufficient thrust, pigs fly just fine. However, this is not necessarily a
good idea. It is hard to be sure where they are going to land, and it could be
dangerous sitting under them as they fly overhead.
-- RFC 1925
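The two commands in the reply above (the interactive login through X and the -L forward), as an added shell example that is not part of the thread: it checks the bind address of a -L spec so the forwarded port stays on loopback instead of re-exposing A on the operator's own LAN, and prints the resulting ssh commands. The hostnames X and A come from the thread; the helper names and the ProxyJump form (-J, available since OpenSSH 7.3) are the example's own assumptions.

```shell
#!/bin/sh
# Added example for the thread above; not from the original posters.
# Assumes OpenSSH's -L syntax  [bind_address:]port:host:hostport  and the
# hostnames X (exposed bastion) and A (internal) used in the thread.
# IPv6 bracket syntax is not handled.

# Return 0 if a -L spec binds only to loopback, 1 if it would listen on
# other interfaces (which re-exposes A through the operator's workstation),
# 2 if the spec is malformed.
check_forward_spec() {
    spec=$1
    n=$(printf '%s' "$spec" | awk -F: '{ print NF }')
    case $n in
        3) bind="" ;;
        4) bind=${spec%%:*} ;;
        *) printf 'malformed -L spec: %s\n' "$spec" >&2; return 2 ;;
    esac
    case $bind in
        ""|localhost|127.0.0.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ssh command that forwards a local port to an internal host via
# the jump host, refusing specs that would bind to a non-loopback address.
# -N: open the tunnel only, run no remote command.
build_tunnel_cmd() {
    jump=$1
    spec=$2
    check_forward_spec "$spec" || return $?
    printf 'ssh -N -L %s %s\n' "$spec" "$jump"
}

# Print the equivalent of "ssh X -t ssh A" using ProxyJump (OpenSSH 7.3+):
# the session to A is encrypted end to end, X only relays the TCP stream.
build_jump_cmd() {
    printf 'ssh -J %s %s\n' "$1" "$2"
}

# Usage with the hosts from the thread (constructed sample input):
build_tunnel_cmd X 2080:A:80
build_jump_cmd X A
```

The loopback check is only meaningful if the client is not run with -g or with GatewayPorts set in ssh_config, because either makes OpenSSH bind a forward with no explicit address to all interfaces; both options exist in OpenSSH and the example does not inspect them.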