[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Simple IP-Forwarding problem

On 13 Jul 2005, Marc Mueller wrote:
> i read tons of dokumentation, but i still have not found a fitting 
> solution for my problem - perhaps anyone of you can help me.
> There are 3 servers (A,B,C), each running a ssh-daemon. None of them
> has a connection to the internet for security reasons - neither
> incoming nor outgoing.

Others have already given you the iptables NAT rules to forward ports
from the Internet to A, B and C -- thereby connecting them directly to
the Internet and violating whatever security policy that requires that
they are not accessible that way.

> Only one server in the internet (X) is allowed to open a direct 
> connection to the three servers.
> Local   # Internet # Local
> A---\   #          #
> B---->--#----X-----#---Me
> C---/   #          #
> #          #

I wouldn't advise violating the security policy as you propose - it is
bound to be there for a good reason.

Rather, I would suggest that you access your systems like this:

] ssh X -t ssh A ...

That way you have only one exposed machine, and preserve the security
policy (and the sanity of whoever wrote it. ;)

You may want to look at the options for forwarding the Authentication
Agent and X through the tunnel.

Finally, you can do port forwarding from your local machine to A, B and
C using ssh port forwarding, through X, in this style:

] ssh X -L 2080:A:80 

Then, when you connect to localhost:2080, ssh will open a connection
from X to A on port 80 and forward traffic for you.

With sufficient thrust, pigs fly just fine. However, this is not necessarily a
good idea. It is hard to be sure where they are going to land, and it could be
dangerous sitting under them as they fly overhead.
        -- RFC 1925

Reply to: