On 13 Jul 2005, Marc Mueller wrote:
I read tons of documentation, but I still have not found a fitting
solution for my problem - perhaps anyone of you can help me.
There are 3 servers (A, B, C), each running an ssh daemon. None of them
has a connection to the internet for security reasons - neither
incoming nor outgoing.
Others have already given you the iptables NAT rules to forward ports
from the Internet to A, B and C -- thereby connecting them directly to
the Internet and violating whatever security policy that requires that
they are not accessible that way.
Only one server in the internet (X) is allowed to open a direct
connection to the three servers.
Local   # Internet #  Local
A---\   #          #
B---->--#----X-----#---Me
C---/   #          #
        #          #
I wouldn't advise violating the security policy as you propose - it is
bound to be there for a good reason.
Rather, I would suggest that you access your systems like this:
] ssh X -t ssh A ...
That way you have only one exposed machine, and preserve the security
policy (and the sanity of whoever wrote it. ;)
You may want to look at the options for forwarding the Authentication
Agent and X through the tunnel.
Finally, you can do port forwarding from your local machine to A, B and
C using ssh port forwarding, through X, in this style:
] ssh X -L 2080:A:80
Then, when you connect to localhost:2080, ssh will open a connection
from X to A on port 80 and forward traffic for you.
Regards,
Daniel
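The jump-host pattern Daniel describes (one exposed machine X, everything else reached through it), written up as an added example that is not part of the original thread. It is a client-side ssh_config fragment using ProxyJump (OpenSSH 7.3 and later; the equivalent one-liner is "ssh -J X A"), which tunnels the second SSH session end to end through X: X relays only ciphertext, so it never sees your keys or the session. That is why the fragment also sets ForwardAgent no: with "ssh X -t ssh A" plus agent forwarding, anyone with root on X can use your agent socket while you are logged in. The LocalForward line gives the effect of Daniel's "ssh X -L 2080:A:80", except that the forwarded connection is opened by A itself rather than by X. The host names (x.example.com, a.internal, b.internal, c.internal) and the user name "me" are placeholders assumed for the example; the second function only asks ssh how it would connect (ssh -G) and never opens a connection.

```shell
#!/bin/sh
# Added example, not from the original thread. Host names and the user
# "me" are assumed placeholders; replace them with your own.

# write_jump_config <file>: write the client-side ssh_config fragment
# for reaching A, B and C only through the single exposed bastion X.
# ssh_config comments must start a line, so none are placed after options.
write_jump_config() {
    cat > "$1" <<'EOF'
# The single exposed machine (X). Pin its host key so it cannot be
# impersonated by whatever sits between you and it on the Internet.
Host bastion
    HostName x.example.com
    User me
    ForwardAgent no
    StrictHostKeyChecking yes

# The three internal servers: never connected to directly, always via X.
# ProxyJump bastion is the config equivalent of: ssh -J bastion a
# ForwardAgent no keeps the agent socket off the bastion (root on X
# could otherwise use it while you are logged in).
Host a b c
    User me
    ProxyJump bastion
    ForwardAgent no
    StrictHostKeyChecking yes

# Same effect as "ssh X -L 2080:A:80": localhost:2080 here reaches A:80.
# Because the session ends on A, the forward is encrypted all the way to A.
Host a
    HostName a.internal
    LocalForward 2080 localhost:80

Host b
    HostName b.internal

Host c
    HostName c.internal
EOF
    # ssh refuses a user config file that is group- or world-writable.
    chmod 600 "$1"
}

# resolve_option <cfgfile> <host> <option>: print the value ssh would use
# for <option> when connecting to <host>, as resolved by "ssh -G" (a dry
# run that evaluates the config and exits without connecting).  Prints
# "unavailable" when no ssh binary is present or it cannot parse the file.
resolve_option() {
    command -v ssh >/dev/null 2>&1 || { echo unavailable; return 0; }
    out=$(ssh -G -F "$1" "$2" 2>/dev/null) || { echo unavailable; return 0; }
    printf '%s\n' "$out" | awk -v key="$3" '$1 == key { print $2; exit }'
}
```

Before relying on a config like this, run "ssh -G a" (or resolve_option above) and confirm that proxyjump resolves to the bastion and forwardagent to no for each internal host; a typo in a Host pattern silently falls through to the defaults, which is exactly the direct-connection behaviour the policy forbids.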