
Re: Simple IP-Forwarding problem



Hi Daniel,

An SSH tunnel would be possible, of course - but it would be an
additional step for the users each time they want to connect to
the servers outside - and I would have to allow ssh access on the
server in the middle, which I'd like to avoid.
However, if no one can help me solve the problem with iptables, I
will have to do it with ssh.

> I wouldn't advise violating the security policy as you propose - it is
> bound to be there for a good reason.

Indeed, that's right, but the server in the middle is not connectable by everyone - it is limited to our net.

Greetings,
    -Marc-


Daniel Pittman wrote:
On 13 Jul 2005, Marc Mueller wrote:

I read tons of documentation, but I still have not found a fitting solution for my problem - perhaps one of you can help me.

There are 3 servers (A,B,C), each running a ssh-daemon. None of them
has a connection to the internet for security reasons - neither
incoming nor outgoing.


Others have already given you the iptables NAT rules to forward ports
from the Internet to A, B and C -- thereby connecting them directly to
the Internet and violating whatever security policy that requires that
they are not accessible that way.


Only one server in the internet (X) is allowed to open a direct connection to the three servers.

Local   # Internet # Local
A---\   #          #
B---->--#----X-----#---Me
C---/   #          #
        #          #


I wouldn't advise violating the security policy as you propose - it is
bound to be there for a good reason.

Rather, I would suggest that you access your systems like this:

] ssh X -t ssh A ...

That way you have only one exposed machine, and preserve the security
policy (and the sanity of whoever wrote it. ;)

You may want to look at the options for forwarding the Authentication
Agent and X through the tunnel.

Finally, you can do port forwarding from your local machine to A, B and
C using ssh port forwarding, through X, in this style:

] ssh X -L 2080:A:80

Then, when you connect to localhost:2080, ssh will open a connection
from X to A on port 80 and forward traffic for you.

Regards,
        Daniel
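As an added example (not part of this thread, and not Daniel's or Marc's code), the script below writes the configuration that turns Daniel's jump-host advice into something the users type once instead of every time: a client-side ssh_config in which `ssh A` hops through X automatically (OpenSSH's ProxyJump, the newer equivalent of `ssh X -t ssh A`) and `ssh -N A` brings up the same forward as `ssh X -L 2080:A:80`, plus an sshd_config fragment for X that restricts the account on X to forwarding towards A, B and C only, with no TTY, no agent forwarding and no X11. The host names A, B, C and X and port 2080 come from the thread; `x.example.org`, the user name `marc`, the extra local ports 2081/2082 and the `/bin/false` path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (1) a client-side ssh_config
# that reaches A, B and C through the single exposed host X, and (2) an
# sshd_config fragment for X that limits what the jump host will forward.
# A, B, C, X and port 2080 are from the thread; x.example.org, the user
# "marc", ports 2081/2082 and /bin/false are assumptions.

JUMP_HOST="X"
INNER_HOSTS="A B C"
OUT_DIR="${TMPDIR:-/tmp}/jump-example"

# Client side: "ssh A" hops through X (ProxyJump runs "ssh -W A:22 X" under
# the hood), and "ssh -N A" brings up the equivalent of "ssh X -L 2080:A:80"
# from the thread. "localhost:80" is resolved on A, i.e. it is A's port 80.
write_client_config() {
    mkdir -p "$OUT_DIR"
    port=2080
    {
        printf 'Host %s\n' "$JUMP_HOST"
        printf '    HostName x.example.org\n'   # assumed public name of X
        printf '    User marc\n'                # assumed account on X
        for h in $INNER_HOSTS; do
            printf '\nHost %s\n' "$h"
            printf '    ProxyJump %s\n' "$JUMP_HOST"
            printf '    LocalForward %s localhost:80\n' "$port"
            port=$((port + 1))
        done
    } > "$OUT_DIR/ssh_config"
    printf '%s\n' "$OUT_DIR/ssh_config"
}

# Server side (on X): the account may only open forwards to A, B and C
# (port 22 is what ProxyJump needs, port 80 is the web forward), gets no
# TTY and no command on X, and cannot relay its agent or X11 through X.
write_jumphost_config() {
    mkdir -p "$OUT_DIR"
    permit=""
    for h in $INNER_HOSTS; do
        permit="$permit $h:22 $h:80"
    done
    {
        printf 'Match User marc\n'
        printf '    AllowTcpForwarding yes\n'
        printf '    PermitOpen%s\n' "$permit"
        printf '    PermitTTY no\n'
        printf '    AllowAgentForwarding no\n'
        printf '    X11Forwarding no\n'
        printf '    ForceCommand /bin/false\n'  # assumed path
    } > "$OUT_DIR/sshd_jump.conf"
    printf '%s\n' "$OUT_DIR/sshd_jump.conf"
}

client=$(write_client_config)
server=$(write_jumphost_config)
printf 'wrote %s and %s\n' "$client" "$server"
printf 'usage: ssh A      (hops through X, lands on A)\n'
printf '       ssh -N A   (then browse http://localhost:2080/)\n'
```

Note that the server-side fragment only works for the ProxyJump style: `ssh -W` needs just a direct-tcpip channel, so `ForceCommand /bin/false` and `PermitTTY no` do not get in its way, whereas Daniel's `ssh X -t ssh A` form needs a real shell on X and would be blocked by it. The `PermitOpen` list is what keeps X from becoming a general relay to the rest of the local net.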


