[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Simple IP-Forwarding problem



Hi,

* Marc Mueller <spam@gmx.de> [2005-07-13 15:20:33 +0200]:

>I have no administrative access rights on the three servers outside to 
>change any network settings.  :-(
>I can only modify the firewall-rules on the server in the middle.

I too have the same thing. Through my office sshing to any server outside the
local network is not permited. Unfortunately I do not control the main firewall and
even I do not have control over the server on DMZ. So the best way without
compromising the security of any system is to use ssh tunnel (if the server
X in your case allows tunnels to be created, which it should). I use the
following commands:
$ ssh -NfqL22:my.server.net:22 my_user_id@server.dmz.net
$ ssh me@localhost

>
>SSH tunnel would be possible, of course - but it would be an
>additional step for the users each time they want to connect to
>the servers outside - and i have to allow ssh-access on the server
>in the middle, what I'd like to avoid.

Beleive me that it is the simplest way to do what you want without
compromising any security. my.server.net will see all the connections from
your machine as if they originate from server.dmz.net. As far as additional
user-ids is concerned you can create one generic logon for this and even if
seperate user-ids then it is worth it, unless some one has already comeup
with the iptables rules working for you.
-- 
Ajitabh Pandey
http://www.ajitabhpandey.info
ICQ - 150615062
Registered Linux User - 240748
GnuPG Key ID - 35CF8CC4
Key fingerprint = E1A8 657D BE0C 4747 52EC  10C4 1AC2 C124 35CF 8CC4
-----------------------------------
Asha 5k -- Run to Educate!
Saturday, Aug 20th, 2005
http://www.ashaforeducation.org/nycnj/5k
Q:	What's a light-year?
A:	One-third less calories than a regular year.

Attachment: signature.asc
Description: Digital signature


Reply to: