
Re: Some routing advice (connecting through SSH)



On 26 Oct 2001, Adam Warner wrote:

> On Fri, 2001-10-26 at 03:07, George Karaolides wrote:
>  
> > Now to determine some more facts about the network geometry.  I assume
> > that machine R at your institution has one interface connected to the
> > Internet, with a public IP address, and one on the institution's LAN with
> > a private IP address.
> 
> Just one public IP address. But after Code Red they unilaterally
> firewalled all incoming connections, even to the Dept's web servers!
> (something I had to alert people about). I'm not serving public content
> on this machine.

OK, so machine R has one public IP address, routed through your
institution's gateway/firewall.

> It's well firewalled locally (iptables). I'm pretty sure no one will be
> able to connect from anywhere else (I'm employing IP address checking,
> port blocking and of course password protection). Ping is global but
> that's because I believe people should be able to check if a machine
> connected to a public IP address is functioning.

Your security sounds OK, but do look at some kernel settings in /proc.
For example, enabling syncookies is a good idea, and disabling replies to
broadcast pings:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

> 
> > Also, that the services you want to access are also on the institution's LAN.
> 
> I think access to services is determined by network card mac address.
> 

I think the following would work:

1. Set up an IP tunnel between machines H and R.  Now I haven't done this
before but I know it can be done.  Look for "IP:tunneling"
(CONFIG_NET_IPIP) in the kernel configuration options, under "Networking
options".  Quoting from the help on this:

"This particular tunneling driver implements encapsulation of IP within IP, 
which sounds kind of pointless, but can be useful if you want to make your
(or some other) machine appear on a different network than it physically
is...check out http://anchor.cs.binghamton.edu/~mobileip/LJ/index.html",

which kind of sounds like what you need.  As I said, I haven't tried this
before, but I am virtually sure that you use this to set up a network
interface representing the "entrance" of the tunnel.

2. Set up the routing table on machine H to route all traffic destined for
your institution's network IP address space (get that from your friendly 
admin, if you haven't got it already) to use the tunnel interface.

3. On machine R, enable IP masquerading, with the tunnel interface as the
"internal" interface and the machine's actual publicly available interface
as the "world" interface.

This should be the basis for your solution.  The routing on machine H will
make it access the machines at your institution through the tunnel
and machine R, not the Internet.  Masquerading on R will make those
machines think they are being accessed by R instead of H, which is what
you want. They will reply to R, and the demasquerading will
then forward everything back to H.  Linux networking magic at its best.

I am also virtually sure you can build this to work for all machines in
your private LAN at home, with machine H as gateway.

Though I have no hands-on experience of this, I will, of course, try
and help out with any questions of yours which might arise if you do try
it, to the best of my ability.  Do let me know how you get on!

Best regards,

George Karaolides       8, Costakis Pantelides St.,
tel:   +35 79 68 08 86                   Strovolos, 
email: george@karaolides.com       Nicosia CY 2057,
web:   www.karaolides.com      Republic  of Cyprus
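The three-step setup George describes (tunnel, routing on H, masquerading on R), written out as an added example that is not part of the original mail or of either machine's real configuration: it uses today's iproute2 and iptables commands rather than the 2001-era tools, every address and the interface name are placeholders you replace for your own hosts, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: George's three steps with modern iproute2/iptables.
# All addresses are constructed placeholders, not the real H or R.
set -eu

H_PUBLIC="${H_PUBLIC:-198.51.100.10}"   # assumed: H's tunnel endpoint address
R_PUBLIC="${R_PUBLIC:-203.0.113.20}"    # assumed: R's single public address
INST_NET="${INST_NET:-10.0.0.0/8}"      # assumed: institution's address space
TUN_H="10.254.0.1"                      # constructed /30 for the tunnel itself
TUN_R="10.254.0.2"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Step 1 (both ends): IP-in-IP tunnel (CONFIG_NET_IPIP / the ipip module).
# $1 = own public address, $2 = peer's public address, $3 = own tunnel address
setup_tunnel() {
    run ip tunnel add ipip0 mode ipip local "$1" remote "$2" ttl 64
    run ip addr add "$3"/30 dev ipip0
    run ip link set ipip0 up
}

# Step 2 (on H): send everything for the institution's range into the tunnel.
setup_routes_h() {
    run ip route add "$INST_NET" via "$TUN_R" dev ipip0
}

# Step 3 (on R): forward tunnel traffic out of the public interface ($1),
# masqueraded so the institution's machines see R as the source.
setup_masq_r() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$TUN_H"/32 -o "$1" -j MASQUERADE
    run iptables -A FORWARD -i ipip0 -o "$1" -s "$TUN_H"/32 -j ACCEPT
    run iptables -A FORWARD -i "$1" -o ipip0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # IPIP carries no authentication or encryption: accept encapsulated
    # packets (IP protocol 4) only from H's endpoint and drop all others.
    run iptables -A INPUT -p 4 -s "$H_PUBLIC" -j ACCEPT
    run iptables -A INPUT -p 4 -j DROP
}

case "${1:-}" in
    H) setup_tunnel "$H_PUBLIC" "$R_PUBLIC" "$TUN_H"; setup_routes_h ;;
    R) setup_tunnel "$R_PUBLIC" "$H_PUBLIC" "$TUN_R"; setup_masq_r "${2:-eth0}" ;;
esac
```

Run it as `sh tunnel.sh H` on the home machine and `sh tunnel.sh R eth0` on the institution machine; since IPIP is unauthenticated, keep the ssh session you already use for anything sensitive inside the tunnel.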