Re: interfaces lo:1 lo:2 lo:3? (for remote ssh tunnels)
Will Trillich wrote:
On Fri, Jun 25 at 01:24PM +0800, John Summerfield wrote:
Will Trillich wrote:
On Fri, Jun 25 at 11:46AM +0800, John Summerfield wrote:
Will Trillich wrote:
can linux have multiple 127.0.0.1 interfaces? if so, how?
I'm not talking to myself, I'm talking to someone else. Therefore I
shouldn't use a local interface.
i think one of us doesn't understand the problem solved by
port-forwarding...?
turns out the vast majority of these connections will be coming
from beyond a remote firewall (remote from where the server is
located on the 'net):
Cool. That's the problem tunneling (port forwarding) solves. So does
openvpn, but more generally: it can make two lans separeted by the
hostile Internet seem to be one.
client
192.168.9.9
|
192.168.0.1
client firewall
11.22.33.44
|
| internet
|
22.44.66.88
server's firewall
10.1.1.1
|
10.1.2.3
server
the server can't open a port on the client machine, cuz it can't
get past the client firewall. the client CAN ssh past the server
virewall (that's how the latter is set up) to the server itself
and establish a remote-to-local forwarding rule. if the server
can be made to chat with a localhost interface using a port to
match the forwarding setup, it will work -- for one user per
loopback interface.
I don't understand why the server would be making the connexion request.
By definition, the client does that.
Here's what openvpn does:
traceroute to 192.168.1.252 (192.168.1.252), 30 hops max, 38 byte packets
1 ns (192.168.9.4) 0.359 ms 0.226 ms 0.209 ms
2 gw (192.168.9.1) 0.413 ms 192.168.7.254 (192.168.7.254) 0.929 ms
0.552 ms
3 192.168.1.252 (192.168.1.252) 1058.580 ms 1103.616 ms 1066.529 ms
summer@Dolphin:~$
The internet is between 2 & 3. I can see all hosts on 1.x and other
networks it can route to, and they can see me. Of course, I can add
rules to the firewalls, and I could use NAT.
I'm running openvpn on gw at my end (my firewall, a Powermac running
Woody) and the host at the other end is inside the firewall, a
commercial ADSL router.
Using ssh the way _I_ described. I can connect from my system at home to
hosts at work. In the specific example I gave, I could connect to the
webserver on 127.0.0.1.
With this command:
ssh -L 8088:192.168.4.254:80 192.168.1.252
if I open my browser on http://127.0.0.1:8088/ then ssh forwards the
connexion request to 1.252 and from there makes a connextion request to
port 80 on 192.168.4.254 which could be an ADSL router. The router would
see the request as coming from 1.252.
There's no objection to using eth0:${n}, and you can also use dummy:
How many do you want?
for n in 1 2 3 4 5 6 7 8 9; do ifconfig dummy0:$n 192.168.19.${n};done
about those dummy interfaces... can they be made into loopback
devices? and if so, how?
You don't want loopback devices. The loopback device is for me to send
messages to myself: the client and server are on the same box.
_I_ would use the IP address of an existing interface. Servers can
generally accept many requests to the one port and IP address.
On this box, I can address my webserver with either of these IP addresses:
summer@Dolphin:~$ ifconfig | grep inet
inet addr:192.168.9.114 Bcast:192.168.9.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
summer@Dolphin:~$
Whether I actually get the same content depends on the configuration of
the web server, but that's a topic for another time.
--
Cheers
John
-- spambait
1aaaaaaa@computerdatasafe.com.au Z1aaaaaaa@computerdatasafe.com.au
Reply to: