
Re: Remote administration of a machine behind NAT



On Tue 9 September 2008 13:39, Alex Samad wrote:
[...]
> don't see the difference between connectivity via the internet or via an
> openvpn network, if your rule states only allow ssh (+ related traffic +
> only if it originates from your machine )
> over the openvpn network

If you leave aside the iptables rules, you can almost always connect from a
client to a server with a public IP (not behind a NAT). But you cannot
connect directly to a box behind a NAT. So the only way to establish a
connection is to initiate the connection from the box behind the NAT.

Secondly, you can initiate an SSH connection, but you will not have
everything, or a VPN to route all the network traffic. As I explained, you have
to initiate the VPN connection from the NATted box to the other. Afterwards,
both boxes are on the same network (the VPN).

Now, you have to protect the admin box from an attack initiated from the
NATted box (mother's), because this box is not secure. So you set iptables
rules on the admin box to filter every byte that comes from the NATted
box.

Then you can still go on the internet with your normal connection, but you
cannot use it to connect directly to the NATted box, as it is NATted and
does not have a public IP. But you can connect to it using the VPN, because
you are both on the same private network. And your box is protected from
malware installed on the NATted box.

I hope I was clear with my explanations.

Regards


Fanfan
-- 
http://www.cerbelle.net - http://www.afdm-idf.org
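
The setup described in the reply above (tunnel brought up from the NATted box, admin box filtering everything the NATted box initiates over the VPN), as an added example that is not part of the original message or Fanfan's own configuration. The interface names tun0 and eth0, the OpenVPN port 1194 and the admin box address 203.0.113.10 are assumptions chosen for illustration; adjust them to the real setup.

```shell
#!/bin/sh
# Added example, not from the original post: firewall for the admin box so that
# the NATted box can only *answer* connections the admin box opens over the VPN
# and can never open one of its own towards the admin box.
#
# Assumptions (hypothetical, override via environment): the OpenVPN tunnel on
# the admin box is tun0, its public interface is eth0, and the NATted box dials
# in to UDP 1194. ADMIN_PUBLIC_IP is a placeholder used in the client config.
VPN_IF=${VPN_IF:-tun0}
PUB_IF=${PUB_IF:-eth0}
OVPN_PORT=${OVPN_PORT:-1194}
ADMIN_PUBLIC_IP=${ADMIN_PUBLIC_IP:-203.0.113.10}   # RFC 5737 documentation address

# OpenVPN client config for the NATted box: it initiates the tunnel towards the
# admin box and keeps re-dialling, which is what makes the box reachable at all.
client_conf() {
    cat <<EOF
client
dev tun
proto udp
remote $ADMIN_PUBLIC_IP $OVPN_PORT
keepalive 10 60
persist-tun
persist-key
EOF
}

# Print the admin-box iptables commands instead of applying them, so the policy
# can be reviewed and tested before being piped into a root shell. Each rule is
# guarded with -C so the script can be re-run without duplicating rules.
vpn_rules() {
    cat <<EOF
# The NATted box must be able to reach the OpenVPN port on the public interface.
iptables -C INPUT -i $PUB_IF -p udp --dport $OVPN_PORT -j ACCEPT 2>/dev/null || iptables -A INPUT -i $PUB_IF -p udp --dport $OVPN_PORT -j ACCEPT
# Everything arriving through the tunnel is handled by a dedicated chain,
# inserted at the top of INPUT so no earlier ACCEPT can bypass it.
iptables -N VPN_IN 2>/dev/null || iptables -F VPN_IN
iptables -C INPUT -i $VPN_IF -j VPN_IN 2>/dev/null || iptables -I INPUT 1 -i $VPN_IF -j VPN_IN
# Replies to sessions the admin box started (e.g. its outgoing SSH) are allowed.
iptables -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything the NATted box initiates is logged (rate-limited) and dropped.
iptables -A VPN_IN -m limit --limit 5/min -j LOG --log-prefix "vpn-peer-drop: "
iptables -A VPN_IN -j DROP
# Never route the NATted box's traffic onwards through the admin box.
iptables -C FORWARD -i $VPN_IF -j DROP 2>/dev/null || iptables -A FORWARD -i $VPN_IF -j DROP
EOF
}

# Static check of the generated policy. Returns 0 when (a) the tunnel jump is
# inserted at position 1 of INPUT, (b) the only ACCEPT in VPN_IN is for
# ESTABLISHED,RELATED, (c) VPN_IN ends in DROP and (d) nothing from the tunnel
# is forwarded; returns 1 otherwise.
check_policy() {
    rules=$(vpn_rules | grep -v '^#')
    printf '%s\n' "$rules" | grep -q -e "-I INPUT 1 -i $VPN_IF -j VPN_IN" || return 1
    stray=$(printf '%s\n' "$rules" | grep -e '-A VPN_IN' | grep -e '-j ACCEPT' \
            | grep -vc 'ESTABLISHED,RELATED' || true)
    [ "$stray" -eq 0 ] || return 1
    printf '%s\n' "$rules" | grep -e '-A VPN_IN' | tail -n 1 | grep -q -e '-j DROP' || return 1
    printf '%s\n' "$rules" | grep -q -e "-A FORWARD -i $VPN_IF -j DROP" || return 1
    return 0
}

# Apply on the admin box as root; run "$0 check" first and inspect "$0 show".
apply_rules() {
    vpn_rules | grep -v '^#' | sh -e
}

case "${1:-show}" in
    show)   vpn_rules ;;
    client) client_conf ;;
    check)  check_policy && echo "policy ok" ;;
    apply)  check_policy && apply_rules ;;
esac
```

With this in place the admin box's own `ssh 10.8.0.2` (or whatever address OpenVPN hands the NATted box) works because its replies match ESTABLISHED,RELATED, while any SYN, ping or UDP probe the NATted box sends towards the admin box shows up as a `vpn-peer-drop:` line in the kernel log and goes no further. Verify on the admin box with `iptables -L VPN_IN -v -n` and by attempting a connection from the NATted side.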

