
Re: Remote administration of a machine behind NAT



On Tue, Sep 09, 2008 at 01:50:05PM +0200, François Cerbelle wrote:
> 
> On Tue, 9 September 2008 13:39, Alex Samad wrote:
> [...]
> > don't see the difference between connectivity via the internet or via an
> > openvpn network, if your rule states only allow ssh (+ related traffic +
> > only if it originates from your machine )
> > over the openvpn network
> 
> If you forget the iptables rules, you can almost always connect from a
> client to a server with a public IP (not behind a NAT). But you cannot
> connect directly to a box behind a NAT. So, the only way to establish a
> connection is to initiate the connection from the box behind the NAT.
True, and openvpn can keep the connection up, and can be started on boot
up. So essentially, as long as both ends are up and they have an internet
connection, then the vpn will be up.

> 
> Secondly, you can initiate an SSH connection, but you will not have
> everything, or a VPN to route all the network traffic. As I explained, you
> have to initiate the VPN connection from the NATted box to the other.
> Afterwards, both boxes are on the same network (VPN).

But you will, as stated above: if both machines have an internet connection
then openvpn will create the tunnel.

For example, on my laptop I have an openvpn tunnel back to my house. When
I'm nowhere near a wireless hot spot it sits there trying to connect but
can't; once I get an internet connection it makes the connection and I am
connected back home.

> 
> Now, you have to protect the admin box from an attack initiated from the
> NATted box (mother's), because this box is not secure. So, you set iptables
> rules on the admin box to filter every byte which comes from the NATted
> box.
> 
> Then, you can still go on the internet with your normal connection, but you
> cannot use it to connect directly to the NATted box, as it is NATted and
> does not have a public IP. But you can connect to it using the VPN because
> you are both on the same private network. And your box is protected from
> malware installed on the NATted box.

I thought that is what I implied/said :)

> 
> I hope I was clear with my explanations.
> 
> Regards
> 
> 
> Fanfan
> -- 
> http://www.cerbelle.net - http://www.afdm-idf.org
> 

-- 
"Brie and cheese."

	- George W. Bush
08/23/2001
Crawford, TX
to reporters, on what he imagines reporters eat
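The setup discussed in this thread (tunnel initiated from the NATted box and kept alive across reconnects; admin box accepting nothing over the tunnel except replies to the ssh sessions it opened itself), as an added example that is not part of the original thread, of Debian's packaging, or of OpenVPN's own files. Everything here is assumed for illustration: interface tun0, admin box 10.8.0.1 and mother's box 10.8.0.2 inside the tunnel, the admin box reachable as admin.example.org on 1194/udp with an OpenVPN server and certificates already set up there, sshd on port 22. Run without arguments the script only prints the admin-box rules; `apply` executes them (as root on the admin box) and `conf` prints the client config for the NATted box.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: VPN interface tun0,
# admin box 10.8.0.1 and the NATted (mother's) box 10.8.0.2 inside the tunnel,
# the admin box reachable as admin.example.org:1194/udp, sshd on port 22.
set -eu

VPN_IF="${VPN_IF:-tun0}"
ADMIN_VPN_IP="${ADMIN_VPN_IP:-10.8.0.1}"
NAT_BOX_VPN_IP="${NAT_BOX_VPN_IP:-10.8.0.2}"

# OpenVPN client config for the NATted box. It dials out, so no port
# forwarding is needed on mother's router; resolv-retry and keepalive make
# the client keep retrying and re-establish the tunnel whenever the
# internet link comes back, which is what keeps the connection "up".
natbox_openvpn_conf() {
cat <<EOF
client
dev tun
proto udp
remote admin.example.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# ping every 10 s, restart the tunnel after 60 s of silence
keepalive 10 60
ca ca.crt
cert natbox.crt
key natbox.key
verb 3
EOF
}

# iptables rules for the admin box: over the tunnel, accept only packets
# belonging to connections the admin box opened itself, originate only ssh
# towards the NATted box, and forward nothing in either direction so the
# NATted box cannot use the admin box as a router. OpenVPN's own UDP packets
# travel over the physical interface, not tun0, so they are unaffected.
admin_rules() {
cat <<EOF
iptables -N VPN_IN
iptables -A INPUT -i $VPN_IF -j VPN_IN
iptables -A VPN_IN -s $NAT_BOX_VPN_IP -d $ADMIN_VPN_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_IN -j DROP
iptables -A OUTPUT -o $VPN_IF -d $NAT_BOX_VPN_IP -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -j DROP
iptables -A FORWARD -i $VPN_IF -j DROP
iptables -A FORWARD -o $VPN_IF -j DROP
EOF
}

case "${1:-print}" in
    apply) admin_rules | sh -e ;;   # run as root on the admin box
    conf)  natbox_openvpn_conf ;;   # save as /etc/openvpn/natbox.conf on the NATted box
    *)     admin_rules ;;
esac
```

On Debian the openvpn init script starts every /etc/openvpn/*.conf at boot, so saving the client config there gives the "started on boot" behaviour from the thread without any extra scripting. Note that the OUTPUT and FORWARD drops mean the admin box can do nothing over the tunnel except ssh to the NATted box; if you later want to push files or forward X11, those go inside the ssh session (scp, -X) rather than as new rules.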


