
Re: Remote administration of a machine behind NAT



On Tue, Sep 09, 2008 at 10:42:31PM +0300, Andrei Popescu wrote:
> On Tue,09.Sep.08, 13:50:05, François Cerbelle wrote:
>  
> [...]
> 
> > Now, you have to protect the admin box from an attack initiated from the
> > NATted box (mother's). Because this box is unsure. So, you set iptables
> > rules on the admin box to filter every byte which comes from the NATted
> > box.
> 
> Yes, this is my problem
> 
> > Then, you can still go on the internet with your normal connection, but you can
> > not use it to connect directly to the NATted box, as it is natted and it
> > does not have a public IP. But you can connect to it using the VPN because
> > you are both on the same private network. And your box is protected from
> > malware installed on the NATted box.
>  
> What is protecting me from the malware, because I still have to open the 
> firewall for the VPN? Or do you mean I can firewall the traffic going 
> through the VPN?

The open connection to the internet that allows the VPN traffic through
only allows specific traffic through, and you have to authenticate with
an X.509 certificate (make a 4096-bit key if you want); only a person
with the certificate can create the VPN connection.

Then you put your firewall in place; just make it outbound only, so
only connections from your machine out are allowed.


You can do tricky things with your firewall to stop (!?) DDoS on the
OpenVPN server end as well.

> 
> This is interesting, but it adds additional complexity to the setup.  
> I've set up a reverse ssh tunnel using a (very) restricted key. Hope 
> it's enough.

Very much the same setup. Again, if the tunnel is up and the other person
has malware, then they will have access to your machine unless you
firewall. I am not sure where ssh tunnel packets get injected into
iptables?


> 
> Regards,
> Andrei
> -- 
> If you can't explain it simply, you don't understand it well enough.
> (Albert Einstein)



-- 
"As a matter of fact, I know relations between our governments is good."

	- George W. Bush
11/08/2005
Washington, DC
On U.S.-South Korean relations
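
The outbound-only firewall suggested in the reply above, limited to the VPN interface on the admin box, as an added example that is not part of the original thread. The interface name `tun0`, the chain name `VPN_IN`, the `DRY_RUN` switch and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): let the admin box open connections
# through the tunnel, but refuse anything the NATted peer initiates.
# Assumed names: tun0 (VPN interface), VPN_IN (chain), DRY_RUN (print only).
# IPv4 only; repeat with ip6tables if the tunnel carries IPv6.

# Run iptables, or just print the command when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

vpn_outbound_only() {
    ifc="${1:-tun0}"

    # Dedicated chain: create it, or flush it if it already exists,
    # so the function can be re-run without duplicating rules.
    ipt -N VPN_IN 2>/dev/null || ipt -F VPN_IN

    # Replies to connections this machine opened (and related ICMP errors).
    ipt -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Everything else from the tunnel is a new inbound attempt: log, then drop.
    ipt -A VPN_IN -m limit --limit 6/min -j LOG --log-prefix "vpn-in-drop: "
    ipt -A VPN_IN -j DROP

    # Hook the chain first in INPUT (traffic to this box) and FORWARD
    # (traffic routed through it), removing any earlier copy of the jump.
    for hook in INPUT FORWARD; do
        ipt -D "$hook" -i "$ifc" -j VPN_IN 2>/dev/null || true
        ipt -I "$hook" 1 -i "$ifc" -j VPN_IN
    done
}

# Apply as root with:  sh this_script apply tun0
if [ "${1:-}" = "apply" ]; then
    vpn_outbound_only "${2:-tun0}"
fi
```

Running it with `DRY_RUN=1` set prints the rules instead of installing them, which allows a review before they are applied.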
