[rescue] how to use a NAT/PAT to forward SSH to an internalbox
Steve Sandau
rescue at sunhelp.org
Sat Jan 5 22:04:33 CST 2002
> > As far as I can tell, that's the show stopper. I don't see that the ssh
> > request carries the requested server hostname in it anywhere.
>
> Right, perhaps a startup script which would send that data to the "other
> program"
>
> > the "other program" listening on
> > port 22 on the firewall could pick the requested server hostname out of
> > the packet and behave like a proxy and send the request to the
> > appropriate inside machine.
>
> or it could look up the private address and establish a portmap between:
> 1. a port in a designated range of available ports > 1024 and
> 2. port 22 on the destination machine
> and then report that port# back to the initiating script which could pass it
> to the ssh session when it starts it up.
Yeah, some kind of proxy.
I think the ssh client would have to be altered for this... I can't see
that the ssh protocol (at least what I can see with a sniffer) includes
the server name. I can't find anything in a "sniffed" ssh conversation
that specifies the server at all. There just isn't enough information
(that I can see) to determine which of the inside hosts gets the
connection.
If you wanted to, you could probably write a client "wrapper" script and
a server "wrapper" script that would do the port negotiation and the
proxying setup and then allow the client and server to talk to each
other and proxy the exchange.
>
> > To make this work, all of the internal machine names would have to
> > resolve to your one external IP address.
> >
> Yes, in the same way that http:// virtual servers work.
Except the virtual servers like that I've played with are on the same
machine. It also appears that http includes the hostname in the original
request. (I checked this with a sniffer.)
This might be a neat thing to have, even if it did require a special
client. Still, at that point you might as well just set up a proxy on
your firewall on an odd port to take care of each incoming connection...
--
Steve Sandau
ssandau at bath.tmac.com
More information about the rescue
mailing list