[rescue] how to use a NAT/PAT to forward SSH to an internal box

Greg A. Woods rescue at sunhelp.org
Sat Jan 5 13:51:09 CST 2002


[ On Saturday, January 5, 2002 at 14:03:07 (-0500), George Adkins wrote: ]
> Subject: Re: [rescue] how to use a NAT/PAT to forward SSH to an internal box
>
> On Saturday 05 January 2002 03:36 am, you wrote:
> 
> > > The intent here is to provide a _transparent_ method to access hosts on a
> > > remote RFC1918 network via SSH by hostname alone, without using
> > > additional live IP's or non-standard ports.
> > >
> > > I want any user anywhere to be able to type:
> > > rubicon# ssh user at ballocks.webbastard.org
> > > and get through to a machine with an IP address of 172.31.110.24
> >
> > You "MUST" use an additional IP# (or a unique non-standard port) per
> > internal host.  Period.  What do you expect?  Black magic?
> 
> Um, yeah.
> 
> the intent of the thread was to discuss ways to make this possible without 
> redirecting a real-world IP or using nonstandard ports.  (I wouldn't have 
> brought it up if it were already in use...)

You can't.  It's fundamentally impossible.

One way or another you have to tell SSH where to connect (IP#/port#).
It defaults to using port#22 at the hostname given on the command-line
and uses a client specific mechanism to determine what IP# corresponds
to that hostname.

Private networks are, by definition private.  My 10.10.10.10 is
different from your 10.10.10.10.  There's no way to distinguish between
the two on the public Internet, and by necessity you're not allowed to
advertise a route for your private networks any more than I'm allowed to
do so.

That means if you want to connect to an internal host on any private
network, from the public Internet, you "MUST" provide a TCP/IP
compatible way to map from some combination of IP#/port# to the internal
host which initially directs SSH to connect to some IP#/port# that's on a
gateway for the private network.  You can do that with a NAT or PAT
capable router by assigning either unique external public IP#s, or
unique custom port#s, for every corresponding internal host you wish to
connect to.  It's that plain and simple.  There's nothing more magic you
can do, not even theoretically.

(Well, actually there might be some policy-based routing/NAT tricks if
you only ever wanted to connect to one given internal host from one
given external client, but that's about it and your requirements seemed
to be for something more generic than that.  You could also extend the
SSH protocol definition so that it had a built-in concept of having an
application level proxy gateway, re-write all the clients you'd use and
of course also write such a gateway to run on your firewall, but
then you'd have to do "myssh gateway.hostname internal.hostname" --
i.e. use two hostnames instead of one, but again that's kinda silly.)

The only other obvious solution is the "multi-hop" one.  I.e. SSH to the
firewall, login on the firewall, and then SSH to the desired internal
host (given that your firewall's SSH client can resolve internal IP#s
when given internal hostnames).  If you don't like to allow logins on
the firewall itself then you can transparently NAT all port#22
connections to some specific internal gateway behind the firewall.  Of
course doing the latter will mean that to SSH to the firewall itself,
from the public Internet, you'll have to first login to the internal
gateway box, then SSH to the firewall's internal interface.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
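As an added illustration of the two workable approaches in the reply above (unique external port per internal host, or multi-hop through the gateway), not part of the original thread: a client-side ~/.ssh/config that lets a user type `ssh ballocks` or `ssh gamma` by name alone, while the real connection goes to the gateway. It assumes a gateway reachable as gw.webbastard.org, the internal host 172.31.110.24 from the quoted message, a second internal host gamma at a made-up 172.31.110.25, a made-up external port 2224 on the gateway's PAT, and an OpenSSH client with ProxyJump (7.3 or later).

```sshconfig
# Approach 1: PAT on the gateway. The router maps one unique external
# port to each internal host, e.g. gw.webbastard.org:2224 -> 172.31.110.24:22
# (the port number is a constructed example). The user types "ssh ballocks";
# this alias supplies the gateway address and the mapped port.
Host ballocks ballocks.webbastard.org
    HostName gw.webbastard.org
    Port 2224
    # Record and check the host key under the internal host's own name, so
    # another internal box mapped to a different gateway port is never
    # mistaken for this one in known_hosts.
    HostKeyAlias ballocks.webbastard.org

# Approach 2: multi-hop. Connect to the gateway on the standard port and let
# it open the second hop to the private address. The gateway must be able to
# reach/resolve the internal host; the client needs no route to 172.31.0.0/16.
Host gw gw.webbastard.org
    HostName gw.webbastard.org
    Port 22

# gamma at 172.31.110.25 is a constructed second internal host.
Host gamma gamma.webbastard.org
    HostName 172.31.110.25
    ProxyJump gw
    HostKeyAlias gamma.webbastard.org
```

If logins on the firewall itself are not wanted, the `gw` entry can instead point at an internal jump box that the firewall forwards all port 22 traffic to, exactly as the reply describes.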
