[rescue] how to use a NAT/PAT to forward SSH to an internal box

Steve Sandau rescue at sunhelp.org
Sat Jan 5 20:00:10 CST 2002


George Adkins wrote:
> 
> > > the intent of the thread was to discuss ways to make this possible
> > > without redirecting a real-world IP or using nonstandard ports.  (I
> > > wouldn't have brought it up if it were already in use...)
> >

Watching an SSH connection with a packet sniffer shows me that client
resolves the server host name to IP first. Obviously, this needs to be a
"real world" IP address, therefore, it must be your one and only
external IP. Next, the session gets requested on port 22. Either sshd is
listening on your firewall with your one external IP (this could only
connect you to local machine, I think) *or* some other program is
listening. To get where we want to go, it has to be option 2, "some
other program." This other program then, needs to find some information
in the ssh request to tell it which internal machine to route the
connection to. (This assumes we have multiple inside machines. We do,
right?)

As far as I can tell, that's the show stopper. I don't see that the ssh
request carries the requested server hostname in it anywhere. *If* it
did (or does and I can't see it) then the "other program" listening on
port 22 on the firewall could pick the requested server hostname out of
the packet and behave like a proxy and send the request to the
appropriate inside machine.

To make this work, all of the internal machine names would have to
resolve to your one external IP address.

Anyone know enough about the internals of ssh to differentiate incoming
requests based on the requested server name, *not* the requested server
IP? That would seem to be the key...


-- 
Steve Sandau
ssandau at bath.tmac.com
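As an added illustration of the point the post makes (this is example code, not anything from the rescue list or its participants), the Python below builds and parses what a listener on port 22 actually receives at the start of an SSH-2 session: the client identification string and the KEXINIT packet, using the framing later standardized in RFC 4253. The sample bytes are constructed, not captured, and the client name `ExampleClient_0.1` and the algorithm lists are placeholders. Every field the client sends before key exchange is enumerated, and none of them is the hostname the client resolved before connecting, which is exactly why a port-22 proxy on the firewall has nothing to dispatch on.

```python
"""Added example: what a port-22 listener sees before SSH key exchange.

Constructed sample data; not a capture from any real client.
"""
import struct

SSH_MSG_KEXINIT = 20

# Name-lists in the order RFC 4253 section 7.1 defines them inside KEXINIT.
KEXINIT_NAMELISTS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]


def build_kexinit(namelists, cookie=b"\x00" * 16):
    """Build an unencrypted SSH-2 binary packet carrying a KEXINIT (constructed sample)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in namelists:
        encoded = ",".join(names).encode("ascii")
        payload += struct.pack(">I", len(encoded)) + encoded
    payload += b"\x00"             # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved for future extension
    # Padding: 4 + packet_length must be a multiple of 8 and padding is at least 4 bytes.
    padding_len = 8 - ((5 + len(payload)) % 8)
    if padding_len < 4:
        padding_len += 8
    header = struct.pack(">IB", 1 + len(payload) + padding_len, padding_len)
    return header + payload + b"\x00" * padding_len


def parse_client_hello(data):
    """Parse identification string plus first packet; return every visible field."""
    line_end = data.index(b"\r\n")
    ident = data[:line_end].decode("ascii")
    if not ident.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    pos = line_end + 2
    packet_len, padding_len = struct.unpack_from(">IB", data, pos)
    pos += 5
    payload = data[pos:pos + packet_len - padding_len - 1]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("expected KEXINIT, got message type %d" % payload[0])
    fields = {"identification": ident, "cookie": payload[1:17].hex()}
    off = 17
    for name in KEXINIT_NAMELISTS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        fields[name] = payload[off:off + n].decode("ascii").split(",") if n else []
        off += n
    fields["first_kex_packet_follows"] = bool(payload[off])
    # Nothing above is defined to carry the name the client resolved before connecting.
    return fields


# Constructed sample: placeholder client name and a minimal set of algorithm lists.
SAMPLE_NAMELISTS = [
    ["diffie-hellman-group14-sha1"],
    ["ssh-rsa"],
    ["aes128-ctr"], ["aes128-ctr"],
    ["hmac-sha1"], ["hmac-sha1"],
    ["none"], ["none"],
    [], [],
]
CLIENT_HELLO = b"SSH-2.0-ExampleClient_0.1\r\n" + build_kexinit(SAMPLE_NAMELISTS)

if __name__ == "__main__":
    for key, value in parse_client_hello(CLIENT_HELLO).items():
        print("%-40s %s" % (key, value))
```

Running the block prints each field a firewall-side listener could inspect; the identification string names the client software and protocol version, the KEXINIT names algorithms, and no field names a server host. That matches the "show stopper" in the post: unlike TLS, which later gained a server-name extension, the SSH transport gives a proxy no in-band hostname to dispatch on.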


