[rescue] how to use a NAT/PAT to forward SSH to an internal box

Greg A. Woods rescue at sunhelp.org
Sun Jan 6 01:02:56 CST 2002


[ On Saturday, January 5, 2002 at 21:00:10 (-0500), Steve Sandau wrote: ]
> Subject: Re: [rescue] how to use a NAT/PAT to forward SSH to an internal box
>
> Anyone know enough about the internals of ssh to differentiate incoming
> requests based on the requested server name, *not* the requested server
> IP? That would seem to be the key...

Yes, I know more than enough about the internals of SSH to answer.  SSH
really is just using a TCP connection -- there's no provision for any
kind of inbound gateway de-multiplexing.  You cannot do what George
wants without re-engineering the protocol to provide for an
application-level gateway mechanism that will forward authorised
connection attempts over a second TCP connection on the internal private
network.  Doing that will entail re-coding the clients and at least the
gateway daemon (and maybe even the daemons running on the internal
machines too if you want to get all the host authentication right).  It
would also require the user to supply two hostnames -- one being the
gateway, and one being the private internal hostname.

Outbound SSH connections work transparently through a NAT/PAT gateway
because the source address of a TCP connection can be transparently
translated -- the outside world just sees a bunch of SSH connections all
coming from the same machine (i.e. from the firewall).

If you want inbound SSH connections to go to more than one machine then
you "MUST" do something at the TCP/IP level to map addresses and/or
ports in some static and thus predictable manner.

The best way to solve this problem, and the way I've implemented it in
several places, and have seen implemented in many other places, is to do
a multi-hop login, either through the firewall itself, or by mapping all
SSH connections to some internal gateway machine.

-- 
Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
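The two workable approaches from the post, a static per-port PAT mapping and a multi-hop login through the gateway, as an added example that is not part of the original message. Gateway address 203.0.113.10, host names and 10.0.0.0/24 addresses are constructed; the check on the mapping and the HostKeyAlias point (one known_hosts entry per internal host rather than per gateway port) are the practitioner's concerns, not anything the post spells out.

```python
"""Static PAT mapping for inbound SSH to several internal hosts."""

# Constructed for this example: one distinct external port on the gateway
# per internal host; every internal sshd listens on 22.
GATEWAY_IP = "203.0.113.10"
MAPPING = {
    2201: ("alpha", "10.0.0.11"),
    2202: ("beta", "10.0.0.12"),
    2203: ("gamma", "10.0.0.13"),
}


def validate(mapping):
    """The translation must be static and one-to-one: SSH carries no
    requested-hostname field, so the gateway can only decide where an
    inbound connection goes from the port it arrived on."""
    addrs = set()
    for port, (_, addr) in mapping.items():
        if not 1024 <= port <= 65535 or addr in addrs:
            return False
        addrs.add(addr)
    return True


def dnat_rules(mapping, gateway_ip):
    """Firewall-side rules: one DNAT per external port (iptables syntax)."""
    return [
        "iptables -t nat -A PREROUTING -d %s -p tcp --dport %d "
        "-j DNAT --to-destination %s:22" % (gateway_ip, port, addr)
        for port, (_, addr) in mapping.items()
    ]


def ssh_config(mapping, gateway_ip):
    """Client-side stanzas for the PAT approach. HostKeyAlias stores each
    internal host's key under its own name; otherwise known_hosts keys it
    as [gateway]:port, and re-mapping a port later either breaks the user
    or, if they are used to clicking through, hides a real key change."""
    lines = []
    for port, (name, _) in mapping.items():
        lines += ["Host %s" % name, "    HostName %s" % gateway_ip,
                  "    Port %d" % port, "    HostKeyAlias %s" % name, ""]
    return "\n".join(lines)


def multihop_config(mapping, gateway_ip):
    """The post's preferred approach: log in to the gateway, then hop to
    the internal box. ProxyJump does both hops from one `ssh alpha`."""
    lines = ["Host gw", "    HostName %s" % gateway_ip, ""]
    for _, (name, addr) in mapping.items():
        lines += ["Host %s" % name, "    HostName %s" % addr,
                  "    ProxyJump gw", ""]
    return "\n".join(lines)
```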
