[rescue] how to use a NAT/PAT to forward SSH to an internal box

Greg A. Woods rescue at sunhelp.org
Sun Jan 6 01:25:45 CST 2002


[ On Sunday, January 6, 2002 at 00:21:52 (-0500), George Adkins wrote: ]
> Subject: Re: [rescue] how to use a NAT/PAT to forward SSH to an internal box
>
> Yes, if you run with the "Wrapper script" idea, you can have it make contact
> with the server side on a high port number, and then not interfere with
> regular port 22 connections to the translation box.
> I wonder if the "proxy" part would work as a script, or it would need to be
> more sophisticated...

It matters not how you manage to tell the client to use a specific port
to connect through to a given internal host.  There are an almost
infinite number of ways to do the mapping, and a very large number of
them are even practical.

The simple answer is to supply a table of host/port mappings right
inside the client wrapper script:

	case "$1" in
	ihosta.mydomain)
		exec real-slogin -p 222 gateway.mydomain
		;;
	ihostb.mydomain)
		exec real-slogin -p 223 gateway.mydomain
		;;
	ihostc.mydomain)
		exec real-slogin -p 224 gateway.mydomain
		;;
	*.mydomain)
		# unknown internal name: complain on stderr, not stdout
		echo "Sorry, unknown internal hostname" 1>&2
		exit 1
		;;
	*)
		# anything else is reached directly
		exec real-slogin "$1"
		;;
	esac

If you want things more dynamic then the easiest thing to do would be to
use the DNS to look up the port number in something like a TXT record:

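	case "$1" in
	*.mydomain)
		# host prints e.g.:  ihosta.mydomain descriptive text "222"
		# keep only the quoted number from the first TXT record
		port=$(host -t txt "$1" | sed -n 's/.*"\([0-9][0-9]*\)".*/\1/p' | head -n 1)
		if [ -n "$port" ] && [ "$port" -gt 0 ] && [ "$port" -lt 1024 ] ; then
			exec real-slogin -p "$port" gateway.mydomain
		else
			echo "Sorry, '$port' for $1 isn't valid." 1>&2
			exit 1
		fi
		;;
	*)
		exec real-slogin "$1"
		;;
	esac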

You might want to do a bit smarter parameter handling in the wrapper
script than I've suggested in my examples, of course...

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
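
An added example (not part of the original post): the TXT-record wrapper with stricter parameter handling, treating both the command-line hostname and the DNS answer as untrusted input. GATEWAY, lookup_txt, txt_to_port and ssh_args_for are hypothetical names, and the HostKeyAlias option assumes real-slogin is an OpenSSH client.

```sh
#!/bin/sh
# Added example, not from the original post. GATEWAY, lookup_txt, txt_to_port
# and ssh_args_for are hypothetical names; real-slogin is the post's renamed
# client, assumed here to be OpenSSH (for the HostKeyAlias option).
GATEWAY=gateway.mydomain

# The live DNS query, kept in one function so it can be stubbed offline.
lookup_txt() { host -t txt "$1" 2>/dev/null; }

# Read `host -t txt` output on stdin; print the port only if exactly one
# line carries a quoted bare number, and that number is in 1..1023.
txt_to_port() {
	ports=$(sed -n 's/^.*[[:space:]]"\([1-9][0-9]\{0,3\}\)"[[:space:]]*$/\1/p')
	set -- $ports
	[ $# -eq 1 ] || return 1
	[ "$1" -lt 1024 ] || return 1
	printf '%s\n' "$1"
}

# Print the real-slogin argument list for target $1, one argument per line.
ssh_args_for() {
	case "$1" in
	''|-*|*[!A-Za-z0-9.-]*)
		# empty, option-like, or containing characters no hostname has
		echo "Sorry, '$1' is not a valid hostname." 1>&2
		return 1 ;;
	*.mydomain)
		port=$(lookup_txt "$1" | txt_to_port) || {
			echo "Sorry, no valid port in DNS for $1." 1>&2
			return 1
		}
		# HostKeyAlias keeps a separate known_hosts entry per internal
		# host even though every connection goes to $GATEWAY.
		printf '%s\n' -o "HostKeyAlias=$1" -p "$port" "$GATEWAY" ;;
	*)
		printf '%s\n' "$1" ;;
	esac
}

# Wrapper entry point: only runs when the script is given a target host.
if [ $# -gt 0 ]; then
	args=$(ssh_args_for "$1") || exit 1
	exec real-slogin $args
fi
```

Because the TXT answer is unauthenticated, host-key checking under the per-host alias is what confirms that the forwarded port reached the intended machine.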


