[rescue] how to use a NAT/PAT to forward SSH to an internal box

Patrick Giagnocavo rescue at sunhelp.org
Sun Jan 6 02:00:14 CST 2002


On Sun, Jan 06, 2002 at 02:25:45AM -0500, Greg A. Woods wrote:
> It matters not how you manage to tell the client to use a specific port
> to connect through to a given internal host.  There are an almost
> infinite number of ways to do the mapping, and a very large number of
> them are even practical.
> 
> The simple answer is to supply a table of host/port mappings right
> inside the client wrapper script:
> 
> 	case "$1" in
> 	ihosta.mydomain)

Why put that data in the client script?  Multiple clients=multiple
places to update the script.

> If you want things more dynamic then the easiest thing to do would be to
> use the DNS to look up the port number in something like a TXT record:

Heck no, I wouldn't do that!  This gives everyone the ability to go
after and try to hack your boxes.  Security through obscurity is bad
but why advertise you have other systems on rfc1918 space?

Try this:

set up a single Apache httpd process (set MaxServers to 1 and so
forth) with SSL enabled on the gateway and 

1.  create and self-sign your own SSL certificate

2.  using Lynx (read the man page), log in to the http server and download
the shell script you mention.  You could run this as part of your
.login if you chose, so that on every login the latest version of the
mappings was automatically installed.  Lynx can be scripted.

3.  So now your mapping is encrypted and only available via SSL - if you
include a Basic-Authentication requirement you can prevent those who
don't know the username and password from getting the list from the
server, even if they accept your SSL cert.

Now, you need only one file to be updated whenever you have a new
internal host to get to.  If you use m4 or Perl or whatnot you could
auto-generate the file from the packet filtering ruleset, or even
generate both the p.f. ruleset and the mapping shell script with a few
lines of code.

Of course whether you should go to all this work depends on how many
internal machines you have.

You could also just create different user accounts on the gateway box,
and set up each account to automatically log in to a different box
using SSH's keygen mechanism.  

./patrick
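An added example, not part of the thread: one mapping table drives both the client-side wrapper (the "case" table Greg quotes) and the gateway's redirect rules (the "generate both the p.f. ruleset and the mapping shell script" idea above). Host names, addresses, ports and the external interface name are constructed; the redirect rules use classic OpenBSD pf "rdr" syntax, which is an assumption about which packet filter the gateway runs. The lynx fetch in the comment is Patrick's step 2 and is not executed here.

```shell
#!/bin/sh
# Added example: a single mapping table, kept on the gateway, generates both
# the client wrapper script and the packet-filter redirects so the two never
# drift apart. Everything below (hosts, RFC 1918 addresses, ports, ext0) is
# constructed for the example.

EXT_IF="ext0"   # assumed external interface name on the gateway
MAP_TABLE='ihosta.mydomain 192.168.1.10 2201
ihostb.mydomain 192.168.1.11 2202
ihostc.mydomain 192.168.1.12 2203'

# Look up the external port for an internal host name. Prints the port and
# returns 0 when found; prints nothing and returns 1 otherwise.
port_for_host() {
    printf '%s\n' "$MAP_TABLE" |
        awk -v h="$1" '$1 == h { print $3; found = 1 } END { exit !found }'
}

# Emit the client wrapper: the host -> port "case" table quoted in the thread,
# followed by the ssh call to the gateway. Single quotes keep the $ signs
# literal so they end up in the generated script, not expanded here.
gen_client_wrapper() {
    printf '%s\n' '#!/bin/sh' \
        '# generated from the gateway mapping table; regenerate, do not edit' \
        'case "$1" in'
    printf '%s\n' "$MAP_TABLE" | while read -r host _addr port; do
        printf '%s) port=%s ;;\n' "$host" "$port"
    done
    printf '%s\n' '*) echo "unknown internal host: $1" >&2; exit 1 ;;' \
        'esac' \
        'shift' \
        'exec ssh -p "$port" "${GATEWAY:-gateway.mydomain}" "$@"'
}

# Emit the matching gateway redirects: external port N on the gateway goes to
# port 22 on the internal host (classic pf "rdr" syntax, assumed).
gen_pf_rules() {
    printf '%s\n' "$MAP_TABLE" | while read -r _host addr port; do
        printf 'rdr on %s proto tcp from any to (%s) port %s -> %s port 22\n' \
            "$EXT_IF" "$EXT_IF" "$port" "$addr"
    done
}

# Step 2 from the post, run on each client (not executed here; assumes lynx
# and a gateway URL): pull the generated wrapper over TLS with Basic auth.
#   lynx -source -auth=user:secret https://gateway.mydomain/ihost.sh \
#       > "$HOME/bin/ihost" && chmod 700 "$HOME/bin/ihost"

# Usage: ./gen.sh client > ihost.sh ; ./gen.sh pf >> pf.conf
case "${1:-}" in
    client) gen_client_wrapper ;;
    pf)     gen_pf_rules ;;
esac
```

Publishing ihost.sh behind the SSL-only, Basic-auth-protected httpd described above keeps the host list off DNS, and regenerating both outputs from MAP_TABLE means a new internal host is a one-line change in one place.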


