[rescue] how to use a NAT/PAT to forward SSH to an internal box

Steve Sandau rescue at sunhelp.org
Sun Jan 6 10:19:14 CST 2002


<snip>
> Okay, this is good, but how about doing it on the proxy side, so that the
> client side doesn't require any customization.
> how would you go about making a script for the proxy machine in which you
> could accept the hostname from a client wrapper script?
> 
> with this kind of a mechanism, you can code the proxy script with the
> hostname_to_port information, and then have it send the port info back to the
> client side script.
> 
> Then all you have to do is have NAT running on the gateway box, and already
> have your
> rdr le0 123.45.67.89/32 port 2201 -> 192.168.0.101 port 22
> rdr le0 123.45.67.89/32 port 2202 -> 192.168.0.102 port 22
> rdr le0 123.45.67.89/32 port 2203 -> 192.168.0.103 port 22
> lines already in place in your ipnat.conf, and rules loaded.

If you're going to do this on the firewall, *and* write a wrapper on the
client side, it seems that the easiest thing would be just to provide
some sort of internal-hostname:ssh-port mapping file on the client. You
run a script on the client (call it pssh for private ssh maybe). It
takes the same arguments as ssh, but it looks up the hostname you give
it in a table on the client, and calls ssh with the appropriate port
number so you connect to the firewall running NAT with the right port
for the internal host you had in mind.

Geez, that's simple enough that even *I* could get it to work! If you
wanted to, you could even replace the ssh executable on a box with the
pssh script. For regular ssh connections make the script call ssh with
the standard port 22...

All you have to update on the client is one "hosts" file with internal
machine names and their correct ports. This may not fit your purposes,
George, but since we *have* to do *some* kind of client modification,
why not take the easy way and not have to use anything too odd?
> 
> then the client side script simply passes the port to ssh as it starts it:
> exec ssh -p $port_from_proxy $username@$hostname_from_cmd_line
> 
> if the external DNS points at the proxy IP for the hostnames behind it, this
> should be completely transparent from the outside, you would just use the
> script instead of invoking ssh directly. (unless you wanted to ssh into the
> gateway itself)
> 
> we're getting closer here....

-- 
Steve Sandau
ssandau at bath.tmac.com
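One way to write the pssh wrapper Steve describes, as an added example that is not part of the thread. It assumes the gateway's external address is 123.45.67.89 (the address in George's rdr rules), a table at ~/.pssh_hosts whose format and host names are constructed here, and OpenSSH's -p and -o HostKeyAlias options. Names that are not in the table fall through to plain ssh on port 22, as Steve suggests:

```shell
#!/bin/sh
# pssh: "private ssh" wrapper for the NAT/PAT setup discussed above.
# The destination is looked up in a name-to-port table; a mapped name is
# reached as <gateway>:<port>, anything else falls through to plain ssh.
# Added example, not from the thread. GATEWAY, the table path and the
# table format are assumptions; -p and HostKeyAlias are real OpenSSH options.

GATEWAY="${PSSH_GATEWAY:-123.45.67.89}"        # external address of the ipnat box (assumed)
PSSH_HOSTS="${PSSH_HOSTS:-$HOME/.pssh_hosts}"  # where the table lives (assumed)

# write_sample_table FILE: constructed table matching the three rdr rules above.
write_sample_table() {
    cat > "$1" <<'EOF'
# internal name   port on the gateway
db01              2201
web01             2202
build01           2203
EOF
}

# lookup_port NAME TABLE: print the forwarded port for NAME, nothing if unmapped.
lookup_port() {
    awk -v h="$1" '$1 !~ /^#/ && $1 == h { print $2; exit }' "$2"
}

# is_valued_opt WORD: true for ssh options that take a separate argument, so
# "pssh -l admin db01" does not mistake "admin" for the destination.
is_valued_opt() {
    case "$1" in
        -[bcDeEFiIJlLmoOpQRSwW]) return 0 ;;
        *) return 1 ;;
    esac
}

# find_destination ARGS...: print the first non-option word ([user@]host).
find_destination() {
    while [ $# -gt 0 ]; do
        if is_valued_opt "$1"; then
            shift; [ $# -gt 0 ] || return 1     # skip the option's value
        elif [ "${1#-}" = "$1" ]; then
            printf '%s\n' "$1"; return 0        # first word not starting with "-"
        fi
        shift
    done
    return 1
}

# pssh_argv TABLE ARGS...: print the ssh argv pssh would exec, one word per
# line. Mapped hosts get "-p PORT -o HostKeyAlias=NAME" and the destination
# rewritten to [user@]GATEWAY; unmapped hosts get ssh exactly as typed.
pssh_argv() {
    table="$1"; shift
    dest=$(find_destination "$@") || { echo "pssh: no destination given" >&2; return 1; }
    case "$dest" in
        *@*) user="${dest%%@*}@"; host="${dest#*@}" ;;
        *)   user=""; host="$dest" ;;
    esac
    port=$(lookup_port "$host" "$table")
    if [ -z "$port" ]; then
        printf '%s\n' ssh "$@"                  # not an internal host: standard port 22
        return 0
    fi
    printf '%s\n' ssh -p "$port" -o "HostKeyAlias=$host"
    replaced=0; skip=0
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then
            skip=0                              # value of the preceding option, pass through
        elif [ "$replaced" -eq 0 ] && [ "$arg" = "$dest" ]; then
            arg="$user$GATEWAY"; replaced=1     # the destination word
        elif is_valued_opt "$arg"; then
            skip=1
        fi
        printf '%s\n' "$arg"
    done
}

# Entry point: only runs when the file is installed as "pssh", so the
# functions above can be sourced and tested without exec'ing ssh.
# Arguments containing newlines are not supported by the rebuild below.
case "${0##*/}" in
pssh)
    argv=$(pssh_argv "$PSSH_HOSTS" "$@") || exit 2
    set --
    while IFS= read -r word; do set -- "$@" "$word"; done <<EOF
$argv
EOF
    exec "$@"
    ;;
esac
```

HostKeyAlias is the security-relevant detail: without it OpenSSH files each internal machine under `[123.45.67.89]:2201` and so on, and a table edit or a changed rdr rule that points a name at a different port just produces a fresh "unknown host" prompt. With the alias, known_hosts is keyed by the internal name, so the same mistake shows up as a host-key mismatch. The table itself is what decides where a session goes, so keep it writable only by the user who owns it.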


