[rescue] how to transparently forward SSH to an internal box

George Adkins rescue at sunhelp.org
Sun Jan 6 12:16:44 CST 2002


> If you're going to do this on the firewall, *and* write a wrapper on the
> client side, it seems that the easiest thing would be just to provide
> some sort of internal-hostname:ssh-port mapping file on the client.
No.  How are you supposed to connect to a client on _my_ network via this 
method if I haven't sent you a custom client?  What happens when the mappings 
on the destination network change?  
The client-side script needs to be generic.

> run a script on the client (call it pssh for private ssh maybe). It
> takes the same arguments as ssh, but it looks up the hostname you give
> it in a table on the client, and calls ssh with the appropriate port
> number so you connect to the firewall running NAT with the right port
> for the internal host you had in mind.
Yes, that's exactly what I've been saying for three days.
What I'm trying to work out is the best method for that client to 
request that port information from the proxy host...

> All you have to update on the client is one "hosts" file with internal
> machine names and their correct ports. This may not fit you purposes,
> George, but since we *have* to do *some* kind of client modification,
> why not take the easy way and not have to use anything too odd?
Because we _don't_ have to make custom clients.  We can have a generic client 
script which will allow _anyone_ running it to be able to ssh through to a 
private-address machine transparently, without any further preparation than 
dropping a script into their home directory and having an account on the 
target machine.

Yes, it requires a little more effort in the design phase, but once it's in 
place, it's fire-and-forget.  If the proxy-ssh part is written right, you 
might even be able to get it to parse the ipnat.conf on its own, or maybe 
write it to look at its own conf file and then build the redirect rules and 
load them into ipnat when it comes up.
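The design sketched in this message, as an added example that is not code from the thread or from anyone on the rescue list: a generic client-side "pssh" wrapper that resolves an internal hostname to the proxy's forwarding port, plus the proxy-side pieces it leans on (a one-line-per-host table, a generator that turns that table into ipnat rdr rules, and a parser that reads the port back out of the rules). The table format, the file names, the interface name, all hostnames, addresses and ports are constructed for illustration; the thread never settled on how the client obtains the table, so fetching it is left to the caller (for instance `ssh proxy cat /etc/pssh-hosts` once an account on the proxy exists). Two practitioner points it bakes in: an unknown hostname fails closed rather than silently landing on the firewall's own sshd on port 22, and `-o HostKeyAlias=name` keeps each internal host's key under its own name in known_hosts, since every target otherwise presents as the same proxy address.

```shell
#!/bin/sh
# Added example, not code from the thread: a generic client-side "pssh"
# wrapper and the proxy-side pieces it depends on.  Table format, file
# names, interface, hostnames, addresses and ports are all constructed.

# Proxy-side table, one row per private host: name  private-ip  public-port.
# Constructed sample data, written to temp files so the example runs offline.
PSSH_TABLE=$(mktemp)
PSSH_RULES=$(mktemp)
trap 'rm -f "$PSSH_TABLE" "$PSSH_RULES"' EXIT
cat > "$PSSH_TABLE" <<'EOF'
# name        private-ip    public-port
build         10.0.0.11     2201
mailhost      10.0.0.12     2202
fileserver    10.0.0.13     2203
EOF

# build_rdr_rules IFACE PUBLIC_IP TABLE
# Turn the table into ipnat(5) rdr rules: TCP to PUBLIC_IP:public-port on
# IFACE is redirected to private-ip:22.  The firewall would load the output
# with "ipnat -CF -f file" at boot.  Comment and blank lines are skipped.
build_rdr_rules() {
    awk -v iface="$1" -v pubip="$2" '
        /^[[:space:]]*(#|$)/ { next }
        NF >= 3 { printf "rdr %s %s/32 port %s -> %s port 22 tcp\n",
                         iface, pubip, $3, $2 }
    ' "$3"
}

# lookup_port NAME TABLE
# Print the public port mapped to internal host NAME.  Returns 1 when NAME
# is absent so the caller fails closed instead of connecting to port 22 on
# the firewall itself.
lookup_port() {
    awk -v name="$1" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == name { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# port_from_ipnat PRIVATE_IP RULES
# The other direction: recover the public port for PRIVATE_IP by reading
# the rdr rules themselves, for a proxy that publishes its live ipnat.conf.
# Field layout: rdr IF PUB/32 port PPORT -> PRIV port 22 tcp
port_from_ipnat() {
    awk -v ip="$1" '
        $1 == "rdr" && $7 == ip && $8 == "port" && $9 == "22" {
            print $5; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# pssh NAME PROXY TABLE [ssh options...]
# Apart from the leading three arguments this takes whatever ssh takes.
# It connects to PROXY on the port the table gives for NAME.  HostKeyAlias
# records the internal host's key under its own name, so several hosts
# behind one proxy address do not all collide on one known_hosts entry.
# Set PSSH_DRY_RUN=1 to print the command instead of running it.
pssh() {
    name=$1; proxy=$2; table=$3; shift 3
    port=$(lookup_port "$name" "$table") || {
        echo "pssh: no port mapping for '$name'" >&2
        return 1
    }
    ${PSSH_DRY_RUN:+echo} ssh -p "$port" -o "HostKeyAlias=$name" "$@" "$proxy"
}

# Demonstration: generate the rules the proxy would load, then resolve a
# host both from the table and from the generated rules.
build_rdr_rules le0 203.0.113.10 "$PSSH_TABLE" > "$PSSH_RULES"
cat "$PSSH_RULES"
PSSH_DRY_RUN=1 pssh mailhost fw.example.org "$PSSH_TABLE" -l george
port_from_ipnat 10.0.0.13 "$PSSH_RULES"
```

Dropped into a home directory as `pssh`, the wrapper needs nothing on the client beyond a copy of the table; the table stays under the proxy operator's control, which is the point George is making about not shipping custom clients. Both lookups share one awk idiom (print on first match, exit nonzero from END if nothing matched) so a typo in the hostname is an error, not a connection to the wrong machine.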


