
Wednesday, July 13, 2005

Re: Simple IP-Forwarding problem

Hi Daniel,

An SSH tunnel would be possible, of course - but it would be an
additional step for the users each time they want to connect to
the servers outside - and I would have to allow ssh access on the server
in the middle, which I'd like to avoid.
However, if no one can help me solve the problem with iptables, I
will have to do it with ssh.

> I wouldn't advise violating the security policy as you propose - it is
> bound to be there for a good reason.

Indeed, that's right, but the server in the middle is not connectable by
everyone - it is limited to our net.

Greetings,
-Marc-

Daniel Pittman wrote:
> On 13 Jul 2005, Marc Mueller wrote:
>
>>I read tons of documentation, but I still have not found a fitting
>>solution for my problem - perhaps one of you can help me.
>>
>>There are 3 servers (A, B, C), each running an ssh daemon. None of them
>>has a connection to the internet for security reasons - neither
>>incoming nor outgoing.
>
>
> Others have already given you the iptables NAT rules to forward ports
> from the Internet to A, B and C -- thereby connecting them directly to
> the Internet and violating whatever security policy that requires that
> they are not accessible that way.
>
>
>>Only one server in the internet (X) is allowed to open a direct
>>connection to the three servers.
>>
>>  Local    #  Internet  #  Local
>>  A---\    #            #
>>  B---->---#----X-------#---Me
>>  C---/    #            #
>>           #            #
>
>
> I wouldn't advise violating the security policy as you propose - it is
> bound to be there for a good reason.
>
> Rather, I would suggest that you access your systems like this:
>
> ] ssh X -t ssh A ...
>
> That way you have only one exposed machine, and preserve the security
> policy (and the sanity of whoever wrote it. ;)
>
> You may want to look at the options for forwarding the Authentication
> Agent and X through the tunnel.
>
> Finally, you can do port forwarding from your local machine to A, B and
> C using ssh port forwarding, through X, in this style:
>
> ] ssh X -L 2080:A:80
>
> Then, when you connect to localhost:2080, ssh will open a connection
> from X to A on port 80 and forward traffic for you.
>
> Regards,
> Daniel
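A configuration-level version of Daniel's suggestion, added here as an example and not written by either poster: the client side makes X a transparent jump host for A, B and C, and the sshd side on X lets the hop accounts forward only to those three servers without getting a shell or TTY on X, which is the part Marc wanted to avoid. The host names A, B, C and X are the thread's placeholders; the public name `X.example.net`, the user `marc`, the group `hoppers` and the `nologin` path are assumptions.

```sshconfig
# --- Client side: ~/.ssh/config on "Me" ---
# Added example, not from the thread. X, A, B, C are the thread's
# placeholder host names; substitute real names or addresses.

Host X
    HostName X.example.net        # assumed public name of the middle server
    User marc                     # assumed account on X
    # With the jump setup below the session to A is end-to-end, so X
    # never needs access to the local authentication agent.
    ForwardAgent no

# A, B and C are reached through X. OpenSSH 7.3+ understands ProxyJump;
# older clients can use the commented ProxyCommand line instead.
Host A B C
    ProxyJump X
    # ProxyCommand ssh -W %h:%p X
    User marc                     # assumed account on the inside servers

# Equivalent of "ssh X -L 2080:A:80", but opened by A's own sshd:
# "ssh -N A" makes localhost:2080 reach A's web port through X.
Host A
    LocalForward 2080 localhost:80

# --- Server side: /etc/ssh/sshd_config on X ---
# Accounts used only for hopping (assumed group "hoppers") may open
# forwards to the ssh ports of A, B and C and nothing else, and get
# neither a shell nor a TTY on X. PermitOpen matches the destination
# string the client requests, so list the names/addresses exactly as
# the client's HostName entries for A, B and C resolve them.
Match Group hoppers
    AllowTcpForwarding local
    PermitOpen A:22 B:22 C:22
    PermitTTY no
    ForceCommand /usr/sbin/nologin    # assumed path (Debian)
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
```

Members of `hoppers` can then run `ssh A` or `ssh -N A` from "Me", while an attempt to log in to X interactively or to forward to any other destination is refused by X's sshd.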

