Hello All.
I was playing with iptables and the 'ssh -p' command today trying to
forward external ssh client connections to a box on a different
network, behind a dual-homed gateway. Pretty groovy, thought I would
post it here in case anyone else can use it.
One problem is the ssh client side is getting the key back from the
box behind the gateway, and not the same server key as a previous
connect to the gateway itself returns, so it appears as a spoofed
connection. (which it is!) One way around this is to specify the ip
address of the host instead of the hostname itself. This way you get
two keys for the same host in your .ssh/known_hosts file, when you are
actually getting to connect to two different machines using one host,
and two different destination ports. eg:
ssh barney == barney's key
ssh barney:1222 == fred's key (ssh client thinks it should have
barney's key)
After setting this up, an ssh barney -p 1222 will ssh me to fred,
through barney, even though fred is on a completely different network.
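A client-side alternative to the IP-address trick above, added here as an example and not part of the original post: give the forwarded session its own name in ~/.ssh/config with HostKeyAlias, so fred's key is stored and checked under that alias rather than under barney's name. The alias "fred-via-barney" is a placeholder chosen for this example.

```sshconfig
# Added example, not from the original post. Client-side ~/.ssh/config stanza
# so the forwarded session is recorded under its own host-key name.
# The alias "fred-via-barney" is a placeholder chosen here.
Host fred-via-barney
    HostName barney
    Port 1222
    HostKeyAlias fred-via-barney

# Plain "ssh barney" keeps looking up barney's own key under the name "barney".
Host barney
    HostName barney
    Port 22
```

With this, `ssh fred-via-barney` records fred's key against the alias in known_hosts, while `ssh barney` still expects barney's key. If the gateway's forward is ever pointed at a different box, the alias entry mismatches and the client warns, whereas a key recorded under a bare IP address carries nothing that distinguishes which machine it belongs to.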
cheers
-----------------------------------------------------------------------------
                         |
                         |
  [Fred:192.168.1.4]     |     [Wilma:192.168.1.3]
          |              |              |
          |              |              |
          +---------[Hub/Switch]--------+
                         |
                         |
            (Barney:192.168.1.1 INTIF)
            [                        ]
            [                        ]
            [       BARNEY GW        ]
            [                        ]
            [                        ]
           (Barney:217.212.212.98 EXTIF)
                         |
                         |
                         |
                         |
           [.oO0 217.212.212.0 network 0Oo.]
---8<------8<------8<------8<------8<------8<------8<------8<------8<---
#!/bin/bash
## (watch for linebreaks in posting !!)
FRED="192.168.1.4"
INTIF="eth1"
EXTIF="eth0"
IPTABLES="/usr/sbin/iptables"
# function to forward from barney <=> fred
forward_ssh()
{
    echo "ssh forwarding for port 1222"
    # ssh ports: rewrite external port 1222 on the gateway to fred's port 22
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1222 -j DNAT --to-destination $FRED:22
    # accept forwarding to external (fred's replies back out)
    $IPTABLES -A FORWARD -s $FRED -i $INTIF -o $EXTIF -p tcp --sport 22 -j ACCEPT
    # accept forwarding to internal (DNAT has already run, so match on fred:22)
    $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 22 -d $FRED -j ACCEPT
}
# setup for masq
setup_ip_nat()
{
    echo "nat"
    $IPTABLES -t nat -F
    #/sbin/depmod -a
    # load the netfilter modules; modprobe resolves dependencies and is
    # silent if a module is already loaded or built in
    /sbin/modprobe ip_tables > /dev/null 2>&1
    /sbin/modprobe ip_conntrack > /dev/null 2>&1
    /sbin/modprobe ip_conntrack_ftp > /dev/null 2>&1
    /sbin/modprobe ip_conntrack_irc > /dev/null 2>&1
    /sbin/modprobe iptable_nat > /dev/null 2>&1
    /sbin/modprobe ip_nat_ftp > /dev/null 2>&1
    # forwarding enabled
    echo "1" > /proc/sys/net/ipv4/ip_forward
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
}
# flush rules, set defaults
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
echo "output"
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
echo "forward"
$IPTABLES -P FORWARD DROP
#$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# call ip_masq setup
# be sure to setup nat first or prerouting won't work
setup_ip_nat
# forward cons from gw to fred for ssh connects
forward_ssh
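The script above opens the forward to any source address and lets fred's return traffic out purely on source port 22. Below is an added example (not from the original post) that emits the same rules in dry-run form next to a tightened variant, so both can be reviewed before touching a live gateway. The admin network 203.0.113.0/24 and the default `echo iptables` dry-run are assumptions made for this example; FRED, INTIF and EXTIF reuse the post's values.

```shell
#!/bin/sh
# Added example, not from the original post: print the forwarding rule set
# in dry-run form so it can be reviewed before it is applied.
FRED="192.168.1.4"            # internal host being reached (from the post)
INTIF="eth1"
EXTIF="eth0"
FWD_PORT="1222"               # port exposed on the gateway's external side
ADMIN_NET="203.0.113.0/24"    # placeholder: the only source allowed to use the forward
# Dry-run by default; set IPTABLES=/usr/sbin/iptables to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Rules in the style of the original script: DNAT on the external interface
# plus two FORWARD accepts, one of which trusts any packet fred sends from sport 22.
loose_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$FWD_PORT" -j DNAT --to-destination "$FRED:22"
    $IPTABLES -A FORWARD -s "$FRED" -i "$INTIF" -o "$EXTIF" -p tcp --sport 22 -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -p tcp --dport 22 -d "$FRED" -j ACCEPT
}

# Tightened rules: only ADMIN_NET may open the forwarded session, the return
# direction is admitted by connection state instead of by source port, and
# anything else aimed at fred:22 through the gateway is logged (rate-limited)
# before the FORWARD policy of DROP discards it.
strict_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -s "$ADMIN_NET" -p tcp --dport "$FWD_PORT" -j DNAT --to-destination "$FRED:22"
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$ADMIN_NET" -d "$FRED" -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$FRED" -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -d "$FRED" -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "ssh-fwd-drop: "
}

# Count the rules from a rule-producing function that match a pattern;
# used to sanity-check a rule set in dry-run mode. ($1 = function, $2 = pattern)
count_matching() {
    "$1" | grep -c -- "$2" || true
}

# True when a rule set admits return traffic by connection state.
rules_use_state() {
    "$1" | grep -q -- "--ctstate"
}

# Review both variants when run directly.
echo "--- loose ---";  loose_rules
echo "--- strict ---"; strict_rules
```

Run as-is, the script only prints the commands; exporting `IPTABLES=/usr/sbin/iptables` applies one of the two functions for real. The strict set still relies on the `-P FORWARD DROP` policy from the original script for its final deny.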