<p>(In this example, I am assuming port 2222 will go to your internal host. $externalip and $internalip are the IP addresses or hostnames of the visible and internal machine, respectively.)</p>
<p>You have a couple of options, depending on how permanent you want the proxying to be:</p>
<ul>
<li><p>Some sort of TCP proxy. On Linux, the basic idea is that <i>before</i> the incoming packet is processed, you want to <i>change its destination</i>&mdash;i.e. prerouting destination NAT:</p>
<p><code>iptables -t nat -A PREROUTING -p tcp -i eth0 -d $externalip --dport 2222 --sport 1024:65535 -j DNAT --to $internalip:22</code></p></li>
<li><p>Using SSH to establish temporary port forwarding. From here, you have two options again:</p>
<ul>
<li><p>Transparent proxy, where the client thinks that your visible host (on port 2222) is just a normal SSH server and doesn't realize that it is passing through. While you lose some fine-grained control, you get convenience (especially if you want to use SSH to forward VNC or X11 all the way to the inner host).</p>
<ul>
<li>From the internal machine: <code>ssh -g -R 2222:localhost:22 $externalip</code></li>
<li>Then from the outside world: <code>ssh -p 2222 $externalip</code></li>
</ul>
<p>Notice that the "internal" and "external" machines do not have to be on the same LAN. You can port forward all the way around the world this way.</p></li>
<li><p>Forcing login to the external machine first. This is true "forwarding," not "proxying"; but the basic idea is this: you force people to log in to the external machine (so you control who can log in and when, and you get logs of the activity), and from there they can SSH through to the inside. It sounds like a chore, but if you <i>set up simple shell scripts on the external machine with the names of your internal hosts, coupled with password-less SSH keypairs</i>, then it is very straightforward for a user to log in. So:</p>
<ul>
<li>On the external machine, you make a simple script, <code>/usr/local/bin/internalhost</code>, which simply runs <code>ssh $internalip</code></li>
<li>From the outside world, users do: <code>ssh $externalip internalhost</code> and once they log in to the first machine, they are immediately forwarded through to the internal one.</li>
</ul>
<p>Another advantage to this approach is that people don't get key management problems, since running two SSH services on one IP address will make the SSH client angry.</p></li>
</ul></li>
</ul>
<p>FYI, if you want to SSH to a server and you do not want to worry about keys, do this:</p>
<pre><code>ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no</code></pre>
<p>I have an alias in my shell called "nossh", so I can just do <code>nossh somehost</code> and it will ignore all key errors. Just understand that you are ignoring security information when you do this, so there is a theoretical risk.</p>
<p>Much of this information is from a talk I gave at Barcamp Bangkok all about fancy SSH tricks. You can see <a href="http://www.proven-corporation.com/static/ssh/" rel="nofollow noreferrer">my slides</a>, but I recommend the <a href="http://www.proven-corporation.com/static/ssh/ssh.txt" rel="nofollow noreferrer">text version</a> as the S5 slides are kind of buggy. Check out the section called "Forward Anything: Simple Port Forwarding" for info. There is also information on creating a SOCKS5 proxy with OpenSSH. Yes, you can do that. OpenSSH is awesome like that.</p>
<p>(Finally, if you are doing a lot of traversing into the internal network, consider setting up a VPN. It sounds scary, but OpenVPN is quite simple and runs on all OSes. I would say it's overkill just for SSH; but once you start port-forwarding through your port-forwards to get VNC, HTTP, or other stuff happening, or if you have lots of internal hosts to worry about, it can be simpler and more maintainable.)</p>
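<p>The "force login to the external machine first" approach above, as an added example that is not part of the original answer: a single gateway wrapper that only forwards to internal hosts on an allowlist and records each hop, so the gateway gives you both the access control and the activity log the answer mentions. The alias table, the addresses and the log path are constructed sample values, and <code>hop</code> is a hypothetical script name.</p>

```shell
#!/bin/sh
# Added example, not from the original answer: one gateway script serving an
# allowlist of internal hosts, in the spirit of /usr/local/bin/internalhost.
# Install as /usr/local/bin/hop and symlink each alias to it, e.g.
#   ln -s /usr/local/bin/hop /usr/local/bin/internalhost
# so users still run:  ssh -t $externalip internalhost
# The alias table and log path below are constructed sample values.

# Constructed allowlist: "<alias> <internal host or ip>" per line.
HOP_TABLE='internalhost 10.0.0.5
buildbox 10.0.0.7'
HOP_LOG="${HOP_LOG:-/var/log/sshhop.log}"

# resolve_host ALIAS: print the internal address for ALIAS, or fail if it is not
# in the allowlist. Looking the alias up in a fixed table, instead of passing the
# user's argument straight to ssh, means users can only reach hosts you listed.
resolve_host() {
    case "$1" in
        *[!A-Za-z0-9_-]*|'') return 1 ;;   # reject empty or odd-looking names
    esac
    target=$(printf '%s\n' "$HOP_TABLE" |
        awk -v a="$1" '$1 == a { print $2; found = 1; exit } END { exit !found }') ||
        return 1
    printf '%s\n' "$target"
}

# hop_main [ALIAS]: resolve the alias (from $1, or from the symlink name in $0),
# write an audit line, then replace ourselves with the inner ssh session.
hop_main() {
    alias_name="${1:-$(basename "$0")}"
    target=$(resolve_host "$alias_name") || {
        printf 'hop: no such internal host: %s\n' "$alias_name" >&2
        exit 2
    }
    # This is the log of activity the gateway approach gives you: who, from
    # where, to which internal host.
    printf '%s user=%s from=%s alias=%s target=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-?}" "${SSH_CONNECTION%% *}" \
        "$alias_name" "$target" >> "$HOP_LOG" 2>/dev/null
    # -t requests a tty so an interactive shell on the inner host behaves normally.
    exec ssh -t "$target"
}

# Only hop when invoked over SSH; sourced or run locally, just define the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then
    hop_main "$@"
fi
```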