[TriLUG] ssh 'through' a firewall

davis davis at skink.net
Sat Apr 24 18:12:32 EDT 2004


On Sat, Apr 24, 2004 at 12:22:53PM -0400, Douglas Kojetin wrote:
> hi all-
> 
> thanks for all the comments.  let me explain my setup better (i gave a 
> poor description of it before):
> 
> we use a sonicwall firewall, and behind it are several computers.  i 
> have two IP addresses:  one for the firewall unit, and one that i use 
> for port forwarding through the firewall to a computer (IPs made up).  
> the firewall is in 'stealth' mode.
> 
> internet
>    --- firewall ('external' ip address: 10.0.0.0 with a web-visible 
> hostname; internal ip address: 3.0.0.0)
>           -- box 1 ('external' port forwarded ip address 10.0.0.1 with 
> a web-visible host name, which points to the internal ip 3.0.0.1)
>           -- box 2 through 5 (internal ip 3.0.0.2 through 3.0.0.5)
> 
> what i usually do is:
> 
> # ssh to the port forwarded, web accessible box
> ssh -X user at 10.0.0.1
> # ssh from that machine to other machines behind the sonicwall firewall 
> # (that do not have port forwarding hostnames/ip addresses)
> ssh -X user at 3.0.0.2
> 
> maybe my setup is inefficient?  should i setup in my firewall the 
> second IP address (10.0.0.1) to port forward SSH at higher ports to the 
> other boxes?  can i do that (say, 2222 for box2, 2223 for box3, 2224 
> for box4, and so on)?
> 
> thanks,
> doug

Hello Again Doug,

I'm kinda confused by your terms.  I thought I understood you better 
beforehand. :) When you say you have two IP addresses, do you mean 
you have two external static ips?

Just cause I am more visible, are you describing something like
this (replace hub with switch if that is more accurate):

10...2 == ip address 10.0.0.2

    10...0 +-----+ 3...0     +-----+    3...2  +------+
router -+--+ fw  +-----------+ hub +-+---------+ box2 |
        |  |     |           |     | |         |      |
        |  +-----+           +-----+ |         +------+
        |                            |
        |                            |
        |  +------+                  |  3...3  +------+
        +--+ box1 +                  +---------+ box3 |
   10...2  |      |                  |         |      |
           +------+                  |         +------+
                                     |
                                     |  3...4  +------+
                                     +---------+ box4 |
                                               |      |
                                               +------+

I realize you are using fake ip addresses, but you just so happened
to choose a non-routable address as the example address for your 
public side and 3.0.0.0 (a routable address) as your private/internal 
side.  If you could clarify that a little, we can help you easier.
"We can give you real ip addys for your configs."  Also some of these
addresses are subnet addresses so that confuses me as well.



Somehow I think this is really your setup:


     3...n +-----+ 10..1     +-----+   10...2  +--------+
router ----+ fw  +-----------+ hub +-+---------+ box1   |
           |     |           |     | |         | Web    |
           |     |           |     | |         | server |
           +-----+           +-----+ |         +--------+
                                     |
                                     |
                                     | 10...3  +--------+
                                     +---------+ box2   |
                                     |         | Private|
                                     |         +--------+
                                     |
                                     | 10...4  +--------+
                                     +---------+ box3   |
                                               | Private|
                                               +--------+


Then I think you are describing this:

	ssh 3...n
will ssh you to box1 because you have box1 externally visible
as 3...1.

You want to ssh to box2 on occasion without having to login to
box 1.  If so, you can do this simply with routing like so:

	ssh -p 2222 3...n
could ssh you to box 2 if your sonicwall firewall can be configured to
forward port traffic on incoming port 2222 to port 22 on host 10...3.
Ditto for the other boxes.  Since you are not using iptables, I can't 
show you the syntax.  However, if you want to try out an iptables
Linux firewall, this would be the syntax.  (Well, not exactly.  This
forwards external web traffic on a nonstandard port (8081) to a different
machine behind the firewall, in this case 192.168.0.2.)

# $IPT is the path to the iptables binary, e.g. IPT=/sbin/iptables
# let already-established forwarded connections continue
$IPT -A FORWARD -m state --state ESTABLISHED -j ACCEPT
# allow new connections to the rs6k's web port; FORWARD sees the packet after
# the PREROUTING DNAT, so match the translated destination, not port 8081
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.2 --dport 80 -m state --state NEW -j ACCEPT
# rewrite incoming traffic on 8081 to the rs6k's web server on port 80
$IPT -t nat -A PREROUTING -i eth0 -p tcp --syn --dport 8081 -j DNAT --to-destination 192.168.0.2:80



 -- 
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc

-- 
Happy Trails	

John F. Davis
ABC #6334 1992 R100GSPD                                  Durham, North Carolina
http://www.skink.net
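The per-box port-forwarding scheme Doug asked about (2222 for box2, 2223 for box3, and so on), carried through as an added example that is not part of John's post or of any SonicWall configuration: a small POSIX sh script that generates the iptables DNAT and FORWARD rules for each box together with the matching ~/.ssh/config stanzas on the client side. It assumes an iptables firewall with eth0 outside and eth1 inside, an iptables binary at $IPT, a placeholder public name FW_HOST for the firewall, and constructed 192.168.0.x internal addresses; box numbering in the stanzas is also assumed.

```shell
#!/bin/sh
# Added example (not from the list post). Generates the iptables rules for
# the scheme Doug asked about: a distinct external SSH port per internal box
# (2222 -> box2, 2223 -> box3, ...), plus matching ~/.ssh/config stanzas.
# Assumptions: external interface eth0, internal interface eth1, iptables at
# $IPT, and the firewall's public name FW_HOST; all addresses are constructed.
IPT=${IPT:-/sbin/iptables}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
FW_HOST=${FW_HOST:-fw.example.org}   # placeholder for the firewall's public hostname

# Constructed mapping "external_port:internal_host", one entry per box.
PORT_MAP="2222:192.168.0.2 2223:192.168.0.3 2224:192.168.0.4"

# Rules for one box. The FORWARD rule runs after the PREROUTING DNAT, so it
# must match the translated destination (host:22), not the external port.
dnat_rules() {
    ext_port=$1
    int_host=$2
    echo "$IPT -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d $int_host --dport 22 -m state --state NEW -j ACCEPT"
    echo "$IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --syn --dport $ext_port -j DNAT --to-destination $int_host:22"
}

# Full rule set: one stateful accept for return traffic, then two rules per box.
gen_ssh_forwards() {
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in $PORT_MAP; do
        dnat_rules "${entry%%:*}" "${entry#*:}"
    done
}

# Client side: a stanza per box so "ssh box2" reaches the firewall on the
# right port without first logging in to box1 (box numbering assumed).
ssh_config_stanzas() {
    n=2
    for entry in $PORT_MAP; do
        printf 'Host box%s\n    HostName %s\n    Port %s\n\n' "$n" "$FW_HOST" "${entry%%:*}"
        n=$((n + 1))
    done
}

# With APPLY=1 the rules are executed (needs root); otherwise they are printed.
if [ "${APPLY:-0}" = 1 ]; then
    gen_ssh_forwards | while read -r rule; do sh -c "$rule"; done
else
    gen_ssh_forwards
    echo
    ssh_config_stanzas
fi
```

Run it without arguments to review the generated rules first; the FORWARD accept rules only matter when the chain's default policy is DROP, but matching the post-DNAT destination (host:22) rather than the external port is what makes them match at all, since the filter table sees the packet after the nat PREROUTING rewrite.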


