8 replies to this topic

[mirrorshades]

Ok... I'm adding a few *nix boxes to my home network, and intending to poke little tiny holes in my firewall to SSH in. Is there any kind of proxy/repeater software that will allow me to just have one open port (i.e. 22), but then select the destination on the LAN at run-time? I could do it such that 22 is the linux box, 23 is openbsd, 24 is solaris, etc... but that seems kludgy at best.

Was also considering setting one server up as the main host, then adding specific logons for the others. In other words, if I log on as the user "openbsd", then automatically connect to the openbsd server from there -- the initial server is just a pass-through connection. Then I thought about it some more and figured there must be an easier way, because that just sounds too freaking stupid.

As an example, the UltraVNC software has a repeater program that basically acts as a connection forwarder. You can open one port for VNC, and provide the LAN target... the repeater automatically makes the connection to the target box. Something like that would be ideal.

Of course, it probably compromises the security of SSH somewhat, but since it would just be me coming in (ideally), I'm not really concerned that I might be snooping on myself.

[livinded]

All you have to do is change your sshd config to run on a different port than 22 and then setup port forwarding accordingly on your router. There is nothing special needed to do this, just normal NAT.

[mirrorshades]

No, I guess I didn't explain goodly enough. I want them all to run on port 22, so that I only have to open port 22 through the router. (And so I don't have to remember which box is on which port because I'm essentially lazy at heart. I will go to great lengths to save myself some work.) :)

Some way of determining which box I want to go to at run-time would be ideal:

# ssh debian.mynetwork.example.com
# ssh bsd_box.mynetwork.example.com
# ssh wfw311.mynetwork.example.com

Something like that. I guess that the individual servers don't have to all be running port 22, once I'm onto the LAN it shouldn't matter.

[nullkraft]

The way I do it is to ssh into my server at work and then ssh into any other machine on the network from there.

[Clay584]

Holding with the one port open only routine, there are only a couple options.

First, have your main box act as just a netaccess server if you will and ssh to other devices once in that box...or

If you have more than just one public IP from your ISP, don't use NAT, configure each box with one of the public IP's and the a.server.com, b.server.com, c.server.com will all point to their respective public IP's.

If you don't want to do either of those then you will have to do separate port numbers. There is no getting around that. That is just how NAT works.

[mirrorshades]

The way I do it is to ssh into my server at work and then ssh into any other machine on the network from there.

First, have your main box act as just a netaccess server if you will and ssh to other devices once in that box...or

Yeah... looking like that's probably the best bet. No reason I can't do it that way, I suppose.

How elegantly low-tech. :)

[Ohm]

This is really simple. All you need open is OpenSSH. Connect to the OpenSSH daemon from your remote machine with the -D switch. This will open a proxy server on your machine that will tunnel all connection requests through the SSH tunnel. If all of your applications support SOCKS4 or SOCKS5 then this will work well.

[mirrorshades]

Interesting... I've seen the SOCKS option, but I never gave it much thought. Once I have the proxy running, what would I then specify to get to a particular node on my LAN? I assume the private IPs and local hostnames wouldn't be properly resolved.

No need to answer if it's that straightforward, I'll give it a try in a day or so here either way.

[Ohm]

You assumed wrong. SSH is running on your gateway (or to a machine inside the network via a forwarded port). Names don't "resolve" until that machine attempts to make the connection. You'll be able to connect to any machine the SSH machine can connect to.