[Courses] [Security] Port forwarding with SSH and ipchains/iptables
jennyw
jennyw at dangerousideas.com
Wed Mar 20 12:20:56 EST 2002
From: "Raven, corporate courtesan" <raven at oneeyedcrow.net>
> Out of curiosity, why is this? (I'm assuming that you mean here
> that the workstations cannot act as ssh servers. Or do you also mean
> that they can't even have ssh clients installed on them?)
Yes, the workstations cannot have ssh installed on them. They're Windows
boxes. I guess it's possible to install SSH on them, but non-commercial
implementations seem to be in some pre-release stage right now.
Server A (Web server)
|
10.0.0.1
Firewall A
a.b.c.d
|
<The Internet>
|
e.f.g.h
Firewall B
10.1.0.1
|
Client B (Web client)
>Heh. ASCII art. I was never fond of it before I started doing
>networking, but it's so helpful to explain in situations like this.
Yep!
> This will be middling-complex to set up. If you want to do this
> for several services, for several servers, you might be better off with
> the VPN. But it's doable with ssh and port forwarding (part of the
> whole firewalling package).
Why I was asking about SSH instead of VPN ... well, the fewer features
offered the better. I realize that a lot of VPNs have ACLs that you can set,
but I'd feel safer if the product being used to secure the connections
didn't have the ability to offer full-blown access to a computer or network.
I could be paranoid here, of course. Then again, I've started looking at SSH
port-forwarding, and I saw an article that suggested that having multiple
computers access an SSH forwarded port might not be the best idea. So maybe
we'll go to using a VPN after all ... it'll probably take some testing.
Another issue is that this is for a non-profit organization. This means that
money is not free flowing and so a free implementation is better than one
that costs money. The only free VPN package I'm aware of is FreeS/WAN. I'm
not sure whether it supports ACLs or other ways to limit access to a machine
or network.
Looking briefly through the docs, it doesn't look like there are ways to
control access to various ports or services through FreeS/WAN. My assumption
is that the way to do this would be to install FreeS/WAN on the firewall.
The rules on the external interface would be set to allow IPSEC. FreeS/WAN
would then decrypt packets and then send them to the external interface. The
external interface would have rules such that it would only forward packets
that originate from e.f.g.h (the ext. interface of the client firewall).
Furthermore, it would only forward packets to Server A. Further still, only
packets that come through on port 80.
> Ssh port forwarding is relatively easy, and the firewall part of
> port forwarding isn't too bad, either. But the VPN may actually be a
> simpler alternative, depending on your site's needs.
> What kernel series are your firewalls running? 2.2 or 2.4?
Hasn't been implemented yet. We're currently using the port-filtering
firewall capabilities of our routers (blocking all incoming traffic plus
NAT). If we set up the Linux firewalls, it'd probably be 2.4. Even if everything
works technically, ease of maintenance will be an issue, since I may not
always be available.
I guess another side of security is how easy it is to maintain, especially
if you have staff turnover. This aspect might make us do something like buy
a packaged product. For example, Smoothwall is based on Linux (2.2.19) and
includes FreeS/WAN. Might not be the best, but it might be easier (I believe
they allow you to manage it via a Web browser). If not that, then maybe
SonicWall. I'd love to use Linux to help secure our network, but if it's not
the best choice, then we'll go with something else. And anything I learn
about Linux security can be applied to another project ...
Thanks!
Jen
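The filtering sketched in the message above (FreeS/WAN on Firewall A, IPsec allowed in on the external interface, decrypted traffic forwarded only to Server A on port 80) written out as an iptables script. This is an added example, not a script from the thread. It assumes a 2.4-kernel box with iptables (the choice mentioned above), FreeS/WAN's KLIPS `ipsec0` virtual interface, and hypothetical addressing filled in from the ASCII diagram: `eth0` is Firewall A's external interface, Client B's LAN is 10.1.0.0/24, and Server A is 10.0.0.10 (the message never gives Server A's address). One caveat a practitioner would want: with KLIPS the decrypted packets appear on `ipsec0` carrying their inner 10.1.x.x source addresses, so the "only from e.f.g.h" check belongs on the outer IKE/ESP rules, and the forwarding rule matches the inner network instead.

```shell
#!/bin/sh
# Firewall A rule set for the "FreeS/WAN on the firewall" design.
# Added example; not a script from the thread. Hypothetical addressing:
#   EXT_IF   eth0          external interface of Firewall A (a.b.c.d)
#   IPSEC_IF ipsec0        FreeS/WAN (KLIPS) virtual interface; decrypted
#                          tunnel packets appear here with inner addresses
#   PEER_GW  e.f.g.h       external address of Firewall B
#   PEER_NET 10.1.0.0/24   Client B's LAN behind Firewall B (assumed)
#   SERVER_A 10.0.0.10     Server A (assumed; not given in the thread)
# Usage: sh firewall-a.sh        -> prints the rules (dry run, no root needed)
#        sh firewall-a.sh apply  -> runs iptables for real (root required)

EXT_IF=eth0
IPSEC_IF=ipsec0
PEER_GW=e.f.g.h
PEER_NET=10.1.0.0/24
SERVER_A=10.0.0.10
IPT=echo
[ "${1:-}" = apply ] && IPT=iptables

apply_rules() {
    # Default deny: anything not matched below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outer (encrypted) traffic: only IKE (UDP 500) and ESP (IP proto 50),
    # and only from Firewall B's external address. This is the
    # "allow IPSEC on the external interface" rule from the message.
    $IPT -A INPUT -i $EXT_IF -s $PEER_GW -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i $EXT_IF -s $PEER_GW -p esp -j ACCEPT

    # Inner (decrypted) traffic leaves KLIPS on ipsec0. Forward only HTTP
    # to Server A, and only from Client B's network; replies go back out
    # through ipsec0 to be re-encrypted.
    $IPT -A FORWARD -i $IPSEC_IF -s $PEER_NET -d $SERVER_A -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -o $IPSEC_IF -s $SERVER_A -d $PEER_NET -p tcp --sport 80 \
        -m state --state ESTABLISHED -j ACCEPT

    # Belt and braces: nothing arriving in cleartext on the external
    # interface is ever forwarded, whatever the policy says.
    $IPT -A FORWARD -i $EXT_IF -j DROP
}

apply_rules
```

Run it without arguments to see the rules it would load; `sh firewall-a.sh apply` loads them. The reply rule relies on the `ipt_state` match, which 2.4 kernels have when connection tracking is compiled in. If Firewall A is ever placed behind NAT, IKE moves to UDP 4500 (NAT-T) and the first INPUT rule would need a second line for it.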
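The SSH alternative the thread keeps coming back to, shown in a form that answers the two worries raised above: the Windows workstations cannot run ssh, and several machines sharing one forwarded port is uncomfortable. This is an added example, not something from the thread or from the OpenSSH project. It assumes Firewall B is a Linux box with an OpenSSH client and an internal address of 10.1.0.1, that Firewall A at a.b.c.d runs sshd with a dedicated account named `webfwd`, and that Server A is 10.0.0.10; all of these names and addresses are hypothetical. The idea is that only Firewall B holds the tunnel, bound to its inside address so the workstations just browse to it, and the key on the Firewall A side is confined with `authorized_keys` options so the account can forward to Server A port 80 and nothing else, which is the "fewer features the better" property Jen wants from the VPN.

```shell
#!/bin/sh
# One shared SSH port forward for the workstations behind Firewall B.
# Added example, not from the thread. Hypothetical assumptions:
#   Firewall B: Linux with OpenSSH client, internal address 10.1.0.1
#   Firewall A: a.b.c.d, runs sshd, dedicated account "webfwd"
#   Server A:   10.0.0.10 (address not given in the thread)
# Workstations browse to http://10.1.0.1:8080/ and never run ssh themselves.

FWB_INT=10.1.0.1        # bind the forward on the inside address only
FWB_EXT=e.f.g.h         # Firewall B's external address, for the from= option
LOCAL_PORT=8080
SERVER_A=10.0.0.10
FWA_EXT=a.b.c.d
FWD_USER=webfwd
KEYFILE=/etc/ssh/webfwd_id   # passphrase-less key used only for this tunnel

# The command Firewall B runs (from an init script or a restart loop).
# -N asks for no remote shell; -L with a bind address makes the forward
# reachable from the LAN without exposing it on the Internet side.
tunnel_cmd() {
    printf 'ssh -N -i %s -L %s:%s:%s:%s %s@%s\n' \
        "$KEYFILE" "$FWB_INT" "$LOCAL_PORT" "$SERVER_A" 80 "$FWD_USER" "$FWA_EXT"
}

# The authorized_keys entry for that key on Firewall A. from= pins the key
# to Firewall B's address; no-pty and the no-*-forwarding options take away
# everything except TCP forwarding; permitopen limits the forwarding to
# exactly Server A port 80, so a compromised Firewall B gets nothing else.
authorized_keys_line() {
    pubkey=$1   # e.g. "ssh-rsa AAAA... webfwd@firewall-b"
    printf 'from="%s",no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="%s:80" %s\n' \
        "$FWB_EXT" "$SERVER_A" "$pubkey"
}

tunnel_cmd
# Constructed placeholder key, not a real one.
authorized_keys_line "ssh-rsa AAAAB3NzaC1yc2E... webfwd@firewall-b"
```

On an OpenSSH client too old to accept a bind address in `-L`, the equivalent is `-g` (bind on all interfaces) plus an ipchains/iptables INPUT rule on Firewall B that admits TCP port 8080 only from 10.1.0.0/24. Whichever way it is bound, the forwarded port is plain HTTP on the LAN side; the encryption covers only the hop between the two firewalls, exactly as with the IPsec design.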