[Techtalk] remote SSH and NAT

Carla Schroder carla at bratgrrl.com
Sun Mar 12 17:36:33 EST 2006


On Saturday 11 March 2006 18:23, Mary wrote:
> On Sat, Mar 11, 2006, Carla Schroder wrote:
> > Can I write rules that will let me log directly into stinkpad, or any
> > other LAN host, without having to log into windbag first? Assume all LAN
> > hosts have private, non-routable addresses. Local name resolution is
> > /etc/hosts.
>
> I typically forward a port on windbag, so that when you connect to port
> 10000 of windbag, windbag pops you right through to port 22 (SSH) of
> stinkpad.
>
> I've tended to do it with IP addresses, but I don't think there's any
> reason not to do it with names that will look up. But sticking with what
> I know, lets say that windbag can reach stinkpad on IP address 10.0.0.2,
> and that windbag's external (world) facing interface is eth0:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 10000 -j DNAT \
>     --to-destination 10.0.0.2:22
>
> Then from the outside world you can do:
> $ ssh -p 10000 windbag
> and you'll be sent through to stinkpad directly.
>

That works great for a single LAN host, but then don't you bump into host key 
problems? Because all outgoing traffic is SNAT'ed, so when the remote SSH 
client sees a different host key, it doesn't know it's from a different PC, 
because the IP is the same. So you get the scary

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

etc. message. I would rather not turn off StrictHostKeyChecking to get past 
this, or dink around with replacing host keys a lot.

Maybe a two-step login isn't so bad, or use Real IPs if I simply must have a 
one-step ssh login.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Carla Schroder
 check out my "Linux Cookbook", the ultimate Linux user's
 and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
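Added example, not code from either poster: one table of LAN hosts drives both the DNAT rules on windbag (in the nat table, where PREROUTING/DNAT must live) and the client's ssh_config, where HostKeyAlias records each forwarded port's host key under its own name so the keys of different LAN hosts behind one external address never collide in known_hosts. The interface eth0, the 10.0.0.x addresses, the port numbers and the second host "laptop2" are all constructed; iptables is only echoed unless RUN_IPTABLES=1 is set.

```shell
#!/bin/sh
# Constructed example: a single host table generates the server-side
# port forwards and the client-side ssh_config stanzas.
# Assumptions: windbag's external interface is eth0; the FORWARD chain
# already allows established/related return traffic; IPs/ports are made up.

# alias  lan_ip    external_port   (constructed table)
HOSTS='
stinkpad 10.0.0.2 10000
laptop2  10.0.0.3 10001
'

# Emit the nat-table DNAT rule plus the filter-table FORWARD rule each
# forwarded host needs. Commands are echoed unless RUN_IPTABLES=1.
gen_iptables() {
    ipt="echo iptables"
    [ "${RUN_IPTABLES:-0}" = 1 ] && ipt="iptables"
    echo "$HOSTS" | while read -r alias ip port; do
        [ -z "$alias" ] && continue
        $ipt -t nat -A PREROUTING -i eth0 -p tcp --dport "$port" \
            -j DNAT --to-destination "$ip:22"
        $ipt -A FORWARD -i eth0 -p tcp -d "$ip" --dport 22 -j ACCEPT
    done
}

# Emit ssh_config stanzas: "ssh stinkpad" connects to windbag:10000, but
# the host key is stored under the alias, so stinkpad's and laptop2's keys
# are kept apart even though both answer from windbag's address.
gen_ssh_config() {
    echo "$HOSTS" | while read -r alias ip port; do
        [ -z "$alias" ] && continue
        printf 'Host %s\n    HostName windbag\n    Port %s\n    HostKeyAlias %s\n\n' \
            "$alias" "$port" "$alias"
    done
}

gen_iptables
gen_ssh_config
```

Append the ssh_config output to ~/.ssh/config on the client; the first connection to each alias then prompts for that host's key once, and a later key change is reported for that alias only.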