On 11/24/2010 04:35 PM, Alan McKinnon wrote:
> I need to get to the work CVS server from home. It's not exposed to the
> internet but never fear! we have ssh -L and a convenient sshd host that is on
> the internets. So, locally
>
> ssh -Llocalhost:1111:cvs.example.com:22 [email protected]
>
> and tell cvs that the server is localhost:1111
>
> I do this all the time for lots of other stuff. Doesn't work for CVS because
> there's no way to tell cvs to tell ssh what port to use.
>
> Google gives lots of hits about using the host-specific Host directive in
> ~/.ssh/config but that won't work for me - it assumes I can see the CVS
> server directly and doesn't take into account that I have port forwarding in
> the way.
>
> Anyone know a way to get cvs to use any port other than 22? I'm receptive to
> alternate cvs clients with this support, just not ones that tweak ssh to do
> it.
>
>
Use a full-blown tunnel instead of redirection magic. At home:

  #!/bin/bash
  modprobe tun
  # -w 0:0 asks for tun0 on both ends; needs root on both sides and
  # PermitTunnel enabled in the remote sshd_config.
  ssh -w 0:0 -C -f \
      [email protected] \
      /root/ssh_tunnel
  ifconfig tun0 10.0.2.2 netmask 255.255.255.252
  # Replace 10.1.1.0/24 with your work subnet.
  ip route add 10.1.1.0/24 via 10.0.2.1 dev tun0

And on the workstation at work:

  #!/bin/bash
  #
  # /root/ssh_tunnel
  #
  # The internal IP of your workstation, on the work network.
  INTERNAL_IP="10.1.1.x"
  modprobe tun
  ifconfig tun0 10.0.2.1 netmask 255.255.255.252
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # You will probably not want to trash all of your iptables rules.
  # Adjust as necessary.
  iptables -F
  iptables -F -t nat
  iptables -P FORWARD DROP
  iptables -A FORWARD -d 10.0.2.0/29 -j ACCEPT
  iptables -A FORWARD -s 10.0.2.0/29 -j ACCEPT
  # Rewrite traffic from the home end so it appears to come from this host.
  iptables -t nat -A POSTROUTING -s 10.0.2.2 -j SNAT \
      --to-source "$INTERNAL_IP"

This worked fine for me for about a year. Eventually, I gave in and set
up a real-ass VPN with OpenVPN. If you need to access services remotely
often, I would suggest skipping the intermediate step and going straight
to OpenVPN.
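
The work-side script above flushes every iptables rule on the workstation. The following is an added example, not part of the original message, of one way to scope the tunnel rules to their own chain so they can be added and removed without touching anything else. The chain name SSHTUN and the function names are made up here, and the return path is narrowed to established connections, which is stricter than the original rules. It leaves the existing FORWARD policy alone.

```shell
#!/bin/sh
# Added example: scoped rules for the tun0 tunnel instead of "iptables -F".
# Addresses are the ones in the scripts above; the chain name is made up here.
TUN_NET="10.0.2.0/30"   # the /30 that netmask 255.255.255.252 describes
TUN_PEER="10.0.2.2"     # home end of the tunnel
CHAIN="SSHTUN"          # hypothetical chain name

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# tunnel_rules add|del INTERNAL_IP: print the iptables commands, run nothing.
tunnel_rules() {
    is_ipv4 "$2" || { echo "bad INTERNAL_IP: $2" >&2; return 1; }
    case "$1" in
        add)
            echo "iptables -N $CHAIN"
            # New connections may only start from the home end of the tunnel.
            echo "iptables -A $CHAIN -i tun0 -s $TUN_NET -j ACCEPT"
            echo "iptables -A $CHAIN -o tun0 -d $TUN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            echo "iptables -I FORWARD 1 -j $CHAIN"
            echo "iptables -t nat -A POSTROUTING -s $TUN_PEER -j SNAT --to-source $2"
            ;;
        del)
            echo "iptables -t nat -D POSTROUTING -s $TUN_PEER -j SNAT --to-source $2"
            echo "iptables -D FORWARD -j $CHAIN"
            echo "iptables -F $CHAIN"
            echo "iptables -X $CHAIN"
            ;;
        *) echo "usage: tunnel_rules add|del INTERNAL_IP" >&2; return 1 ;;
    esac
}

# "--apply INTERNAL_IP" (as root) executes the add rules; otherwise only the functions are defined.
if [ "${1:-}" = "--apply" ]; then
    rules=$(tunnel_rules add "${2:-}") || exit 1
    printf '%s\n' "$rules" | sh -e
fi
```

Leaving the "10.1.1.x" placeholder in place is rejected by the address check rather than passed to SNAT.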