I need to make regular ssh connections to a host behind a Bering-uclibc firewall/router. Normally, this is _not_ a problem. In one case, described herein, special circumstances obtain; and I need advice on how to best deal with the situation.
Basic Specifications
--------------------
Destination [A] is a system behind a single IP cable modem. Everything
works as expected in other operations. I want to ssh into [A].
Source [B] is a system behind a black box proxy.
Alternate source [C] is a system on the Internet, but not in a LAN
attached to either [A] or [B].
Tested Scenarios
----------------
I. When I do this:
    DNAT net loc:$A:22 tcp 60022
then I can successfully ssh from [C] to [A], but the proxy at [B]
prevents ssh from [B] to [A].
II. When I do this:
    DNAT net loc:$A:22 tcp 443
shorewall *fails* to allow the connection from anywhere to [A], and
there are *NO* messages in /var/log/shorewall.log.
III. When I do this:
    DNAT net loc:$A tcp 443
and change sshd on [A] to listen on tcp 443 instead of tcp 22, then I
can connect from [B] to [A], and from everywhere, successfully.
To me, this is an inconvenient kludge, not the least reason being the
non-standard sshd setup and the extra port assignment steps at every ssh
connection.
What in shorewall is interfering with Scenario II?
How can I work around this behavior?
Is there another solution to this dilemma?
What do you think?
--
Best Regards,
mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know. The more I know, the more I know I don't know . . .
--
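An added diagnostic, not from the original post or from Shorewall: given the text of `iptables-save` and `netstat -tln` captured on the firewall, it lists every nat-table rule matching a port in chain order and reports whether the firewall itself has a listener on that port, two things worth confirming for scenario II before looking further. The chain name net_dnat, interface eth0 and address 10.0.0.10 are constructed sample values.

```shell
#!/bin/sh
# Added diagnostic example, not from the original post. It parses the text
# of `iptables-save` and `netstat -tln` (captured on the firewall) to show,
# for one TCP port, every nat-table rule that matches it, in chain order,
# and whether a daemon on the firewall itself listens on that port.
# The sample output below is constructed; chain names follow Shorewall's
# conventions and 10.0.0.10 stands in for the host [A].

# Print each nat-table rule (in order) whose --dport equals $1; $2 is the
# iptables-save text.
nat_rules_for_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A / && $0 ~ ("--dport " p "( |$)") { print }
    '
}

# Succeed (exit 0) if netstat text $2 shows a TCP listener on port $1.
local_listener_on_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" p "$") && $NF == "LISTEN" { found = 1 }
        END { exit !found }
    '
}

# One-line summary for port $1 from iptables-save text $2 and netstat text $3.
diagnose_port() {
    n=$(nat_rules_for_port "$1" "$2" | awk 'END { print NR }')
    if local_listener_on_port "$1" "$3"; then l=yes; else l=no; fi
    echo "port $1: $n nat rule(s); local listener: $l"
}

# Constructed sample: the DNAT rules from scenarios I and II are both loaded,
# and something on the firewall is also bound to 443.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:net_dnat - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A net_dnat -p tcp -m tcp --dport 60022 -j DNAT --to-destination 10.0.0.10:22
-A net_dnat -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.10:22
COMMIT'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

diagnose_port 443 "$SAMPLE_NAT" "$SAMPLE_NETSTAT"
nat_rules_for_port 443 "$SAMPLE_NAT"
```

On a live firewall, replace the two sample variables with `$(iptables-save)` and `$(netstat -tln)`; an earlier rule in the same chain that also matches the port, or a local listener, is what to look at first.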