Re: SSH to a box behind NAT
James Long wrote to Ryan Thompson:

> Then I'd suggest creating a ppp-over-ssh tunnel ala Greg Bond's
>
> http://www.itga.com.au/~gnb/vpn/
>
> Have (Server) initiate the tunnel, and let the other end of the
> tunnel terminate at (Manager). You can then use the tunnel to
> effectively bypass the NT NAT box.

Now *that* is an excellent solution. Thanks!

- Ryan

--
Ryan Thompson <[EMAIL PROTECTED]>
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Re: SSH to a box behind NAT
On Mon, Mar 10, 2003 at 11:32:00PM -0600, Ryan Thompson wrote:

> (So, it is not possible, for instance, to set up port based NAT for
> inbound SSH, which is one of two things I'd normally do). The server
> can, however, initiate arbitrary outbound connections.

Then I'd suggest creating a ppp-over-ssh tunnel ala Greg Bond's

http://www.itga.com.au/~gnb/vpn/

Have (Server) initiate the tunnel, and let the other end of the
tunnel terminate at (Manager). You can then use the tunnel to
effectively bypass the NT NAT box.

>                <--- NAT --->
> [ Server ] --- [ NT Gateway ] --- { Internet } --- [ Manager ]
> 192.168.0.2  192.168.0.1  207.1.1.1                  24.1.1.1

     tun0                                               tun0
  172.16.16.1                   <>                   172.16.16.2

Once the tunnel comes up, (Manager) should be able to ssh at will
into 172.16.16.1 interactively.
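
One way to bring up the tunnel suggested in the message above, as an added example that is not part of the thread and not the configuration from Greg Bond's page. It assumes a pppd that supports the `pty` and `notty` options (the interface then appears as ppp0 rather than tun0), a hypothetical `tunnel` account on Manager, and a hypothetical key path; the addresses are the ones in the diagram.

```sh
#!/bin/sh
# Added example, not from the thread. Run from cron on Server: "tunnel.sh run".
# Assumptions: pppd on both hosts supports "pty"/"notty" (ppp 2.4.x); Manager has
# an account "tunnel" (hypothetical) allowed to run pppd via sudo, no password.
MANAGER=24.1.1.1            # Manager's public address, from the thread's diagram
LOCAL=172.16.16.1           # Server end of the tunnel
REMOTE=172.16.16.2          # Manager end of the tunnel
KEY=/root/.ssh/tunnel_key   # hypothetical path to an unattended, tunnel-only key

# Entry for ~tunnel/.ssh/authorized_keys on Manager. The forced command means a
# copy of Server's key can only start pppd on Manager, never a shell.
manager_key_line() {        # $1 = Server's public key
    printf 'command="sudo /usr/sbin/pppd nodetach notty noauth",%s %s\n' \
        'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty' "$1"
}

# Succeeds when the interface listing on stdin already shows LOCAL -> REMOTE.
# Matches Linux "ip -o addr show" and BSD "ifconfig" point-to-point lines.
tunnel_up() {
    addrs=$(cat)
    case "$addrs" in
        *"inet $LOCAL peer $REMOTE/"*|*"inet $LOCAL --> $REMOTE "*) return 0 ;;
    esac
    return 1
}

# Server dials out through the NAT; pppd talks to its peer over ssh's stdio.
start_tunnel() {
    pppd updetach noauth pty \
        "ssh -T -e none -o BatchMode=yes -i $KEY tunnel@$MANAGER" \
        "$LOCAL:$REMOTE"
}

# Only act when asked to, so the functions can be sourced and checked offline.
if [ "${1:-}" = "run" ]; then
    { ip -o addr show 2>/dev/null || ifconfig; } | tunnel_up || start_tunnel
fi
```

Because Server holds this key unattended, the `authorized_keys` restrictions on Manager are what limit the damage if Server is compromised.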
Re: SSH to a box behind NAT
Nathan Kinkade wrote to Ryan Thompson:

> > Unfortunately, that idea has, so far, been the *last* thing to
> > come to mind. Any *other* ideas? :-)
> >
> > Thanks, - Ryan
>
> Could you have Server start an xterm, or similar, and have it send
> the display to Manager - with something like 'xterm -display
> Manager:0' from Server? This is assuming that you are running X on
> Manager.

That's a reasonable idea. Thanks. Neither Manager nor Server has X
installed (and, typically, Manager itself is accessed remotely, too),
but I suppose that isn't out of the question.

Once it's deployed, Server will be a thousand kilometers away from
here in a locked office, sans head, sans in-house IT. Remote
manageability is therefore somewhat of a necessity. :-)

- Ryan
Re: SSH to a box behind NAT
On Mon, Mar 10, 2003 at 11:32:00PM -0600, Ryan Thompson wrote:

> Hi all,
>
> I have a FreeBSD server behind NAT (on an RFC1918 address). The NAT
> machine is actually an NT box on a network we don't have access to.
> (So, it is not possible, for instance, to set up port based NAT for
> inbound SSH, which is one of two things I'd normally do). The server
> can, however, initiate arbitrary outbound connections.
>
> So, I'm fishing for a tech workaround to this management problem. :-)
>
> I need to be able to have an interactive SSH session on the server
> (Server) from another host (Manager) on the Internet (for remote
> management). That is, I need to connect to Server to do remote
> management.
>
>                <--- NAT --->
> [ Server ] --- [ NT Gateway ] --- { Internet } --- [ Manager ]
> 192.168.0.2  192.168.0.1  207.1.1.1                  24.1.1.1
>
> Manager is a highly available FreeBSD server (i.e., static public IP).
>
> The first thing that comes to mind is some kind of "pull" technique to
> have *Server* initiate the connection. Server already initiates cron'd
> SSH connections to Manager to do automated backup/rsync tasks, but I
> can't think of a way to actually start an interactive login in that
> manner.
>
> So far the best I've come up with is to configure a secure known path
> on Manager for batch scripts (so, not really interactive, but close
> enough for 90% of tasks) and have Server simply attempt to scp (pull)
> the file at regular intervals, and execute its contents. Server can
> capture the output and scp (push) that back to Manager. Manager never
> actually initiates anything. Obviously, this will be a leading cause
> of ass pain in troubleshooting scenarios, and will be a *real* pain
> for anything that actually requires an interactive session.
>
> Unfortunately, that idea has, so far, been the *last* thing to come to
> mind. Any *other* ideas? :-)
>
> Thanks,
> - Ryan

Could you have Server start an xterm, or similar, and have it send
the display to Manager - with something like 'xterm -display
Manager:0' from Server? This is assuming that you are running X on
Manager.

Nathan

--
GPG Public Key ID: 0x4250A04C
gpg --keyserver pgp.mit.edu --recv-keys 4250A04C
http://63.105.21.156/gpg_nkinkade_4250A04C.asc
SSH to a box behind NAT
Hi all,

I have a FreeBSD server behind NAT (on an RFC1918 address). The NAT
machine is actually an NT box on a network we don't have access to.
(So, it is not possible, for instance, to set up port based NAT for
inbound SSH, which is one of two things I'd normally do). The server
can, however, initiate arbitrary outbound connections.

So, I'm fishing for a tech workaround to this management problem. :-)

I need to be able to have an interactive SSH session on the server
(Server) from another host (Manager) on the Internet (for remote
management). That is, I need to connect to Server to do remote
management.

               <--- NAT --->
[ Server ] --- [ NT Gateway ] --- { Internet } --- [ Manager ]
192.168.0.2  192.168.0.1  207.1.1.1                  24.1.1.1

Manager is a highly available FreeBSD server (i.e., static public IP).

The first thing that comes to mind is some kind of "pull" technique to
have *Server* initiate the connection. Server already initiates cron'd
SSH connections to Manager to do automated backup/rsync tasks, but I
can't think of a way to actually start an interactive login in that
manner.

So far the best I've come up with is to configure a secure known path
on Manager for batch scripts (so, not really interactive, but close
enough for 90% of tasks) and have Server simply attempt to scp (pull)
the file at regular intervals, and execute its contents. Server can
capture the output and scp (push) that back to Manager. Manager never
actually initiates anything. Obviously, this will be a leading cause
of ass pain in troubleshooting scenarios, and will be a *real* pain
for anything that actually requires an interactive session.

Unfortunately, that idea has, so far, been the *last* thing to come to
mind. Any *other* ideas? :-)

Thanks,
- Ryan