With all this cool routing talk I thought I would share my experience with
getting PPP to run over ssh to a network behind a firewall. Bit of a mini
howto of a mini howto. There were a few things which I stumbled on.

What I have is a machine on a network, let's call it 10.0.0.100, behind a
firewall which we will call 203.0.0.5. The firewall does port forwarding
of port 22 (ssh) from 203.0.0.5 to 10.0.0.100. So you ssh onto 203.0.0.5
and end up on 10.0.0.100. As a side note, the firewall will only do this
port forward, and therefore allow ssh, for one source IP address: mine. Don't
want everyone hammering your sshd.

So I found the Firewall Piercing Howto at
http://mirror.aarnet.edu.au/LDP/HOWTO/mini/Firewall-Piercing.html
and started to follow its instructions (well, there weren't any really).

I compiled the required cotty program that lets you connect two terminals
together, or in this case two ppp sessions.

There was an example command line of

cotty -d -- pppd silent 192.168.0.1:192.168.0.2 \
      -- ssh -t [EMAIL PROTECTED] pppd

Of course I tried that and nothing worked, so what did I have to do?

First of all make sure that you can ssh into the remote machine without
having to enter the password. This means you will have to use RSA
authentication for ssh. On my machine I ran ssh-keygen and then copied the
line from .ssh/identity.pub into the file .ssh/authorized_keys on the
remote server.

Another thing that would not work was pppd. Firstly, you could only run it
as root; I added myself to the group, but it still needed other things, so
I ended up using root at both ends. I had to set PermitRootLogin to yes in
/etc/ssh/sshd_config at the remote end to get it to allow you to come
in as root.

The pppd on both machines also wanted to do authentication, so I had to add
the noauth option to the pppd command line.

Now I was able to run the tunnel via

 cotty -- pppd 10.0.0.101:10.0.0.102 noauth \
       -- ssh -t -l root 203.0.0.5 pppd noauth

This uses 10.0.0.101 as the local end and 10.0.0.102 as the remote end; I
just picked two addresses that were not in use.

Last thing to do was add a static route on the local machine for the
remote network, telling it to use the new interface which was just
created.

 /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 dev ppp0

You then have to make sure that ip_forward is set to 1 on the remote
machine so it will forward packets onto the other machines as they come in
over the ppp session. The local machine now looks like 10.0.0.101 on the
remote network, and 10.0.0.100 does a proxyarp for that address so all the
other machines on the network know where to send packets for it
(well, sort of).

Once that was done I could ping any of the machines in the 10.0.0.x range;
the traffic would flow over the encrypted link and onto the internal
network. I can happily do anything remotely that I could internally
(telnet, web, ftp), as long as it uses TCP/IP. I have not been able to get
smbmount to work yet.

Enjoy.

Rodos

-- 
[EMAIL PROTECTED] | Ever notice how fast Windows runs ?  -- Neither did I.
Camion Technology |                                              [unknown]
+61 2 9873 5105   |
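As an added example (it is not from Rodos's post or from the Firewall-Piercing HOWTO), here are the steps of the post collected into one POSIX sh script. It assumes the post's addresses (firewall 203.0.0.5 forwarding port 22 to 10.0.0.100, tunnel ends 10.0.0.101 and 10.0.0.102) and a Linux box with cotty, pppd and ssh installed; the function names (net_for, tunnel_cmd, route_cmd, remote_setup_cmds, permits_root, key_auth_works, run_tunnel) are mine. Without arguments it only prints the commands it would run, so it can be tried offline; `run` actually brings the link up. It also shows the `proxyarp` pppd option, which is the usual way to get the remote end answering ARP for the tunnel address the post describes.

```shell
#!/bin/sh
# Added example, not code from the original post or the HOWTO. Addresses
# are the ones used in the post; function names are assumptions of this
# example. Only "run" touches the network; the default action just prints.

FIREWALL=203.0.0.5          # public address of the port-forwarding firewall
INSIDE_HOST=10.0.0.100      # box that really receives the forwarded ssh
INSIDE_MASK=255.255.255.0
LOCAL_PPP=10.0.0.101        # our end of the ppp link
REMOTE_PPP=10.0.0.102       # their end of the ppp link

# Bitwise-AND an IP with a dotted netmask and print the network address.
# `route add -net` rejects a destination with host bits set, so the route
# has to be for 10.0.0.0, not 10.0.0.100.
net_for() {
    set -- $(printf '%s %s' "$1" "$2" | tr '.' ' ')
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# The cotty command line from the post: local pppd on one side, a root ssh
# session running the remote pppd on the other. noauth at both ends because
# neither pppd has PAP/CHAP secrets for its peer. Any extra words given as
# $1 (e.g. "proxyarp") are appended to the remote pppd's options.
tunnel_cmd() {
    printf 'cotty -- pppd %s:%s noauth -- ssh -t -l root %s pppd noauth%s\n' \
        "$LOCAL_PPP" "$REMOTE_PPP" "$FIREWALL" "${1:+ $1}"
}

# Static route for the internal network via the new ppp interface.
route_cmd() {
    printf '/sbin/route add -net %s netmask %s dev ppp0\n' \
        "$(net_for "$INSIDE_HOST" "$INSIDE_MASK")" "$INSIDE_MASK"
}

# What has to be true on 10.0.0.100: IP forwarding on (Linux sysctl file),
# and its pppd doing proxy ARP for our tunnel address.
remote_setup_cmds() {
    printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    tunnel_cmd proxyarp
}

# Read an sshd_config on stdin; succeed only if root logins are allowed
# (needed because pppd is run as root at both ends).
permits_root() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes'
}

# Key-based login check. BatchMode makes ssh fail instead of prompting,
# which is what matters here: cotty cannot type a password for you.
key_auth_works() {
    ssh -o BatchMode=yes -l root "$FIREWALL" true >/dev/null 2>&1
}

run_tunnel() {
    key_auth_works || { echo "ssh key auth to $FIREWALL failed" >&2; exit 1; }
    eval "$(tunnel_cmd)" &          # cotty stays up as long as the link does
    n=0
    while ! ifconfig ppp0 >/dev/null 2>&1; do   # wait for pppd to create ppp0
        n=$((n + 1)); [ "$n" -lt 30 ] || { echo "ppp0 never came up" >&2; exit 1; }
        sleep 1
    done
    eval "$(route_cmd)"
}

case "${1:-}" in
    run) run_tunnel ;;
    *)   tunnel_cmd; route_cmd; remote_setup_cmds ;;
esac
```

The default (print-only) mode is deliberate: every command the script would execute is visible before anything is run as root, and the route is computed from the host address and mask rather than typed by hand.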



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
