DaemonForums
Other BSD and UNIX/UNIX-like
#1
5th September 2008
starbuck (Port Guard, Eugene, OR; joined Apr 2008)

Forward SSH from some port to some other machine

I have a Mac OS X Server running as a gateway/proxy for several machines behind it. I would like to be able to do this:

Code:
ssh user@gateway -p 2205
...and get forwarded to some other machine (behind the gateway/proxy) at user@10.0.0.105:22 or whatever. How can I do this?

I did some digging on google and it looks like I need to use the -L flag with the ssh command on the gateway machine. Wasn't really working for me though. Any suggestions?

Essentially I want to give a user ssh access to a machine behind the gateway.
#2
5th September 2008
vermaden (Administrator, pl_PL.lodz; joined Apr 2008)

short:
# ssh -D 4567 -l user 10.0.0.105

long:
From the gateway machine, run that command to the box that you want to be visible outside on port 4567. After that, if you ssh to gateway:4567 you will really be connecting to 10.0.0.105:22.
__________________
religions, worst damnation of mankind
"If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus Torvalds

Linux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for “GNU's Not UNIX”.
vermaden's: links resources deviantart spreadbsd
#3
6th September 2008
starbuck (Port Guard)

Quote:
Originally Posted by vermaden
short:
# ssh -D 4567 -l user 10.0.0.105

long:
From the gateway machine, run that command to the box that you want to be visible outside on port 4567. After that, if you ssh to gateway:4567 you will really be connecting to 10.0.0.105:22.
Thanks I'll give that a whirl!
#4
8th September 2008
starbuck (Port Guard)

Quote:
Originally Posted by vermaden
short:
# ssh -D 4567 -l user 10.0.0.105

long:
From the gateway machine, run that command to the box that you want to be visible outside on port 4567. After that, if you ssh to gateway:4567 you will really be connecting to 10.0.0.105:22.
I did what you said and now when I try to ssh to the gateway machine on that port I get this error:

Code:
$ ssh gateway:2205
ssh: gateway:2205: Name or service not known
#5
8th September 2008
anomie (Local, Texas; joined Apr 2008)

You'll want to use the same syntax you did in your first post.
__________________
Kill your t.v.
#6
8th September 2008
vermaden (Administrator)

Quote:
Originally Posted by starbuck
Code:
$ ssh gateway:2205
use that syntax:
Code:
$ ssh gateway -p 2205
#7
8th September 2008
starbuck (Port Guard)

Quote:
Originally Posted by anomie
You'll want to use the same syntax you did in your first post.
Wow, I'm totally not with it today. Ok, so now I'm getting a "Connection refused" error. I have a feeling that the firewall is blocking port 2205. I spent some time fiddling with the Mac OS X Server firewall but had no luck. Any ideas?

Also, will this solution be persistent?
#8
8th September 2008
vermaden (Administrator)

If you want to make this permanent and you are already using a firewall, then it would be better to just use the firewall for that port forwarding.
#9
8th September 2008
starbuck (Port Guard)

Quote:
Originally Posted by vermaden
If you want to make this permanent and you are alread using a firewall then it would be better to just user firewall for that port forwarding.
Hrm... Ok, I fiddled with that a bit already, but didn't have any luck. I guess I'll be diving into the documentation for the OS X firewall. Thanks for all your help everyone.
9th September 2008
robbak (Robert Backhaus; VPN Cryptographer, North Queensland, Australia; joined May 2008)

$ ssh user@gateway -p 2205 -L 8080:10.0.0.61:80

That will open port 8080 on your local machine, and forward any packets that hit it to port 80 on machine 10.0.0.61 on the remote network. (My man page specifies a capital L). Specify localhost (127.0.0.1) if you want the remote server itself to receive the packets.

-R does the same thing in reverse: Opens the port on the remote end and forwards packets back to your network.
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
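The forwards discussed in this thread, as an added example that is not code from any of the posters. It covers both vermaden's gateway-side forward (post #2) and robbak's client-side -L directly above. Two points a practitioner would want here: -D is dynamic forwarding, a SOCKS proxy on the given port, not a fixed forward to one host:port, so -L is the option that does what post #2 describes; and OpenSSH binds a -L listener to 127.0.0.1 only unless -g (or GatewayPorts) is given, which from another machine looks exactly like the "Connection refused" in post #7. The listener_scope function reads netstat -an output and reports whether a port is bound publicly or only on loopback. The host names, login user and port numbers come from the thread; the netstat lines are constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Two OpenSSH forwards for the setup
# described above (a gateway in front of 10.0.0.105), plus a check on where a
# forward's listener is actually bound.

# Gateway side: make gateway:PUBLIC_PORT reach TARGET:TARGET_PORT. Run on the gateway.
#   -N  no remote command (tunnel only)    -f  go to background after authentication
#   -g  bind the listener on all interfaces; without it OpenSSH binds 127.0.0.1 only
#       and clients on other machines get "Connection refused".
# The -L destination is resolved by the far end (TARGET), so "localhost" there is
# TARGET itself.
gateway_forward_cmd() { # $1 public port, $2 target host, $3 target port, $4 login user
    printf 'ssh -f -N -g -L %s:localhost:%s %s@%s\n' "$1" "$3" "$4" "$2"
}

# Client side (robbak's form): reach an internal web server through the gateway with
# no listener on the gateway at all. local:8080 -> 10.0.0.61:80 via gateway:2205.
client_forward_cmd() { # $1 local port, $2 internal host, $3 internal port, $4 user@gateway, $5 gateway ssh port
    printf 'ssh -N -L %s:%s:%s -p %s %s\n' "$1" "$2" "$3" "$5" "$4"
}

# Classify the LISTEN socket for a port from `netstat -an` output in the BSD/macOS
# "addr.port" column format. Prints: public (wildcard or non-loopback bind),
# loopback (127.0.0.1 / ::1 only) or none (no listener on that port).
listener_scope() { # $1 port; netstat -an output on stdin
    awk -v port="$1" '
        $NF == "LISTEN" {
            n = split($4, part, "[.]")          # last element is the port
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "*") pub = 1
            else if (addr == "127.0.0.1" || addr == "::1") loop = 1
            else pub = 1                        # bound to a specific non-loopback address
        }
        END { print (pub ? "public" : (loop ? "loopback" : "none")) }'
}

# Constructed sample netstat output (not captured from a real system): a forward
# started without -g, and the same forward started with -g.
NETSTAT_WITHOUT_G='tcp4       0      0  127.0.0.1.2205         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN'
NETSTAT_WITH_G='tcp4       0      0  *.2205                 *.*                    LISTEN
tcp6       0      0  *.2205                 *.*                    LISTEN'

# Print the commands (they are not executed here) and classify the samples.
gateway_forward_cmd 2205 10.0.0.105 22 user
client_forward_cmd 8080 10.0.0.61 80 user@gateway 2205
printf 'without -g: %s\n' "$(printf '%s\n' "$NETSTAT_WITHOUT_G" | listener_scope 2205)"
printf 'with -g:    %s\n' "$(printf '%s\n' "$NETSTAT_WITH_G" | listener_scope 2205)"
# On a live gateway: netstat -an | listener_scope 2205
```

Starting the forward with -g makes gateway:2205 reachable from anywhere the gateway is; the target's sshd still authenticates every connection, but the gateway's firewall should still limit which sources may reach 2205, and the firewall must of course allow the port at all. An ssh client process started this way is also not persistent across reboots or dropped sessions; for a permanent mapping the natd rule later in this thread (or a launchd job that restarts the ssh client) is the better fit.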
18th September 2008
starbuck (Port Guard)

Finally found a solution; Apple doesn't make this easy...

In order to do this you'll need to edit the natd.plist file on your Mac OS X Server machine. It is located at:

Code:
/etc/nat/natd.plist
This is an XML file. You'll want to add the following code block just before the closing array and dict tags.

Code:
        <key>redirect_port</key>
        <array>
                <dict>
                        <key>aliasIP</key>
                        <string>INCOMING IP</string>
                        <key>aliasPortRange</key>
                        <string>INCOMING PORT</string>
                        <key>proto</key>
                        <string>tcp</string>
                        <key>targetIP</key>
                        <string>OUTGOING IP</string>
                        <key>targetPortRange</key>
                        <string>OUTGOING PORT</string>
                </dict>
                <dict>
                        <key>aliasIP</key>
                        <string>INCOMING IP</string>
                        <key>aliasPortRange</key>
                        <string>INCOMING PORT</string>
                        <key>proto</key>
                        <string>tcp</string>
                        <key>targetIP</key>
                        <string>OUTGOING IP</string>
                        <key>targetPortRange</key>
                        <string>OUTGOING PORT</string>
                </dict>
        </array>
You'll only want to change the string blocks; do not change anything within a key block.

Add as many dict blocks as you need to accommodate your redirect rules. After you have made the necessary changes simply restart NAT and voila, you're done!

Additional info:

Apple
CyBeRHQ.nl
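A small generator for the redirect_port entry described in the post above, added here as an example; it is not code from the post or from Apple. It fills the INCOMING/OUTGOING placeholders from arguments after checking that each value is a dotted-quad IPv4 address or a port in 1..65535, because the values are pasted straight into XML and a stray character (a "<", a mistyped port) leaves natd.plist unparseable. The sample call uses the thread's 10.0.0.105:22 as the target and the documentation address 203.0.113.10 as an assumed public address for the gateway; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Emits one redirect_port <dict> for
# /etc/nat/natd.plist from validated parameters so that only a well-formed
# IPv4 address and port ever reach the XML.

# Dotted quad with four octets, each 0-255; rejects empty strings and any
# character outside [0-9.], so "<" or "&" can never be interpolated.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')   # split on dots; word splitting is intended
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Decimal port in 1..65535 (natd accepts ranges, but a single port is all this needs).
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# $1 external (alias) IP, $2 external port, $3 internal (target) IP, $4 internal port.
# Prints the <dict> with the same keys and indentation as the thread's fragment;
# returns 1 and prints nothing if any argument fails validation.
redirect_port_dict() {
    is_ipv4 "$1" && is_port "$2" && is_ipv4 "$3" && is_port "$4" || return 1
    printf '%s\n' \
        '                <dict>' \
        '                        <key>aliasIP</key>' \
        "                        <string>$1</string>" \
        '                        <key>aliasPortRange</key>' \
        "                        <string>$2</string>" \
        '                        <key>proto</key>' \
        '                        <string>tcp</string>' \
        '                        <key>targetIP</key>' \
        "                        <string>$3</string>" \
        '                        <key>targetPortRange</key>' \
        "                        <string>$4</string>" \
        '                </dict>'
}

# The thread's case: outside clients use gateway:2205, natd hands them to 10.0.0.105:22.
# 203.0.113.10 is an assumed public address for the gateway (documentation range).
redirect_port_dict 203.0.113.10 2205 10.0.0.105 22
# A value that would corrupt the plist is refused instead of being written out.
redirect_port_dict '10.0.0.1<' 2205 10.0.0.105 22 || echo 'rejected: bad aliasIP' >&2
```

Paste the emitted dict inside the existing redirect_port array (back the file up first), then run `plutil -lint /etc/nat/natd.plist` before restarting NAT; a lint error at that point is far cheaper than a NAT service that fails to come up. Note that this rule carries no source restriction: every host that can reach the gateway's public address gets to talk to the internal sshd, so pair it with a firewall rule if only known clients should have that access.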