Routing over Internet to private 10.x.x.x subnet

Post by T » Sun, 25 Aug 2002 18:50:35



I'm trying to allow my home linux box ssh access to an internal work
machine for remote support.  The work machine is on a private IP on a
subnet protected by a gnat firewall box, which has two NICs, one with
a public IP I can ping etc.

I've configured the gnat box to allow my IP access to the ssh machine
on the work subnet, but I'm not sure how to tell my home linux box to
route all data for that subnet through the gnatbox.

So let's say my home IP is 212.212.212.212, the gnatbox is 194.1.1.1
and the work machine I'm trying to access is 10.10.10.10.

I need to ssh to 10.10.10.10 from my home linux box, and obviously
I'll need to add a route to say where data for the 10.10.10.0/24
subnet should go.  I've tried:

route add -host 194.1.1.1 eth1   ;add route to gnatbox or next cmd doesn't work
route add -net 10.10.10.0/24 gw 194.1.1.1 eth1  ;add route to net via gnatbox

I've then tried with and without next route cmd:

route del -host 194.1.1.1 eth1

It doesn't work.  I'm ignoring the possibility of a gnatbox config
error for now - and have tried to verify data for 10.10.10.x is at
least being sent to 194.1.1.1 for it to pass on.  traceroute 194.1.1.1
is OK, but traceroute 10.10.10.x gets nowhere near 194.1.1.1 - but
rather only as far as my ISP.

I'm sure to many it's obvious what I'm doing wrong - and I assume what
I'm trying to do is not possible in this way.  I just thought I'd at
least try before asking for help :)

Any help appreciated - don't fancy the 40 mile drive to come into the
office to change someone's password.

Tim


Routing over Internet to private 10.x.x.x subnet

Post by 3ab.. » Sun, 25 Aug 2002 19:00:52


|So let's say my home IP is 212.212.212.212, the gnatbox is 194.1.1.1
|and the work machine I'm trying to access is 10.10.10.10.
|
|I need to ssh to 10.10.10.10 from my home linux box, and obviously
|I'll need to add a route to say where data for the 10.10.10.0/24
|subnet should go.  I've tried:

What you should do is use port forwarding on the gnatbox so that
connecting to port 22 on 194.1.1.1 will connect to 10.10.10.10 on the
inside.


Routing over Internet to private 10.x.x.x subnet

Post by Edward Ned Harve » Sun, 25 Aug 2002 22:23:56



> |So let's say my home IP is 212.212.212.212, the gnatbox is 194.1.1.1
> |and the work machine I'm trying to access is 10.10.10.10.
> |
> |I need to ssh to 10.10.10.10 from my home linux box, and obviously
> |I'll need to add a route to say where data for the 10.10.10.0/24
> |subnet should go.  I've tried:

> What you should do is use port forwarding on the gnatbox so that
> connecting to port 22 on 194.1.1.1 will connect to 10.10.10.10 on the
> inside.

Yep, there are only 3 solutions, the one listed above is probably the best
one.  Here are the other two solutions:

- Activate ssh on the nat box, ssh to it, and then ssh from there to the
internal network.
- VPN


Routing over Internet to private 10.x.x.x subnet

Post by David Efflan » Mon, 26 Aug 2002 01:26:45



> I'm trying to allow my home linux box ssh access to an internal work
> machine for remote support.  The work machine is on a private IP on a
> subnet protected by a gnat firewall box, which has two NICs, one with
> a public IP I can ping etc.

> I've configured the gnat box to allow my IP access to the ssh machine
> on the work subnet, but I'm not sure how to tell my home linux box to
> route all data for that subnet through the gnatbox.

> So let's say my home IP is 212.212.212.212, the gnatbox is 194.1.1.1
> and the work machine I'm trying to access is 10.10.10.10.

> I need to ssh to 10.10.10.10 from my home linux box, and obviously
> I'll need to add a route to say where data for the 10.10.10.0/24
> subnet should go.  I've tried:

> route add -host 194.1.1.1 eth1   ;add route to gnatbox or next cmd doesn't work
> route add -net 10.10.10.0/24 gw 194.1.1.1 eth1  ;add route to net via gnatbox

If you just need to access specific port(s) on the private subnet you
either need to:

- Have the gnatbox forward specific port(s) to specific local IP(s).  
Each port can only be directed to 1 IP.

- Tunnel necessary port(s) through an ssh connection to the gnatbox.  To
connect to the remote private ip:port you would simply connect to that
port on localhost (or local eth ip:port from other boxes on your LAN if
you enabled GatewayPorts yes).  You can set up ~/.ssh/config for different
connections to access various remote private IPs.  This only requires
normal user access on the gnatbox.

- Tunnel the whole private subnet through a VPN like FreeS/WAN (ipsec).  
This would require root access on gnatbox to set up, including allowing
incoming udp port 500 and protocols 50, 51 (not ports) and script to punch
a hole for the VPN through the firewall.  Depending upon your iptables
rules, you might have trouble accessing the firewall itself through the
tunnel (outside IP from LAN considered spoofing), but you can run a
separate connection right to the firewall, or simply use ssh to access it.
SSH Sentinel also works as a Windows client.

I have not tried forwarding the port and protocol to an internal freeswan.

--
David Efflandt - All spam ignored  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/


Routing over Internet to private 10.x.x.x subnet

Post by /dev/nul » Mon, 26 Aug 2002 15:14:41


Use PPP over SSH to make a VPN.

The gateway of the machines on each side of the VPN should be set up to
route the other network's data across the VPN.

http://www.tldp.org/HOWTO/mini/ppp-ssh/

/dev/null


Routing over Internet to private 10.x.x.x subnet

Post by T » Mon, 26 Aug 2002 19:44:19


Thanks very much for the replies - much appreciated.

I accept the way I tried to do it won't work, and I'll probably go for
the port forward idea.  If I want proper access to the subnet as a
whole, I'll have to look into VPNs.

Just in order for me to understand, can anyone tell me why the gateway
to the 10.x.x.x subnet idea didn't work?  Why the packets never got
near the 194.1.1.1 gnatbox?  Does a gateway have to be available via
ethernet?

Thanks again.

Tim


Routing over Internet to private 10.x.x.x subnet

Post by 4809f5.. » Mon, 26 Aug 2002 21:36:23


|Just in order for me to understand, can anyone tell me why the gateway
|to the 10.x.x.x subnet idea didn't work?  Why the packets never got
|near the 194.1.1.1 gnatbox?  Does a gateway have to be available via
|ethernet?

To be able to access a subnet, all the routers along the path have to
know where to send the packet. 10. addresses are non-routable on the
public Internet so it won't get past your ISP's router. Even if you had
assigned a public subnet to the inside of the remote end, there is no
entry in the other side's ISP to say: to get to the inner subnet, go
through 194.1.1.1. (And of course the side effect of using a public
address on a private subnet is that you will not be able to reach the
real assignees of the public addresses you have appropriated for private
use. Bad if it happens to be a useful web site or something.)

Which is why it only works if it all happens within your network and you
control all the routers, or you effectively make the remote end part of
your network by using a VPN.
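The hop-by-hop behaviour described above, as an added example that is not part of the thread: a small longest-prefix-match forwarding simulation in Python. The home, gnatbox and work addresses are the thread's own; the ISP routers, the 198.51.100.0/30 link between them and every routing table are assumptions constructed for illustration.

```python
# Added example, not code from the thread: hop-by-hop forwarding simulation.
# The ISP routers, their link (198.51.100.0/30) and all tables are constructed.
import ipaddress

CONNECTED, NO_ROUTE = object(), object()  # sentinels returned by lookup()
# IP -> simulated node that owns it, used to follow a next hop to the next router.
HOSTS = {"212.212.212.212": "home", "212.212.212.1": "isp_home",
         "198.51.100.2": "isp_work", "194.1.1.1": "gnatbox", "10.10.10.10": "work"}
# (prefix, gateway) entries; gateway None = directly connected. No ISP table
# carries 10.0.0.0/8: RFC 1918 space is never announced on the public Internet.
TABLES = {
    "home":     [("212.212.212.0/24", None), ("0.0.0.0/0", "212.212.212.1")],
    "isp_home": [("212.212.212.0/24", None), ("198.51.100.0/30", None),
                 ("194.1.1.0/24", "198.51.100.2")],
    "isp_work": [("198.51.100.0/30", None), ("194.1.1.0/24", None)],
    "gnatbox":  [("194.1.1.0/24", None), ("10.10.10.0/24", None)],
}

def lookup(table, dst):
    """Longest-prefix match: returns a gateway IP string, CONNECTED or NO_ROUTE."""
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return NO_ROUTE
    return CONNECTED if best[1] is None else best[1]

def next_hop(table, dst):
    """Resolve dst to an on-link address; a gateway that is not on a connected
    network is looked up in turn. The packet's destination field never changes."""
    hop = dst
    for _ in range(4):
        via = lookup(table, hop)
        if via is CONNECTED:
            return hop
        if via is NO_ROUTE:
            return None
        hop = ipaddress.ip_address(via)
    return None

def trace(start, dst, extra_routes=()):
    """Forward a packet for dst node by node; extra_routes are added on start."""
    dst = ipaddress.ip_address(dst)
    tables = dict(TABLES, **{start: list(extra_routes) + TABLES[start]})
    node, path = start, [start]
    for _ in range(8):  # hop limit guards against forwarding loops
        if node == HOSTS.get(str(dst)):
            return path
        hop = next_hop(tables[node], dst)
        if hop is None:
            return path + ["dropped at %s: no route to %s" % (node, dst)]
        node = HOSTS[str(hop)]
        path.append(node)
    return path + ["hop limit exceeded"]
```

With the thread's route added, trace("home", "10.10.10.10", [("10.10.10.0/24", "194.1.1.1")]) ends in a drop at the home ISP exactly as it does without it, because the route only picks a next hop and the next hop is resolved through the default gateway anyway; trace("home", "194.1.1.1") reaches the gnatbox, which is why the port-forwarding and ssh-tunnel answers work.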


Routing over Internet to private 10.x.x.x subnet

Post by T » Tue, 27 Aug 2002 23:25:13


> To be able to access a subnet, all the routers along the path have to
> know where to send the packet. 10. addresses are non-routable on the
> public Internet so it won't get past your ISP's router. Even if you had
> assigned a public subnet to the inside of the remote end, there is no
> entry in the other side's ISP to say: to get to the inner subnet, go
> through 194.1.1.1. (And of course the side effect of using a public
> address on a private subnet is that you will not be able to reach the
> real assignees of the public addresses you have appropriated for private
> use. Bad if it happens to be a useful web site or something.)

> Which is why it only works if it all happens within your network and you
> control all the routers, or you effectively make the remote end part of
> your network by using a VPN.

Thanks for that - knew 10. wasn't routable on the internet but
thought (or guessed) that setting the gnatbox IP as the gateway for
10.x.x.x IPs would facilitate the routing from my nix box to the
gnatbox.  The gnatbox would then be able to route the 10. address to
its protected network.  Obviously doesn't work that way as the
packets don't get past my ISP.

Thanks again to all those who replied - my knowledge has increased
slightly.  Will implement the port forwarding suggestion instead.

Tim
