Very Computer

I've configured the gnat box to allow my IP access to the ssh machine
on the work subnet, but I'm not sure how to tell my home linux box to
route all data for that subnet through the gnatbox.

So lets say my home IP is 212.212.212.212, the gnatbox is 194.1.1.1
and the work machine I'm trying to access is 10.10.10.10

I need to ssh to 10.10.10.10 from my home linux box, and obviously
I'll need to add a route to say where data for the 10.10.10.0/24
subnet should go.  I've tried:

route add -host 194.1.1.1 eth1   ;add route to gnatbox or next cmd
doesnt work
route add -net 10.10.10.0/24 gw 194.1.1.1 eth1  ;add route to net via
gnatbox

I've then tried with and without next route cmd:

route del -host 194.1.1.1 eth1

It doesn't work.  I'm ignoring the possibility of a gnatbox config
error for now - ans have tried to verify data for 10.10.10.x is at
least being sent to 194.1.1.1 fo it to pass on.  traceroute 194.1.1.1
is OK, but traceroute 10.10.10.x gets no where near 194.1.1.1 - but
rather only as far as my ISP.

I'm sure to many it's obvious what I'm doing wrong - and I assume what
I'm trying to do is not possible is this way.  I just thought I'd at
least try before asking for help :)

Any help appreciated - don't fancy the 40 mile drive to come into the
office to change someones password.

Tim

What you should do is use port forwarding on the gnatbox so that
connecting to port 22 on 194.1.1.1 will connect to 10.10.10.10 on the
inside.

- Activate ssh on the nat box, ssh to it, and then ssh from there to the
internal network.
- VPN

Quote:> I'm trying to allow my home linux box ssh access to an internal work
> machine for remote support.  The work machine is on a private IP on a
> subnet protected by a gnat firewall box, which has two NICs, one with
> a public IP I can ping etc.

> I've configured the gnat box to allow my IP access to the ssh machine
> on the work subnet, but I'm not sure how to tell my home linux box to
> route all data for that subnet through the gnatbox.

> So lets say my home IP is 212.212.212.212, the gnatbox is 194.1.1.1
> and the work machine I'm trying to access is 10.10.10.10

> I need to ssh to 10.10.10.10 from my home linux box, and obviously
> I'll need to add a route to say where data for the 10.10.10.0/24
> subnet should go.  I've tried:

> route add -host 194.1.1.1 eth1   ;add route to gnatbox or next cmd
> doesnt work
> route add -net 10.10.10.0/24 gw 194.1.1.1 eth1  ;add route to net via
> gnatbox

- Have the gnatbox forward specific port(s) to specific local IP(s).  
Each port can only be directed to 1 IP.

- Tunnel necessary port(s) through an ssh connection to the gnatbox.  To
connect to the remote private ip:port you would simply connect to that
port on localhost (or local eth ip:port from other boxes on your LAN if
you enabled GatewayPorts yes).  You can set up ~/.ssh/config for different
connections to access various remote private IPs.  This only requires
normal user access on the gnatbox.

- Tunnel the whole private subnet through a VPN like FreeS/WAN (ipsec).  
This would require root access on gnatbox to set up, including allowing
incoming udp port 500 and protocols 50, 51 (not ports) and script to punch
a hole for the VPN through the firewall.  Depending upon your iptables
rules, you might have trouble accessing the firewall itself through the
tunnel (outside IP from LAN considered spoofing), but you can run a
separate connection right to the firewall, or simply use ssh to access it.
SSHSentinal also works as a Windows client.

I have not tried forwarding the port and protocol to an internal freeswan.

--
David Efflandt - All spam ignored  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/

The gateway of the machines on each side of the VPN should be set up to
route the other network's data across the VPN.

http://www.tldp.org/HOWTO/mini/ppp-ssh/

/dev/null

I accept the way I tried to do it won't work, and I'll probably go for
the port forward idea.  If I want proper access to the subnet as a
whole, I'll have to look into VPNs.

Just in order for my to understand, can anyone tell me why the gateway
to the 10.x.x.x subnet idea didn't work?  Why the packets never got
near the 194.1.1.1 gnatbox?  Does a gateway have to be available via
ethernet?

Thanks again.

Tim

To be able to access a subnet, all the routers along the path have to
know where to send the packet. 10. addresses are non-routable on the
public Internet so it won't get past your ISP's router. Even if you had
assigned a public subnet to the inside of the remote end, there is no
entry in the other side's ISP to say: to get to the inner subnet, go
through 194.1.1.1. (And of course the side effect of using a public
address on a private subnet is that you will not be able to reach the
real assignees of the public addresses you have appropriated for private
use. Bad if it happens to be a useful web site or something.)

Which is why it only works if it all happens within your network and you
control all the routers, or you effectively make the remote end part of
your network by using a VPN.

Quote:> To be able to access a subnet, all the routers along the path have to
> know where to send the packet. 10. addresses are non-routable on the
> public Internet so it won't get past your ISP's router. Even if you had
> assigned a public subnet to the inside of the remote end, there is no
> entry in the other side's ISP to say: to get to the inner subnet, go
> through 194.1.1.1. (And of course the side effect of using a public
> address on a private subnet is that you will not be able to reach the
> real assignees of the public addresses you have appropriated for private
> use. Bad if it happens to be a useful web site or something.)

> Which is why it only works if it all happens within your network and you
> control all the routers, or you effectively make the remote end part of
> your network by using a VPN.

Thanks again to all those who replied - my knowledge has increased
slightly.  Will implemented the port forwarding suggestion instead.

Tim