
I need to access a Linux box via SSH & Samba that is hidden/connected behind another one.

Setup :-

  
 A        switch    B         C
|----|    |---|    |----|    |----|
|eth0|----|   |----|eth0|    |    |
|----|    |---|    |eth1|----|eth1|
                   |----|    |----|

Eg, SSH/Samba from A to C

How does one go about this?
I was thinking that it cannot be done via IP alone? Or can it?

Could B say "hi on eth0, if you're looking for 192.168.0.2, it's here on eth1"?
Is this NAT? This is a large private network, so what about if another PC has that IP?!

More likely it would be PAT?
A would say "hi 192.168.109.15:1234"
B would say "hi on eth0, traffic for port 1234 goes on here eth1"
How could that be done?

And would the SSH/Samba daemons see the correct packet header info and work??

IP info :-

A - eth0 - 192.168.109.2
B - eth0 - 192.168.109.15
  - eth1 - 192.168.0.1
C - eth1 - 192.168.0.2

A, B & C are RHEL (RedHat), but Windows computers can be connected to the switch. I configured the 192.168.0.* IPs; they are changeable.

Any help?

asked 28 Apr '10, 17:02

Ian Vaughan

What you have termed PAT would work. You will need to have iptables running (or some customizable firewall). Then run the following commands:

# On B: rewrite the destination of SSH and Samba connections that arrive for B so they go to C
# (the jump target is given with -j; -p only selects the protocol)
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A PREROUTING -p tcp --dport 135:139 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A PREROUTING -p tcp --dport 445 -j DNAT --to-destination 192.168.0.2
service iptables save
# enable forwarding in the running kernel (the sysctl.conf change below makes it persistent)
echo 1 > /proc/sys/net/ipv4/ip_forward

In the file /etc/sysctl.conf, change the line:

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

answered 29 Apr '10, 17:22

Kevin M
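
As an added example (not from the thread), here is the DNAT set-up for host B written as a reviewable script: it prints the rules, checks that every DNAT rule has a matching FORWARD rule, and only applies them when asked. It assumes the addresses from the question (B eth0 192.168.109.15, eth1 192.168.0.1, C 192.168.0.2) and that C uses 192.168.0.1 as its default gateway so replies return through B.

```shell
#!/bin/sh
# Added example, not from the original thread: rule set for host B so that
# traffic from A to B's eth0 address on the SSH and Samba TCP ports is
# forwarded to C. Prints the rules for review; "apply" runs them.
# Assumptions (from the question): B has eth0 192.168.109.15 and eth1
# 192.168.0.1; C is 192.168.0.2 and uses 192.168.0.1 as its default gateway,
# so C's replies come back through B and no SNAT is needed.
EXT_IF=eth0; EXT_IP=192.168.109.15
INT_IF=eth1; TARGET=192.168.0.2
PORTS="22 135:139 445"   # SSH plus the Samba/CIFS TCP ports from the answer

dnat_rules() {
    for p in $PORTS; do
        # Rewrite only packets that arrive on eth0 and are addressed to B
        # itself (-i/-d), so packets B merely routes for others are untouched.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $p -j DNAT --to-destination $TARGET"
        # DNAT alone is not enough: the rewritten packet must still pass the
        # FORWARD chain, which a restrictive firewall would otherwise reject.
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $TARGET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Let C's replies back out; nothing else crosses between the segments.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # If C did NOT use B as its gateway, replies would bypass B; you would
    # then also need: iptables -t nat -A POSTROUTING -o $INT_IF -d $TARGET -j MASQUERADE
}

# Consistency check: each DNAT rule must have a FORWARD rule for its port.
check_rules() {
    dnat=$(dnat_rules | grep -c -- '-j DNAT')
    fwd=$(dnat_rules | grep -c -- '--state NEW -j ACCEPT')
    [ "$dnat" -gt 0 ] && [ "$dnat" -eq "$fwd" ]
}

case "${1:-print}" in
    apply)                      # run as root on B
        check_rules || exit 1
        sysctl -w net.ipv4.ip_forward=1
        dnat_rules | sh -e      # execute the printed commands
        service iptables save   # persist across reboots (RHEL)
        ;;
    *)  dnat_rules ;;
esac
```

Run it without arguments to review the rules, then `./forward.sh apply` on B (the file name is assumed); the sysctl.conf edit in the answer above still makes forwarding survive a reboot.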

Can you ssh into box B and then do another ssh into box C from there? Or does that not solve your specific problem?

EDIT (In response to the comment from Ian Vaughan): Have you looked at the route command to set up a default route? Try route --help at the command line for more info (or possibly man route).

answered 28 Apr '10, 22:00

Amos

edited 29 Apr '10, 09:44

That is possible, but a pain!
And that only works for SSH; I'd like to view the Samba shares in Windows Explorer via the IP!

(29 Apr '10, 08:19) Ian Vaughan

PAT would work for SSH.

For Samba try this:

  1. set up A as the master browser for the network segment on the A side (assuming B is not a server and merely passing on packets)
  2. set up C to announce itself to A. See 'remote announce' and 'remote browse sync' in smb.conf
  3. set up a static route in C for the A network (and vice versa if needed)
  4. allow forwarding at B

When C announces its presence to A, stations in A's segment (those connected to the switch) will see it using A as the master browser.

SMB broadcasts cannot normally traverse network subnets, so 'remote announce' makes a server known to another server (and likewise stations) in another subnet.

B should be the default gateway for stations on both sides so packets get properly routed. If not, static routes need to be set up in each station.

This works both ways: if there are stations in the C segment that need to access server A, A should 'announce' itself to C.

Hope this helps.

answered 11 May '10, 20:12

wim

Your host B is known as a dual-homed host. You need B to route traffic between subnets 192.168.0 and 192.168.109:

  1. Configure C (and any other hosts on the 192.168.0 subnet) to use 192.168.0.1 as default gateway.
  2. Configure B to use the switch as default gateway (it probably already is).
  3. Configure B to route subnet 192.168.0 traffic out 192.168.0.1.
  4. Configure your switch to route subnet 192.168.0 traffic to 192.168.109.15.

That will make subnet 192.168.0 accessible to all routable traffic.

You can then use firewall features in the switch and/or in B to obtain the security restrictions you want.

answered 13 Apr '11, 09:11

pbz

Last updated: 13 Apr '11, 09:11

powered by OSQA