I need to access a Linux box via SSH & Samba that is hidden/connected behind another one.

Setup :-

 A        switch    B         C
|----|    |---|    |----|    |----|
|eth0|----|   |----|eth0|    |    |
|----|    |---|    |eth1|----|eth1|
                   |----|    |----|

Eg, SSH/Samba from A to C

How does one go about this?
I was thinking that it cannot be done via IP alone? Or can it?

Could B say "hi on eth0, if you're looking for, it's here on eth1"?
Is this NAT? This is a large private network, so what about if another PC has that IP?!

More likely it would be PAT?
A would say "hi"
B would say "hi on eth0, traffic for port 1234 goes on here eth1"
How could that be done?

And would the SSH/Samba daemons see the correct packet header info and work??

IP info :-

A - eth0 -
B - eth0 -
  - eth1 -
C - eth1 -

A, B & C are RHEL (RedHat), but Windows computers can be connected to the switch. I configured the 192.168.0.* IPs, they are changeable.

Any help?

Your host B is known as a dual homed host. You need for B to route traffic between subnets 192.168.0 and 192.168.109.

Configure C (and any other hosts on 192.168.0 subnet) to use as default gateway.
Configure B to use the switch as default gateway (probably already is).
Configure B to route subnet 192.168.0 traffic out
Configure your switch to route subnet 192.168.0 traffic to

That will make subnet 192.168.0 accessible to all routable traffic.

You can then use firewall features in the switch and/or in B to obtain the security restrictions you want.


PAT would work for SSH.

For Samba try this:

  1. set up A as the master browser for the network segment on the A side (assuming B is not a server and merely passing on packets)
  2. set up C to announce itself to A. See 'remote announce' and 'remote browse sync' of smb.conf
  3. set up a static route in C for the A network (and vice versa if needed)
  4. allow forwarding at B

When C announces its presence to A, stations in A's segment (those connected to the switch) will see it using A as the master browser.

SMB broadcasts cannot normally traverse network subnets, so 'remote announce' makes a server known to another server (and likewise stations) in another subnet.

B should be the default gateway for stations on both sides so packets get properly routed. If not, static routes need to be set up in each station.

This works both ways: if there are stations in the C segment that need to access server A, A should 'announce' itself to C.

Hope this helps.


What you have termed PAT would work. You will need to have iptables running (or some customizable firewall). Then run the following commands:

iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination
iptables -t nat -A PREROUTING -p tcp --dport 135:139 -j DNAT --to-destination
iptables -t nat -A PREROUTING -p tcp --dport 445 -j DNAT --to-destination
service iptables save
echo 1 > /proc/sys/net/ipv4/ip_forward

In the file /etc/sysctl.conf, change the line:

net.ipv4.ip_forward = 0

to:

net.ipv4.ip_forward = 1
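
A stricter variant of the rule set above, as an added example that is not part of the original answer: it prints (without applying) DNAT rules for B plus FORWARD rules that admit only the forwarded ports from one source network. The function names, the `masq` switch and the sample addresses (C as 192.168.0.2, clients in 192.168.109.0/24) are assumptions; the page does not give the hosts' addresses.

```shell
#!/bin/sh
# Dry-run generator: prints the iptables commands for host B, applies nothing.
# Assumes B's FORWARD chain has no earlier rule matching this traffic.

# valid_ipv4 ADDR: succeeds only for a dotted-quad IPv4 address.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# forward_rules IN_IF OUT_IF DEST_IP SRC_NET [masq]
forward_rules() {
    in_if=$1 out_if=$2 dest=$3 src=$4 masq=${5:-}
    valid_ipv4 "$dest" || { echo "bad destination: $dest" >&2; return 1; }
    valid_ipv4 "${src%/*}" || { echo "bad source network: $src" >&2; return 1; }
    # TCP 22 = SSH, 139 = NetBIOS session service, 445 = SMB over TCP
    for port in 22 139 445; do
        # -j (jump to target) selects DNAT; -p only names the protocol
        echo "iptables -t nat -A PREROUTING -i $in_if -s $src -p tcp --dport $port -j DNAT --to-destination $dest"
        # Admit only new connections from SRC_NET to that port on DEST_IP
        echo "iptables -A FORWARD -i $in_if -o $out_if -s $src -d $dest -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -j DROP"
    # Optional: rewrite the source to B's address so replies return via B
    # even when C has no route to SRC_NET. C then logs B, not the real client.
    if [ "$masq" = masq ]; then
        echo "iptables -t nat -A POSTROUTING -o $out_if -d $dest -p tcp -j MASQUERADE"
    fi
    return 0
}

# Constructed sample values: the page does not give C's address.
forward_rules eth0 eth1 192.168.0.2 192.168.109.0/24
```

Pipe the output to `sh` as root on B to apply it. Because the PREROUTING match has no `-d`, SSH from that source network to B's own eth0 address is sent to C as well, so forward a different port if B's sshd must stay reachable from A.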

Can you ssh into box B and then do another ssh into box C from there? Or does that not solve your specific problem?

EDIT (In response to the comment from Ian Vaughan): Have you looked at the route command to set up a default route? Try route --help at the command line for more info (or possibly man route).


That is possible, but a pain!
And that only works for SSH, I'd like to view the Samba shares via a Windows Explorer via the IP!

(29 Apr '10, 08:19) Ian Vaughan
