
<?xml version='1.0' encoding='utf-8' ?>
 <!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" 
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % BOOK_ENTITIES SYSTEM "../Fedora_Cookbook.ent">
    %BOOK_ENTITIES;
]>
<!-- Do not edit above this line -->
<!-- 
     Please provide some information so we can give you credit:
     name: Pete Travis
     fas_id: immanetize
     email: immanetize@fedoraproject.org
-->

<section id="ssh-proxy">
  <title>SSH access to hosts on an internal network</title>
  <para>
    On a private network, such as the NAT network used by most homes, a machine can be accessed using ssh by forwarding the incoming port 22 on the router to a single machine inside the network.  To access more than one machine from outside the network, proxy requests through that host.
  </para>
  <para>
    This approach is more straightforward than forwarding multiple ports, because it only requires one forwarding rule to be configured, one change in the ssh client configuration for the outside machine, and no additional configuration on the other hosts.
  </para>
  <section id="ssh-proxy-ingredients">
    <title>Required Ingredients</title>
    <!-- list packages, services, other recipes etc that are required -->
    <itemizedlist>
      <listitem><para>
          A port forwarding rule for one host on the internal network.  Log in to your router to set up the rule. Because router interfaces vary, consult your router's manual for help.
      </para></listitem>
      <listitem><para>
         A target for the above port forwarding rule configured to accept ssh connections (default on most systems).
       </para></listitem>
       <listitem><para>
           An internal network with other ssh accessible hosts.
       </para></listitem>
      <listitem><para>
        The outside address for your internal network. Home users with dynamically assigned IP addresses should read <xref linkend="no-ip" />.
    </para></listitem>
    <listitem><para>
        The address space for your internal network.  On many home routers, this will be <systemitem class="ipaddress">192.168.1.*</systemitem> or <systemitem class="ipaddress">192.168.0.*</systemitem>.
        </para>
        <warning>
          <title>Address Space Reuse</title>
          <para>
            Addresses like <systemitem class="ipaddress">192.168.1.0/24</systemitem> are reserved for use in private networks. Because the proxy rule is applied based on the address space of the target, you should configure your router to use a less common set of addresses.
          </para>
          <para>
            If your router can give addresses in the <systemitem class="ipaddress">192.168.42.0/24</systemitem> network, for example, your proxy rule won't get in the way when connecting to machines on a different network that uses <systemitem class="ipaddress">192.168.1.0/24</systemitem> addresses.
          </para>
        </warning>
      </listitem>
    </itemizedlist>
  </section>
  <section id="ssh-proxy-directions">
  <title>Directions</title>
    <procedure>
      <title>Configuring an ssh proxy</title>
      <step><para>
          Configure your router to forward incoming traffic on port 22 to one machine that will act as the proxy. If you choose, configure the router to use a less common subnet, then reboot it.
      </para></step>
      <step><para>
          Open the firewall on all machines to ssh traffic. This is the default on most systems. Use the graphical firewall application <application>firewall-config</application>, or issue the commands below as root.
          <screen>
            <command>firewall-cmd --permanent --add-service=ssh</command>
            <command>firewall-cmd --reload</command>
          </screen>
      </para></step>
      <step><para>
          Ensure <systemitem class="daemon">sshd</systemitem> is enabled and running on all target systems by running the commands below as root.
          <screen>
            <command>systemctl enable sshd</command>
            <command>systemctl start sshd</command>
          </screen>
      </para></step>
      <step><para>
          Edit <filename>~/.ssh/config</filename> on the initiating system as below. The <literal>IdentityFile</literal> lines assume key-based authentication; see <xref linkend="ssh-keys" />.
          <screen>
            Host 192.168.42.*
              ProxyCommand ssh -W %h:%p <replaceable>external_address</replaceable>
              #suggested optional ssh key declarations:
              IdentityFile ~/.ssh/internal_id_rsa
            Host <replaceable>external_address</replaceable>
              IdentityFile ~/.ssh/proxy_id_rsa
            
          </screen>
      </para></step>
      <step>
        <para>
          Test the configuration from inside and outside the network.  Using ssh verbosely will show how the ProxyCommand statement relays your connection. 
          <screen>
            <command>ssh -vvv 192.168.42.7</command>
          </screen>
        </para>
      </step>
    </procedure>
  </section>

  <section>
    <title>References</title>
    <itemizedlist>
      <listitem>
        <para><citetitle>ssh_config(5)</citetitle> - ssh client configuration manual.</para>
      </listitem>
      <listitem>
        <para><citetitle>firewall-cmd(1)</citetitle> - manual for the firewalld command-line utility.</para>
      </listitem>
      <listitem>
        <para><xref linkend="ssh-keys" /> - recommended reading on ssh authentication.</para>
      </listitem>   
      <listitem>
        <para><ulink url="https://tools.ietf.org/html/rfc1918">RFC1918</ulink> - defines private address spaces.</para>
      </listitem>
    </itemizedlist>
  </section>

</section>