# 
# AUTHOR <EMAIL@ADDRESS>, YEAR.
#
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2014-05-18 12:18-0600\n"
"PO-Revision-Date: 2014-05-18 12:18-0600\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Tag: title
#, no-c-format
msgid "SSH access to hosts on an internal network"
msgstr ""

#. Tag: para
#, no-c-format
msgid "On a private network, such as the NAT network used by most homes, a machine can be accessed using ssh by forwarding the incoming port 22 on the router to a single machine inside the network. To access more than one machine from outside the network, proxy requests through that host."
msgstr ""

#. Tag: para
#, no-c-format
msgid "This approach is more straightforward than forwarding multiple ports, because it only requires one forwarding rule to be configured, one change in the ssh client configuration for the outside machine, and no additional configuration on the other hosts."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Required Ingredients"
msgstr ""

#. Tag: para
#, no-c-format
msgid "A port forwarding rule for one host on the internal network. Log in to your router to set up the rule. Because router interfaces vary, consult your router's manual for help."
msgstr ""

#. Tag: para
#, no-c-format
msgid "A target for the above port forwarding rule configured to accept ssh connections (default on most systems)."
msgstr ""

#. Tag: para
#, no-c-format
msgid "An internal network with other ssh accessible hosts."
msgstr ""

#. Tag: para
#, no-c-format
msgid "The outside address for your internal network. Home users with dynamically assigned IP addresses should read <xref linkend=\"no-ip\" />"
msgstr ""

#. Tag: para
#, no-c-format
msgid "The address space for your internal network. On many home routers, this will be <systemitem class=\"ipaddress\">192.168.1.*</systemitem> or <systemitem class=\"ipaddress\">192.168.0.1</systemitem>"
msgstr ""

#. Tag: title
#, no-c-format
msgid "Address Space Reuse"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Addresses like <systemitem class=\"ipaddress\">192.168.1.0/24</systemitem> are reserved for use in private networks. Because the proxy rule is applied based on the address space of the target, you should configure your router to use a less common set of addresses."
msgstr ""

#. Tag: para
#, no-c-format
msgid "If your router can give addresses in the <systemitem class=\"ipaddress\">192.168.42.0/24</systemitem> network, for example, your proxy rule won't get in the way when connecting to machines on a different network that uses <systemitem class=\"ipaddress\">192.168.1.0/24</systemitem> addresses."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Directions"
msgstr ""

#. Tag: title
#, no-c-format
msgid "Configuring an ssh proxy"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Configure your router to forward incoming traffic on port 22 to one machine that will act as the proxy. If you choose, configure the router to use a less common subnet, then reboot it."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Open the firewall on all machines to ssh traffic. This is the default on most systems. Use the graphical firewall application <application>firewall-config</application>, or issue the commands below as root."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "\n"
"            <command>firewall-cmd --permanent --add-service=ssh</command>\n"
"            <command>firewall-cmd --reload</command>\n"
"          "
msgstr ""

#. Tag: para
#, no-c-format
msgid "Ensure <systemitem class=\"daemon\">sshd</systemitem> is enabled and running on all target systems by running the commands below as root."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "\n"
"            <command>systemctl enable sshd</command>\n"
"            <command>systemctl start sshd</command>\n"
"          "
msgstr ""

#. Tag: para
#, no-c-format
msgid "Edit ~/.ssh/config on the initiating system as below:"
msgstr ""

#. Tag: screen
#, no-c-format
msgid "\n"
"            Host 192.168.42.*\n"
"              ProxyCommand ssh -W %h:%p <replaceable>external_address</replaceable>\n"
"              #suggested optional ssh key declarations:\n"
"              IdentityFile ~/.ssh/internal_id_rsa\n"
"            Host <replaceable>external_address</replaceable>\n"
"              IdentityFile ~/.ssh/proxy_id_rsa\n"
"            \n"
"          "
msgstr ""

#. Tag: para
#, no-c-format
msgid "Test the configuration from inside and outside the network. Using ssh verbosely will show how the ProxyCommand statement relays your connection."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "\n"
"            <command>ssh -vvv 192.168.42.7</command>\n"
"          "
msgstr ""

#. Tag: title
#, no-c-format
msgid "References"
msgstr ""

#. Tag: para
#, no-c-format
msgid "<citetitle>ssh_config(5)</citetitle> - ssh client configuration manual."
msgstr ""

#. Tag: para
#, no-c-format
msgid "<citetitle>firewall-cmd(1)</citetitle> - manual for firewalld command line utility."
msgstr ""

#. Tag: para
#, no-c-format
msgid "<xref linkend=\"ssh-keys\" /> - recommended reading on ssh authentication."
msgstr ""

#. Tag: para
#, no-c-format
msgid "<ulink url=\"https://tools.ietf.org/html/rfc1918\">RFC1918</ulink> - defines private address spaces."
msgstr ""