<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY YEAR "2014">
<!ENTITY HOLDER "| You need to change the HOLDER entity in the en-US/Fedora_Cookbook.ent file |">
<!ENTITY PRODUCT "Fedora Documentation">
<!ENTITY BOOKID "cookbook">
<!ENTITY BZURL "<ulink url='https://bugzilla.redhat.com/enter_bug.cgi?product=&PRODUCT;&amp;component=&BOOKID;'>http://bugzilla.redhat.com/</ulink>">
                                 
]>
<section id="ssh-proxy" lang="en-US">
	<!--  Do not edit above this line  --><!--  
     Please provide some information so we can give you credit:
     name: Pete Travis
     fas_id: immanetize
     email: immanetize@fedoraproject.org
 --> <title>SSH access to hosts on an internal network</title>
	 <para>
		On a private network, such as the NAT network used by most homes, a single machine can be reached over ssh from outside by forwarding incoming port 22 on the router to it. To reach more than one internal machine from outside, proxy the ssh connections to the others through that one host.
	</para>
	 <para>
		This approach is more straightforward than forwarding multiple ports, because it only requires one forwarding rule to be configured, one change in the ssh client configuration for the outside machine, and no additional configuration on the other hosts.
	</para>
	 <section id="ssh-proxy-ingredients">
		<title>Required Ingredients</title>
		 <!--  list packages, services, other recipes etc that are required  --> <itemizedlist>
			<listitem>
				<para>
					A port forwarding rule on your router that sends incoming ssh traffic to one host on the internal network. Log in to your router to set up the rule; because router interfaces vary, consult your router's manual for help.
				</para>
			</listitem>
			 <listitem>
				<para>
					A target for the above port forwarding rule, configured to accept ssh connections (the default on most systems). This host becomes the proxy.
				</para>
			</listitem>
			 <listitem>
				<para>
					An internal network with other ssh accessible hosts.
				</para>
			</listitem>
			 <listitem>
				<para>
					The outside address for your internal network. Home users with dynamically assigned IP addresses should read <xref linkend="no-ip" />.
				</para>
			</listitem>
			 <listitem>
				<para>
					The address space for your internal network. On many home routers, this will be <systemitem class="ipaddress">192.168.1.*</systemitem> or <systemitem class="ipaddress">192.168.0.*</systemitem>.
				</para>

			</listitem>

		</itemizedlist>
		 <warning>
			<title>Address Space Reuse</title>
			 <para>
				Addresses like <systemitem class="ipaddress">192.168.1.0/24</systemitem> are reserved for use in private networks, so a great many unrelated networks use them. Because the proxy rule in the ssh client configuration is selected purely by matching the address you type against a pattern, it would also fire when you are on some other network that happens to use the same range. For that reason you should configure your router to use a less common set of addresses.
			</para>
			 <para>
				If your router can give addresses in the <systemitem class="ipaddress">192.168.42.0/24</systemitem> network, for example, your proxy rule won't get in the way when connecting to machines on a different network that uses <systemitem class="ipaddress">192.168.1.0/24</systemitem> addresses.
			</para>

		</warning>

	</section>
	
	 <section id="ssh-proxy-directions">
		<title>Directions</title>
		 <procedure>
			<title>Configuring an ssh proxy</title>
			 <step>
				<para>
					Configure your router to forward incoming traffic on port 22 to the one machine that will act as the proxy. If you choose to, also configure the router to use a less common subnet, then reboot it.
				</para>
			</step>
			 <step>
				<para>
					Open the firewall on all machines to ssh traffic. This is the default on most systems. Use the graphical firewall application <application>firewall-config</application>, or issue the commands below as root. 
<screen>
            <command>firewall-cmd --permanent --add-service=ssh</command>
            <command>firewall-cmd --reload</command>
</screen>

				</para>
			</step>
			 <step>
				<para>
					Ensure <systemitem class="daemon">sshd</systemitem> is enabled and running on all target systems by running the commands below as root. 
<screen>
            <command>systemctl enable sshd</command>
            <command>systemctl start sshd</command>
</screen>

				</para>
			</step>
			 <step>
				<para>
					Edit <filename>~/.ssh/config</filename> on the initiating system as below. The first block routes any host in the internal range through the proxy; the second selects the key used for the hop to the proxy itself, which is the connection that the <command>ssh -W</command> in the ProxyCommand makes. 
<screen>
            Host 192.168.42.*
              ProxyCommand ssh -W %h:%p <replaceable>external_address</replaceable>
              # optional: use a separate key for the internal hosts
              IdentityFile ~/.ssh/internal_id_rsa
            Host <replaceable>external_address</replaceable>
              # optional: the key presented to the proxy host
              IdentityFile ~/.ssh/proxy_id_rsa
</screen>
					The <option>-W</option> option asks the proxy's <systemitem class="daemon">sshd</systemitem> to open a TCP connection to the internal host and relay it over the standard input and output of the ProxyCommand, so it requires that TCP forwarding is permitted on the proxy (the <option>AllowTcpForwarding</option> default in <citetitle>sshd_config(5)</citetitle> is yes). The proxy host is reachable from the Internet, so prefer key-based authentication on it; see <xref linkend="ssh-keys" />.

				</para>
			</step>
			 <step>
				<para>
					Test the configuration from inside and outside the network. Running ssh with <option>-vvv</option> shows the ProxyCommand being executed, the connection to the proxy host, and then the inner ssh session to the internal host. The host key you are asked to confirm on first use is that of the internal host, verified end to end by your own client, because the proxy only relays bytes. 
<screen>
            <command>ssh -vvv 192.168.42.7</command>
</screen>

				</para>

			</step>

		</procedure>
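		 <para>
			The following script, added here as an example and not part of the Fedora Cookbook or of OpenSSH, ties the recipe together: it generates the <filename>~/.ssh/config</filename> stanza for a given internal /24 prefix and external address, and it reproduces the textual pattern match that ssh performs on the host name you type. That match is the reason the Address Space Reuse warning above asks for an uncommon subnet: the script shows <systemitem class="ipaddress">192.168.1.7</systemitem> being routed through the proxy or not purely on the basis of the pattern, with no knowledge of which network you are actually on. The external address <systemitem class="systemname">home.example.net</systemitem> and the prefix <systemitem class="ipaddress">192.168.42</systemitem> are constructed values. The last function uses <command>ssh -G</command> (OpenSSH 6.8 and later) to print the effective ProxyCommand without connecting anywhere, and is skipped if no ssh client is installed.
		</para>
		 <para>
```shell
#!/bin/sh
# Added example for the "SSH access to hosts on an internal network" recipe;
# not part of the Fedora Cookbook or of OpenSSH. Values such as 192.168.42
# and home.example.net are constructed for the demonstration.

# render_ssh_proxy_config PREFIX EXTERNAL
# Print the two Host blocks from the recipe for a /24 prefix such as
# "192.168.42" and the external address of the router, e.g.
#   render_ssh_proxy_config 192.168.42 home.example.net
render_ssh_proxy_config() {
    prefix="$1"
    external="$2"
    printf 'Host %s.*\n' "$prefix"
    # ssh substitutes %h and %p with the target host and port at run time
    printf '  ProxyCommand ssh -W %%h:%%p %s\n' "$external"
    printf '  IdentityFile ~/.ssh/internal_id_rsa\n'
    printf 'Host %s\n' "$external"
    printf '  IdentityFile ~/.ssh/proxy_id_rsa\n'
}

# proxied PREFIX ADDRESS
# Exit 0 if ADDRESS matches "Host PREFIX.*" and so would be sent through the
# proxy, 1 otherwise. ssh_config(5) matches the name you typed against the
# pattern textually, exactly as this case statement does: 192.168.1.7 matches
# "192.168.1.*" whether you are at home or on a coffee-shop network that
# happens to use the same private range. That is why the recipe recommends an
# uncommon subnet such as 192.168.42.0/24 for the proxied network.
proxied() {
    prefix="$1"
    addr="$2"
    case "$addr" in
        "$prefix".*) return 0 ;;
        *) return 1 ;;
    esac
}

# show_effective_proxy PREFIX EXTERNAL TARGET
# Ask the ssh client which ProxyCommand it would apply to TARGET without
# connecting anywhere: "ssh -G" (OpenSSH 6.8 and later) dumps the effective
# configuration, and "-F" points it at the generated file so the user's real
# ~/.ssh/config is neither read nor modified.
show_effective_proxy() {
    cfg=$(mktemp)
    render_ssh_proxy_config "$1" "$2" > "$cfg"
    if command -v ssh > /dev/null 2>/dev/null; then
        ssh -G -F "$cfg" "$3" 2>/dev/null | grep -i '^proxycommand' \
            || echo "no ProxyCommand applies to $3"
    else
        echo "ssh client not installed; generated config follows"
        cat "$cfg"
    fi
    rm -f "$cfg"
}

# Demonstration with the constructed values.
render_ssh_proxy_config 192.168.42 home.example.net
for a in 192.168.42.7 192.168.1.7; do
    if proxied 192.168.42 "$a"; then
        echo "$a: through the proxy"
    else
        echo "$a: direct"
    fi
done
show_effective_proxy 192.168.42 home.example.net 192.168.42.7
```
		</para>
		 <para>
			Run it as a normal user; it never touches your real <filename>~/.ssh/config</filename>, because <command>ssh -G</command> is pointed at a temporary file with <option>-F</option>. To install the output, append it to <filename>~/.ssh/config</filename> after replacing the prefix and the external address with your own.
		</para>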
		

	</section>
	
	 <section>
		<title>References</title>
		 <itemizedlist>
			<listitem>
				<para>
					<citetitle>ssh_config(5)</citetitle> - ssh client configuration manual, including the <option>Host</option> pattern and <option>ProxyCommand</option> syntax used above.
				</para>

			</listitem>
			 <listitem>
				<para>
					<citetitle>firewall-cmd(1)</citetitle> - manual for firewalld command line utility.
				</para>

			</listitem>
			 <listitem>
				<para>
					<xref linkend="ssh-keys" /> - recommended reading on ssh authentication.
				</para>

			</listitem>
			 <listitem>
				<para>
					<ulink url="https://tools.ietf.org/html/rfc1918">RFC1918</ulink> - defines private address spaces.
				</para>

			</listitem>

		</itemizedlist>

	</section>
	

</section>