We have many hosts with internal/LAN IPs like 10.0.3.* behind a gateway and the hosts with LAN IPs can connect to the Internet through the gateway. We used iptables to forward port from the gateway to internal IPs so that users from hosts with Internet connections can SSH to the gateway’s forwarded port to log on the internal hosts. However, there should be rules added for these hosts and the users need to connect to these non-standard (not 22) ports of the gateway that may be blocked by firewalls of their network.
Is there any other methods to support this? We do not want VPN yet since only SSH is needed most of the time and we do not like to be too open to the Internet yet.
My solution is to use a SSH tunnel as the proxy to SSH to the internal hosts. This is set by the users themselves on their own side.
Assumptions and requirements:
- You, the user, are using a Linux environment on your machine, say user.example.org .
- You can password-less login to the gateway, say gateway.example.org, with your username. You can use other usernames, non-standard port, or forward the 22 port of gateway to an internal host/VM for security reason. We use the most simple configuration for simplicity of the introduction.
- On the gateway or the host that you can ssh to as a proxy,
Now, add these 2 lines to your
~/.ssh/config (make its attributes 700) on user.example.org:
ProxyCommand ssh -q gateway.example.org nc %h %p
Then, on user.example.org, you can directly ssh to internal hosts, such as:
The SSH client will first run
ssh -q gateway.example.org nc 10.0.3.100 22 which log on gateway.example.org and runs
nc 10.0.3.100 22 on the gateway. The
nc on the gateway will redirect all input from the SSH client on user.example.org to 10.0.3.100:22 to which the sshd daemon on 10.0.3.100 listens. That is, gateway.example.org works as the proxy for the SSH connection and the users can connect to the internal IPs “directly”.