[PLUG] remote ssh and nat

Carla Schroder carla at bratgrrl.com
Sun Mar 12 06:54:55 UTC 2006


All right NAT gurus, here's your chance to strut your stuff. I've always taken 
the lazy way to SSH into LANs. I make an iptables rule to allow SSH into the 
gateway box:

-A INPUT -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

I ssh into the gateway box, then ssh from there to whatever LAN host I 
need to get into. 

To illustrate: remotehost is a remote PC on a different network. windbag 
is my gateway/firewall, and stinkpad is a LAN host. Windbag and stinkpad are 
on 192.168.1.0/24. Windbag has two NICs, wan and lan.

carla at remotehost:~$ ssh windbag.foo.net
carla at windbag.foo.net's password:
Linux windbag 2.6.12-10-386 #1 Mon Feb 13 12:13:15 UTC 2006 i686 GNU/Linux
Last login: Sat Mar 11 17:07:24 2006 from foo-29.isp.net

carla at windbag:~$ ssh stinkpad
carla at stinkpad's password:
Last login: Sat Mar 11 17:07:50 2006 from windbag.foo.net

[carla at stinkpad ~]$

This works fine, and I don't have a pressing need to find a better way. But I 
was fiddling around and wondering, can I write rules that will let me log 
directly into stinkpad, or any other LAN host, without having to log into 
windbag first? Assume all LAN hosts have private, non-routable addresses.

I tried forwarding:

# rewrite the destination of WAN-side packets arriving on port 10000
$ipt -t nat -A PREROUTING -i $WAN_IFACE -p tcp --dport 10000 -j DNAT \
    --to-destination 192.168.1.12:22
# and let the rewritten packet cross from the WAN side to the LAN host
$ipt -A FORWARD -p tcp -i $WAN_IFACE -o $LAN_IFACE -d 192.168.1.12 --dport 22 \
    -j ACCEPT

But this doesn't work, because all outgoing traffic is SNAT-ed, so the remote 
SSH client sees the same IP for all hosts, so when it sees a different host 
key it pitches a fit:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

I don't want to be continually replacing host keys, or disabling 
StrictHostKeyChecking. What other options are there? (besides putting 
everything on routable IPs)

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Carla Schroder
 check out my "Linux Cookbook", the ultimate Linux user's
 and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
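An added worked example (not from the original post or the PLUG list) of the port-forwarding approach above, carried through to the client side. The host-key warning comes from every forwarded port being reached under the same name, windbag.foo.net, so the client files each LAN host's key under that one name; the ssh_config option HostKeyAlias makes ssh look the key up under a per-host alias instead. The script below takes a table of "name public_port lan_ip" entries, refuses a table that reuses a port or an address, emits one complete DNAT plus FORWARD rule pair per host for the gateway, and emits the matching ~/.ssh/config stanzas for the remote client. The interface names eth0/eth1, the second host laptop2 on 192.168.1.13 port 10001, and the alias names are assumptions for illustration; only stinkpad, 192.168.1.12 and port 10000 come from the post.

```shell
#!/bin/sh
# Added example, not the original poster's code. Generates the gateway's
# iptables rules and the client's ssh_config from one host table.
# Assumed (hypothetical) values: interfaces eth0/eth1, the laptop2 entry.

WAN_IFACE=${WAN_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
GATEWAY=${GATEWAY:-windbag.foo.net}

# Constructed mapping, one public port per LAN host: "name port lan_ip".
HOST_MAP='stinkpad 10000 192.168.1.12
laptop2 10001 192.168.1.13'

# Reject a table that reuses a public port or a LAN address: a second
# DNAT rule for the same port never matches, and a reused address would
# quietly land you on the wrong box with the wrong host key.
validate_map() {
    printf '%s\n' "$HOST_MAP" | awk '
        { if (seen_port[$2]++) { print "duplicate port " $2; bad = 1 }
          if (seen_ip[$3]++)   { print "duplicate address " $3; bad = 1 } }
        END { exit bad }'
}

# iptables commands for the gateway; each output line is one command.
dnat_rules() {
    printf '%s\n' "$HOST_MAP" | while read -r name port ip; do
        # rewrite the destination of packets arriving on the WAN side
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' \
            "$WAN_IFACE" "$port" "$ip"
        # allow the rewritten packet to open a NEW connection into the LAN
        printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport 22 -m state --state NEW -j ACCEPT\n' \
            "$WAN_IFACE" "$LAN_IFACE" "$ip"
    done
    # one rule covers the return traffic of every forwarded connection
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# ~/.ssh/config stanzas for the remote client. HostKeyAlias stores and
# checks each LAN host's key under its own name rather than the gateway's.
ssh_config() {
    printf '%s\n' "$HOST_MAP" | while read -r name port ip; do
        printf 'Host %s\n    HostName %s\n    Port %s\n    HostKeyAlias %s\n\n' \
            "$name" "$GATEWAY" "$port" "$name"
    done
}

validate_map && dnat_rules && ssh_config
```

With the generated stanzas in place on remotehost, "ssh stinkpad" connects to windbag.foo.net:10000 and keeps stinkpad's key under the alias "stinkpad" in known_hosts, so a different key from laptop2 on port 10001 is a separate entry rather than a changed one. The same effect for a one-off login is "ssh -o HostKeyAlias=stinkpad -p 10000 windbag.foo.net". The ESTABLISHED,RELATED rule is added here because the post shows only the NEW direction; if the gateway already has one, omit it.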
