Linux Help
Remote Administration From 150km
Robert83
post Aug 26 2004, 07:38 AM
Post #1


Hi,

I would like to allow a remote user to administer one of the computers in my LAN (a server) from Belgrade.

I have a firewall computer (eth0 : 192.168.10.1 ; eth1 : public IP address)
and have a NAT server behind it ( eth0 : 192.168.0.250 ; eth1 : 192.168.1.250 ;
eth2 : 192.168.1.250 ; eth3 : 192.168.10.2 [this is connected with the firewall 192.168.10.1])
The computer which would need to be administered from the internet (from the yyy.yyy.yyy.yyy IP address) would be 192.168.2.1.

(I've tried building my own iptables configuration by modifying the one I've got from Hughesjr, but I think it would be really great if someone would take a look at it and correct the errors I made.)

It would be Remote Desktop (WinXP Pro) or some other remote desktop software. I was thinking about forwarding the corresponding port to my internal computer; if this is not a wise idea, and if there is an easier and safer way to make my internal computer visible to that one and only IP address on the internet, then please do help me.


yyy.yyy.yyy.yyy is the IP address of the Belgrade office
xxx.xxx.xxx.xxx is my IP address
port is the port that will be used by that remote desktop tool (any ideas which one to use?)


FIREWALL :
The lines marked "# added" are the ones I've added so that the above would be possible in theory.

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# added: the DNAT'd connection is forwarded, not delivered locally, so it is checked in FORWARD (with the already-translated destination 192.168.10.2), never in INPUT; it also has to sit above the final drop-and-log-it FORWARD rule
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s yyy.yyy.yyy.yyy/32 -d 192.168.10.2/32 --dport port -j ACCEPT

iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
# added: first hop of the port forward, public address -> NAT server ("port" is the placeholder for the remote desktop port)
iptables -A PREROUTING -t nat -p tcp -d xxx.xxx.xxx.xxx/32 --dport port -j DNAT --to 192.168.10.2:port
# the SNAT address should be one the firewall itself owns on eth1 (the public xxx.xxx.xxx.xxx above); 10.0.35.168 kept as posted
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 10.0.35.168
# was "-s -0/0", which iptables rejects
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it

NAT SERVER :

iptables -A FORWARD -i eth0 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j DROP
iptables -A FORWARD -i eth0 -o eth2 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -j DROP
iptables -A FORWARD -i eth1 -o eth2 -j DROP
iptables -A FORWARD -i eth2 -o eth0 -j DROP
iptables -A FORWARD -i eth2 -o eth1 -j DROP
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
# added: same as on the firewall, the packet DNAT'd to 192.168.2.1 passes through FORWARD, not INPUT (this only matters if the FORWARD policy is DROP, since the rules above have no catch-all)
iptables -A FORWARD -i eth3 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s yyy.yyy.yyy.yyy/32 -d 192.168.2.1/32 --dport port -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3228
# added: second hop of the port forward, NAT server -> internal computer (was "-d $192.168.10.2"; the stray "$" makes the shell expand $1 and the rule would target the wrong address)
iptables -A PREROUTING -t nat -p tcp -d 192.168.10.2/32 --dport port -j DNAT --to 192.168.2.1:port
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.2.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2

What do you think?

Would this allow the following:
the administrator at yyy.yyy.yyy.yyy could connect to my internal computer 192.168.2.1 (with a remote desktop tool)?

Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
hughesjr
post Aug 26 2004, 09:48 PM
Post #2



Looks like that should work to me ... what you might try is this on the NAT server ... just in case the IP source address is the firewall and not the remote machine (after the PREROUTING rule on the firewall) ... but it looks like it should work as is to me:

iptables -A INPUT -i eth3 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s xxx.xxx.xxx.xxx/32 -d 192.168.10.2 --dport port -j ACCEPT


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
Robert83
post Aug 29 2004, 05:03 AM
Post #3


Hi,

Thank you for the response. I've been thinking, and I've come to think that this might not be secure enough; I mean just letting any crazy remote program come in from that IP (passwords might be intercepted). So, what changes would I need in order to do this:

connect with SSH from the client IP address (only from there); for example PuTTY is fine for this (protocol 2).

and after that use Remote Desktop or something (it doesn't matter once the secure shell is there, right?) to connect to the computer. Please tell me.

[Since I cannot ping 192.168.2.1 from the firewall computer, I think I must somehow forward SSH to the 192.168.10.2 computer, hmmm... or something like this. Can you give me some advice on this? Maybe a solution, pretty please]

Sincerely
Robert B


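The SSH-based setup asked about in the last post, combined with the two-hop port forward from the first post, as an added example that is not part of this thread and not the original poster's configuration: only TCP/22 is exposed on the firewall, and only to the Belgrade address; the firewall DNATs it to sshd on the NAT server (the Linux box 192.168.10.2, which can reach 192.168.2.1 directly); the Remote Desktop session then runs inside the SSH connection, so 192.168.2.1 is never reachable from the internet and the RDP logon travels encrypted. It assumes the placeholder addresses and interface names from the first post, an OpenSSH sshd on the NAT server recent enough for Match and PermitOpen, a dedicated account named rdpadmin (a hypothetical name) used only for the tunnel, and Windows Remote Desktop on its standard port 3389. The functions print the rules and config fragments so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): expose only TCP/22 on the firewall to
# the Belgrade office, DNAT it to sshd on the NAT server, and carry Remote
# Desktop (TCP/3389) inside the SSH session.
# Assumptions: placeholder addresses and interface names from the first post,
# OpenSSH sshd on the NAT server with Match/PermitOpen support, and a dedicated
# account "rdpadmin" (hypothetical name) used only for this tunnel.
REMOTE=yyy.yyy.yyy.yyy      # Belgrade office
PUBLIC=xxx.xxx.xxx.xxx      # firewall eth1, public side
NATSRV=192.168.10.2         # NAT server eth3, runs sshd
RDPHOST=192.168.2.1         # Windows XP box behind the NAT server

# Firewall hop. A DNAT'd packet is forwarded, not delivered locally, so the
# filter rule belongs in FORWARD (matching the already-rewritten destination),
# not INPUT. -I puts it ahead of the catch-all drop-and-log-it rule.
# Replies are covered by the existing "FORWARD -i eth0 -o eth1 -j ACCEPT".
fw_ssh_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i eth1 -p tcp -s $REMOTE/32 -d $PUBLIC/32 --dport 22 -j DNAT --to-destination $NATSRV:22
iptables -I FORWARD -i eth1 -o eth0 -p tcp -s $REMOTE/32 -d $NATSRV/32 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# NAT server hop. Here sshd is the local endpoint, so INPUT is the right chain,
# and no second DNAT is needed: sshd itself opens the connection to $RDPHOST.
natsrv_ssh_rules() {
    cat <<EOF
iptables -I INPUT -i eth3 -p tcp -s $REMOTE/32 -d $NATSRV/32 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# sshd_config fragment for the NAT server. The AllowUsers line is global (drop
# it if other accounts must keep logging in from the LAN side); the Match block
# goes at the end of the file. Key-only logon, and the only thing the tunnel
# account may do with port forwarding is reach the RDP port on $RDPHOST.
sshd_match_block() {
    cat <<EOF
AllowUsers rdpadmin
Match Address $REMOTE User rdpadmin
    PasswordAuthentication no
    AllowTcpForwarding local
    PermitOpen $RDPHOST:3389
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# Client side (OpenSSH; PuTTY's "Tunnels" page does the same). A local port
# other than 3389 avoids colliding with a Remote Desktop listener on the client
# itself; afterwards mstsc connects to 127.0.0.1:13389.
client_tunnel_cmd() {
    echo "ssh -N -L 127.0.0.1:13389:$RDPHOST:3389 rdpadmin@$PUBLIC"
}

# Run directly to print everything; to apply one rule set as root, for example:
#   sh this_script fw_ssh_rules | sh
case "${1:-}" in
    fw_ssh_rules|natsrv_ssh_rules|sshd_match_block|client_tunnel_cmd) "$1" ;;
    *) fw_ssh_rules; natsrv_ssh_rules; sshd_match_block; client_tunnel_cmd ;;
esac
```

To check the path after applying it, run the client command from the office with `ssh -v` and watch the packet counters on the firewall with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v`: the DNAT rule and the FORWARD ACCEPT rule should both count packets for the same connection, and nothing should appear in the drop-and-log-it log for the office address. Note that restricting the source address in iptables only stops other addresses from connecting; the key-only logon and the PermitOpen limit are what protect the box if the office address itself is abused.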
