Networking :: Using A Public-Facing SSH Server To Broker A Connection Between Two Clients?
Feb 22, 2010
I'm sure this is possible... I'm just not sure how. Yet! I have three machines. One is at home behind my firewall and has a dynamic IP. That's fine as I don't really want to open any ports on my home firewall. The second is at work sitting behind the firewall there, and I'm not even going to ask for approval to NAT an IP to my PC at work :-).
The third is in a data center far away. I only have a shell account on this server but other than that shell account not being root, I can do most anything I like with that account. What I would like to do is SSH to this server simultaneously from my home and work PCs and, via this third machine, make them talk.
This is pure geekery so it doesn't matter what they say to each other; I just want to make them talk. Maybe one uploads a file and the other just pulls down that file. Maybe one opens a FIFO on the remote server and starts writing to it while the other starts snarfing that data. In fact, I like this latter idea best, I think. How would you do it? What scripts (fired by cron if need be since I'm ostensibly away from at least one of the PCs at any given time) would you use?
I am just about to undergo a new piece of freelance work myself on Bind 9, but it has been ages since I have done this; that was on my own LAN with port 53 blocked from outside, so mine was not public facing.
But this project is, so what should I set up to make this truly secure? Just to recap on my thoughts as well: forward resolving is Domain -> IP, is it not? Then reverse is IP -> Domain, is it not?
I'm trying to give some Windows users a permanent connection to a Samba share behind a firewall over the public Internet. I know I can give them access with something like WinSCP (which they have done) but really I'd like to do it with a VPN so it seems seamless to the user. However I have no idea how to set up the server to support this and am finding the documentation a bit confusing. The Samba share is on a Debian box and the firewall is a Linksys WRT54GL.
I'd like to know if this is a common security flaw, or normal, to open up FTP to the public (which is of course password protected) for 3rd-party access to maintain our public-facing / production website?
If yes, what sort of FTP application should I install in Ubuntu?
Within the documentation of example OpenVPN setups there is a setup that shows an OpenVPN server with two network interfaces. One interface is plugged into the public Internet network and the second interface is plugged into the private network.
Normally I assume that it would be best to place the OpenVPN system inside the network behind the router and firewall and open only the ports needed on the router to allow access to the OpenVPN system. All other router ports would be closed. This is the first example they show. To see what I am talking about see page(s) 6-7 here -> [URL]
If one were to use the two interface public facing setup, when would that setup best be justified? I guess if you didn't want to open any ports on the router/firewall then this could be justified but then you have to lock down this public system individually instead of having it protected by the network firewall.
I'd like to know if this is a common security flaw, or normal, to open up FTP to the public (which is of course password protected) for 3rd-party access to maintain our public-facing / production website? If yes, what sort of FTP application should I install on your Linux webserver?
I've been able to make my server connect to my clients but not able to share the Internet connection. I've been searching around but haven't come across an answer yet. Hoping someone here will point me in the right direction. I have the following setup running. I'm trying to make an Internet connection go through my server but haven't been able to get it to work.
I have a very strange problem with my Linux router/firewall machine where I keep losing my connection on the Ethernet card.
I have installed a Debian 4 distro on a PC with 2 NICs to create a router/firewall machine. On nic-1 I have connected the ADSL modem and on nic-2 a laptop for testing.
What I want is to build a DMZ with public IP addresses assigned to the servers in the DMZ.
Schematic example:
We have a total of 16 public IPs assigned to the ADSL modem from our ISP, configured in routing mode. Unfortunately our new ISP does not support bridge mode, otherwise I would not have this problem. (We had the modem in bridge mode working fine with our old ISP, but they have stopped so we were forced to switch to another ISP.) eth1 and eth2 both have public IP addresses from the modem, set hardcoded in /etc/network/interfaces on the Linux PC, and on my test laptop in the DMZ (server-1) I have set another public IP (they all fall in the same network range). I have enabled IP forwarding on the Linux router/firewall and for testing the firewall is set to allow all traffic.
When I try to ping the test laptop in my DMZ from a remote machine outside in our datacenter I get no reply.
However, when I run the following command: ip addr add xx.xx.xx.xx dev eth1 to assign the public IP I have chosen for the laptop to the inner NIC (eth2) and then try to ping the test laptop again from the remote machine, it still does not reply ... but (and here is the most bizarre thing)...
When I then run the following command: ip addr del xx.xx.xx.xx dev eth1 (where xx.xx.xx.xx is the IP of the test laptop) and try to ping again from the remote machine, then it seems to be working fine ... however only for a short time, because then the connection is lost somehow.
I have a small network at my office (3 workstations, 1 ubuntu desktop that I'm using as a file server). I'm using a WRT54G2 router for networking and internet connectivity. Here's what I'm trying to accomplish: I want to be able to access my little file server from home, across town. I think ssh might be the best way to go now. What I don't know: How do I set up the ssh server on my machine/network without compromising my network security and the security of my server? Do I just set up port/ip forwarding on my router, install openssh, and that's it?
I'm trying to decide on how to host and serve files to multiple operating systems (Linux, Mac OS X, Windows XP and Windows 7) over the Internet. I'd like this to be secure (obviously), but don't want to use SSH tunnelling. Ideally, this would be something which could be persistently mounted on the client machine (a network drive in Windows, likewise in Mac OS X and Linux) and wouldn't require the installation of extra software on the clients. I thought about Samba, but I'm not sure if it's secure enough to be Internet-facing. Would FTP fit? Presumably it's possible to have encrypted connections only and limit connections to a specified number of client IPs.
I want to use my personal computer remotely. The problem is my computer is connected to a local network that I can't modify. I can connect from my computer to another one that has public IP via ssh. Is it possible to login to the "proxy" computer from somewhere and somehow use the connection established before to connect to my PC?
The Server in the above diagram can be accessed by Client3 and Client4 but not at all by Client1 or Client2. Router0 specifies the Server as a DMZ Host. I would be more specific but this is not my server. I don't use a DMZ, I forward ports when they are needed. In this case I represent ISP1 and the server belongs to a befuddled client. Client1 & Client2 can send packets to each other, no problem. Could the DMZ be breaking communication between the Server and Clients 1 & 2?
I have a commercial ISP connection with 5 IP addresses available and I want the following configuration. Note: when I say "domain group" I am referring to a group of top-level domains (not subdomains) owned by the same entity (company) with their A records pointed at the same public IP for a single server.
I'm setting up a network for a school. The network has 11 client computers (Windows XP) and a server (Fedora 10). All I need to do is have a share for all the children to use (this I did by adding each client to the workgroup specified on Samba, then I just map the drive). The issue turns out to be that I have over 300 users. The users don't always use the same computer, therefore I need the users to be registered on all 11 clients. How can I do this? I have been searching and I've not gotten anywhere. How can I add the computers to a domain instead of a workgroup? What can I use?
I'm trying to get a pptp server up and running. The server starts just fine, but encounters errors when a client tries to connect.
Code:
CTRL: I wrote 32 bytes to the client. Dec 29 23:27:48 frankenstein pptpd[9402]: CTRL: Sent packet to client Dec 29 23:27:48 frankenstein pptpd[9403]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
I assume the failed read line is the culprit. I am currently running on a test machine. There is no firewall. I read that this error points to a firewall misconfiguration, but there isn't one.
My Ubuntu server is now providing routing duties to my network, but I'm having trouble opening ports to my network. I have a DynDNS account, so the IP is always current, but I can't ping even my IP directly.
My network map looks like
Internet > SpeedTouch DSL modem with DHCP > eth1 > Ubuntu > eth0 > LAN
With the modem providing a 192.168.1.xx IP to eth1, I can browse fine. The default gateway is my modem. I switched to the public IP of the modem so I could use iptables for firewall duties, but I was locked out of the internet. No gateway was set when I did that, but eth1 received the public IP of my modem.
I have two nagging problems on one network which I do not have on another elsewhere, both using up-to-date Debian servers. The server is on the private subnet behind a router/ADSL modem. The symptoms of the one which does not work:
1) Users cannot access their web site from the LAN. If they try, they get to the router web interface, same as if they entered http:10.0.0.138, which is the router's LAN address.
2) Users cannot access the SMTP or POP3 service using the domain name; they can access it only using the server's LAN address.
I fear that I might not have set up the router properly, because apart from that the two servers are almost identical, but I do not know where I might have made an error.
I have successfully set up PPTPD on my server and I can open a VPN tunnel, but my clients can only ping the server's IP; they don't have access to the Internet through the VPN.
I have searched different forums and understand that I have to create a route on the server to route packets between the VPN interface and my Internet gateway, but I didn't manage to get this to work.
Here is what my setup looks like:
Code:
root@r31495:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1c:c0:c7:13:35
          inet addr:94.23.197.XX  Bcast:94.23.197.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
On my server I have an OpenVPN gateway and a BIND9 DNS server. At the moment, OpenVPN sends the OpenDNS address to the clients and it works fine. I would like to use my DNS server for my clients instead, so it works with any DNS address. Here is the OpenVPN config:
I am running FC11 with an HP printer attached; my firewall is disabled. I am trying to print from my laptops after I have set up Samba and shared the printer. It was working fine when I had FC4 and FC5 installed; I am not sure what is missing. When I tried to print from the XP box I got a "Test page failed to print" error. What I have really noticed in the XP and Vista boxes is that when I go to the printer settings inside Control Panel, press the Ports tab and check which port I am printing to, I see that the port "\samba-serverprinter" is not created there. This is the log:
I can't seem to get the X server to allow access from clients on other hosts. (I know, not exactly a network problem, but...) I made the change in /usr/share/gdm/defaults.conf to be: DisallowTCP=false
and this worked on another CentOS system, but it hasn't fixed it on this one. What other things could prevent other clients from connecting to the X server? From the local host, I get :
Warning: Tried to connect to session manager, Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed, although the client DOES actually create the window and work! So, maybe this message is a clue.
From the remote host, I get: Error: Can't open display: 10.10.1.20:0.0, which is not terribly informative. Is there a log somewhere which details why a connect request was denied? The files in /var/log/gdm are not very informative.
I've spent the last 4 days setting up my first VPN (OpenVPN bridged). The server is up and running OK, but when I try to connect I get this message in the client log.
Quote:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) TLS Error: TLS handshake failed
My 32-bit Ubuntu 9.10 [Karmic Koala] LTSP server has two NICs, one with a dynamic IP set by a DSL modem and the other with a static IP of 192.168.0.254. I also have 4 thin clients that boot from this server without any problems, and another computer with Ubuntu 9.04 running some PHP programs with a dynamic IP given by the same DSL modem. When I send requests to these PHP programs from the thin clients, they all give the LTSP server's dynamic IP as their IP, so I cannot trace who sent the request in order to respond back.
I actually know this is logical, because the requests are sent by a program that's actually running on the LTSP server rather than the thin client. But my question is: how can I run a program on a thin client with its own IP? I should also mention that the dhcp3-server service running on the LTSP server has no conflicts with the DSL DHCP on the network, and I know that the 4 thin clients get IPs ranging from 192.168.1.101 through 192.168.1.104 from the dhcp3-server service, because I can ping them while they're on, but /sbin/ifconfig on them shows info about the LTSP server.
I used to play with gw6c (a client for a tunnel broker). It works well with Fedora 9 and Fedora 10, but not with Leonidas. My rpm is gw6c-6.0-0.4.beta4.fc9.i386.rpm (a little old!). When I tried to install it I got this: libcrypto.so.7 est nécessaire pour gw6c-6.0-0.4.beta4.fc9.i386. I tried to make a soft link to libcrypto.so.0.9.8k, but nothing. The questions: Is there a solution for that problem? Do you know of a better client for non-native IPv6 connectivity?
I've searched through Google, and all I can find are instructions on how to set up an L2TP/IPsec VPN that works with Macs and iPhones. I'm NOT trying to set up an L2TP/IPsec VPN. I'm trying to set up a pure IPsec VPN.
The iPhone IPsec client is a built-in Cisco client, I believe. I'm staying away from L2TP and PPTP because I need multicast packets to go through. *edit: wow, I just noticed that the title says "8.10 LTS". Oops! I obviously mean "8.04 LTS". Gah, the lack of sleep got to me.
I'm having really weird and frustrating DNS issues with my clients being unable to properly resolve the server's IP address. They can resolve each other's, and outside systems, but not the server; at least, not correctly, and not all the time.
I have one Ubuntu server set up that does both DHCP and DNS serving to the Windows systems. The server has DNS forwarding turned on to forward to OpenDNS's servers (I've tried using my ISP's DNS servers but the problem remains). The server is *not* set up as a firewall; I am actually using a D-Link router for that, and the D-Link is *not* set up to serve DHCP or DNS.
What I am getting is that my clients (and there are nothing but Windows clients) will not resolve the name of the server. For example, if I do: ping linuxserver
I get back a false IP address of 192.168.0.64 (and I've seen once a 192.168.2.49).
If, however, I put a dot in there: ping linuxserver.
I get back the *correct* IP address of 192.168.0.2, and thereafter, pinging linuxserver without the dot will work. Until the DNS cache expires, either naturally or with ipconfig /flushdns on the Windows clients.
The clients *are* getting valid DHCP leases and can resolve everything happy-happy; they just will not get the proper address of the server 100% of the time.
I have an Edubuntu server with two NICs joined to the primary Windows domain, and I can log on with domain credentials and everything is A-OK. I used Likewise Open 6 to join the server to the primary domain. So, on my Edubuntu server eth1 is connected to the primary domain and has a static IP. eth2 also has a static IP and is the DHCP server for the thin client subnet, connected to a switch. IP forwarding is enabled.
So far, so good: I can log on to the thin clients with one of the local accounts specified on the Edubuntu server, and with that account I can surf the net and, if I supply domain credentials, browse the primary domain. The problem I have is:
I can't work out how to log on to the primary domain with an Active Directory account directly from a thin client. If I try DOMAINuser to log on, after giving the password, the password screen refreshes and 'domainuser@11.*.21.*'s password' appears under the blank password box. The IP in that message is the IP for the subnet and not the primary domain. I feel like I'm misunderstanding some basic simple step but I just can't figure it out.
Fedora (iptables)
eth0 - private: 192.168.1.1
eth1 - public: 186.117.50.6
Squid proxy: 192.168.1.10:3128
My clients' range: 192.168.2.0/24
How can I make my clients browse the Internet only through the proxy server? My network is NATed. Please specify an iptables rule to allow Internet access for my clients to browse ONLY if they come through the proxy server.