TCLUG Archive

Re: [TCLUG:8252] Port forwarding: ssh/ipchains



I think Allie was talking about ssh tunneling, which allows you to tunnel
anything through an ssh connection. Basically you start an ssh connection
with the -L (or -R) option on your masq machine. You assign a local
port, remote host and remote port. All traffic coming in on your
specified local port will be tunneled to the remote machine/remote port
and will be encrypted. It lets you encrypt anything you'd like. IMAP,
POP3, Web, you name it, it can encrypt it.

Check the ssh man page for more info. I use this to encrypt my intranet
web traffic without buying a SSL key.

I've never tried to use ssh tunneling like port forwarding, but I can
think of a few problems with it:
1. You need to have the ssh tunnel running at all times. This means you
need ssh to start up without a password if you want it to start
automatically. This is a security hole.
2. It's harder to add new ports. (You need to start new ssh tunnels)
3. There is more overhead since the data is being processed by ssh,
encrypted and then resent. You could reduce the level of encryption, but
it still would be slower than portforwarding.
4. Probably a few more reasons I don't know about.

Basically you wouldn't want to use ssh tunneling unless you absolutely
had to have your data encrypted.

Clay


Amy Tebbe wrote:
> 
> On Mon, Sep 13, 1999 at 02:13:19PM -0500, Allie Micka (allie@visi.com) wrote:
> > Ok, so I learned all about ipchains port forwarding at the tclug meeting
> > last weekend  (good job by the way, Amy) and I am also aware of a similar
> > functionality with secure shell.  What would be the advantages of using one
> > over the other?
> 
> ssh and portforwarding are two different things and are not similar
> in functionality.
> 
> ssh (secure shell) is basically like telnet but all traffic is
> encrypted.  With telnet, all passwords are sent clear-text, so
> they are susceptible to snooping.  That is why we recommended ssh in
> the tclug meeting.
> 
> portforwarding allows you to forward traffic of a particular type
> to another machine.  It is particularly useful in forwarding traffic
> from the Internet to a non-routable machine.
> 
> ssh does not require portforwarding.  If there is a route to the machine
> you're trying to ssh to, then you can just ssh there.  If you're trying
> to ssh to a machine w/ a non-routable address, you'll need something
> like portforwarding to get the traffic to that machine.
> 
> > I have a small internal lan connecting to the internet w/ dsl over a static
> > ip address, and i want to be able to access services on my internal systems
> > by accessing the outside one with a given port number.  My guess is that
> > ipchains port forwarding would be fine to access the internal systems and
> > ssh would be better if i wanted to forward ports to/from machines located
> > somewhere else entirely.  I  was hoping that someone could confirm or deny
> > my educated guess with a guess having the benefit of better education.
> 
> I'm not entirely sure of your network design based on the above.
> Do you have a private (non-routable) internal network?  If so, you
> could use a combination of portforwarding and ssh.  Set up portforwarding
> to forward ssh traffic to a box on your internal network.
> 
> Example:
> internal box: 192.168.100.1
> firewall public ip: 206.55.55.254
> 
> To ssh to the 192.168.100.1 machine from outside the 192.168.100.0 network,
> you would set up portforwarding on your firewall to forward incoming
> ssh traffic to 192.168.100.1.  You would point your ssh client to
> 206.55.55.254
> 
> Send me more info on your network design (IPs, etc) and I can help
> more.
> --
> Amy Tanner                                      Voice: 612.943.8700
> Real Time Enterprises, Inc.                       Fax: 612.943.8500
> amy@real-time.com                          http://www.real-time.com
> PGP fingerprint =  67 6C 8F DB B1 7A 8D 41  DC 7B CA 0B 28 1E 67 AD
> 

-- 
Clay Fandre
cfandre@maddog.mn-linux.org
Twin Cities Linux Users Group
http://www.mn-linux.org
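Added illustration, not part of this thread or of any poster's message: a minimal clear-text TCP port forwarder in Python. It implements exactly the relay Clay describes for `ssh -L` (listen on a local port, connect to a remote host/port, copy bytes in both directions), but without ssh's encrypted channel around it, so it also models what ipchains-style port forwarding on the masq box does at the kernel level. The equivalent ssh invocation is `ssh -L localport:remotehost:remoteport gateway`; everything else here (the `PortForwarder` class, the loopback echo server standing in for the remote service, the `demo()` payload) is constructed for the example.

```python
import socket
import threading

# Equivalent ssh tunnel (hostnames are assumed placeholders):
#   ssh -L 8080:intranet-web:80 gateway
# ssh would bind 8080 locally, carry the bytes encrypted to "gateway",
# and have gateway open the TCP connection to intranet-web:80.
# The forwarder below does the same relay with NO encryption, which is
# the situation Clay's point about plain port forwarding describes.


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target_host, target_port):
    """Open the upstream leg for one accepted client and relay both directions."""
    try:
        upstream = socket.create_connection((target_host, target_port), timeout=5)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)   # client -> target
    back.join()               # target -> client finishes on upstream EOF
    client.close()
    upstream.close()


class PortForwarder:
    """Listen on (listen_host, listen_port) and forward every connection to target."""

    def __init__(self, listen_host, listen_port, target_host, target_port):
        self.target = (target_host, target_port)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listen_host, listen_port))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]   # real port, even if 0 was requested
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:       # listening socket closed -> stop serving
                return
            threading.Thread(target=_relay, args=(client,) + self.target,
                             daemon=True).start()

    def close(self):
        self.sock.close()


def start_echo_server():
    """Constructed stand-in for the remote service: echoes one connection back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(payload=b"hello through the forwarder"):
    """Send payload to the forwarder's local port; return what the remote side echoed."""
    echo_port = start_echo_server()
    fwd = PortForwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)          # tell the far end we are done sending
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    fwd.close()
    return b"".join(chunks)


if __name__ == "__main__":
    print(demo())
```

The relay is the whole mechanism; what ssh adds is that the leg between the listening host and the gateway is inside its encrypted session, so the `payload` bytes are not readable on that wire. With a kernel port forward, or this script, they are, which is the trade-off Clay's post weighs against the overhead and the always-on, passwordless tunnel that `ssh -L` needs.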