Gentoo Forums
Masquerading in userspace [SOLVED - not via masquerading]
Forum: Networking & Security
Hamlet
Apprentice
Joined: 15 Apr 2005
Posts: 151
Location: Turin (Italy)
Posted: Thu Aug 15, 2019 6:16 am    Post subject: Masquerading in userspace [SOLVED - not via masquerading]

Edit: I clarified the details of the constraints. Changes are in italic.


I am facing the following need: I am administrator of my laptop (C) and I need to access services from some servers (S), let's say an IMAP server for example. While anybody can connect to the servers from anywhere (e.g. the IMAP server is Microsoft's), the servers serve only the connections which appear to come from a selected network N (presumably by checking the source IP), and C is not in that network. But I can access a server G, which is in network N, as an unprivileged user in some secure way (say, SSH).

How can I access the full services on S from C? That is, how can I set up C and run the proper userspace software on G so that I can access the IMAP server with my laptop e-mail client?

I have read a bit about VPN and IP masquerading, but I don't really know what to do with that yet.

Thank you!


Last edited by Hamlet on Mon Aug 19, 2019 4:54 pm; edited 2 times in total
Phoenix591
Guru
Joined: 17 Sep 2007
Posts: 487
Posted: Thu Aug 15, 2019 9:16 am

SSH port forwarding fits the bill pretty well. Here's a quick guide I found; it looks like the part you'll be interested in is the "local" port forwarding.

TLDR:

Code:
ssh -L 4000:server001.securednetwork:3306 user@sshhost.com

sends all traffic sent to port 3306 on the ssh client to port 4000 on the secured server by passing through the sshhost.
Hamlet
Apprentice
Joined: 15 Apr 2005
Posts: 151
Location: Turin (Italy)
Posted: Thu Aug 15, 2019 8:24 pm

Thank you for the answer, and I apologise for wasting your kindness. I realise now that there was essential information missing in the original message.
In my understanding, the servers are networking-wise visible from everywhere, but they allow only logins from the configured networks.
For example, if I say I am "Hamlet", it acknowledges my request only if I connect from Elsinor because that's how its administrator has set it up; but if I say I am Fortinbras, then it will maybe start a two-step authentication or check that mine is a Norwegian IP.

My understanding of tunnelling via SSH is that my original IP is not changed, and the tunnelling only allows my packets to actually reach the server. So if I connect from Wittenberg, my packets will pass through Elsinor's tunnel to reach the server instead of going directly, but they will still say I am connecting from Wittenberg (therefore causing the denial of the requested service). I may be wrong though.


P.S. I updated the original post so that other readers can get the right information at once.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21634
Posted: Fri Aug 16, 2019 1:22 am

SSH has multiple tunneling modes. The simplest, port forwarding, causes the ultimate destination to believe the client address is that of the sshd intermediary, not the true client. Please try it and report back.
Hamlet
Apprentice
Joined: 15 Apr 2005
Posts: 151
Location: Turin (Italy)
Posted: Mon Aug 19, 2019 4:54 pm    Post subject: Masquerading in userspace [SOLVED - not via masquerading]

And, guess what? You are right.
So for the IMAP access I used something along the lines of
Code:
ssh -f -N -4 -L 10993:outlook.office365.com:993 ssh-server.org

(here using one of the Microsoft IMAP servers). I am using a non-interactive authentication method, like public key or GSSAPI, so I can afford to put the thing in scripts and in the background with no issue.
Note the "-4" forcing IPv4 protocol, necessary because without it SSH attempted to use IPv6 and failed. It's not clear to me if the issue with IPv6 is because of the server SSH runs on, my local SSH client or the network itself.
Then I point my e-mail client to localhost port 10993 (any number above 1024 should do, as long as it's not used already). The rest of the settings (user name, password, encryption type) are all the regular ones I would use from the privileged servers.

I haven't tested it extensively, and it may be that more is needed for this particular IMAP server to work, since outlook.office365.com is a pool that may get different IP addresses.

Now I have to figure out a way to start this SSH connection on demand, i.e. when a process on the local computer asks to open a connection on the selected port (10993).
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21634
Posted: Tue Aug 20, 2019 2:41 am

Hamlet wrote:
Now I have to figure out a way to start this SSH connection on demand, i.e. when a process on the local computer asks to open a connection on the selected port (10993).
xinetd?
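Hu's xinetd suggestion and Hamlet's on-demand requirement, worked through as an added example that is not from the thread: a shell script that validates the chosen local port and prints an xinetd service stanza which starts ssh only when something connects to 127.0.0.1:10993. It assumes xinetd on the laptop, ssh at /usr/bin/ssh, and a non-interactive key for the hypothetical local account "hamlet"; "ssh -W" replaces "-L" because xinetd hands the accepted socket to ssh on stdin/stdout, so no persistent listener process is needed.

```shell
#!/bin/sh
# Added example (not from the thread). xinetd listens on 127.0.0.1:10993
# and, per connection, runs ssh with the accepted socket on stdin/stdout.
# "ssh -W host:port" forwards that stdio to outlook.office365.com:993 over
# the channel to ssh-server.org, so the IMAP server still sees the gateway's
# address, exactly as with "-L". "-4" mirrors the IPv4 workaround above.
# Assumptions: xinetd installed, ssh at /usr/bin/ssh, account "hamlet"
# (hypothetical) holds a key that logs in without a prompt.

# Accept only a numeric, unprivileged TCP port for the local listener.
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Print the xinetd stanza.
# Arguments: local_port target_host target_port gateway local_user
render_xinetd_service() {
    valid_local_port "$1" || return 1
    cat <<EOF
service imap-tunnel
{
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    port        = $1
    bind        = 127.0.0.1
    only_from   = 127.0.0.1
    wait        = no
    user        = $5
    server      = /usr/bin/ssh
    server_args = -q -4 -W $2:$3 $4
    disable     = no
}
EOF
}

# The thread's case: mail client -> localhost:10993 -> ssh-server.org -> IMAP.
render_xinetd_service 10993 outlook.office365.com 993 ssh-server.org hamlet
```

The stanza belongs in a file under /etc/xinetd.d/ and the mail client keeps pointing at localhost:10993; bind and only_from keep the forwarder reachable from the laptop only, since anyone who can connect to it inherits the gateway's standing with the IMAP server.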
All times are GMT