On Mon, Oct 30, 2000 at 08:17:21PM -0800, Krzys Majewski wrote:
...
> > Just curious, what tricks do you use to create this port forwarding?
> > And is it created on the fly?
>
> I create the pipes in /etc/network/interfaces:
>
> up sleep 3 && /etc/init.d/tcp-pipes start && /usr/local/sbin/sync-date
> down /etc/init.d/eam tcp nowait carel /usr/bin/ssh
> /usr/bin/ssh iae bin/nc mail.iae.nl eam tcp nowait carel /usr/bin/ssh
> /usr/bin/ssh ire bin/nc uucp.iae.nl uucp-pipes stop

Ah neat, again a different approach.

...
> SSHARGS="${SSHFLAGS} -l ${USER} -L ${LOCALPORT}:${DEST}:${REMOTEPORT}
> ${HOST} ${PIPE}l"

What is this ${PIPE}l? Some program you run on the other side? I would
have expected something like "sleep forever".

...snipped a lot of code to deal with pids

The problem with your way for me, I think, is that my ISP is flaky, so
the connections would get broken all too often, and I don't know whether
the up and down scripts would get run. I'm not even sure whether such
breakdowns would go unnoticed by the network layer on my firewall or be
automagically repaired.

Another problem, it seems to me, is that you expect that at your school
the ${PIPE}l magic program runs forever, whereas even my more reliable
second isp is not that reliable :(. Moreover, I don't feel comfy with
those pipes open all the time (silly, I know).

So I did it differently using tcp-wrappers/inetd, like this:

In /etc/services I added lines like "isp-smtp 100025/tcp". Numbers above
100000 go beyond the specs, but they seem to work here and no-one else
is likely to use them, so no conflicts expected :)

In /etc/inetd.conf I added long one-liners like:

isp-smtp stream tcp nowait carel\
   /usr/bin/ssh /usr/bin/ssh isp bin/nc mail.isp.nl smtp

At my reliable isp I have compiled nc (netcat) and put it in ~/bin/nc.
I'm quite sure that rlogin instead of nc will work too, but I didn't try.

I've set up keys and ~/.ssh/config so that my local user carel can
"ssh isp" and winds up being logged into my differently named account
at my isp without password hassles.

So whenever someone locally tries to connect to one of those isp-*
ports, a secure connection to my isp is created using my local carel's
ssh setup, and once he/she is done the connection is closed again.

I think this is reasonably secure, as I allow everybody locally to use
news and mail anyhow, and my isp's imap/pop3 service is still
password-protected.
-- 
greetings, carel
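
An added example, not part of the original message: a small Python check for the kind of /etc/services and inetd.conf entries described above. It flags port numbers that do not fit the 16-bit TCP port field (valid range 1-65535) and inetd lines whose service name has no usable services entry; the sample data is constructed, and isp-nntp and isp-pop3 are hypothetical names.

```python
import re

# Constructed sample data modelled on the message; isp-nntp and isp-pop3 are
# hypothetical entries added for illustration.
SERVICES = """\
smtp       25/tcp    mail
isp-smtp   100025/tcp
isp-nntp   10119/tcp   # comment
"""
INETD = """\
isp-smtp stream tcp nowait carel /usr/bin/ssh /usr/bin/ssh isp bin/nc mail.isp.nl smtp
isp-pop3 stream tcp nowait carel /usr/bin/ssh /usr/bin/ssh isp bin/nc mail.isp.nl pop3
"""
ENTRY = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b")


def parse_services(text):
    """Return {(name, proto): port} for every well-formed services line."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line.split("#", 1)[0].strip())
        if m:
            table[(m.group(1), m.group(3))] = int(m.group(2))
    return table


def out_of_range(table):
    """Ports must fit in 16 bits (1-65535). For each entry that does not,
    return (name, port, port & 0xFFFF); the last value is what a plain
    16-bit truncation would give (assumption: resolver behaviour varies)."""
    return [(n, p, p & 0xFFFF) for (n, _), p in sorted(table.items())
            if not 1 <= p <= 65535]


def unresolved_inetd(inetd_text, table):
    """Return inetd service names with no usable services entry for the
    protocol named in the third field of the inetd line."""
    bad = []
    for line in inetd_text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 6:  # service, socket type, proto, wait flag, user, program
            continue
        port = table.get((f[0], f[2]))
        if port is None or not 1 <= port <= 65535:
            bad.append(f[0])
    return bad


if __name__ == "__main__":
    services = parse_services(SERVICES)
    for name, port, low16 in out_of_range(services):
        print(f"{name}: {port} does not fit a 16-bit port (low 16 bits: {low16})")
    for name in unresolved_inetd(INETD, services):
        print(f"{name}: inetd entry has no valid services entry")
```

After editing either file, `netstat -ltn` or `ss -ltn` on the firewall shows which port inetd actually bound, which is the number the packet filter rules have to match.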