Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] ssh shells and ircd on a small lan
  • From: nagilum@xxxxxxxxxxxx
  • Date: Wed, 11 Jul 2001 11:23:17 +0200 (CEST)
  • Message-id: <994843397.3b4c1b05ebcd3@xxxxxxxxxxxxxxxxx>
Hi,
maybe you should try port forwarding a port from the gateway to your machine
192.168.0.2. I recently made a small script for a similar purpose. I just
extended my comments so you should know what to do with it. Put it
in /etc/rc.d/ and chmod +x it and read the comments (at least).
Good luck,
Alexander.

PS: Any comments appreciated.

Quoting Dimitris Kontogiannopoulos <jim@xxxxxxxxxxx>:

>
> I don't think that it is a good idea to give someone access to your
> firewall box. If you have configured your firewall and routing table
> correctly you don't have to give a user account to your firewall. It's
> so simple, don't do this to yourself.
>
>
> Kontogiannopoulos Dimitris
> jim@xxxxxxxxxxx
> Junior Net Admin
>
> ----- Original Message -----
> From: "phil" <phil@xxxxxxxxxxx>
> To: <suse-security@xxxxxxxx>
> Sent: Wednesday, July 11, 2001 12:12 AM
> Subject: [suse-security] ssh shells and ircd on a small lan
>
>
> > Greetings all,
> > I've been trying to give my friend a shell account
> > (ssh) and I have run into some confusion.
> >
> > The firewall box has ssh already on it, but it also has port forwarding.
> > So I am confused as to where I should give my friend a shell at.
> >
> > I also talk irc with my friend on an ircd which is located on 192.168.0.2,
> > but I'm wondering if this is safe to let ircd be port forwarded through the
> > firewall box.
> >
> > |----------------------------------
> > | modem (dialup)-- firewall box
> > |                      |
> > |                  redhat eth0
> > |----------------------------------
> >                |
> >          |------------      |----------------
> >          | hub        | --  | (eth0) 192.168.0.1 (just a client mandrake)
> >          |------------
> >                \            |----------------
> >                             | (eth0) 192.168.0.2 (irc, shell accounts suse 7.2)
> >
> >
> > at the moment the only way I know to get through the external network is
> > to ssh to the firewall box as root, then ssh again into the 192.168.0.2 box.
> >
> > I don't want my friend to know the root password on the firewall.
> > I trust the guy, but he isn't very adept at linux and he might screw
> > something up by accident. I want to avoid the accident. I also want
> > to limit him to say 10MB and 10 processes (the cpu goes to 100% now with
> > no limits on the account)
> >
> > If I shut ssh off the firewall how can I turn on ssh through it to the
> > shell accounts? Or is this the wrong way to do this? I am thinking the
> > shell might be better off located on the firewall.
> >
> > Should ircd be relocated to the firewall instead of where it is
> > now (192.168.0.2)?
> >
> > and finally... a bloob, I accidentally deleted my ircd startup from the
> > inetd.conf. I tried YaST and manually editing it but the only way to
> > start irc is manually now. Can someone show the line or lines in the
> > inetd.conf that have the irc/ircd start up from inetd.conf? There is
> > not anything in the manual about this.
> >
> > it used to start when I boot, but no more...;o(
> >
> > --
> > To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> > For additional commands, e-mail: suse-security-help@xxxxxxxx

========================================================================
# _ __ _ __ http://home.htwm.de/akuehn/ \n icq://69646724 #
# / |/ /__ ____ _(_) /_ ____ _ nagilum@xxxxxxxxxxxx \n +01776461165 #
# / / _ `/ _ `/ / / // / ' \ Amiga (68k/PPC): AOS/NetBSD/Linux #
# /_/|_/\_,_/\_, /_/_/\_,_/_/_/_/ Mac (PPC): MacOS9 / Linux / MacOS-X #
# /___/ x86: Linux/FreeBSD/OpenBSD/QNX/Win98SE #
========================================================================



#!/bin/bash
# simple portforwarding script by Alexander Kuehn,
# BSD licence - use it, screw it, blame me
# requires SuSE firewall installed, configured and working
# the syntax is PORTFORWARD="[definition][ definition] ..."
# where definition is "external_port:LAN_machine:LAN_machine_port"
# for example put something like this in your /etc/rc.config
# PORTFORWARD="5080:mymachine:80 5022:mymachine:22"
# this would forward external port 5080 to mymachine port 80
# and external port 5022 to mymachine port 22
# be aware that you can not test this from your LAN, you have to check
# this from a host outside of your LAN, e.g. ssh to some other host and
# try a lynx http://<insertyourgateway>:5080/ or ssh -p 5022 <insertyourgateway>
# once you know it's working add a "/etc/rc.d/forward restart" to
# your /etc/ppp/ip-up.local (presuming you're using a dialup link), good luck!

. /etc/rc.config
. /etc/rc.config.d/firewall.rc.config

# get ip of world interface
LOCALIP=`ifconfig $FW_DEV_WORLD|grep "inet addr:"|cut -d ":" -f 2|cut -d " " -f 1`
while [ -z "$LOCALIP" ]
do
# if the script is called too early the interface might not
# have an ip, therefore we will loop until it has one
# this sleep will help to keep the machine breathing just in the case..
sleep 5
LOCALIP=`ifconfig $FW_DEV_WORLD|grep "inet addr:"|cut -d ":" -f 2|cut -d " " -f 1`
done

# The echo return value for success (defined in /etc/rc.config).
return=$rc_done
case "$1" in
start)
echo -n "Starting port forwarding:"
for i in ${PORTFORWARD}; do
LCPORT=`echo $i|cut -d: -f1`
TOMACH=`echo $i|cut -d: -f2`
TOPORT=`echo $i|cut -d: -f3`
ipmasqadm portfw -a -P tcp -L $LOCALIP $LCPORT -R $TOMACH $TOPORT || return=$rc_failed
done
echo -e "$return"
;;
stop)
echo -n "Stopping port forwarding:"
# flush all portfw entries at once
ipmasqadm portfw -f || return=$rc_failed
echo -e "$return"
;;
status)
echo "Listing forwarded ports: "
ipmasqadm portfw -l && echo OK || echo No process
;;
reload)
$0 stop && $0 start || return=$rc_failed
;;
restart)
$0 stop && $0 start || return=$rc_failed
;;
*)
echo "Usage: $0 {start|stop|status|restart|reload}"
exit 1
;;
esac

# Inform the caller not only verbosely and set an exit status.
test "$return" = "$rc_done" || exit 1
exit 0
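As an added example (not code from the original post), a validator for the PORTFORWARD definition syntax the script's comments describe: it rejects malformed entries, out-of-range ports and IP targets outside the LAN, and emits the ipmasqadm commands as a dry run instead of executing them. The LAN prefix 192.168.0. is assumed from the thread's diagram, and 1.2.3.4 stands in for the gateway's world address.

```shell
#!/bin/sh
# Added example, not part of the original post: validate PORTFORWARD
# definitions ("external_port:LAN_machine:LAN_machine_port") before they
# reach ipmasqadm. The original script cuts the fields blindly, so a typo
# like "5022:mymachine" becomes a forward with an empty target port.
LAN_PREFIX="192.168.0."   # assumed from the thread's network diagram

# is_port NUM -> true if NUM is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_forward DEF -> prints "extport host port" and returns 0,
# or reports the problem on stderr and returns 1
check_forward() {
    def=$1
    case "$def" in
        *:*:*:*|*::*|:*|*:) echo "malformed definition: $def" >&2; return 1 ;;
        *:*:*) ;;
        *) echo "malformed definition: $def" >&2; return 1 ;;
    esac
    ext=${def%%:*}; rest=${def#*:}
    host=${rest%%:*}; port=${rest#*:}
    is_port "$ext"  || { echo "bad external port in $def" >&2; return 1; }
    is_port "$port" || { echo "bad LAN port in $def" >&2; return 1; }
    case "$host" in
        *[!A-Za-z0-9.-]*) echo "bad host name in $def" >&2; return 1 ;;
        *[!0-9.]*) ;;          # host name: ipmasqadm will resolve it
        "$LAN_PREFIX"*) ;;     # IP literal inside the LAN: fine
        *) echo "$host is outside $LAN_PREFIX in $def" >&2; return 1 ;;
    esac
    echo "$ext $host $port"
}

# forward_cmds "DEF DEF ..." LOCALIP -> prints the ipmasqadm line for each
# valid definition; returns 1 if any definition was rejected, so a typo
# aborts the whole start instead of leaving the gateway half configured
forward_cmds() {
    defs=$1; ip=$2; status=0
    for i in $defs; do
        fields=$(check_forward "$i") || { status=1; continue; }
        set -- $fields
        echo "ipmasqadm portfw -a -P tcp -L $ip $1 -R $2 $3"
    done
    return $status
}

forward_cmds "5080:mymachine:80 5022:mymachine:22" 1.2.3.4   # dry run
```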
