Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'm getting ready to add 2 computers to my network (will be a total of 4). I can ssh to the firewall and then to another computer (or any one of them first if I forward port 22 in iptables), but I was just curious if there was a way to forward the ssh connection to a specific computer by what username you use, for example firewall@myip.com connects you to the firewall, www@myip.com connects you to the webserver, and so on. What do you think?
So, I have all subdomains going to the firewall/dns server, set up the host names for all the machines (isn't that /etc/resolve.conf?), and then all connections to that subdomain should go to that computer? For example:
I assumed the firewall was not forwarding port 22, so DNS would be of no use if you can't access the internal boxes (the OP said he could access each box if he forwarded port 22, so I assumed he wasn't forwarding it normally). If you can access the boxes externally, then what's the problem anyway? Just ssh to each box. I thought OP said he could already do that anyway...
Interesting, I've never seen /etc/resolv.conf used like that. However, in the DNS addressing scheme in your your-domain.zone file you can appropriately make those entries. I'm thinking something like this:
Code:
localhost A 127.0.0.1
mainserv A 97.158.253.26
linbox1 A 192.168.0.101
linbox2 A 192.168.0.102
mail CNAME mainserv
www CNAME mainserv
This way you can query the DNS for the internal IP and then have the ssh transmission forwarded.
For example:
Code:
%user%@linbox1.example.com would go through this translation:
97.158.253.26:22 to 192.168.0.101:22
I said I can forward 22 to any particular box, but normally it just goes to the firewall. I just wanted a way to ssh to a box inside without having to ssh first to the firewall. Too lazy to ssh twice. So sue me. Plus, it helps me learn more about DNS.
In terms of learning DNS I think that's great, but from a security standpoint I think that it's a big no-no. Allowing access to all boxes on the network can compromise it big time. I think that this is good for experimentation but not for true implementation.
Something that's more secure would be setting up a VPN and then doing an SSH connection to the computers. But as the saying goes, "There's more than one way to skin a cat."
I don't see why it would be such a bad idea. All boxes only have 1 user with ssh permission and new connections would only be allowed on port 22 and whatever service the box is hosting (mail, web, ftp, etc).
Allowing SSH in terms of the service to be hosted is fine yes, but that also exposes all of the machines in the DNS to SSH exploits. Be aware of DoS attacks and dictionary hacks. Also disable root SSH logins because anyone can guess that there's a root account but not a jdoe account on that particular server.
Your security is just as important as the service.
I'm very much aware of ssh attacks. My internet was cut off (campus) because of reports of brute force ssh attacks coming from my system. Found out I had used uname ftp password ftp for people to log into my ftp server, but since ftp is a system user by default, I had deleted the user and readded it which gave it a login shell. Now, only 1 user that I created can log in. No root or system users, and the password is a secure password (10 char with upper, lower, number, and symbol).
DNAT will let you say "if someone hits port 7000 on my external machine then forward it to port 22 on machine A", and your aliases would have the -p flag for ssh already set.
This isn't very secure at all, but it works and you don't need special DNS for it.
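The port-based DNAT approach from the last reply, written out as an added example (not code from anyone in this thread): a script that emits the iptables rules for "external port N goes to internal host:22" plus the matching ~/.ssh/config aliases. The interface name eth0, the firewall address 97.158.253.26, the internal hosts from the zone file above and the login user "jdoe" are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (does not run) the DNAT rules
# and ssh aliases for forwarding distinct external ports to internal sshd's.
# Assumed/constructed values: external interface eth0, firewall address
# 97.158.253.26, the two internal boxes from the zone file, login user jdoe.
EXT_IF="eth0"
EXT_IP="97.158.253.26"
SSH_USER="jdoe"
# alias:external_port:internal_host, one entry per inside box (constructed)
SSH_MAP="linbox1:7001:192.168.0.101 linbox2:7002:192.168.0.102"

# Print the two rules one mapping needs. Assumes ip_forward is enabled and a
# global FORWARD rule already accepts ESTABLISHED,RELATED reply traffic.
dnat_rules() {
  ext_port="$1"; int_host="$2"
  # nat table: rewrite the destination of packets arriving on the chosen port
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' \
    "$EXT_IF" "$EXT_IP" "$ext_port" "$int_host"
  # filter table: only port 22 of that one host, and only for connections the
  # nat table actually rewrote (ctstate DNAT), so nothing else is reachable
  printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport 22 -m conntrack --ctstate DNAT -j ACCEPT\n' \
    "$EXT_IF" "$int_host"
}

# ~/.ssh/config stanza so "ssh linbox1" carries the right -p automatically
ssh_alias() {
  name="$1"; ext_port="$2"
  printf 'Host %s\n    HostName %s\n    Port %s\n    User %s\n' \
    "$name" "$EXT_IP" "$ext_port" "$SSH_USER"
}

# Walk the map: two iptables lines per entry
all_rules() {
  for entry in $SSH_MAP; do
    rest="${entry#*:}"
    dnat_rules "${rest%%:*}" "${rest#*:}"
  done
}

# Walk the map: one Host stanza per entry
all_aliases() {
  for entry in $SSH_MAP; do
    rest="${entry#*:}"
    ssh_alias "${entry%%:*}" "${rest%%:*}"
  done
}

# "sh script.sh rules" prints the firewall commands to review before applying;
# "sh script.sh ssh" prints the stanzas to append to ~/.ssh/config.
if [ "${1:-}" = "rules" ]; then all_rules; elif [ "${1:-}" = "ssh" ]; then all_aliases; fi
```

Because the FORWARD rule matches only DNAT-state connections to port 22 of the named host, opening port 7001 on the outside exposes exactly one sshd and nothing else on that box.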