Hi, not new to linux, but self-taught, so I sometimes need to ask as well
I need to ssh from wherever onto a laptop to be serviced,
say laptop is living at 172.16..x.y, which is behind a gateway/firewall, say 82.x.x.x
What is the syntax for that? Can anybody please point me to relevant readings?

There is something I do not understand in the ssh syntax and or routing.

ssh myusername@gateway82.x.x.x
That would not work because gateway82.x.x.x would not know that I want to
connect to 172.16..x.1 and not 172.16..x.2?
So is this a case of having to rely on the gateway admin to add a NAT rule?
Is that what it is called? See below what I had in mind

The gateway/firewall is probably going to have two nics,
internet ----> eth0 gateway82.x.x.x --> eth1 172.16..x.1, 172.16..x.2, 172.16..x.3

So I imagine the admin needs to include something like that, correct?
(I understand iptables well as a home user, but less in the wider context)
iptables -t nat -A PREROUTING -p tcp -i eth0 -d gateway82.x.x.x
--dport 22 -j DNAT --to 172.16..x.1:22
iptables -A FORWARD -p tcp -i eth0 -d 172.16..x.1:22 --dport 22 -j ACCEPT

So lets assume I have understood this ok, or it get explains,
if now I have 2 laptops to service, and say I am lazy and they both have the same admin_username and password (lets make this an academic case),
does this means that "the only solution" (except chain ssh to 172.16..x.1
then from there ssh 172.16..x.2) is to have the admin to add one rule
for say port 23 dnated to 172.16..x.2
(one exclusive port dnated per host on the LAN)

In all that I assume I can convince the admin of the LAN to get the dhcp
setup to give the same IP address to each laptop based on their nic MAC address.
How do we cope if these laptops get random IPs on the LAN?

Many thanks

Ok, so basically you have 2 laptops behind a firewall, which reside on different subnets, which the firewall has access 2, and you want to be able to connect to them? But problem is that the laptops are on DHCP and could change IP so putting a DNAT entry into iptables might not necessarily solve the prob because the IPs could change rendering the entry useless?

You know that from PuTTY or most SSH clients you can tunnel ports down to your localhost as long as the system your opening the connection to (firewall in this case) can access the subnet?

This of course unfortunately requires you to know the IPs If you can't get the DHCP addresses reserved by MAC, then there is potentially a way of DNATing a connection based on MAC, but that is above my iptables knowledge

What firewall are you running, a Linux box running iptables? Do you have access SSH access to this system?

Possibly you could use ARP and the known MACs to do something funky with updating the DNAT entries, but that would be a chore. In an ideal world you would tell the Admin to reserve the IPs based on MAC as you already mentioned, or just set a static and get him to exclude those addresses from the DHCP pool. Sorry if I havent been much help mate with a direct solution!

This is what I am trying to ascertain/understand
Have I correctly understood it from my iptable example

Ok, lets rewind, lets make it simpler.
I will be sure that the IPs are reserved by MAC

Do not know yet, helping a charity. The firewall very likely to be zinblows (I know very little about zinblows nowadays).
But lets assumed it has iptables or that I can add a 2d machine dedicated firewall

If you are tunneling ports, you do not need any root priviledges or any entries into the firewall, just a legitimate SSH shell login (can be standard non-root user with shell)

If you have this and are using PuTTY, you can connect to the laptops by doing the following:

Under +Session, put in the firewall IP addr and SSH port (which you have access to)

Under +SSH, open this tree and go to the "Tunnels" section.

Under Source Port, type in a port (this is the port that you want to have the service open on localhost, 22 is fine for a win box because 22 is not open, but any port will do)

Under Destination, type the laptop IP and port you want to access, so 172.16..x.1:22 or 172.16..x.1:3389 etc.

Hit the add button and you should see the forward appear in the listbox above.

Open the connection and authenticate with your credentials

You can now access the laptops by opening a connection to localhost on the source port you just specified. So if its SSH and your source port is 22, just SSH localhost 22. For RDP just open RDP client, localhost:Port. You get the idea.

You can do the same using Linux by using:

ssh -L <source port>:<dest IP>:<dest port> <username>@<SSH Host>

So something like ssh -L 15000:172.16..x.1:3389 emmanuel@82.x.x.x should do what you want. Let me know if i'm making any sense haha.

I think you nailed it many thanks

Lets see if I understood ok, So in summary:
I asked the remote gateway admin to punch a hole in say port 3389
I must setup sshd on remote laptop to listen to port 3389
I choose a random high port on an internet cafe machine (with live distro!), say 1500
the syntax -L 15000:172.16..x.1:3389
encapsulate/means I actually want to talk to a lan address (using port forwarding technics)
on username@82.x.x.x
username is actually here a username on remote lan machine 172.16.x.1
not a username on 82.x.x.x

Seen your other post about being new to the board
I think you are doing great, I hope you stick around.
As you said it is difficult to guess people level of knowledge.
I sometimes have to ask people what sort of level of info they need.
Each of us have a different teaching style (I have learned a lot about that).
I tend to give links and instructions and good keywords to help
people finding the solution rather than the direct solution, but sometimes
this is not really possible or would cause frustration.

I am looking in retrospect to what I learned here
for some reason for
<source port>:<dest IP>:<dest port> <username>@<SSH Host>
I thought <dest IP> and <SSH Host> needed to be the same PC.
I think the confusion stemed from the fact that I understood "port forwarding"
just being about ports, when in fact the whole tcp session is forwarded

I will now have a think, try it, and come back
much later to the academic case where the IPs are allocated
randomly (must be a simple way with arp and mac addresses to deal
with that)

Thanks, that is most appreciated! I am quite young, a Net Admin with a keen interest in Linux, cryptography (to some extent I am not a dev or a mathematician lol), and networks. Since I was so impressed with the help I received from uselpa about LVM, I am more than willing to try and help out where I can. I am still learning though as i'm sure most of us are!

Your understanding is accurate. Tunneling the ports via SSH encapsulates the traffic using whatever transmission cipher you are using (usually AES-128 or AES-256). When you use this method, you open a normal shell as you would to your destination, and then SSH opens a socket and connects to the port you request to any IP that you have routes to (as defined in the routing table naturally), tunneling the port down the SSH session to a port on your localhost for your use. If you use the -g flag you can even allow remote hosts on your LAN to access the service using your machine.

When you connect, the entire stream is encrypted, as the traffic is going via the SSH tunnel.

In a lot of cases this is more secure than a VPN, as TLS with AES-256 as the transmission cipher is stronger than the majority of IPsec or TLS VPN implementations, but obviously does not give you direct access to the subnet as a VPN does.

Since you have SSH access to the 172.16..x.1 address and not the firewall's public IP, you will need the admin to do a DNAT and forward a port on that firewall and direct it at the laptops port 22. Naturally once this is in place, you can use the SSH tunnels as you wish to access the other laptop or any other machines for that matter.

Its not quite as sexy as UDP hole punching for getting through firewalls, but certainly makes a skilled admins job a load easier!

To summarise quickly, port forwarding opens a public port, usually on a router/firewall say 15000, and directs it to an IP & private port specific PC, and once in place is usually permanent. Tunneling allows you to use an SSH session to encapsulate as many IPs/ports as you want on the private subnets providing you have SSH shell access to either a firewall with routes, or straight into that subnet itself.

Hell with OpenSSH 4.3 or above, you can open a TUN based VPN with just SSH sessions, but i'm not going to spam you with the details when i'm sure your more than capable of finding out matey!

Well am just a home user/ hobbyist

Thanks for mentionning that, because I would not have thought of it.

I thought this was enough just with the hole at 3389 in the firewall.
But in fact the firewall still does not know where to send
traffic arriving on port 3389
So the admin (me testing this on my home system
will ssh from laptop to desktop via the router and the internet
back to the lan, just like the lan did not exist. Oh deary me!)
will have to do

iptables -t nat -A PREROUTING -p tcp -i eth0 -d gateway82.x.x.x
--dport 3389 -j DNAT --to 172.16..x.1:22

iptables -A FORWARD -p tcp -i eth0 -d 172.16..x.1:3389 -o eth1 --dport 22 -j ACCEPT

Is the the last line correct:
accept incoming on eth0 something that was encapsulated to be
172.16..x.1:3389 adn that is going on the LAN eth1 at port 22 now

I am sorry to bother with the question, but it is a bit
above my head

You said you dont have SSH access to 82.x.x.x? In which case doing the ssh -L command will not work because you cannot authenticate with the firewall?

You don't need any forward, you just need the DNAT prerouting entry on the firewall:

-A PREROUTING -i eth0 -p tcp --dport 22222 -j DNAT --to-destination 172.16..x.1:22

You also need:

-A POSTROUTING -o <ethX> -j MASQUERADE

If you are NATing to a different subnet.

This will allow you to ssh 82.x.x.x:22222 and will give you your shell to 172.16..x.1. Naturally this will allow the SSH -L command now, ssh -L 15000:172.16..x.2:22 emmanuel@82.x.x.x:22222 will connect to laptop 172.16..x.1 but tunnel port 15000 down to localhost, which in this case is the second laptops port 22.

If you are making changes to a firewall with a public static, come at it from another public IP not internally. Because coming internally will be the wrong <eth>

Sorted?