LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-15-2005, 08:11 PM   #1
disorderly
Member
 
Registered: Sep 2003
Location: NJ
Distribution: RHEL5
Posts: 154

Rep: Reputation: 30
forwarding secure copy


hello!
until recently i've been letting my friends log onto one of my computers (box#1) using winSCP. they each have their own account and are chrooted into their home directory. now i've changed my setup so that i have an intermediate linux computer (box#2) redirecting my ssh logins to the appropriate machines like box#2..#3...etc..

i'd like for them to still be able to log in to box#1 using winscp but am not sure how to redirect that through box#2. how can i do this? or is this even possible?

oh - i have box#2 directing the logins because it's on 24x7 and i never take it out of the house

thank you for any advice,
disorderly
 
Old 12-10-2005, 06:22 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
this can easily be done by doing port-forwarding using iptables commands on box #2...

basically you just assign specific ports to be forwarded to specific boxes... so, for example, if i would attempt to establish an ssh connection to port 3333 on box #2 i could be forwarded (DNATed) to box #3, and if i attempt to establish an ssh connection to port 4444 i could be forwarded (DNATed) to box #4, etc...

http://www.google.com/linux?&q=port+forward+iptables
 
Old 12-13-2005, 05:47 PM   #3
disorderly
Member
 
Registered: Sep 2003
Location: NJ
Distribution: RHEL5
Posts: 154

Original Poster
Rep: Reputation: 30
thanks win32sux! i appreciate your taking the time to reply. i was starting to think this wasn't possible

do you mean that i need to open up other ports on my NAT router?

or do i set up the forwarding rules on box#2 after tunneling in on the ssh port 22 (the only port i have open at the moment) so that if i'm forwarding port 3333 in ssh, it is redirected to box#3?
thanks again,
disorderly
 
Old 12-15-2005, 08:52 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by disorderly
thanks win32sux! i appreciate your taking the time to reply. i was starting to think this wasn't possible

do you mean that i need to open up other ports on my NAT router?

or do i set up the forwarding rules on box#2 after tunneling in on the ssh port 22 (the only port i have open at the moment) so that if i'm forwarding port 3333 in ssh, it is redirected to box#3?
thanks again,
disorderly
what i would do is: do the port-forwarding on the NAT router... so basically, you have your NAT router with, let's say, an internal interface (LAN) and an external interface (WAN/Internet)... basically you just forward some ports from the external side to the machines on the LAN... so people would connect to the IP address on the external side, but depending on which port they connect to, they will be forwarded to either box 3, 4, 5 or whatever...

if your NAT router is a gnu/linux box then you could do something like this with iptables:

Code:
# $IPT is the iptables binary, $EXT_IFACE the WAN interface, $INT_IFACE the LAN interface
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept the new connection after it has been DNATed to each LAN box's sshd
$IPT -A FORWARD -p TCP -i $EXT_IFACE -o $INT_IFACE \
--dport 22 -d 192.168.0.103 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p TCP -i $EXT_IFACE -o $INT_IFACE \
--dport 22 -d 192.168.0.104 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p TCP -i $EXT_IFACE -o $INT_IFACE \
--dport 22 -d 192.168.0.105 -m state --state NEW -j ACCEPT

# rewrite the destination: external port -> port 22 on the matching LAN box
$IPT -t nat -A PREROUTING -p TCP -i $EXT_IFACE --dport 3333 \
-j DNAT --to-destination 192.168.0.103:22

$IPT -t nat -A PREROUTING -p TCP -i $EXT_IFACE --dport 4444 \
-j DNAT --to-destination 192.168.0.104:22

$IPT -t nat -A PREROUTING -p TCP -i $EXT_IFACE --dport 5555 \
-j DNAT --to-destination 192.168.0.105:22

# outbound LAN traffic leaves with the router's external address
$IPT -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE
in this example there are three boxes on your LAN... each box is running an ssh daemon on port 22... the router is configured so that any connections that are attempted to port 3333 on the external interface will get forwarded to port 22 of host 192.168.0.103 on the LAN... connections to port 4444 would go to port 22 of 192.168.0.104, and so forth... so basically you are able to let the users log into whichever box they want simply by connecting to a different port on the WAN/Internet side... even if you aren't using a gnu/linux box as the router, the same concept still applies...
 
Old 12-15-2005, 09:12 PM   #5
disorderly
Member
 
Registered: Sep 2003
Location: NJ
Distribution: RHEL5
Posts: 154

Original Poster
Rep: Reputation: 30
awesome- thanks again. i'm going to be reading a lot about iptables this weekend as i dissect your example (which fits my network pretty darn well!)

any advice on which ports to use so i don't look too interesting to a port scan?
 
Old 12-16-2005, 11:48 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by disorderly
awesome- thanks again. i'm going to be reading a lot about iptables this weekend as i dissect your example (which fits my network pretty darn well!)
you're welcome. good luck with your reading... any questions you have don't hesitate to ask, i'll gladly do my best to help you out... BTW, here's a neat tutorial: http://iptables-tutorial.frozentux.net/

Quote:
any advice on which ports to use so i don't look too interesting to a port scan?
sorry, i'm not really sure... perhaps you could look and see which ports nmap scans using its defaults and stuff, and then pick ports/ranges that are not in the list... also, if your remote clients have static IPs then you can simply add a couple rules so that anything not coming from that IP will be ignored, hence making port scans useless for unwelcome visitors...

even if your clients don't have static IPs, apparently one thing that does help somewhat with scans is to DROP any TCP packets that have a state of NEW but are not SYN... basically, by adding a rule like this to your FORWARD chain, before the --dport 22 ACCEPT rules:
Code:
$IPT -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
just my $0.02...
 
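As an added example for this thread (not code from any of the posters): a small sh script that builds the rule set from posts #4 and #6 out of one port-to-host table, so each box's FORWARD accept and its PREROUTING DNAT rule always come from the same line and cannot drift apart as boxes are added. It puts the `! --syn` drop from post #6 ahead of the per-box ACCEPTs and, when ALLOWED_SRC is set, restricts both rules of each pair to that client address, which is one way to do the "ignore anything not from that IP" idea. The interface names eth0/eth1 and the dry-run IPT default are assumptions; the addresses and ports are the ones from the thread's example.

```shell
#!/bin/sh
# Added example, not from the thread.  Generates the two rules each forwarded
# ssh host needs (filter/FORWARD accept and nat/PREROUTING DNAT) from one
# mapping table.  Interface names below are assumptions; addresses and ports
# match the thread's example network.
EXT_IFACE="${EXT_IFACE:-eth0}"   # assumed WAN interface
INT_IFACE="${INT_IFACE:-eth1}"   # assumed LAN interface

# Dry run by default: print the commands instead of running them.
# Set IPT=iptables (as root) to apply for real.
IPT="${IPT:-echo iptables}"

# Optional client source restriction from post #6 (address or CIDR).
# Empty means no restriction.
ALLOWED_SRC="${ALLOWED_SRC:-}"

# forward_ssh <external-port> <lan-ip>: emit the rule pair for one box.
forward_ssh() {
    ext_port="$1"
    lan_ip="$2"
    src_match=""
    if [ -n "$ALLOWED_SRC" ]; then
        src_match="-s $ALLOWED_SRC"
    fi
    # nat/PREROUTING runs before filter/FORWARD, so the filter rule sees the
    # rewritten LAN destination and port 22, not the external port.
    $IPT -A FORWARD -p tcp -i "$EXT_IFACE" -o "$INT_IFACE" $src_match \
        -d "$lan_ip" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -t nat -A PREROUTING -p tcp -i "$EXT_IFACE" $src_match \
        --dport "$ext_port" -j DNAT --to-destination "$lan_ip:22"
}

# Rules that must precede the per-box pairs.
base_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Post #6: a NEW connection whose first packet is not a SYN is never a
    # real handshake, so drop it before the per-box ACCEPT rules.
    $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
}

# Outbound LAN traffic leaves with the router's external address.
masquerade_rule() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IFACE" -j MASQUERADE
}

# Constructed mapping table: "<external port> <LAN ip>" per line.
PORT_MAP="3333 192.168.0.103
4444 192.168.0.104
5555 192.168.0.105"

# Emit the complete rule set in order.
apply_all() {
    base_rules
    echo "$PORT_MAP" | while read -r port host; do
        if [ -n "$port" ]; then
            forward_ssh "$port" "$host"
        fi
    done
    masquerade_rule
}

# Number of DNAT rules the table produces (one per box); compare it against
# the entries shown by `iptables -t nat -L PREROUTING -n` after applying.
count_dnat_rules() {
    apply_all | grep -c -e '-j DNAT'
}

apply_all
```

Run as-is it only prints the iptables commands so they can be read over first; run with IPT=iptables as root to apply them. Adding a fourth box is one more line in PORT_MAP rather than two hand-written rules that have to agree on the address.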