On 11/24/2010 04:35 PM, Alan McKinnon wrote:
> I need to get to the work CVS server from home. It's not exposed to the
> internet but never fear! we have ssh -L and a convenient sshd host that is on
> the internets. So, locally
>
> ssh -Llocalhost:1111:cvs.example.com:22 alan@×××××××××××××××.com
>
> and tell cvs that the server is localhost:1111
>
> I do this all the time for lots of other stuff. Doesn't work for CVS because
> there's no way to tell cvs to tell ssh what port to use.
>
> Google gives lots of hits about using the host-specific Host directive in
> ~/.ssh/config but that won't work for me - it assumes I can see the CVS server
> directly and doesn't take into account that I have port forwarding in the way.
>
> Anyone know a way to get cvs to use any port other than 22? I'm receptive to
> alternate cvs clients with this support, just not ones that tweak ssh to do
> it.
>

Use a full-blown tunnel instead of redirection magic. At home:


#!/bin/bash

# tun/tap support on the home box.
modprobe tun

# -w 0:0 : request a layer-3 tunnel, tun0 on both ends
#          (sshd on the far side needs "PermitTunnel yes")
# -C     : compress the tunnel traffic
# -f     : go to background once the remote command has been started
ssh -w 0:0 -C -f \
    root@××××××××××××.com \
    /root/ssh_tunnel

# Home end of the point-to-point /30: 10.0.2.2 <-> 10.0.2.1
ifconfig tun0 10.0.2.2 netmask 255.255.255.252

# Replace 10.1.1.0/24 with your work subnet.
ip route add 10.1.1.0/24 via 10.0.2.1 dev tun0


And on the workstation at work:

#!/bin/bash
#
# /root/ssh_tunnel -- run by sshd as the remote command of the ssh -w session
#

# The internal IP of your workstation, on the work network.
INTERNAL_IP="10.1.1.x"

modprobe tun
# Work end of the point-to-point /30; sshd already created tun0 for the -w 0:0 request.
ifconfig tun0 10.0.2.1 netmask 255.255.255.252
# Forward packets between tun0 and the work LAN.
echo 1 > /proc/sys/net/ipv4/ip_forward

# You will probably not want to trash all of your iptables rules.
# Adjust as necessary.
iptables -F
iptables -F -t nat
iptables -P FORWARD DROP
# Note: the tunnel itself is a /30 (10.0.2.0-3); the /29 below is wider than it needs to be.
iptables -A FORWARD -d 10.0.2.0/29 -j ACCEPT
iptables -A FORWARD -s 10.0.2.0/29 -j ACCEPT
# Traffic from the home end leaves for the work LAN with this workstation's address.
iptables -t nat -A POSTROUTING -s 10.0.2.2 -j SNAT \
    --to-source $INTERNAL_IP


This worked fine for me for about a year. Eventually, I gave in and set
up a real-ass VPN with OpenVPN. If you need to access services remotely
often, I would suggest skipping the intermediate step and going straight
to OpenVPN.
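The work-side script above flushes every existing iptables rule and then forwards anything to or from the tunnel subnet, which is more than the original question (ssh to one CVS host) needs. As an added example that is not the reply author's code, here is a variant of /root/ssh_tunnel with the same tunnel addressing from the thread (10.0.2.1 at work, 10.0.2.2 at home, a /30) that leaves the existing firewall alone by putting its rules in a private chain, forwards only TCP port 22 to the CVS server, drops everything else that arrives over the tunnel, and can undo itself. The chain name SSH_TUNNEL, the use of ip/sysctl/the conntrack match, and the INTERNAL_IP and CVS_IP placeholders are this example's own choices, not anything from the thread. The rule sets are printed by functions so they can be reviewed before they are applied; as with the original, sshd on the work side needs PermitTunnel enabled for the -w request to be accepted.

```shell
#!/bin/bash
# Added example, not the original poster's script: a work-side /root/ssh_tunnel
# that keeps the existing firewall and forwards only ssh to the CVS host.
# Tunnel addressing follows the thread (10.0.2.1 work <-> 10.0.2.2 home, /30).
# INTERNAL_IP and CVS_IP are placeholders; replace them with real addresses.
set -eu

TUN_DEV="tun0"
TUN_LOCAL="10.0.2.1"
TUN_PEER="10.0.2.2"
TUN_NET="10.0.2.0/30"                   # the /30 actually configured, not a wider /29
INTERNAL_IP="${INTERNAL_IP:-10.1.1.x}"  # placeholder: this workstation on the work LAN
CVS_IP="${CVS_IP:-10.1.1.20}"           # placeholder (constructed): the CVS server's LAN address
CHAIN="SSH_TUNNEL"                      # private chain; the rest of FORWARD is untouched

# Print the rules that set up the restricted forwarding policy, one command per
# line, so they can be reviewed (or tested) before anything is changed.
tunnel_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -i $TUN_DEV -s $TUN_PEER -d $CVS_IP -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A $CHAIN -o $TUN_DEV -d $TUN_PEER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -j DROP
iptables -I FORWARD 1 -s $TUN_NET -j $CHAIN
iptables -I FORWARD 1 -d $TUN_NET -j $CHAIN
iptables -t nat -A POSTROUTING -s $TUN_PEER ! -o $TUN_DEV -j SNAT --to-source $INTERNAL_IP
EOF
}

# Print the commands that undo tunnel_rules: detach the chain from FORWARD
# first, then empty and delete it.
tunnel_cleanup_rules() {
    cat <<EOF
iptables -t nat -D POSTROUTING -s $TUN_PEER ! -o $TUN_DEV -j SNAT --to-source $INTERNAL_IP
iptables -D FORWARD -d $TUN_NET -j $CHAIN
iptables -D FORWARD -s $TUN_NET -j $CHAIN
iptables -F $CHAIN
iptables -X $CHAIN
EOF
}

# Execute each line read on stdin; used as "tunnel_rules | run_lines".
run_lines() {
    while IFS= read -r cmd; do
        eval "$cmd"
    done
}

tunnel_up() {
    modprobe tun
    # sshd has already created $TUN_DEV for the client's -w 0:0 request.
    ip addr add "$TUN_LOCAL/30" dev "$TUN_DEV"
    ip link set "$TUN_DEV" up
    sysctl -q -w net.ipv4.ip_forward=1
    tunnel_rules | run_lines
}

tunnel_down() {
    tunnel_cleanup_rules | run_lines
    ip link set "$TUN_DEV" down 2>/dev/null || true
}

case "${1:-}" in
    up)   tunnel_up ;;
    down) tunnel_down ;;
    *)    printf 'usage: %s up|down\n' "$0" >&2 ;;
esac
```

Bring the tunnel up from home with the remote command set to `/root/ssh_tunnel up` in place of the plain `/root/ssh_tunnel` of the original, and run `ssh root@host /root/ssh_tunnel down` when you are done. Running `tunnel_rules` on its own prints the exact iptables commands that will be applied, which is the part worth reading before handing a root shell to a script that edits the firewall.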