| 1 |
On 11/24/2010 04:35 PM, Alan McKinnon wrote: |
| 2 |
> I need to get to the work CVS server from home. It's not exposed to the |
| 3 |
> internet but never fear! we have ssh -L and a convenient sshd host that is on |
| 4 |
> the internets. So, locally |
| 5 |
> |
| 6 |
> ssh -Llocalhost:1111:cvs.example.com:22 alan@×××××××××××××××.com |
| 7 |
> |
| 8 |
> and tell cvs that the server is localhost:1111 |
| 9 |
> |
| 10 |
> I do this all the time for lots of other stuff. Doesn't work for CVS because |
| 11 |
> there's no way to tell cvs to tell ssh what port to use. |
| 12 |
> |
| 13 |
> Google gives lots of hits about using the host-specific Host directive in |
| 14 |
> ~/.ssh/config but that won't work for me - it assumes I can see the CVS server |
| 15 |
> directly and doesn't take into account that I have port forwarding in the way. |
| 16 |
> |
| 17 |
> Anyone know a way to get cvs to use any port other than 22? I'm receptive to |
| 18 |
> alternate cvs clients with this support, just not ones that tweak ssh to do |
| 19 |
> it. |
| 20 |
> |
| 21 |
> |
| 22 |
|
| 23 |
Use a full-blown tunnel instead of redirection magic. At home: |
| 24 |
|
| 25 |
|
| 26 |
#!/bin/bash |
| 27 |
|
| 28 |
modprobe tun |
| 29 |
|
| 30 |
ssh -w 0:0 -C -f \ |
| 31 |
root@××××××××××××.com \ |
| 32 |
/root/ssh_tunnel |
| 33 |
|
| 34 |
ifconfig tun0 10.0.2.2 netmask 255.255.255.252 |
| 35 |
|
| 36 |
# Replace 10.1.1.0/24 with your work subnet. |
| 37 |
ip route add 10.1.1.0/24 via 10.0.2.1 dev tun0 |
| 38 |
|
| 39 |
|
| 40 |
And on the workstation at work: |
| 41 |
|
| 42 |
#!/bin/bash |
| 43 |
# |
| 44 |
# /root/ssh_tunnel |
| 45 |
# |
| 46 |
|
| 47 |
# The internal IP of your workstation, on the work network. |
| 48 |
INTERNAL_IP="10.1.1.x" |
| 49 |
|
| 50 |
modprobe tun |
| 51 |
ifconfig tun0 10.0.2.1 netmask 255.255.255.252 |
| 52 |
echo 1 > /proc/sys/net/ipv4/ip_forward |
| 53 |
|
| 54 |
# You will probably not want to trash all of your iptables rules. |
| 55 |
# Adjust as necessary. |
| 56 |
iptables -F |
| 57 |
iptables -F -t nat |
| 58 |
iptables -P FORWARD DROP |
| 59 |
iptables -A FORWARD -d 10.0.2.0/29 -j ACCEPT |
| 60 |
iptables -A FORWARD -s 10.0.2.0/29 -j ACCEPT |
| 61 |
iptables -t nat -A POSTROUTING -s 10.0.2.2 -j SNAT \ |
| 62 |
--to-source $INTERNAL_IP |
| 63 |
|
| 64 |
|
| 65 |
This worked fine for me for about a year. Eventually, I gave in and set |
| 66 |
up a real-ass VPN with OpenVPN. If you need to access services remotely |
| 67 |
often, I would suggest skipping the intermediate step and going straight |
| 68 |
to OpenVPN. |
Archives