* allowing ssh in campus
@ 2005-05-18 0:42 vaida bogdan
From: vaida bogdan @ 2005-05-18 0:42 UTC (permalink / raw)
To: netfilter
My campus connections look like this:
Dorm1 gateway ----\
Dorm2 gateway ----|=> Campus gateway |-> OUTSIDE
Dorm3 gateway ----/                  \-> University Servers
Dorms' ips are private on different internal networks.
I want to allow ssh (and other ports) access on request to users from
one of the Dorms to OUTSIDE.
If I allow Student1 ssh on dorm1 gateway then what do I tell the
Campus gateway to allow? (I can't allow full access from Dorm1's
gateway public ip.)
I would also like to consider security matters: (allow by ip&mac, or
through proxy).
Thanks in advance,
Bogdan
* Re: allowing ssh in campus
@ 2005-05-18 8:49 vaida bogdan
From: vaida bogdan @ 2005-05-18 8:49 UTC (permalink / raw)
To: netfilter

I have NAT.
(
> If I allow Student1 ssh on dorm1 gateway then what do I tell the
> Campus gateway to allow? (I can't allow full access from Dorm1's
> gateway public ip.
)

On 5/18/05, Пётр Волков Александрович <torre_cremata@mail.ru> wrote:
> Hello, Bogdan.
>
> In a message of 18 May 2005 04:42 vaida bogdan wrote:
> > My campus connections look like this:
> >
> > Dorm1 gateway ----\
> > Dorm2 gateway ----|=> Campus gateway |-> OUTSIDE
> > Dorm3 gateway ----/                  \-> University Servers
> >
> > Dorms' ips are private on different internal networks.
> >
> > I want to allow ssh (and other ports) access on request to users from
> > one of the Dorms to OUTSIDE.
> >
> > If I allow Student1 ssh on dorm1 gateway then what do I tell the
> > Campus gateway to allow? (I can't allow full access from Dorm1's
> > gateway public ip.
>
> Do you have NAT on Dorm's gateways? If you have, then it's a hard task to
> differentiate users on Campus gateway. So I suppose that you do not have NAT
> there and they are ordinary routers. Then I think rules should be like
> this:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -s <users_IP> -p tcp --dport 22 -j ACCEPT
> iptables -A FORWARD -d <users_IP> -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> > I would also like to consider security matters: (allow by ip&mac, or
> > through proxy).
>
> you can use mac address only for local networks. But proxy is possible.
> Look for squid's access control lists.
>
> Have I missed your question?
>
> --
> ____________
> Peter.
* Re: allowing ssh in campus
@ 2005-05-18 15:25 Пётр Волков Александрович
From: Пётр Волков Александрович @ 2005-05-18 15:25 UTC (permalink / raw)
To: netfilter, vaida bogdan

In a message of 18 May 2005 12:49 vaida bogdan wrote:
> I have NAT.
> (
> > If I allow Student1 ssh on dorm1 gateway then what do I tell the
> > Campus gateway to allow? (I can't allow full access from Dorm1's
> > gateway public ip.
> )
> On 5/18/05, Пётр Волков Александрович <torre_cremata@mail.ru> wrote:
> > In a message of 18 May 2005 04:42 vaida bogdan wrote:
> > > My campus connections look like this:
> > > Dorm1 gateway ----\
> > > Dorm2 gateway ----|=> Campus gateway |-> OUTSIDE
> > > Dorm3 gateway ----/                  \-> University

Well. IIUYC, your task is to allow or drop connections from users that are
behind NAT. Sorry. I don't think this is possible without access to Dorm
gateways. All packets from the gateway look as if they come from a single IP,
and information about the source of the packet is lost. The best you can do
is to look at the ttl field to find out if the packet is from the dorm gateway
or not. But users can simply get around this...

--
____________
Peter.
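Putting the two replies together, here is an added example that is not code from the thread: a small POSIX shell script that places the per-user allow rules on the NATing dorm gateway, where the student's IP and MAC are still visible, and gives the campus gateway only a per-dorm-gateway rule, since after NAT that is all it can distinguish. Interface names, addresses and the sample student are assumptions; running it with IPT="echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-user rules go on the NATing
# dorm gateway, where the student's IP and MAC are still visible; the campus
# gateway only sees the dorm gateway's public address after NAT, so it gets
# a per-dorm rule. Interface names, addresses and the sample student are
# assumptions. Run with IPT="echo iptables" to print rules instead of applying.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"   # dorm-side interface (assumed)
WAN_IF="${WAN_IF:-eth0}"   # link towards the campus gateway (assumed)

# Reject malformed MAC addresses so a typo cannot silently widen a rule.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Dorm gateway: default-deny forwarding, allow replies to permitted flows
# (same shape as the rules in Peter's first reply).
dorm_base_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dorm gateway: student $1 with MAC $2 may open TCP port $3 towards the
# campus link. MAC matching only works here, on the student's own segment.
dorm_allow_user() {
    valid_mac "$2" || { echo "dorm_allow_user: bad MAC '$2'" >&2; return 1; }
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$1" \
        -m mac --mac-source "$2" \
        -p tcp --dport "$3" -m state --state NEW -j ACCEPT
}

# Campus gateway: $1 is a dorm gateway's public address, $2 the TCP port.
# After NAT this is the finest granularity the campus gateway can enforce.
campus_allow_dorm() {
    $IPT -A FORWARD -s "$1" -p tcp --dport "$2" -m state --state NEW -j ACCEPT
}

# Constructed sample: Student1 in Dorm1 gets SSH; everything else stays dropped.
configure_dorm_gateway() {
    dorm_base_policy
    dorm_allow_user 10.1.0.15 00:11:22:33:44:55 22
}

# Apply only when explicitly asked, so the file can be sourced or dry-run.
if [ -n "${APPLY_RULES:-}" ]; then configure_dorm_gateway; fi
```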