From: vaida bogdan <vaida.bogdan@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: allowing ssh in campus
Date: Wed, 18 May 2005 08:49:46 +0000
Message-ID: <12848a3b05051801491c31d816@mail.gmail.com>
In-Reply-To: <12848a3b05051801482ce06a21@mail.gmail.com>
I have NAT.
(
> If I allow Student1 ssh on dorm1 gateway then what do I tell the
> Campus gateway to allow ? (I can't allow full access from Dorm1's
> gateway public ip.
)
On 5/18/05, Пётр Волков Александрович <torre_cremata@mail.ru> wrote:
> Hello, Bogdan.
>
> In the message of 18 May 2005 04:42 vaida bogdan wrote:
> > My campus connections look like this:
> >
> > Dorm1 gateway ----\
> > Dorm2 gateway ----|=> Campus gateway |-> OUTSIDE
> > Dorm3 gateway ----/                  \-> University Servers
> >
> > Dorms' ips are private on different internal networks.
> >
> > I want to allow ssh (and other ports) access on request to users from
> > one of the Dorms to OUTSIDE.
> >
> > If I allow Student1 ssh on dorm1 gateway then what do I tell the
> > Campus gateway to allow ? (I can't allow full access from Dorm1's
> > gateway public ip.
>
> Do you have NAT on the Dorms' gateways? If you have, then it's a hard task to
> differentiate users on the Campus gateway. So I suppose that you do not have NAT
> there and they are ordinary routers. Then I think the rules should be like
> this:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -s <users_IP> -p tcp --dport 22 -j ACCEPT
> iptables -A FORWARD -d <users_IP> -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> > I would also like to consider security matters: (allow by ip&mac, or
> > through proxy).
>
> You can use MAC addresses only for local networks. But a proxy is possible.
> Look at squid's access control lists.
>
> Have I missed your question?
>
> --
> ____________
> Peter.
>
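As an added example (not code from either poster), here is how the per-user rules from the reply above can be placed on the NATing dorm gateway instead of the campus gateway: the dorm gateway still sees each student's private address, and since the dorm LAN is directly attached it can also match the MAC address, which Peter notes only works on local networks. The interface names, the sample student address and MAC, and the `IPT` dry-run variable are assumptions for illustration; nothing here is from the thread.

```shell
#!/bin/sh
# Added example for a dorm gateway that does NAT: allow one student outbound
# SSH (or another port on request) by private IP *and* MAC, default-deny the
# rest, and let replies back in. Interface names and the sample student are
# constructed for illustration.
#
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

LAN_IF="${LAN_IF:-eth1}"   # dorm-side interface (assumed name)
WAN_IF="${WAN_IF:-eth0}"   # uplink towards the campus gateway (assumed name)

# Default deny for forwarded traffic, allow replies to flows already accepted,
# and hide the private dorm network behind the gateway's uplink address.
base_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Emit the rule that lets a single student open new connections to one TCP port.
#   $1 = student's private IP, $2 = student's MAC, $3 = TCP port (default 22)
# The MAC match only holds for hosts on the directly attached LAN; FORWARD sees
# the original private source address because MASQUERADE runs later, in
# POSTROUTING.
allow_student_port() {
    ip="$1"; mac="$2"; port="${3:-22}"
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ip" -m mac --mac-source "$mac" \
         -p tcp --dport "$port" -m state --state NEW -j ACCEPT
}

# Sample usage with a constructed student: prints the rule set in dry-run mode.
base_policy
allow_student_port 10.1.1.25 00:11:22:33:44:55 22
```

The campus gateway then only needs to permit the dorm gateway's public address on the same port; the per-user decision is made where the private addresses are still visible.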