Linux Netfilter discussions
* how do I target a specific machine - not ip address?
@ 2006-12-10 16:40 sean
  2006-12-10 17:47 ` Elvir Kuric
  2006-12-12 16:28 ` Michael P. Brininstool
  0 siblings, 2 replies; 5+ messages in thread
From: sean @ 2006-12-10 16:40 UTC (permalink / raw)
  To: netfilter

I want to connect from travel to my server. Since I'm 
connecting through hot-spots or hotel connections, my ip 
address will be all over the place.

I thought about putting the laptop's MAC address in the 
packet, and using mac-source, but it seems the MAC 
address is stripped out over the internet.

So, how do I set it up so the server will know my laptop 
from whatever ip address I happen to have?

BTW, the laptop is linux, so I can mangle POSTROUTING if 
that helps.

I can ssh, but what I want to do is set up an NFS mount.

sean




* Re: how do I target a specific machine - not ip address?
  2006-12-10 16:40 how do I target a specific machine - not ip address? sean
@ 2006-12-10 17:47 ` Elvir Kuric
  2006-12-10 18:33   ` sean
  2006-12-12 16:28 ` Michael P. Brininstool
  1 sibling, 1 reply; 5+ messages in thread
From: Elvir Kuric @ 2006-12-10 17:47 UTC (permalink / raw)
  To: sean, netfilter

Hi Sean, 

MAC address will not help you. But you can implement
many other ways to connect to your server. 
First you can change ssh port to listen different than
22, no matter which, I am hoping you know how to do this. 
Second you can implement iptables rule to accept all 
ssh connections to that port ... something like 
iptables -A INPUT -p tcp --dport 32022 -s 0/0 -d
your_server_ip -j ACCEPT
Then implement rules to accept only 2 or more ( it
depends on you ) ssh connection per minute, and you
can make some rule for port knocking in combination
with iptables ( I know port knocking is clear text,
but possible intruder will get only ssh prompt ). 

Of course there are many other security considerations
and I am hoping that other list members will take part
in this discussion.

I hope this helps 

Regards 
Elvir Kuric


--- sean <seandarcy2@gmail.com> wrote:

> I want to connect from travel to my server. Since
> I'm 
> connecting through hot-spots or hotel connections,
> my ip 
> address will be all over the place.
> 
> I thought about putting the laptop's MAC address in
> the 
> packet, and using mac-source, but it seems the
> MAC 
> address is stripped out over the internet.
> 
> So, how do I set it up so the server will know my
> laptop 
> from whatever ip address I happen to have.
> 
> BTW, the laptop is linux, so I can mangle
> POSTROUTING if 
> that helps.
> 
> I can ssh, but what I want to do is set up an NFS
> mount.
> 
> sean
> 
> 
> 





* Re: how do I target a specific machine - not ip address?
  2006-12-10 17:47 ` Elvir Kuric
@ 2006-12-10 18:33   ` sean
  2006-12-10 19:37     ` Rob Sterenborg
  0 siblings, 1 reply; 5+ messages in thread
From: sean @ 2006-12-10 18:33 UTC (permalink / raw)
  To: netfilter

Elvir Kuric wrote:
> Hi Sean, 
> 
> MAC address will not help you. But you can implement
> many other ways to connect to your server. 
> First you can change ssh port to listen different than
> 22, no matter which, I am hoping you know how to do this. 
> Second you can implement iptables rule to accept all 
> ssh connections to that port ... something like 
> iptables -A INPUT -p tcp --dport 32022 -s any/0 -d
> your_server_ip -j ACCEPT
> Then implement rules to accept only 2 or more ( it
> depends on you ) ssh connection per minute, and you
> can make some rule for port knocking in combination
> with iptables ( I know port knocking is clear text,
> but possible intruder will get only ssh prompt ). 
> 
> Of course there are many other security considerations
> and I am hoping that other list members will take part
> in this discussion.
> 
> I hope this helps 
> 
> Regards 
> Elvir Kuric
> 
> 
> --- sean <seandarcy2@gmail.com> wrote:
> 
>> I want to connect from travel to my server. Since
>> I'm 
>> connecting through hot-spots or hotel connections,
>> my ip 
>> address will be all over the place.
>>
>> I thought about putting the laptop's MAC address in
>> the 
>> packet, and using mac-source, but it seems the
>> MAC 
>> address is stripped out over the internet.
>>
>> So, how do I set it up so the server will know my
>> laptop 
>> from whatever ip address I happen to have.
>>
>> BTW, the laptop is linux, so I can mangle
>> POSTROUTING if 
>> that helps.
>>
>> I can ssh, but what I want to do is set up an NFS
>> mount.
>>
>> sean
>>
>>


ssh is not the problem. I can ssh into the server using the 
techniques you describe.

My problem is mounting an NFS share. I want to set up 
iptables so that it will accept packets from my laptop, 
regardless of ip address.

Then I can open up NFS and not rely on the goofy hosts.allow 
hosts.deny stuff.

sean




* RE: how do I target a specific machine - not ip address?
  2006-12-10 18:33   ` sean
@ 2006-12-10 19:37     ` Rob Sterenborg
  0 siblings, 0 replies; 5+ messages in thread
From: Rob Sterenborg @ 2006-12-10 19:37 UTC (permalink / raw)
  To: netfilter

>> First you can change ssh port to listen different than
>> 22, no matter which, I am hoping you know how to do this.

You don't really need to do that; however, I would do that if I were
using SSH password authentication. So, when you set up SSH public-key
authentication you'll be quite safe: not many people will be able to
guess what your keys look like.

After that, you can set up an SSH tunnel so that you can use NFS over the
tunnel. There are docs about SSH tunneling all over the internet.

Or, you can set up a VPN solution.


Grts,
Rob




* RE: how do I target a specific machine - not ip address?
  2006-12-10 16:40 how do I target a specific machine - not ip address? sean
  2006-12-10 17:47 ` Elvir Kuric
@ 2006-12-12 16:28 ` Michael P. Brininstool
  1 sibling, 0 replies; 5+ messages in thread
From: Michael P. Brininstool @ 2006-12-12 16:28 UTC (permalink / raw)
  To: 'sean', netfilter

>I thought about putting the laptop's MAC address in the packet, and 
>using mac-source, but it seems the MAC address is stripped out over 
>the internet.

I think you misunderstand how the mac address is used.

Your data is broken into chunks and wrapped with TCP headers containing port
numbers; these chunks are wrapped in IP headers containing IP addrs.  Those
chunks of data are wrapped in ethernet headers containing MAC addrs.  The
ethernet headers are only valid on the current LAN segment or collision
domain.  As soon as the ethernet wrapped "frame" is received at some device
that speaks ethernet (like a gateway router), the ethernet headers (wrapper)
are removed and discarded.  The IP wrapped data will be RE-WRAPPED in
ethernet headers valid for the segment on the other side of the router.
This continues until the data reaches the destination.  There is no way to
preserve the MAC address when the destination is not in the same collision
domain unless you want to invent your own tunneling protocol.
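Michael's point about Ethernet headers living only on one segment, shown as an added example that is not from the thread: a small Python simulation of a gateway hop, where the IP and TCP layers survive unchanged but the laptop's source MAC is gone after the first router. All MAC and IP addresses below are constructed sample values.

```python
import socket
import struct

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_checksum(header):
    # One's-complement sum of 16-bit words (RFC 1071); a valid header sums to 0.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload, ttl=64):
    # Minimal 20-byte TCP header (SYN, checksum left 0: this is a constructed sample).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + tcp

def ethernet_wrap(dst_mac, src_mac, ip_packet):
    # 14-byte Ethernet header: dst MAC, src MAC, EtherType 0x0800 (IPv4).
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip_packet

def router_forward(frame, out_iface_mac, next_hop_mac):
    # What a gateway does: drop the Ethernet header, decrement TTL, fix the IP
    # checksum, then re-wrap with MACs that belong to the *next* segment.
    ip = bytearray(frame[14:])
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip[:20])))
    return ethernet_wrap(next_hop_mac, out_iface_mac, bytes(ip))

def src_mac(frame):
    return ":".join("%02x" % b for b in frame[6:12])

def src_ip(frame):
    return socket.inet_ntoa(frame[26:30])

def demo():
    # Constructed addresses: laptop on a hotel LAN sending NFS (tcp/2049) to a server.
    laptop_mac, hotel_gw_mac = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    pkt = build_ipv4_tcp("10.1.1.50", "203.0.113.10", 40000, 2049, b"NFS")
    on_hotel_lan = ethernet_wrap(hotel_gw_mac, laptop_mac, pkt)
    past_router = router_forward(on_hotel_lan, "00:11:22:33:44:01", "00:11:22:33:44:02")
    return on_hotel_lan, past_router
```

The server only ever sees the MAC of the last router's interface, which is why a mac-source match on the server side cannot identify the laptop; the IP and TCP layers are the only end-to-end identifiers, and even the IP changes with every hotel, which is what pushes the answer toward key-based identity (SSH keys or a VPN).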




