* RE: work ip address at home
@ 2003-10-22 17:41 Daniel Chemko
  2003-10-22 18:15 ` Brent Gregersen
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel Chemko @ 2003-10-22 17:41 UTC (permalink / raw)
  To: Brent Gregersen, netfilter

Well, I'd say that VPN is the most obvious solution for this problem,
but since you haven't done that already, I assume you aren't doing this
above the radar, or without network competent administrators.

An SSH tunnel is feasible as long as the client side doesn't need to use
the work IP for the protocol to function. Maybe if you gave some details
on this 'license server' we could get a better idea on what we're
working on. Is this plugging into something like LM Server?


-----Original Message-----
From: Brent Gregersen [mailto:gregerse@chemsun.chem.umn.edu] 
Sent: Wednesday, October 22, 2003 10:08 AM
To: netfilter@lists.netfilter.org
Subject: work ip address at home

I need help with the following setup.

I have one machine at home that gets an IP address (say 1.2.3.4) by DHCP
from an ISP. However, I would like applications on my home machine to
think it has the ip address of my machine at work (say 4.3.2.1).
I would then like to forward a specific port of my home machine to my
work machine, and then forward that to a license server at work. Thus,
application thinks I'm at work, license server thinks I'm at work, but I'm
really sitting comfortably in my own home.

Is this possible? Should this be done with netfilter/iptables or should I
be looking at another option?

If it is possible, I could get some extra work done at home, without
having to use certain graphics intensive programs over a tunneled X
connection to my work machine (which is extremely slow).

A diagram:

        LinuxA                 LinuxB            LinuxC
|---------HOME---------|     |---Work--|     |-Work Server-|
|'4.3.2.1' <--> 1.2.3.4|<--->| 4.3.2.1 |<--->|   4.3.2.2   |
|----------------------|     |---------|     |-------------|


Thanks for any help/suggestions



^ permalink raw reply	[flat|nested] 9+ messages in thread

* RE: work ip address at home
  2003-10-22 17:41 work ip address at home Daniel Chemko
@ 2003-10-22 18:15 ` Brent Gregersen
  2003-10-22 18:21   ` Antony Stone
  2003-10-23  2:35   ` Jim Carter
  0 siblings, 2 replies; 9+ messages in thread
From: Brent Gregersen @ 2003-10-22 18:15 UTC (permalink / raw)
  To: Daniel Chemko; +Cc: netfilter

On Wed, 22 Oct 2003, Daniel Chemko wrote:

> Well, I'd say that VPN is the most obvious solution for this problem,
> but since you haven't done that already, I assume you aren't doing this
> above the radar, or without network competent administrators.
>
> An SSH tunnel is feasible as long as the client side doesn't need to use
> the work IP for the protocol to function. Maybe if you gave some details
> on this 'license server' we could get a better idea on what we're
> working on. Is this plugging into something like LM Server?

The license server is a machine I do not have access to. It is running
Elan License Manager software for Tecplot (application I want to use at
home to prepare graphs/plots for journal articles). I believe tecplot
compares the ip address of application machine to a 'valid' ip domain
contained in license obtained from the license server.  This was the reasoning
behind the 'trick application into thinking I am at work' approach. I
could be wrong on this however. If that's the case, I'll look into
implementing a VPN solution between my home machine and work machine.
(wrong forum, but any pointers/urls on useful VPN software?)



>
>
> -----Original Message-----
> From: Brent Gregersen [mailto:gregerse@chemsun.chem.umn.edu]
> Sent: Wednesday, October 22, 2003 10:08 AM
> To: netfilter@lists.netfilter.org
> Subject: work ip address at home
>
> I need help with the following setup.
>
> I have one machine at home that gets an IP address (say 1.2.3.4) by DHCP
> from an ISP. However, I would like applications on my home machine to
> think it has the ip address of my machine at work (say 4.3.2.1).
> I would then like to forward a specific port of my home machine to my
> work machine, and then forward that to a license server at work. Thus,
> application thinks I'm at work, license server thinks I'm at work, but I'm
> really sitting comfortably in my own home.
>
> Is this possible? Should this be done with netfilter/iptables or should I
> be looking at another option?
>
> If it is possible, I could get some extra work done at home, without
> having to use certain graphics intensive programs over a tunneled X
> connection to my work machine (which is extremely slow).
>
> A diagram:
>
>         LinuxA                 LinuxB            LinuxC
> |---------HOME---------|     |---Work--|     |-Work Server-|
> |'4.3.2.1' <--> 1.2.3.4|<--->| 4.3.2.1 |<--->|   4.3.2.2   |
> |----------------------|     |---------|     |-------------|
>
>
> Thanks for any help/suggestions
>
>



* Re: work ip address at home
  2003-10-22 18:15 ` Brent Gregersen
@ 2003-10-22 18:21   ` Antony Stone
  2003-10-23  2:35   ` Jim Carter
  1 sibling, 0 replies; 9+ messages in thread
From: Antony Stone @ 2003-10-22 18:21 UTC (permalink / raw)
  To: Netfilter

On Wednesday 22 October 2003 7:15 pm, Brent Gregersen wrote:

> On Wed, 22 Oct 2003, Daniel Chemko wrote:
> > Well, I'd say that VPN is the most obvious solution for this problem,
> > but since you haven't done that already, I assume you aren't doing this
> > above the radar, or without network competent administrators.

> The license server is a machine I do not have access to. It is running
> Elan License Manager software for Tecplot (application I want to use at
> home to prepare graphs/plots for journal articles). I believe tecplot
> compares the ip address of application machine to a 'valid' ip domain
> contained in license obtained from the license server.  This was the
> reasoning behind the 'trick application into thinking I am at work'
> approach. I could be wrong on this however. If that's the case, I'll look
> into implementing a VPN solution between my home machine and work machine.
> (wrong forum, but any pointers/urls on useful VPN software?)

http://www.freeswan.org will allow you to "extrude" an IP address from your 
work network to your home machine across an IPsec VPN so you can fool the 
software the way you describe.

Antony.

-- 

If books were designed by Microsoft, the Anarchist's Cookbook would explode 
when you read it.

 - Mark W Schumann



* RE: work ip address at home
  2003-10-22 18:15 ` Brent Gregersen
  2003-10-22 18:21   ` Antony Stone
@ 2003-10-23  2:35   ` Jim Carter
  2003-10-23  3:20     ` Brent Gregersen
  1 sibling, 1 reply; 9+ messages in thread
From: Jim Carter @ 2003-10-23  2:35 UTC (permalink / raw)
  To: Brent Gregersen; +Cc: Daniel Chemko, netfilter

On Wed, 22 Oct 2003, Brent Gregersen wrote:
> The license server is a machine I do not have access to. It is running
> Elan License Manager software for Tecplot (application I want to use at
> home to prepare graphs/plots for journal articles). I believe tecplot
> compares the ip address of application machine to a 'valid' ip domain
> contained in license obtained from the license server.  This was the reasoning
> behind the 'trick application into thinking I am at work' approach. I
> could be wrong on this however. If that's the case, I'll look into
> implementing a VPN solution between my home machine and work machine.
> (wrong forum, but any pointers/urls on useful VPN software?)

If it's anything like flexlm, there's a license file on the local machine
which tells it the host name and port number of the server.  Flexlm
actually doesn't care which of our various subnets the client is on, only
how many licenses it's passed out, though our firewall rules DO care :-)
In any case, it would be worth the effort to try to fake it out using ssh.
Here's a sample command line for forwarding SMTP (port 25) that I (used to)
use for sending mail as if local, to bypass our anti-relaying rules (look
at the headers of this message, for the current solution :-)

/usr/bin/ssh -q -x -f -N -L 20025:julia.math.ucla.edu:25 julia.math.ucla.edu

(-q - quiet, -x = omit X-windows, -f = drop into background, -N = omit
shell command, -L = port forwarding.)  I test by doing...

telnet localhost 20025

To my HELO, it responds:

250 julia.math.ucla.edu Hello julia.math.ucla.edu [128.97.4.254], pleased
to meet you

The packets appear to come from Julia, the host listed in the -L parameter.
It might be a good idea to turn on keepalives, so a forgotten connection
automatically exits when the net connection goes down.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)



* RE: work ip address at home
  2003-10-23  2:35   ` Jim Carter
@ 2003-10-23  3:20     ` Brent Gregersen
  0 siblings, 0 replies; 9+ messages in thread
From: Brent Gregersen @ 2003-10-23  3:20 UTC (permalink / raw)
  To: Jim Carter; +Cc: Daniel Chemko, netfilter

> If it's anything like flexlm, there's a license file on the local machine
> which tells it the host name and port number of the server.  Flexlm
> actually doesn't care which of our various subnets the client is on, only
> how many licenses it's passed out, though our firewall rules DO care :-)
> In any case, it would be worth the effort to try to fake it out using ssh.
> Here's a sample command line for forwarding SMTP (port 25) that I (used to)
> use for sending mail as if local, to bypass our anti-relaying rules (look
> at the headers of this message, for the current solution :-)
>
> /usr/bin/ssh -q -x -f -N -L 20025:julia.math.ucla.edu:25 julia.math.ucla.edu
>
> (-q - quiet, -x = omit X-windows, -f = drop into background, -N = omit
> shell command, -L = port forwarding.)  I test by doing...
>
> telnet localhost 20025
>
> To my HELO, it responds:
>
> 250 julia.math.ucla.edu Hello julia.math.ucla.edu [128.97.4.254], pleased
> to meet you
>
> The packets appear to come from Julia, the host listed in the -L parameter.
> It might be a good idea to turn on keepalives, so a forgotten connection
> automatically exits when the net connection goes down.
> >

Yes, like flexlm there is an environment variable TLMHOST that is set to
the name of the license server.

I had actually just tried the ssh tunnel, only to find out that the license
request goes out over udp, and doesn't get forwarded.

I now however have pptp(d) set up on my home and work machines.
Communication between home and work over point-to-point link is verified
and I added a route on the home machine 'route add -host $TLMHOST ppp0' so
that requests to the license server will be carried over the ptp
connection.

however, when I ping $TLMHOST, the packets are getting swallowed by my
machine at work. (ifconfig at work shows arriving packets on ppp0 and the
pptp-php-gtk.php status window at home shows outgoing packets on ptp
connection.)

I'm sure I just don't have the firewall/routing rules configured on my work
machine to properly route the ppp0 connection (to/from home) onto eth0 (public ip
subnet at work). I'm fairly certain that if the routing/forwarding/nat is
set up correctly, I could obtain a key over the point-to-point link.

Any suggestions on a 'proper' iptables configuration to do the above?
(pass ppp0 packets from home onto eth0 at work so that replies will come
back through ppp0 to my home machine)


Thanks again for all the suggestions...



* RE: work ip address at home
@ 2003-10-23 18:26 Daniel Chemko
  0 siblings, 0 replies; 9+ messages in thread
From: Daniel Chemko @ 2003-10-23 18:26 UTC (permalink / raw)
  To: Brent Gregersen; +Cc: netfilter

Ok, to get this up you will need NAT/Filtering changes. You have to
implement SNAT on the work-pc since the return path for the lm-server is
probably not your work computer itself. Plus, it gives the server the
impression that it is talking to an IP address on your work network.

Enable forwarding at your work computer
Then add something like the following:

# Include a FORWARD rule pair for each VPN interface you allow in,
# though I assume that you would just need one. <VPN Interface> == ppp0,
# or ppp1, etc..
# Masquerade on the way out to the LAN, not out to the VPN: the license
# server then sees your work computer's address, and its replies route
# back to this box to be un-NATed.
iptables -t nat -A POSTROUTING -o <LAN Interface> -j MASQUERADE

iptables -P FORWARD DROP
# Return traffic in either direction rides on the conntrack entry.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i <VPN Interface> -o <LAN Interface> --destination <lm server> -p udp --dport <lm_port> -j ACCEPT
# If the state filter doesn't conntrack your UDP connection for some
# bizarre reason, use the following rule as well (replies come FROM the
# lm server, so match on source, not destination).
iptables -A FORWARD -i <LAN Interface> -o <VPN Interface> --source <lm server> -p udp --sport <lm_port> -j ACCEPT

# This is assuming that your lm's protocol is a straight single
# port->port path. The protocol may introduce some ugliness through other
# methods. You may have to open more to accommodate for that.



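Added example, not code from the thread or from any of the tools named in it: a user-space UDP relay with a session table, which is the same bookkeeping Daniel's MASQUERADE rule and conntrack do in the kernel, and the thing Brent found ssh -L cannot do, since ssh forwards TCP only. The fake license server, its GRANTED reply format, the LICENSE request, the hostname home-box and every port are constructed for the demonstration and everything runs on loopback. The server reports the source address it observed, so a run shows the server seeing the relay's port rather than the client's, which is exactly what SNAT on the work machine buys you.

```python
import select
import socket
import threading

LOOPBACK = "127.0.0.1"   # everything below runs on loopback; no real hosts


def start_license_server():
    """Constructed stand-in for the license server (not Elan or FLEXlm): it
    answers each datagram with the source address it observed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((LOOPBACK, 0))
    srv.settimeout(0.1)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(4096)
            except socket.timeout:
                continue
            srv.sendto(b"GRANTED %s:%d for %s" % (peer[0].encode(), peer[1], data), peer)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname(), stop, thread


class UdpRelay:
    """Session-tracking UDP relay, i.e. user-space MASQUERADE plus conntrack:
    each client gets its own server-facing socket (a relay-chosen source port),
    replies map back through it, and only the server may send into it."""

    def __init__(self, server_addr):
        self.server_addr = server_addr
        self.listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.listen.bind((LOOPBACK, 0))
        self.sessions = {}   # client (ip, port) -> server-facing socket
        self.clients = {}    # server-facing socket -> client (ip, port)
        self.stop = threading.Event()
        self.thread = threading.Thread(target=self._loop, daemon=True)
        self.thread.start()

    def session_port(self, client):
        # the port the server saw for this client (the relay's 'SNAT' port)
        return self.sessions[client].getsockname()[1]

    def _loop(self):
        while not self.stop.is_set():
            ready, _, _ = select.select([self.listen, *self.clients], [], [], 0.1)
            for sock in ready:
                data, peer = sock.recvfrom(4096)
                if sock is self.listen:
                    out = self.sessions.get(peer)
                    if out is None:               # new flow: create the NAT entry
                        out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                        out.bind((LOOPBACK, 0))   # fresh source port, as SNAT picks one
                        self.sessions[peer] = out
                        self.clients[out] = peer
                    out.sendto(data, self.server_addr)   # source is now the relay
                elif peer == self.server_addr:
                    self.listen.sendto(data, self.clients[sock])   # un-NAT the reply
                # datagrams from anyone else into a session are silently dropped

    def close(self):
        self.stop.set()
        self.thread.join()
        for sock in [self.listen, *self.clients]:
            sock.close()


def request_license(relay_addr, hostname=b"home-box"):
    """Client side: a UDP license client whose TLMHOST names the relay."""
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind((LOOPBACK, 0))
    client.settimeout(2)
    client.sendto(b"LICENSE " + hostname, relay_addr)
    reply, _ = client.recvfrom(4096)
    client_addr = client.getsockname()
    client.close()
    return client_addr, reply.decode()


def demo():
    """Run client -> relay -> server on loopback; report who saw which port."""
    server_addr, stop, server_thread = start_license_server()
    relay = UdpRelay(server_addr)
    try:
        client_addr, reply = request_license(relay.listen.getsockname())
        seen_port = int(reply.split()[1].split(":")[1])
        return {"reply": reply, "client_port": client_addr[1],
                "relay_session_port": relay.session_port(client_addr),
                "server_saw_port": seen_port}
    finally:
        relay.close()
        stop.set()
        server_thread.join()


if __name__ == "__main__":
    print(demo())
```

demo() returns the client's port, the relay's session port and the port the server saw; the last two agree and differ from the first. The sessions/clients tables are the user-space counterpart of the conntrack entry that the ESTABLISHED,RELATED rule matches, and the peer check in _loop is what that rule gives you for free: nothing but the host the flow was opened to can inject a reply into it.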

* RE: work ip address at home
@ 2003-10-22 18:31 Daniel Chemko
  0 siblings, 0 replies; 9+ messages in thread
From: Daniel Chemko @ 2003-10-22 18:31 UTC (permalink / raw)
  To: Brent Gregersen; +Cc: netfilter

Linux DOES have VPN support. Most notably are IPSEC and PPTP. I am not
familiar with other VPN solutions. I think PPTP is probably easier to
setup, though it requires kernel mods.

PPTP:

pptpclient.sourceforge.net
www.poptop.org

IPSEC:

www.freeswan.org



* Re: work ip address at home
  2003-10-22 17:08 Brent Gregersen
@ 2003-10-22 17:18 ` Michael Garriss
  0 siblings, 0 replies; 9+ messages in thread
From: Michael Garriss @ 2003-10-22 17:18 UTC (permalink / raw)
  To: netfilter

On Wed, Oct 22, 2003 at 12:08:26PM -0500, Brent Gregersen wrote:
> I need help with the following setup.
> 
> I have one machine at home that gets an IP address (say 1.2.3.4) by DHCP
> from an ISP. However, I would like applications on my home machine to
> think it has the ip address of my machine at work (say 4.3.2.1).
> I would then like to forward a specific port of my home machine to my work
> machine, and then forward that to a license server at work. Thus,
> application thinks I'm at work, license server thinks I'm at work, but I'm
> really sitting comfortably in my own home.
> 
> Is this possible? Should this be done with netfilter/iptables or should I
> be looking at another option?
> 
> If it is possible, I could get some extra work done at home, without
> having to use certain graphics intensive programs over a tunneled X
> connection to my work machine (which is extremely slow).
> 
> A diagram:
> 
>         LinuxA                 LinuxB            LinuxC
> |---------HOME---------|     |---Work--|     |-Work Server-|
> |'4.3.2.1' <--> 1.2.3.4|<--->| 4.3.2.1 |<--->|   4.3.2.2   |
> |----------------------|     |---------|     |-------------|
> 
> 
> Thanks for any help/suggestions
> 

Some ideas:

You can assign multiple ip to one interface like this:
ifconfig eth0 $IP1 netmask $NETMASK broadcast $BROADCAST
ifconfig eth0:1 $IP2 netmask $NETMASK broadcast $BROADCAST
etc...

Then you can use SNAT and DNAT to fool with the IP addresses that are
coming in and going out.

Michael Garriss



* work ip address at home
@ 2003-10-22 17:08 Brent Gregersen
  2003-10-22 17:18 ` Michael Garriss
  0 siblings, 1 reply; 9+ messages in thread
From: Brent Gregersen @ 2003-10-22 17:08 UTC (permalink / raw)
  To: netfilter

I need help with the following setup.

I have one machine at home that gets an IP address (say 1.2.3.4) by DHCP
from an ISP. However, I would like applications on my home machine to
think it has the ip address of my machine at work (say 4.3.2.1).
I would then like to forward a specific port of my home machine to my work
machine, and then forward that to a license server at work. Thus,
application thinks I'm at work, license server thinks I'm at work, but I'm
really sitting comfortably in my own home.

Is this possible? Should this be done with netfilter/iptables or should I
be looking at another option?

If it is possible, I could get some extra work done at home, without
having to use certain graphics intensive programs over a tunneled X
connection to my work machine (which is extremely slow).

A diagram:

        LinuxA                 LinuxB            LinuxC
|---------HOME---------|     |---Work--|     |-Work Server-|
|'4.3.2.1' <--> 1.2.3.4|<--->| 4.3.2.1 |<--->|   4.3.2.2   |
|----------------------|     |---------|     |-------------|


Thanks for any help/suggestions

