Tuesday, June 24, 2008
Dodging black ICE to do a job …
Yet another data point for the NAT is eeeeeeeevil meme …
Smirk called up and asked if I could set up Cacti for one of our customers. They were having an issue with their local network (broadcast storms) and with Cacti monitoring the network, it would be easy to see the problem box. We already manage their firewall, which is a Linux system using iptables, so it can be easily installed there.
Only in the process of setting up Cacti (not difficult, just tedious as there's several pieces of software that have to be compiled and installed manually) I realized that the firewall wasn't handling the NAT for the customer's network—that was another device behind the firewall. And that means Cacti, running on the firewall, had no way of contacting an individual system on the private network.
Sure, there's port forwarding, but that's one port per box that needs to be configured on the NAT device, and while possible, there's usually a limit to the number of port forwards allowed by such a device.
“Sorry, no can do,” I told Smirk.
About an hour later, he calls back. “They have a Linux server on their network. You can install Cacti there,” he said. “They're port forwarding ssh to their Linux system.”
Okay, so to get to the internal Linux system of our customer, I first have to ssh to my virtual workstation at The Data Center (since The Office no longer exists—we all telecommute), then ssh to their firewall (since the firewall only allows connections from known hosts), then ssh to the NAT system, which forwards the traffic to their Linux system.
So I'm in the process of installing Cacti on this system when I realize that to finish up the install, I have to access a webpage on said Linux server.
Which I can't do, because port 80 isn't being forwarded to said Linux server.
I bring this up to The Weekly Meeting, and the solution is to use ssh to build a rather crazy SOCKS tunnel between my workstation and the Linux server on the customer site, using several intermediary systems to bounce the packets around.
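The kind of multi-hop tunnel described above, written out as an added example (this is not configuration from the original post, and every hostname, user and address in it is an assumed placeholder). It uses OpenSSH's ProxyJump to chain the hops (workstation, firewall, then the NAT device's address, which lands on the internal Linux server) and DynamicForward to open a SOCKS5 listener on the local machine so a browser can reach the Cacti web page inside the customer LAN. The listener is deliberately bound to loopback: a SOCKS proxy that is reachable from other hosts is a foothold into that private network, so the script also includes a small check for the binding.

```shell
#!/bin/sh
# Added example, not the original post's configuration. All host names,
# user names and addresses below are assumed placeholders.

# Write an ssh_config fragment describing the hop chain to the file named in $1.
write_hop_config() {
    cat > "$1" <<'EOF'
# Hop 1: my virtual workstation at the data center (hostname assumed)
Host dc-workstation
    HostName workstation.datacenter.example
    User me

# Hop 2: the customer firewall, which only accepts connections from known
# hosts such as hop 1, so we jump through the workstation to reach it
Host customer-fw
    HostName firewall.customer.example
    User admin
    ProxyJump dc-workstation

# Hop 3: the customer's NAT device. Its port 22 is forwarded to the internal
# Linux server, so this hop actually lands on that server.
Host customer-linux
    HostName nat.customer.example
    User admin
    ProxyJump customer-fw
    # SOCKS5 listener on the workstation's loopback interface only; anything
    # that can reach this port can reach the customer LAN through the tunnel
    DynamicForward 127.0.0.1:1080
EOF
}

# The command that opens the tunnel: -N runs no remote command, the session
# exists only to carry the forwarded traffic. $1 is the config file path.
tunnel_command() {
    printf 'ssh -F %s -N customer-linux\n' "$1"
}

# Count the hops ssh will traverse: every ProxyJump plus the final host.
hop_count() {
    printf '%d\n' "$(( $(grep -c '^ *ProxyJump' "$1") + 1 ))"
}

# Ask the installed ssh (if any) to print the effective configuration for
# the final host without connecting, so typos in the chain show up before
# anything dials out. $1 is the config file path.
resolve_config() {
    if command -v ssh >/dev/null 2>&1; then
        ssh -G -F "$1" customer-linux
    else
        echo "ssh not installed; skipping resolution check" >&2
    fi
}

# Given one listener line as printed by `ss -ltn` or `netstat -ltn`, succeed
# only if the SOCKS port is bound to loopback rather than every interface.
socks_bound_to_loopback() {
    case "$1" in
        *"127.0.0.1:1080 "*|*"[::1]:1080 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration: build the config, show the chain, and resolve it if ssh exists.
cfg=$(mktemp)
write_hop_config "$cfg"
echo "hops to traverse: $(hop_count "$cfg")"
echo "open the tunnel with: $(tunnel_command "$cfg")"
resolve_config "$cfg" | grep -iE 'proxyjump|dynamicforward' || true
# Constructed sample listener lines, as `ss -ltn` might print them once the
# tunnel is up; only the loopback-bound one is acceptable.
socks_bound_to_loopback "LISTEN 0 128 127.0.0.1:1080 0.0.0.0:*" && echo "loopback binding: ok"
socks_bound_to_loopback "LISTEN 0 128 0.0.0.0:1080 0.0.0.0:*" || echo "all-interfaces binding: not ok"
rm -f "$cfg"
```

Once `ssh -N customer-linux` is running, point the browser's SOCKS5 proxy setting at 127.0.0.1:1080 and the Cacti URL on the internal server resolves and loads through the chain. With the loopback binding, closing that one ssh session closes the only path into the customer LAN.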
I'm trying to configure a software package, not hack into NORAD or steal confidential corporate material. But, because of NATing, I have to employ some pretty heavy networking to do what should be a simple job.