RE: Tunneling over ssh with termination by the FW
From: John Wheeler (jwheeler_at_GENETEC.COM)
Date: 07/07/04
- Previous message: Frank Hamersley: "Tunneling over ssh with termination by the FW"
- Maybe in reply to: Frank Hamersley: "Tunneling over ssh with termination by the FW"
- Next in thread: Brian Lund: "Re: Tunneling over ssh with termination by the FW"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 6 Jul 2004 19:03:16 -0400
To: "Frank Hamersley" <terabite@bigpond.com>, "Secureshell (E-mail)" <secureshell@securityfocus.com>
I would use something like Putty (ssh client software) to open a secure
tunnel with the firewall. If the firewall has the sshd running on port
22, you will have to make sure this port is open to computers (or just
your computer) on the WAN side of the FW, assuming you are coming in
from the Internet. Use something like the following to create the
secure tunnel:
> ssh -C -2 -L5900:127.0.0.1:5900 UserName@FireWallIPAddress
-C for data compression, -2 for ssh version 2, -L creates a local link
I may have the syntax off a little but Googling should get the results
you need.
Note: if you are using Putty as an ssh client, replace the "ssh"
command with "Putty.exe" in a command shell (CMD) from the directory
where Putty.exe is.
Now you have an ssh shell open on the firewall AND a link from port 5900
on localhost to port 22 on the localhost that tunnels to port 22 on the
FW which is linked to the port 5900 on the FW. This allows VNC to
communicate through the encrypted tunnel to the FW and up to Port 5900
(or whatever port you would like to use). I'm not sure about your
forwarding but I imagine you will only have to forward LocalHost traffic
on Port 5900 to the remote VNC server inside the LAN. To get the VNC to
talk through the tunnel, just use the localhost address (127.0.0.1) and
everything will pass through the Port 22 tunnel.
Alternatively, what I like to do is setup an sshd (server) on the second
computer (like your w2k server). You can easily setup CYGWIN as an ssh
server (a little Googling here as well). Now you can forget the FW
forwarding rules and just use the FW ssh server as a relay/gateway. You
can try something like the following:
> ssh -C -2 -g -L5900:127.0.0.1:5900 UserName@FireWallIPAddress
-C for data compression, -2 for ssh version 2, -L creates a local link
and
-g creates the relay/gateway
And then from the open ssh shell:
> ssh -C -2 -L5900:127.0.0.1:5900 2ndUserName@W2KServerIPAddress
Now run the VNC client and connect to localhost. You should be
connected to the remote computer :)
I think this can be called firewall busting and may not be appreciated
by network admins that don't know you ;)
(This can get you into your LAN as well as out of one, or leave a door
open for you to connect to from the outside at a later time, while
completely encrypted.)
One last thing, you can run Putty from outside the command window.
Double clicking on it will open up the configuration pane where you can
setup and save all kinds of tunnel configurations including
relay/gateways, running remote commands and using RSA or DSA
Public/Private Keys instead of Username/PassWord authentication (just
one click opens up any LAN under your control).
Have a look at: http://www.chiark.greenend.org.uk/~sgtatham/putty/
I hope this is along the lines of what you need. Let me know if you
need any more information about these techniques.
Cheers!
John Wheeler
My Disclaimer: I do not have any association with the Putty people
other than the fact that I have been using it for a while and have grown
used to it.
-----Original Message-----
From: Frank Hamersley [mailto:terabite@bigpond.com]
Sent: Tuesday, July 06, 2004 3:08 AM
To: Secureshell (E-mail)
Subject: Tunneling over ssh with termination by the FW
I am wondering if the following tunneling arrangement is possible!

I have a W2K server in a DMZ that I wish to administer remotely using VNC
Server on tcp port 5900. The FireWall is Linux/iptables with sshd running
and the client system is W2K also running ssh and the VNC client.

I want to establish the ssh tunnel from the Client to the Firewall (for port
5900) and then have the Firewall route the tcp 5900 packets into the DMZ
(using a DNAT rule) on being reconstituted when they emerge from the
tunnel.

On my first attempt I got "connection refused" when connecting VNC, but
inspecting the firewall log showed no dropped FORWARD or OUTPUT packets. I
suspect that the reconstituted packets were not reprocessed by the firewall
but were simply dropped when it did not find the port open on the firewall
(localhost) itself.

Is there a way to get this arrangement to work (or am I up the proverbial
creek in a barbed wire canoe)?

Cheers, Frank.