Re: Tunneling over ssh with termination by the FW

From: Brian Lund (brianlund_at_gmail.com)
Date: 07/07/04

    Date: Tue, 6 Jul 2004 17:29:41 -0700
    To: "Secureshell (E-mail)" <secureshell@securityfocus.com>
    
    

    Why not just set up an SSH tunnel to tunnel port 5900 on the remote
    VNC machine to the W2k machine? Assuming the firewall can in fact
    address the W2K machine, this should work alright.

    Here's an example:
    W2K's internal DMZ address assumed to be 192.168.1.100 as seen from the firewall

    On the client, set up local source port to be 5900 and the remote
    destination to be 192.168.1.100:5900.

    Maybe I'm missing something, but is there any reason you couldn't just
    do that? That way it looks to the W2K server like the firewall is
    attempting to VNC to it, which shouldn't be prohibited by any of your
    rules, correct?

    Hope this helps.

    On Tue, 6 Jul 2004 17:07:42 +1000, Frank Hamersley <terabite@bigpond.com> wrote:
    > I am wondering if the following tunneling arrangement is possible!
    >
    > I have a W2K server in a DMZ that I wish to administer remotely using VNC
    > Server on tcp port 5900. The FireWall is Linux/iptables with sshd running
    > and the client system is W2K also running ssh and the VNC client.
    >
    > I want to establish the ssh tunnel from the Client to the Firewall (for port
    > 5900) and then have the Firewall route the tcp 5900 packets into the DMZ
    > (using a DNAT rule) on being reconstituted when they emerge from the tunnel.
    >
    > On my first attempt I got "connection refused" when connecting VNC, but
    > inspecting the firewall log showed no dropped FORWARD or OUTPUT packets. I
    > suspect that the reconstituted packets were not reprocessed by the firewall
    > but were simply dropped when it did not find the port open on the firewall
    > (localhost) itself.
    >
    > Is there a way to get this arrangement to work (or am I up the proverbial
    > creek in a barbed wire canoe)?
    >
    > Cheers, Frank.
    >
    >

    -- 
    Brian Lund
    Iowa State Cyber Corps
    PGP Key ID: A18C0BA8 (1024/2048 | DSA/ELG)
    PGP Fingerprint: F358 F84F 0219 5F2D 66BC C416 7BA8 7925 A18C 0BA8
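As an added model, not code from either poster, the following encodes the netfilter fact behind both messages: a connection that sshd on the firewall opens at the tunnel exit is locally generated, so it traverses the nat OUTPUT chain and never PREROUTING, which is why Frank's PREROUTING DNAT is never consulted and the connection is refused by the firewall's own loopback with nothing logged in FORWARD or OUTPUT, while Brian's forward to 192.168.1.100:5900 needs no nat rule at all. The topology, the 192.168.1.100 address from Brian's reply, and the loopback destination of Frank's first attempt are assumptions.

```python
from dataclasses import dataclass, replace
# Constructed topology from the thread: the Linux firewall is the SSH server,
# the W2K VNC host sits in the DMZ at 192.168.1.100 (Brian's assumed address).
FIREWALL_LOCAL = {"127.0.0.1", "localhost"}
FIREWALL_LISTENERS = {22}                      # sshd only, nothing on 5900
DMZ_LISTENERS = {"192.168.1.100": {5900}}      # VNC Server on the W2K box

@dataclass(frozen=True)
class Conn:
    dst_host: str
    dst_port: int
    locally_originated: bool  # True when sshd on the firewall opens it

@dataclass(frozen=True)
class Dnat:
    chain: str                # nat-table chain the rule lives in
    match_port: int
    to_host: str
    to_port: int

def nat_chains(conn):
    # Netfilter traversal: packets the firewall itself generates hit nat OUTPUT
    # and never PREROUTING; packets arriving on an interface hit PREROUTING.
    return ("OUTPUT",) if conn.locally_originated else ("PREROUTING",)

def apply_dnat(conn, rules):
    for r in rules:
        if r.chain in nat_chains(conn) and r.match_port == conn.dst_port:
            return replace(conn, dst_host=r.to_host, dst_port=r.to_port)
    return conn

def ssh_local_forward(spec):
    """Connection sshd opens at the tunnel exit for an OpenSSH -L spec
    '[bind:]lport:host:hport'. A tunnel exit is always locally originated."""
    parts = spec.split(":")
    if len(parts) not in (3, 4):
        raise ValueError(f"bad -L spec: {spec}")
    return Conn(parts[-2], int(parts[-1]), locally_originated=True)

def deliver(conn, rules=()):
    """Final destination; filter policy and source-address selection are out of scope."""
    c = apply_dnat(conn, rules)
    if c.dst_host in FIREWALL_LOCAL:
        # Loopback: the stack itself refuses a closed port, so FORWARD/OUTPUT log no drop.
        return ("connected:firewall" if c.dst_port in FIREWALL_LISTENERS
                else "refused:firewall-loopback")
    if c.dst_port in DMZ_LISTENERS.get(c.dst_host, set()):
        return f"connected:{c.dst_host}:{c.dst_port}"
    return f"refused:{c.dst_host}:{c.dst_port}"
```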
    

