Re: Two-hops SSH tunnelling
- From: Giancarlo Razzolini <linux-fan@xxxxxxxxxxx>
- Date: Wed, 24 May 2006 14:12:46 -0300
Loris Serena wrote:
Guys,
I managed to get the following working:
----------------------------------------------------------------------------------------------------
A firewall between SERVER and CLIENT only allows TCP port 22 from
SERVER to CLIENT (but not vice versa!)
SERVER -------22------> CLIENT
What I would like to achieve via ssh tunnelling is to send TCP port
1984 traffic from CLIENT to SERVER:
SERVER <-----1984------ CLIENT
------------------------------------------------------------------------------------------------------
by running (on SERVER):
$ ssh -f -N -R 1984:SERVER:1984 CLIENT
Now I'd like to add the next (and last) bit of the configuration to the
picture:
There is another firewall between CLIENT and GOOFY, again only allowing
TCP port 22 from CLIENT to GOOFY (and NOT vice versa!):
SERVER -------22------> CLIENT -------22-------> GOOFY
What I would like to achieve via ssh tunnelling is to send TCP port
1984 traffic from GOOFY to SERVER (through CLIENT):
SERVER <-----1984----- CLIENT
SERVER <----------------(CLIENT)----------1984------ GOOFY
Please note that:
a. the remote forwarding of 1984 from CLIENT to SERVER is already working;
b. there is no native process on CLIENT listening on port 1984.
I ran `ssh -f -N -R 1984:127.0.0.1:1984 GOOFY` on CLIENT,
but testing that with telnet from GOOFY, it failed as follows:
[GOOFY]$ telnet localhost 1984
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
So, how do I do that?
Any security issues I should be aware of?
Thanks in advance
Ciccio

I've already had this problem when using PuTTY and on some Linux ssh
clients. The first tunnel works, but the tunnel inside the tunnel doesn't.
I solved it by ensuring that the tunnel is an IPv4 one. So, instead of the
-R, -L or -D switches, you put the -4R, -4L and -4D switches. This way
you ensure that the tunnel will work. The problem I had was that ssh
tries to auto-detect the IP version, and had problems detecting the IP
version when creating the tunnel inside another.
My regards,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
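
A check for each hop of the chain discussed in this thread, added here as an example and not part of the original messages: it classifies where forwarded port 1984 is actually listening, separating an IPv6-only loopback listener (which a connection to 127.0.0.1 cannot reach) from one bound beyond loopback. The function name `classify_listener` and the sample `ss -ltn` output are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify where a forwarded port is listening, from `ss -ltn`
# text on stdin. classify_listener is a name made up for this example.
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                            # "Local Address:Port" column
            n = match(addr, /:[0-9]+$/)          # port follows the last colon
            if (n == 0 || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            if (host == "127.0.0.1") v4 = 1
            else if (host == "[::1]" || host == "::1") v6 = 1
            else exposed = 1                     # wildcard or a routable address
        }
        END {
            if (exposed)       print "exposed"           # reachable beyond loopback
            else if (v4 && v6) print "loopback-dual"
            else if (v4)       print "loopback-v4"
            else if (v6)       print "loopback-v6-only"  # 127.0.0.1 is refused
            else               print "absent"            # forward never bound
        }'
}

# Constructed samples of `ss -ltn` output (not captured from a real host).
SAMPLE_V6_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    [::1]:1984         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_V4='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1984     0.0.0.0:*'
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:1984       0.0.0.0:*
LISTEN 0      128    [::]:1984          [::]:*'

for s in "$SAMPLE_V6_ONLY" "$SAMPLE_V4" "$SAMPLE_WILDCARD"; do
    printf '%s\n' "$s" | classify_listener 1984
done
```

On a live hop the input would be `ss -ltn | classify_listener 1984`. A result of `exposed` for a remote forward means any host that can reach that machine on port 1984 can use the tunnel, which is the case to rule out when answering the security question above.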