Re: SSH options re: NAT
From: Greyson M Fischer (gfischer_at_mrdoc.cc)
Date: 07/22/03
- Next message: Richard E. Silverman: "Re: Please help: Cannot ssh into Mandrake 9.1"
- Previous message: Vlad Frost: "Re: SSH for Win2k server"
- In reply to: Luke: "SSH options re: NAT"
- Next in thread: Luke StClair: "Re: SSH options re: NAT"
- Reply: Luke StClair: "Re: SSH options re: NAT"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 22 Jul 2003 20:28:47 GMT
Luke <run_faster@hotmail.com> wrote:
> I hoped someone could explain the idea of tunneling a bit better to
> me...
I hope I can explain the idea of tunneling a bit better to you...
> when ssh is invoked with the -R option, what happens exactly? Are
> packets sent out to the remote host constantly, waiting for a
> connection to be established?
No. SSH is two-fold: a call to it on the client side results in a call
to it on the server side. When you specify -L, SSH binds to the local
port, meaning that any connections that come into that port are answered
by SSH on that side.
When you invoke SSH with -R, it invokes the remote SSH with the
corresponding -L and binds to the port on the server side instead of
binding on the client side.
> In what way does the -f option put things in the background? I don't
> really understand what goes on here
-f stands for 'fork', which is the operation that SSH performs (standard
programming practice for daemons). Once the connection is established, it
spawns a new task to actually manage the connection, and the primary
task (the one that you're waiting on) closes because it doesn't need to
do anything anymore.
> Finally, the -N option? I don't get what this means...
Let's say you've got a machine X at work, and a machine Y at home. You
want to be able to browse the web-site "www.internal.work.com" from
home, and you can SSH to X from Y. You want to set up the port
forwarding from Y using 'ssh -L 8888:www.internal.work.com:80 me@X'
After this is done, you can browse to "http://localhost:8888" from home
and you'll get the work web page that you're looking for.
Okay, that's mostly port-forwarding, but now, let's say that you want to
forward the port but don't want to have the shell opened on the other
side (so you can close the SSH window when you're connected). Then you
don't want to execute a command on the remote (X) side, and you use -N.
If you use both -N and -f together, you can forward the ports you want
in one command; it will take a few seconds to connect, and then seem to
exit nicely -- but if you look at your process list, you notice that the
command is still running -- you still have the forwarded ports.
Perhaps the best explanation is by a real example. I have a machine
'gfischer' at work (as well as an IRC server 'malkuth') that I want to
get to from my home machine 'mau' -- but my work machine is behind a
firewall. I have a static IP at home though, so I can go home from work
(virtually, that is).
I want to forward the following ports home:
telnet (23) on my workstation
ftp (21) on my workstation
ssh (22) on my workstation [just in case I forget a port]
irc (6667) on malkuth
So I execute my SSH command from work with the following parameters:
[ssh] the program
[-R10021:localhost:21] Forward FTP to localhost
[-R10022:localhost:22] Forward SSH to localhost
[-R10023:localhost:23] Forward telnet to localhost
[-R16667:malkuth:6667] Forward IRC to malkuth
[-f] Fork into the background when connected
[-N] Do not open a shell or exec a command
[-n] Redirect stdin from /dev/null
[greyson@mau] The username/host of my home machine
Which ends up looking like this (cut and paste from the command line
that I actually used):
ssh -R10021:localhost:21 -R10022:localhost:22 -R10023:localhost:23 \
-R16667:malkuth:6667 -f -N -n greyson@mau
Since I have my keys distributed properly, I don't have to enter a
password; the result from my perspective at work is that it waits for
about 5 seconds, then exits. A few seconds later my username from home
'Grey/Home' signs into the IRC server (since the client's been trying to
connect to port 16667 after I shut down the connection momentarily).
Either through a separate SSH session, or when I get home, I'm able to
do the following.
mau:~> telnet localhost 10023
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Debian GNU/Linux 3.0 gfischer
gfischer login:
> My main impetus behind my question here is how much the ssh -fNR
> option will tax my local network/host computer.
Not much. Since accept() is a blocking call, until a connection is
actually made to the forwarded port, it doesn't do anything.
> The reason I'm asking is trying to get around a NAT that I have no
> control over...
Funny, that's why I did it too *grin*
> And don't tell me to read the man page... I did, and don't understand
> what its trying to tell me.
I understand, I read the man pages for months and it was all Greek to me
until I had managed to find somewhere that had a good example -- after
that I was flying.
Cheers! And Good luck -- if you still have questions, feel free to email
me directly (gfischer@mrdoc.cc) or post again.
--
Greyson M. Fischer
|\ _.,,---,._
ZZzz. /,`.-'`' -. ;-;;,_
|,4- ) )-,_. ,\ ( `'-'
'---''(u/--' `-'\_)
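As an added example (not part of the original post or its author's own command), the script below assembles a reverse-forward command like the one above from a list of `remote_port:host:hostport` specs, rejects malformed specs, and launches with an OpenSSH control socket so the backgrounded `-f -N -n` tunnel can be checked and torn down later. It assumes an OpenSSH client with `ControlMaster` (`-M -S`) and `ExitOnForwardFailure` support, options that are not mentioned in the thread.

```shell
#!/bin/sh
# Added example: build, validate, launch and manage a reverse SSH tunnel.
# Assumes OpenSSH with -M/-S control sockets and ExitOnForwardFailure.

# forward_spec_ok PORT:HOST:HOSTPORT -> returns 0 if the spec is well-formed
forward_spec_ok() {
    spec=$1
    rport=${spec%%:*}; rest=${spec#*:}
    host=${rest%%:*};  hport=${rest#*:}
    # every field must be present
    [ -n "$rport" ] && [ -n "$host" ] && [ -n "$hport" ] || return 1
    # both ports must be purely numeric
    case "$rport$hport" in *[!0-9]*) return 1;; esac
    [ "$rport" -ge 1 ] && [ "$rport" -le 65535 ] || return 1
    [ "$hport" -ge 1 ] && [ "$hport" -le 65535 ] || return 1
    # the listener on the remote side runs as the login user, so a
    # remote port below 1024 would need root there; refuse it up front
    [ "$rport" -ge 1024 ] || return 1
    return 0
}

# build_tunnel_cmd USER@HOST SOCKET SPEC... -> prints the ssh command line
# ExitOnForwardFailure makes ssh exit instead of silently running with a
# forward that the remote sshd refused (e.g. port already in use).
build_tunnel_cmd() {
    dest=$1; sock=$2; shift 2
    cmd="ssh -f -N -n -o ExitOnForwardFailure=yes -M -S $sock"
    for spec in "$@"; do
        forward_spec_ok "$spec" || return 1
        cmd="$cmd -R$spec"
    done
    printf '%s %s\n' "$cmd" "$dest"
}

# tunnel_status USER@HOST SOCKET -> asks the master whether it is alive
tunnel_status() { ssh -S "$2" -O check "$1"; }
# tunnel_stop USER@HOST SOCKET -> tears down the forwards cleanly
tunnel_stop()   { ssh -S "$2" -O exit  "$1"; }

# Usage (constructed, mirrors the thread's command):
#   eval "$(build_tunnel_cmd greyson@mau /tmp/mau.ctl 10021:localhost:21 \
#            10022:localhost:22 10023:localhost:23 16667:malkuth:6667)"
#   tunnel_status greyson@mau /tmp/mau.ctl
#   tunnel_stop   greyson@mau /tmp/mau.ctl
```

By default the remote listener created by -R binds only to the loopback interface of the home machine (OpenSSH's GatewayPorts defaults to no), so only logins on mau itself can reach the forwarded ports; the `-O check` call is how you confirm the detached process is still holding them open.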