Re: Problem with firewall and SSH port forwarding



Richard E. Silverman <res@xxxxxxxx> wrote:
"CG" == tinnews <tinnews@xxxxxxxxxx> writes:

CG> I'm trying to restrict access to my machine by restricting the IP
CG> addresses from which outside ssh connections can be made.

CG> I have successfully done this for normal ssh connections on port
CG> 22, I have set up rules on my Speedtouch router that allow ssh
CG> access for only a few specified IP addresses.

CG> However I just can't seem to get an ssh connection which does port
CG> forwarding to work.

CG> If I allow ssh connections from anywhere the port forwarding works
CG> but if I restrict connections (to what seem reasonable IP
CG> addresses) it doesn't work.

CG> The 'client' is trying to do the following:-

CG> ssh -l chris -R 50022:apollo:22 -N 84.45.228.40

CG> 84.45.228.40 is the address of the Speedtouch router (on the WAN
CG> side, i.e. the ADSL connection). There is a NAT mapping from WAN
CG> to LAN in the router to connect across to the Linux server where
CG> the ssh daemon is.

CG> As I said I have got ordinary ssh working with the firewall such
CG> that only connections from my 'preferred' IP addresses work. But
CG> I can't get that port forwarding to work unless I open up the
CG> router to ssh from any address.

CG> The client machine is behind its own firewall, the IP address of
CG> the machine itself is a private one, 10.10.10.2. Obviously there
CG> is some sort of NAT going on at the client end as well and the
CG> connection appears to come from a routed IP address. The
CG> environment on the client machine shows:-

CG> SSH_CLIENT=10.10.10.2 48910 22
CG> SSH_CONNECTION=10.10.10.2 48910 10.10.10.2 22

CG> I have opened up my firewall to 10.10.10.2 (though I suspect this
CG> is pointless) and to the IP address that the client machine
CG> appears as on the internet but no joy.

CG> Has anyone any ideas what I need to do or whether it's even
CG> possible?

Please explain what you mean when you say that it "doesn't work" -- what
exactly happens?

Nothing, it just sits and waits and times out. Actually when I wrote
the above I was at the 'server' end of things so wasn't able to see
exactly what the client was doing. Now I'm at the client end and I'll
look a little harder.

It'll take a while though as I need to turn off the 'any ssh allowed'
at the server end and that may be a little involved. I'll be back.

--
Chris Green
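Added example (not part of the thread above, and not anything the posters ran). The thread turns on which source address the server-side firewall actually sees: sshd records the peer in SSH_CONNECTION as "client_ip client_port server_ip server_port", and after NAT that first field is the client's public address, never its private 10.10.10.2. The function below takes an SSH_CONNECTION value and an allowlist of IPv4 addresses or CIDR blocks and reports whether the peer matches, which is the check a server-side allowlist (router rule or sshd Match block) is effectively performing. The function names and the sample addresses 203.0.113.0/24 and 198.51.100.9 are assumptions chosen for the example; the 10.10.10.2 value is the one quoted in the thread.

```shell
#!/bin/bash
# Added example: decide whether the peer address sshd saw (first field of
# SSH_CONNECTION) lies in an allowlist of IPv4 addresses or a.b.c.d/n blocks.
# Function names and sample addresses are assumptions made for this example.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR ENTRY: return 0 when ADDR is inside ENTRY, where ENTRY is
# either a bare address (treated as /32) or a CIDR block such as 203.0.113.0/24.
in_cidr() {
    local addr=$1 net=${2%/*} bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# peer_allowed "<SSH_CONNECTION value>" ENTRY [ENTRY ...]
# SSH_CONNECTION is "client_ip client_port server_ip server_port"; the first
# field is the address the server (and any firewall in front of it) saw,
# i.e. the post-NAT public address, so a private client address never matches
# a public allowlist.
peer_allowed() {
    local conn=$1; shift
    local peer=${conn%% *}
    local entry
    for entry in "$@"; do
        in_cidr "$peer" "$entry" && return 0
    done
    return 1
}

# Constructed inputs for a stand-alone run on the server side:
if peer_allowed "${SSH_CONNECTION:-10.10.10.2 48910 10.10.10.2 22}" 198.51.100.9 203.0.113.0/24; then
    echo "peer is in the allowlist"
else
    echo "peer is NOT in the allowlist (check the public address the client appears as)"
fi
```

To see what the server actually records for a forwarding session, log in once from the client without -N and print SSH_CONNECTION there; that value, not the client's own local environment, is what the allowlist has to contain.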