Re: Problem with firewall and SSH port forwarding



Richard E. Silverman <res@xxxxxxxx> wrote:
"CG" == tinnews <tinnews@xxxxxxxxxx> writes:

CG> I'm trying to restrict access to my machine by restricting the IP
CG> addresses from which outside ssh connections can be made.

CG> I have successfully done this for normal ssh connections on port
CG> 22, I have set up rules on my Speedtouch router that allow ssh
CG> access for only a few specified IP addresses.

CG> However I just can't seem to get an ssh connection which does port
CG> forwarding to work.

CG> If I allow ssh connections from anywhere the port forwarding works
CG> but if I restrict connections (to what seem reasonable IP
CG> addresses) it doesn't work.

CG> The 'client' is trying to do the following:-

CG> ssh -l chris -R 50022:apollo:22 -N 84.45.228.40

CG> 84.45.228.40 is the address of the Speedtouch router (on the WAN
CG> side, i.e. the ADSL connection). There is a NAT mapping from WAN
CG> to LAN in the router to connect across to the Linux server where
CG> the ssh daemon is.

CG> As I said I have got ordinary ssh working with the firewall such
CG> that only connections from my 'preferred' IP addresses work. But
CG> I can't get that port forwarding to work unless I open up the
CG> router to ssh from any address.

CG> The client machine is behind its own firewall, the IP address of
CG> the machine itself is a private one, 10.10.10.2. Obviously there
CG> is some sort of NAT going on at the client end as well and the
CG> connection appears to come from a routed IP address. The
CG> environment on the client machine shows:-

CG> SSH_CLIENT=10.10.10.2 48910 22 SSH_CONNECTION=10.10.10.2 48910
CG> 10.10.10.2 22

CG> I have opened up my firewall to 10.10.10.2 (though I suspect this
CG> is pointless) and to the IP address that the client machine
CG> appears as on the internet but no joy.

CG> Has anyone any ideas what I need to do or whether it's even
CG> possible?

Please explain what you mean when you say that it "doesn't work" -- what
exactly happens?

Nothing, it just sits and waits and times out. Actually when I wrote
the above I was at the 'server' end of things so wasn't able to see
exactly what the client was doing. Now I'm at the client end and I'll
look a little harder.

It'll take a while though as I need to turn off the 'any ssh allowed'
at the server end and that may be a little involved. I'll be back.

--
Chris Green
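The thread turns on which source address the router actually sees for the client. The script below is an added example, not part of the original posts: it reads an SSH_CONNECTION four-tuple as sshd records it on the server, checks the client field against an allowlist, and flags RFC 1918 sources as NAT artifacts that no WAN-side rule can match. The allowlist and the second sample session use documentation ranges and are constructed; the first sample is the value quoted in the post; the function names are mine.

```python
import ipaddress

# Allowlist as the router or sshd would hold it (constructed; documentation ranges).
ALLOWED_SOURCES = ["203.0.113.0/24", "198.51.100.7/32"]

# Sample SSH_CONNECTION values. The first is the one quoted in the post; the
# second is constructed to look like a session arriving from a public address.
SAMPLE_NAT_SESSION = "10.10.10.2 48910 10.10.10.2 22"
SAMPLE_PUBLIC_SESSION = "203.0.113.45 48910 192.168.1.10 22"

# RFC 1918 ranges: addresses that only exist behind a NAT and can never be the
# source a WAN-side filter matches on.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_ssh_connection(value):
    """Split SSH_CONNECTION into (client_ip, client_port, server_ip, server_port).

    sshd sets SSH_CONNECTION to the TCP four-tuple as the *server* sees it, so
    the client field is the address a firewall in front of sshd matched on.
    """
    parts = value.split()
    if len(parts) != 4:
        raise ValueError("SSH_CONNECTION needs four fields, got %r" % value)
    client_ip = ipaddress.ip_address(parts[0])
    server_ip = ipaddress.ip_address(parts[2])
    return client_ip, int(parts[1]), server_ip, int(parts[3])


def is_rfc1918(ip):
    """True if ip lies in one of the private (NAT-only) IPv4 ranges."""
    return any(ip in net for net in RFC1918_NETWORKS)


def is_allowed(ip, allowlist):
    """True if ip falls inside any CIDR or host entry of the allowlist."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    return any(ip in net for net in nets)


def diagnose(value, allowlist):
    """Classify a session: ('allowed' | 'nat-private-source' | 'blocked', client_ip).

    'nat-private-source' means the recorded client address is private, so the
    session was seen from inside the NAT and tells you nothing about the
    public address the WAN-side rule must admit.
    """
    client_ip, _, _, _ = parse_ssh_connection(value)
    if is_allowed(client_ip, allowlist):
        return "allowed", str(client_ip)
    if is_rfc1918(client_ip):
        return "nat-private-source", str(client_ip)
    return "blocked", str(client_ip)


if __name__ == "__main__":
    for session in (SAMPLE_NAT_SESSION, SAMPLE_PUBLIC_SESSION):
        verdict, src = diagnose(session, ALLOWED_SOURCES)
        print("%-40s -> %s (%s)" % (session, verdict, src))
```

To find the address to put in the router's allow rule, run `echo "$SSH_CONNECTION"` on the server inside a session that does get through and feed that string to `diagnose`; a verdict of `nat-private-source` means you are reading the variable from the wrong side of the NAT. Note also that `ssh -R 50022:apollo:22` makes sshd bind port 50022 on the server (on loopback unless GatewayPorts is set), so the only inbound connection the router has to admit for the tunnel is the client's ordinary session to port 22, from whatever public address the client's own NAT presents.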