Gentoo Forums
SSH tunneling over SSH ... ???

ribo
n00b

Joined: 14 Aug 2002
Posts: 53

Posted: Mon Jan 05, 2004 12:49 am    Post subject: SSH tunneling over SSH ... ???

OK, I have poked around and tried to modify some other posts' commands to try to do what I need and have failed so far. Here is my problem:

Code:
Comp 1
   |
Firewall (that I cannot modify)
   |
Internet -- Comp 3
   |
My Firewall (that i can)
   |
Comp 2



Comp 1 can ssh to Comp 2, but Comp 2 can't ssh to Comp 1 because of the firewall. Is there any way to tunnel the connection 'backwards' from an ssh connection from Comp 1 to Comp 2? Maybe two ssh servers? Comp 3 has no firewall and can be used if necessary.

Thanks.

RAPUL
l33t

Joined: 29 Dec 2002
Posts: 664
Location: Valencia (SPAIN)

Posted: Mon Jan 05, 2004 12:57 am    Post subject: Hmmm...

Check this:

Code:

man sshd


Pay special attention to the -L and -R options. I think they can help you. I think you need ssh forwarding because of firewall port blocking or NAT.

You can try mapping sshd to port 80, which should be accessible even with firewalls.
_________________
Entropy rulz world.
Redundancy sux.
World is full of redundancy.
World sux.

ribo
n00b

Joined: 14 Aug 2002
Posts: 53

Posted: Mon Jan 05, 2004 1:18 am

Yes, I have tried the -L and -R options in several different ways with no success. And already tried the port 80 trick, no luck. As a clarifying point, it's probably more than a firewall on the other side, I am guessing a packet shaper, so tricks like that don't work :/

The -L and -R syntax for what I am doing is kinda hard to wrap my mind around, hoping someone can see it.

RAPUL
l33t

Joined: 29 Dec 2002
Posts: 664
Location: Valencia (SPAIN)

Posted: Mon Jan 05, 2004 2:03 am    Post subject: Can you detail firewall configs?

Can you detail the firewall configuration? If you don't, it will be difficult to guess how to solve this...

ribo
n00b

Joined: 14 Aug 2002
Posts: 53

Posted: Mon Jan 05, 2004 2:18 am

Well, no, not really, I can't. It's a school network. Comp 1 has a real internet IP, but I can't so much as nmap it. Since it can get a connection out to Comp 2, I was hoping I could tunnel back through that connection.

RAPUL
l33t

Joined: 29 Dec 2002
Posts: 664
Location: Valencia (SPAIN)

Posted: Mon Jan 05, 2004 2:36 am    Post subject: Ah,...

Maybe your school firewall blocks incoming connections using the SYN bit of TCP packets, for example.

Then I don't know how to help you. :(

fleed
l33t

Joined: 28 Aug 2002
Posts: 756
Location: London

Posted: Mon Jan 05, 2004 12:56 pm

If comp1 can ssh into comp2 then it should be trivial to set up a reverse connection from comp2 to comp1 through the one that's already set up. You just have to map things appropriately, and maybe change what port sshd listens on. If the connection from comp1 to comp2 is not up then there's not much you can do if you cannot change the firewall. You could set up something on comp1 that keeps its connection to comp2 alive, and restarts it if needed, but that's beyond the topic.

So on comp1 you do:
ssh -R 8022:127.0.0.1:22 comp2

This connects comp1 to comp2 and forwards port 8022 on comp2 to port 22 on comp1 (where you have sshd listening on port 22).

Next, on comp2, you do:
ssh -p 8022 127.0.0.1
With this you tell ssh to connect to port 8022 on the localhost (comp2) which gets forwarded by your previous ssh to port 22 on comp1.

Is this what you've tried?
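
What the `-R 8022:127.0.0.1:22` forward in the post above looks like from comp2's side, as an added example that is not part of the original thread: the function picks sshd-owned forwarded listeners out of `ss -Htlnp` output. The sample lines, PIDs, the 8080 listener and the `SSHD_PORT` value are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): spot ssh -R listeners on comp2.

SSHD_PORT=22   # assumption: the port comp2's own sshd listens on

# Constructed sample of `ss -Htlnp` output on comp2 while the tunnel is up.
sample_ss() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:8022 0.0.0.0:* users:(("sshd",pid=4410,fd=9))
LISTEN 0 128 [::1]:8022 [::]:* users:(("sshd",pid=4410,fd=10))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=990,fd=13))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("sshd",pid=5120,fd=8))
EOF
}

# Reads `ss -Htlnp` lines on stdin and prints "<scope> <addr> <port> <pid>"
# for each listener owned by sshd that is not sshd's own port, i.e. a port
# some client requested with -R. "loopback" is the default bind; "exposed"
# is reachable from other hosts, which sshd only allows when GatewayPorts
# is enabled.
find_forwards() {
  awk -v own="$SSHD_PORT" '
    $1 == "LISTEN" && $NF ~ /"sshd/ {      # also matches "sshd-session"
      n = split($4, part, ":")             # port is the last ":" field
      port = part[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (port == own) next                # sshd itself, not a forward
      scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
      pid = $NF
      sub(/.*pid=/, "", pid)
      sub(/,.*/, "", pid)
      print scope, addr, port, pid
    }'
}

# Live use on comp2 (root is needed to see other users' processes):
#   ss -Htlnp | find_forwards
sample_ss | find_forwards
```

On comp2, `AllowTcpForwarding` and `PermitListen` in `sshd_config` decide whether a client may open such listeners at all.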

RAPUL
l33t

Joined: 29 Dec 2002
Posts: 664
Location: Valencia (SPAIN)

Posted: Mon Jan 05, 2004 1:28 pm    Post subject: Sounds good!

fleed's idea is what I thought you would try when I told you before to check man sshd, especially the -L or -R options.

Have you tried that?

fleed
l33t

Joined: 28 Aug 2002
Posts: 756
Location: London

Posted: Mon Jan 05, 2004 3:45 pm

I tried it and it works fine (as expected). I was hoping that ribo has something incorrect on what s/he's using so my examples would help.

Also, I don't know how the firewall could know what kind of data is being passed through the ssh pipe unless it's able to dissect the ssh connection and obtain the raw data. I've never heard of any firewall that does that. If it's not doing so then how can the firewall know that the data going comp2->comp1 is a new connection and not just data from an interactive session, for example?

Koon
Retired Dev

Joined: 10 Dec 2002
Posts: 518

Posted: Mon Jan 05, 2004 4:29 pm    Post subject: Re: Ah,...

RAPUL wrote:
Maybe your school firewall blocks incoming connections using the SYN bit of TCP packets, for example.

Then I don't know how to help you. :(

If he can ssh in and has control of the server machine, he can use the established SSH connection to tunnel anything he wants. It's just a matter of SSH client/server config and options.

Like you said, he should read the man page. This is also a good tutorial:
http://www.hackinglinuxexposed.com/articles/20030228.html
http://www.hackinglinuxexposed.com/articles/20030309.html

-K

ribo
n00b

Joined: 14 Aug 2002
Posts: 53

Posted: Tue Jan 06, 2004 3:21 am

fleed wrote:
If comp1 can ssh into comp2 then it should be trivial to set up a reverse connection from comp2 to comp1 through the one that's already set up. You just have to map things appropriately, and maybe change what port sshd listens on. If the connection from comp1 to comp2 is not up then there's not much you can do if you cannot change the firewall. You could set up something on comp1 that keeps its connection to comp2 alive, and restarts it if needed, but that's beyond the topic.

So on comp1 you do:
ssh -R 8022:127.0.0.1:22 comp2

This connects comp1 to comp2 and forwards port 8022 on comp2 to port 22 on comp1 (where you have sshd listening on port 22).

Next, on comp2, you do:
ssh -p 8022 127.0.0.1
With this you tell ssh to connect to port 8022 on the localhost (comp2) which gets forwarded by your previous ssh to port 22 on comp1.

Is this what you've tried?


Yep, that did it, thanks a lot for the help, I must have missed that combination when I was testing ;)