Gentoo Forums
SSH tunneling issues
aztech
Tux's lil' helper


Joined: 29 Jul 2002
Posts: 130
Location: Stenungsund, Sweden

Posted: Wed Aug 25, 2010 9:33 am    Post subject: SSH tunneling issues

I want to set up an SSH tunnel from my computer at work to my server at home and be able to use it as a proxy for e.g. Firefox.

What I've done is ....

Put up an iptables rule that forwards port 8080 to 22 if the source IP is from my work.
In PuTTY I've added a source port of 2222 and put it to dynamic.
In Firefox added http-proxy to 127.0.0.1:2222.

This _should_ work and does so for my friend, but not for myself.
For me, all that seems to work is the actual SSH connection because I get to the shell,
but the tunnelling part of it all isn't working.

Have I forgotten something, or is it completely wrong?

Also, I've set up PuTTY to use my company's http-proxy, to even get out to the internet.

Any ideas?
// Andreas
depontius
Advocate


Joined: 05 May 2004
Posts: 3450

Posted: Wed Aug 25, 2010 4:57 pm

I'm not quite sure what you're doing. I also have an ssh tunnel from work to home, but I'm doing both more and less than you. I have 2 layers of firewall, an appliance hooked directly to my ISP and a bastion host. (home server/firewall) Both firewalls will accept connections on port 22 from my employer's IPs - the appliance forwards them to the bastion host, and the latter lets ssh see them. At work I run ssh with appropriate port-forwarding options to get to my imap server and ssh for any/all of my home machines. I make up forwarding ports, so the first 2 digits are the 4th number of my internal IP and the next 2 or 3 digits are the native port numbers. In my .ssh/config I have aliases set up for all of my home machines so I can ssh to them by shortname. I also have forwards for my imap and smtp servers, so I can access my home mail from work.

I don't attempt anything like the "transparent proxy" for all web transactions that you're doing. Since you mentioned "putty" I also presume that you're doing this from a Windows machine. I've used putty to get from Windows to Linux, but never tried any port forwarding with it.

Yesterday over on Linuxtoday.com there was an article on ssh tricks. One specific trick is that ssh can act as a socks proxy, which is at least one kind of server that I know web browsers respect. I'm not sure how well web browsers will respect a simple forwarding proxy as you've set up. Now that I think a little more, I don't think what you're trying to do will work at all. Normally for ssh port forwarding you give a specific destination host and port, and in this case you don't really have the former. I really believe that you need to read the openssh documentation on its socks capability, and see if putty can do that, too. From "man ssh" :
Code:
     -D [bind_address:]port
             Specifies a local ``dynamic'' application-level port forwarding.  This works by allocating
             a socket to listen to port on the local side, optionally bound to the specified
             bind_address.  Whenever a connection is made to this port, the connection is forwarded over
             the secure channel, and the application protocol is then used to determine where to connect
             to from the remote machine.  Currently the SOCKS4 and SOCKS5 protocols are supported, and
             ssh will act as a SOCKS server.  Only root can forward privileged ports.  Dynamic port for-
             wardings can also be specified in the configuration file.

_________________
.sigs waste space and bandwidth
Hu
Moderator


Joined: 06 Mar 2007
Posts: 15999

Posted: Wed Aug 25, 2010 10:07 pm

If possible, please reproduce your setup using only OpenSSH components on both ends. This will help us separate configuration problems caused by mistranslation of OpenSSH options to/from PuTTY options versus configuration problems that are fundamentally wrong (i.e. requesting the wrong type of port forwarding).

If this is not possible, or if it works as intended, then please provide exact instructions on how one could configure PuTTY from a blank state to the configuration you are using. Specify which dialogs to visit, which fields to fill, which buttons to press, and so on.
aztech
Tux's lil' helper


Joined: 29 Jul 2002
Posts: 130
Location: Stenungsund, Sweden

Posted: Thu Aug 26, 2010 5:48 am

Well ... yes, it's SOCKS proxying I want to do, sorry for saying http-proxy.

It's not possible to test this with OpenSSH as client, since only Windows is available at work.
- sshd_config
Code:

Port 22
Protocol 2
SyslogFacility AUTH
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
AllowTcpForwarding yes
PrintMotd no
PrintLastLog no
Subsystem   sftp   /usr/lib64/misc/sftp-server

This is the iptables rule that redirects the port
Code:

iptables -t nat -A PREROUTING -p TCP --dport 8080 -i ${UPLINK} -s XXX.XXX.XXX.XXX -j DNAT --to XXX.XXX.XXX.XXX:22

It's in Swedish, but these are the settings my friend used when connecting to my server from his work.
http://i.imgur.com/ybArJ.jpg
I've done the same, but no go =(
Hu
Moderator


Joined: 06 Mar 2007
Posts: 15999

Posted: Thu Aug 26, 2010 11:19 pm

Since you get a shell, we are past the iptables phase. The picture shown uses port 8888, but your first post says port 2222. Are you sure you used the same port consistently? After logging in with PuTTY, what is shown when you open a cmd window and run netstat -an?
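The two checks raised in this thread, whether anything is listening on the local forwarded port and whether that listener answers as a SOCKS5 server, can be done with a short probe. This is an added example and not part of any post; the function names and status strings are its own, and the ports tried are the two mentioned above.

```python
import socket

# SOCKS5 client greeting (RFC 1928): version 5, one method offered, 0x00 = no auth.
SOCKS5_GREETING = b"\x05\x01\x00"


def classify_reply(reply: bytes) -> str:
    """Interpret the first bytes a listener returns after the SOCKS5 greeting."""
    if not reply:
        return "no-reply"  # accepted the connection, then said nothing or closed
    if len(reply) < 2 or reply[0] != 0x05:
        return "not-socks"  # e.g. an HTTP proxy answering "HTTP/1.1 400 ..."
    if reply[1] == 0x00:
        return "socks5"  # "no authentication" accepted: usable as a SOCKS host
    if reply[1] == 0xFF:
        return "socks5-no-acceptable-method"
    return "socks5-other-method"


def probe_socks5(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port, send the greeting and classify the answer."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # nothing listening (or the connection was blocked)
    with sock:
        try:
            sock.sendall(SOCKS5_GREETING)
            reply = sock.recv(16)
        except OSError:  # timeout or reset while waiting for the answer
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    # 2222 and 8888 are the two local ports mentioned in the thread.
    for port in (2222, 8888):
        print(f"127.0.0.1:{port} -> {probe_socks5('127.0.0.1', port)}")
```

A result of `socks5` means the listener belongs in the browser's SOCKS host setting rather than its HTTP proxy field; `closed` means the dynamic forwarding is not active on that port.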