  1. #1
    Just Joined!
    Join Date
    Aug 2011
    Posts
    3

    SSH remote port forwarding: is this even possible?

    Hello,

    Don't want to use VPN if possible, but I'd like to be able to SSH to another machine, and through that, access a port over TCP. Catch is the port I want to access is not on the target machine.

    e.g.

    Client ------- SSH Server ------- Port Server

    The server with the port I actually want to forward isn't running SSH. It's not possible to somehow use this SSH server to then connect to the Windows ports is it?

  2. #2
    Just Joined!
    Join Date
    Sep 2007
    Posts
    51

    SSH Port Forwarding

    Quote: Originally posted by sam1994
    Hello,

    Don't want to use VPN if possible, but I'd like to be able to SSH to another machine, and through that, access a port over TCP. Catch is the port I want to access is not on the target machine.

    e.g.

    Client ------- SSH Server ------- Port Server

    The server with the port I actually want to forward isn't running SSH. It's not possible to somehow use this SSH server to then connect to the Windows ports is it?
    ===========================

    1st. Ensure the kernel is set up to forward IP packets on the ssh server:

    net.ipv4.ip_forward = 0

    change it:

    sysctl -w net.ipv4.ip_forward=1

    2nd. Make sure your firewall allows port 22 (ssh) traffic:

    iptables -I INPUT 1 -p tcp -m state --state ESTABLISHED,NEW,RELATED -m multiport --dport 22 -j ACCEPT

    3rd. Download or run Remmina VNC. This gives you the ability to run or setup ssh forwarding, pretty easy to follow - Remmina - The GTK+ Remote Desktop Client, be sure to select the tab that says SSH. There is a check box there that says "Enable SSH Tunnel", add the ip address for the "SSH Server", then go back and put in the internal address you are trying to access.

    4th. Optional, make sure the ports on your switch or router allow port 22 traffic

    I think that should do it.

    or you could do it from the command line:

    ssh -L externalip:ext-port:internalip:int-port -l username

    but I prefer the first method.

    Tdsan

  3. #3
    Just Joined!
    Join Date
    Dec 2009
    Location
    California
    Posts
    68
    Previous poster's solution probably works, but is overly complex for what you want.

    I'm on my laptop sitting in a client location. I have a Unix box exposed to the Internet at home and then a Windows XP box on my private net at home. I can access the XP via remote desktop after running the following ssh command from my laptop.

    $ ssh -L33890:192.168.37.118:3389 andy@woody.mydomain.com

    The IP address 192.168.37.118 is the internal IP of my XP machine. "woody.mydomain.com" is the DNS name of the Unix machine that is doing the port forwarding.

    Now, from my laptop, I can access the XP box using:

    $ rdesktop localhost:33890

  4. #4
    Just Joined!
    Join Date
    Sep 2007
    Posts
    51

    SSH Port Forwarding

    I think this is a wonderful forum to review comments and to provide any suggestions.

    However, if you look at the last line of the suggestion, I am using the same command line item you are using to communicate with his server.

    In addition, you have to take into consideration whether a firewall exists and ip_forwarding is configured. I am basing it on the assumptions that may have been left out, which have to be taken into consideration.

    But point well taken and noted, I just wanted the other commenter to be sure that we are saying the same thing, just in different ways.

    Tdsan

  5. #5
    Just Joined!
    Join Date
    Aug 2011
    Posts
    3
    Hi,

    Thanks for clarification on this matter. Was trying abarclays method to no success, which is why I asked if this is feasibly possible. I am trying to indeed use your exact method of tunnelling to a Linux box to RDP to a remote XP one.

    Therefore, it must be a firewall issue, which I shall resolve.

  6. #6
    Just Joined!
    Join Date
    Dec 2009
    Location
    California
    Posts
    68
    ip_forwarding is not required in order to use ssh port forwarding.
    ip_forwarding is only used when the kernel routes packets based on the routing table. In this case, the sshd on the intermediate system is acting as a proxy and "forwarding" the packet.

    Yes, you are right that I did assume the client could communicate with the ssh daemon on the intermediate server which may not be the case if a firewall is in place.

    Sam, if my method isn't working for you, make sure you can simply ssh into the Linux server from your client machine. If plain old ssh works, but the port forwarding does not, then you will have to turn on port forwarding in the Linux machine's /etc/ssh/sshd_config file. The property is:
    #AllowTcpForwarding yes

    The default behaviour is to allow forwarding, so unless that property is set to "no" or "false", you should be fine.
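
Added example (not part of any post in this thread): a shell check for the troubleshooting step above, which reads sshd's effective settings in the `sshd -T` output format and reports whether a local forward to a given host and port would be permitted. The sample configurations are constructed, the function and sample names are hypothetical, and `PermitOpen` is an sshd_config keyword the thread does not mention.

```shell
#!/bin/sh
# Added example: would sshd permit `ssh -L ...:HOST:PORT`?
# Reads effective settings in `sshd -T` format (lowercase keyword, value)
# from stdin. Function and sample names are hypothetical.

# Body runs in a subshell so `set -f` does not leak to the caller;
# `exit` therefore leaves only this subshell and sets the function status.
forward_allowed() (
    dest_host=$1; dest_port=$2
    atf=yes          # OpenSSH default when the keyword is absent
    permitopen=any   # default: no destination restriction
    while read -r key value; do
        case $key in
            allowtcpforwarding) atf=$value ;;
            permitopen)         permitopen=$value ;;
        esac
    done
    # Local (-L) forwards need yes, all or local; "remote" covers only -R.
    case $atf in
        yes|all|local) ;;
        *) echo "blocked: allowtcpforwarding $atf"; exit 1 ;;
    esac
    set -f  # keep "*" in PermitOpen entries from globbing
    for entry in $permitopen; do
        case $entry in
            any|"*:*"|"${dest_host}:${dest_port}"|"${dest_host}:*"|"*:${dest_port}")
                echo "allowed: permitopen $entry"; exit 0 ;;
        esac
    done
    echo "blocked: permitopen $permitopen"
    exit 1
)

# Constructed samples (not taken from any real host).
sample_default()  { printf '%s\n' 'port 22' 'allowtcpforwarding yes' 'permitopen any'; }
sample_pinned()   { printf '%s\n' 'allowtcpforwarding local' 'permitopen 192.168.37.118:3389'; }
sample_disabled() { printf '%s\n' 'allowtcpforwarding no' 'permitopen any'; }

sample_default  | forward_allowed 192.168.37.118 3389 || true
sample_pinned   | forward_allowed 192.168.37.118 3389 || true
sample_pinned   | forward_allowed 192.168.37.118 22   || true
sample_disabled | forward_allowed 192.168.37.118 3389 || true
```

On a real server, pipe the effective configuration into it as root, for instance `sshd -T | forward_allowed 192.168.37.118 3389`; settings inside `Match` blocks only show up when `sshd -T` is given a matching `-C` connection spec.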

  7. #7
    Just Joined!
    Join Date
    Aug 2011
    Posts
    3
    Hi,

    I already had AllowTcpForwarding on. It was an iptables issue. Got it working though.

    Obviously, as I'm going to be running this solely for SSH access, I am going to build a distro in Buildroot with just dropbear so I can run the entire system in initrd.

  8. #8
    Linux User
    Join Date
    Jan 2005
    Location
    Saint Paul, MN
    Posts
    260
    Quote: Originally posted by sam1994
    Hello,

    Don't want to use VPN if possible, but I'd like to be able to SSH to another machine, and through that, access a port over TCP. Catch is the port I want to access is not on the target machine.

    e.g.

    Client ------- SSH Server ------- Port Server

    The server with the port I actually want to forward isn't running SSH. It's not possible to somehow use this SSH server to then connect to the Windows ports is it?
    Code:
    To do:
    
             +-------------+        +-----------+             +------------+ 
             |  localhost  |        |  server1  |             |  server2   |
             |             |        |  machine  |             |  machine   |
             |             |22--->22|           |             |            |
             |             |        |           |             |            |
        >3128---------------------------------------------->80|            |
             |             |        |           |             |            |
             +-------------+        +-----------+             +------------+ 
    
    
    Use:
    
            ssh -L 3128:server2:80 user@server1  sleep 3600
    This makes references to port 3128 on your machine connect to port 80 on "server2", passing through "server1". This tunnel will
    close in one hour.
