  1. #1

    Challenge: scripting ssh tunnels between Linux/Windows

    Edit: my scenario got a lot easier. Please read the third post.

    Who wants a challenge? I'm not entirely sure this is possible, so that's why I'm asking for help. This is my scenario, though.

    I have four servers, some Windows, some Linux. I have an apt-mirror running in the core of our network. However, due to firewalls, I have to use jump-boxes to access certain machines, and normal ports aren't open. During certain points of the day, one of the services on a jump box shuts down and opens one of the ports. I want to use SSH tunnels to allow apt to connect back to my internal mirror. Here's what things look like:

    LinuxVM --any:any-- WinVMHost1 --3802-> WinJump --any:any-- WinVMHost2 --any:any-- LinuxApt

    I need to do two SSH tunnels:
    - From WinVMHost1 to WinJump on port 3802
    - From WinJump to LinuxApt using any port

    (Note that I can't go straight from LinuxVM to WinJump - the firewall only permits WinVMHost1 to talk back to WinJump on 3802).

    Here's what I'd like to do. I'd like to ball up a pre-made OpenSSH/Cygwin bundle and push it out to each box along the chain, establishing connections along the way. Then, I want to tear it down. In more detail, WinVMHost2 has Cygwin on it already. I can SSH to that, transfer my bundle, and use Cygwin's UNC capabilities to push the bundle to WinJump and start OpenSSH. Then, I'd create the tunnel to WinJump. From the Cygwin bundle now on WinJump, I can push the bundle to WinVMHost1, start OpenSSH, and create the second tunnel. Then, I can connect to the Linux VM. Once the work is done, it can all be torn out and taken back to normal.

    Note that I have to use Cygwin because it's what is approved for use here at work. Is this feasible?
    Last edited by summersab; 03-27-2013 at 01:31 PM. Reason: Scope simplification

  2. #2
    Linux Engineer
    Join Date
    Jan 2005
    Saint Paul, MN
    What kind of tunnel chain are you intending to complete?

    For example:
             +-------------+        +------------+             +-----------+             +------------+             +----------+
             |   LinuxVM   |        | WinVMHost1 |             |  WinJump  |             | WinVMHost2 |             | LinuxApt |
             |             |        |            |             |           |             |            |             |          |
             |             |----->22|            |             |           |---------->22|            |             |          |
             |             |        |            |             |           |             |            |             |          |
        >1348--------------------------------------------->3802-------------------------------------------------->22|          |
        >2348--------------------------------------------->4348-------------------------------------------------->80|          |
        >3348--------------------------------------------->5348------------------------------------------------->443|          |
             |             |        |            |             |           |             |            |             |          |
             +-------------+        +------------+             +-----------+             +------------+             +----------+
    ssh -L 1348:WinJump:3802 -L 2348:WinJump:4348 -L 3348:WinJump:5348 -t USER1@WinVMHost1 ssh -L 3802:LinuxApt:22 -L 4348:LinuxApt:80 -L 5348:LinuxApt:443  USER2@WinVMHost2
    Here you could do:
    ssh -p 1348 useronLinuxApt@LinuxVM
    And you would be connecting to "LinuxApt" as user "useronLinuxApt". Anyway this is showing something that can be done.

    To be browsing on "LinuxApt"
    Last edited by alf55; 03-27-2013 at 02:43 AM. Reason: Added example usage...

  3. #3
    Okay, as I've moved forward, this scenario has become much simpler, and one of the intermediary machines doesn't matter anymore. However, now I have a new roadblock: my own ignorance of how to set up ssh tunnels. So, here's what I've got:

    +---------+        +------------+          +-----------+        +----------+
    | LinuxVM |        | WinVMHost  |          |  WinJump  |        | LinuxApt |
    |         |----->22|            |----->3802|           |----->22|          |
    |         |        |            |          |           |        |          |
    +---------+        +------------+          +-----------+        +----------+
    Basically, I want to forward my web traffic (at least port 80) from LinuxVM to LinuxApt so I can run apt-get, etc. The one challenge is the fact that only port 3802 is available between WinVMHost and WinJump. I have Cygwin set up on all machines, now, and I have sshd listening on port 3802 on WinJump. From there . . . how do I chain these tunnels and forward port 80 across?

    Edit: I verified that the tunnel between WinJump and LinuxApt works fine by pointing a browser on WinJump to localhost:80. The command I ran to set up the tunnel was:
    ssh -L 80:LinuxApt:80 administrator@LinuxApt -p 22
    However, I then tried going to WinVMHost and running:
    ssh -L 80:WinJump:80 cyg_temp@WinJump -p 3802
    When I try using a browser from WinVMHost, the Cygwin terminal reports "channel 3: open failed: connect failed: Connection refused." So, I'm 1/3 of the way there, I suppose . . .

    Thank you SO much!!!
    Last edited by summersab; 03-27-2013 at 02:05 PM.

  5. #4
    I figured MOST of it out, but I can't figure out how to chain all of the commands together and execute them successfully on the client. So far:

    ssh -L 8888:localhost:8888 cyg_temp@WinVMHost
    (then from the ssh> prompt):
    ssh -L 8888:localhost:8888 cyg_temp@WinJump -p 3802
    (again from the new ssh> prompt):
    ssh -L 8888:localhost:80 administrator@LinuxApt

    So, I can do it that way, but I can't manage to make this work:
    ssh -t -L 8888:localhost:8888 cyg_temp@WinVMHost ssh -t -L 8888:WinVMHost:8888 cyg_temp@WinJump -p 3802 ssh -L 8888:WinJump:80 administrator@LinuxApt

    Not sure what I'm missing . . .

  6. #5
    Linux Engineer
    Join Date
    Jan 2005
    Saint Paul, MN
    So your goal is to ssh from LinuxVM to LinuxApt (with hops in between) and have a tunnel to give you a connection from LinuxVM that connects to port 80 on LinuxApt?

    And you prefer to reference port 80 on LinuxVM and really be seeing port 80 on LinuxApt?

    Also you must start the ssh access from LinuxVM because LinuxApt is hidden until you are on WinJump.

    On which machines can you allocate ports?

    From LinuxVM (single line command):
         ssh -L 80:WinJump:8888 cyg_temp@WinVMHost -t ssh -p 3802 -L 8888:LinuxApt:80 cyg_temp@WinJump
    Which will ask for the password at WinVMHost and then the password for WinJump (assuming correctly entered on the first attempt at both machines). At this point there should be a tunnel between port 80 on LinuxVM and port 80 on LinuxApt.
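
Added example (not written by either poster): a small shell helper that assembles a chained `ssh -L` command for the topology in this thread. Each `-L` listener lives on the machine where that `ssh` client runs, and its destination is resolved from the far end of that hop, so every intermediate hop forwards to `localhost` on the next machine and only the last hop names the real target. The function name `build_chain`, the relay port 8888 and the loopback-only bind address are assumptions of this example; it also assumes WinJump can reach LinuxApt on port 80.

```shell
#!/bin/sh
# build_chain LISTEN_PORT DEST_HOST:DEST_PORT HOP [HOP...]
#   HOP is user@host or user@host:sshport (sshport defaults to 22).
# Prints one nested ssh command. Nothing is executed here.
build_chain() {
    port=$1
    dest=$2
    shift 2
    n=$#
    i=0
    cmd=""
    for hop in "$@"; do
        i=$((i + 1))
        case $hop in
            *:*) target=${hop%:*}; sshport=${hop##*:} ;;
            *)   target=$hop; sshport=22 ;;
        esac
        if [ "$i" -lt "$n" ]; then
            # Intermediate hop: hand traffic to the listener that the next
            # ssh in the chain opens on the far machine's loopback.
            fwd="127.0.0.1:$port:localhost:$port"
            tty="-t "   # the nested ssh needs a tty for its password prompt
        else
            # Last hop: the destination is resolved from the final machine.
            fwd="127.0.0.1:$port:$dest"
            tty=""
        fi
        # Binding to 127.0.0.1 keeps each relay port off the network;
        # ExitOnForwardFailure makes a hop fail if its listener cannot bind.
        cmd="$cmd${cmd:+ }ssh ${tty}-p $sshport -o ExitOnForwardFailure=yes -L $fwd $target"
    done
    printf '%s\n' "$cmd"
}

# Constructed input matching the simplified topology in post #3:
# LinuxVM -> WinVMHost (22) -> WinJump (3802), target LinuxApt:80.
build_chain 8888 LinuxApt:80 cyg_temp@WinVMHost cyg_temp@WinJump:3802
```

Run from LinuxVM, the printed command leaves the mirror reachable at localhost:8888 on LinuxVM for as long as the innermost session stays open.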
