SSH Tunnel

Printable View

09-30-2005
Nisse99

SSH Tunnel

Set up:
[Machine at work (A)]---[Firewall]---[internet]----[OpenBSD (B)]

I can log in on B from A just perfectly. It is also setup to use keys instead of password. I cannot log in on A from B however because of the firewall over which I have no control. Question: How can I set up a tunnel from A to B so I can later use it to login on A from B? I tried experimenting with the -R flag but I couldn't make it work. Any hints anybody?
09-30-2005
Roxoff

What I used to do was run VNC server on (A), and open SSH from (A) to (B) with reverse port forwarding, so I could log onto local port on (B) from home and see the VNC desktop on (A).
09-30-2005
Nisse99

Ok, but how did you set up the tunnel then? I won't be using vnc, just ssh and a shell.
09-30-2005
deek

If you don't have control of that firewall, I don't think you are going to be able to do it. I mean, take the company I work for, which has hundreds of PCs behind the firewall...in order for me to ssh to my box (at work), the firewall would need to know to forward the appropriate port to my single box...no IT department is going to do that...

Theoretically, you would have to initiate the contact from inside the firewall...but again, I know that most IT areas are going to automatically log you out after X hours...

Hate to be the bearer of bad news, but I don't think you will be able to ssh into this box without having some sort of control over the firewall...
09-30-2005
davebardsley

I googled the following search string "linux ssh tunnel through firewall" and was rewarded with this little gem at the top of the list:
http://souptonuts.sourceforge.net/sshtips.htm
I expect this is what you're looking for.
09-30-2005
Nisse99

Yes, I tried that... It doesn't work. I guess I have to try again using more -v flags to see exactly what's happening but maybe my ssh is misconfigured. I can set a tunnel locally on machine B to itself but not from A. So the sshd on A is probably the problem, right?
09-30-2005
davebardsley

Have you tried anything like what is descripbed here:
http://proxytunnel.sourceforge.net/p...et-200204.html

Quote:

(c) Copyright 2001-2002 the Muppet
...
ssh -R 2323:some-sys.bigacme.com:23 casa
...
With only a limited amount of effort it is possible to convert the remote tunnel example into a fully functional system for connecting to a system on the inside of the network using ssh. In order to implement this solution, you need:
User access (root access not necessary!) to a system on the inside of the network that can act as a gateway into the network.
A computer system in the Internet that runs the SSH daemon on a port that is allowed by the corporate firewall that we want to penetrate (e.g. port 443). A cable modem or ADSL connected Linux system will do just fine.
ProxyTunnel :-)
Some smart shell scripts
On the internal system, you install SSH, ProxyTunnel and a small shell script (tunnel) that is run regularly (say every 5 minutes) through the Unix cron scheduler. This script uses scp to retrieve a small instruction file from the external system in the Internet (in this example, this file is called tr (for tunnelrequest). The tr file contains a flag that indicates whether a tunnel into the protected network is requested or not.

After retrieving the tunnel request file the script does the following:

If a tunnel is requested, and there is currently a reverse tunnel in operation, the script does nothing.
If a tunnel is requested, and there is currently no tunnel operating, the script uses an SSH command (like the one in the previous example) to set up a reverse tunnel. Access into the protected network is now possible!
If no tunnel is requested, but there is one running, the running tunnel is terminated.
If no tunnel is requested, and none is running, the script does nothing.
For good measure, the script's action is summarised in a one-line status message that is put back (again using scp) to the external system in the Internet.

Meanwhile, on the external system we install a small script (maketun) that opens up a tunnel into the protected network through the following procedure:

First it checks whether a tunnel already exists. If that is the case, it connects to the existing tunnel.
If no tunnel exists, it writes out a tr file that requests a tunnel and starts waiting...
While this script waits, the (time scheduled) tunnel script on the internal system retrieves the tr file and creates the tunnel.
The script on the local system regularly checks whether the tunnel has been created already. When it is, it emits three beeps and connects to the tunnel. The user now has access to the internal system!
...

I've only included a small portion of the complete text. You stated that SSH's reverse port forwarding feature didn't assist you, perhaps you should try a more commonly accessable port, say 443?
10-03-2005
Nisse99

Problem solved!

I finally managed to make it work. Thank you all who helped! I had accidentally misconfigured the configfile. Anyway, I also swithced on KeepAlive to prevent the tunnel from closing on me.

So, again, thanks all!