* Failure (firstname.lastname@example.org) [011002 10:23]: > I have some boxes behind a firewall that I need access to from the internet. > I don't control the firewall, so I thought I would try to use OpenSSH > port forwarding. I have placed "GatewayPorts yes" in the outside machine's > sshd_config. The boxes involved both use Debian with OpenSSH 2.9p2. > I connect like this (from the firewalled machine): > > ssh -g -C -R 3001:firewalled_machine:22 user@outside_machine > > I can now connect to 3001 on the outside machine, but the connection doesn't > do anything and is quickly closed. I've tried ports besides 22 with the same > results, but with ssh I get this familiar message: > > $ ssh -C -p 3001 firewall_user@outside_machine > ssh_exchange_identification: Connection closed by remote host > > Can anyone help? The first thing to try is to change firewalled_machine to localhost or another name that resolves to a local address that would be allowed by a firewall that blocks all but loopback traffic to sshd. Probably that's not the case; people generally allow sshd to accept connections. From here, I'd try a couple of different things: use telnet or netcat to connect and see what you see. You should get something like SSH-1.99-OpenSSH_2.9p2 (the sshd's version string). If it doesn't even get that far, try it locally -- instead of connecting through the tunnel, just try telnet localhost 22 on the firewalled machine. Is it really accepting connections? If so, maybe you should try your tunnel setup on different ports using netcat: firewalled_host$ nc -l -p 2222 firewalled_host$ ssh -g -R 3001:localhost:2222 outside_host outside_host$ nc -p 2222 localhost basically, my advice is to simplify and test incrementally until you can find out exactly how far it works. If the above tests work. try connecting from another outside host to outside_host instead of from localhost. IF that fails, you know it's a gatewayports problem. It seems like you're saying that part works, but you get the idea. The next test would be to see if it works to your listening netcat but not to sshd. Sorry, this advice is very general and is not the answer you may have been looking for, but I hope it helps you track down the problem and solve it. good times, -- Vineet http://www.anti-dmca.org Unauthorized use of this .sig may constitute violation of US law. echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
Description: PGP signature