
Re: SSH port forwarding



* Failure (failure@nanbara.failsure.net) [011002 10:23]:
> I have some boxes behind a firewall that I need access to from the internet.
> I don't control the firewall, so I thought I would try to use OpenSSH 
> port forwarding.  I have placed "GatewayPorts yes" in the outside machine's
> sshd_config.  The boxes involved both use Debian with OpenSSH 2.9p2.
> I connect like this (from the firewalled machine):
> 
> ssh -g -C -R 3001:firewalled_machine:22 user@outside_machine
> 
> I can now connect to 3001 on the outside machine, but the connection doesn't
> do anything and is quickly closed.  I've tried ports besides 22 with the same
> results, but with ssh I get this familiar message:
> 
> $ ssh -C -p 3001 firewall_user@outside_machine
> ssh_exchange_identification: Connection closed by remote host
> 
> Can anyone help?

The first thing to try is to change firewalled_machine to localhost or
another name that resolves to a local address that would be allowed by a
firewall that blocks all but loopback traffic to sshd.

Probably that's not the case; people generally allow sshd to accept
connections.  From here, I'd try a couple of different things: use
telnet or netcat to connect and see what you see. You should get
something like
SSH-1.99-OpenSSH_2.9p2

(the sshd's version string). If it doesn't even get that far, try it
locally -- instead of connecting through the tunnel, just try telnet
localhost 22 on the firewalled machine. Is it really accepting
connections? If so, maybe you should try your tunnel setup on different
ports using netcat:

firewalled_host$ nc -l -p 2222
firewalled_host$ ssh -g -R 3001:localhost:2222 outside_host
outside_host$ nc localhost 3001

Basically, my advice is to simplify and test incrementally until you
can find out exactly how far it works. If the above tests work, try
connecting from another outside host to outside_host instead of from
localhost. If that fails, you know it's a GatewayPorts problem. It seems
like you're saying that part works, but you get the idea. The next test
would be to see if it works to your listening netcat but not to sshd.

Sorry, this advice is very general and is not the answer you may have
been looking for, but I hope it helps you track down the problem and
solve it.

good times,

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'

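The banner check suggested above, as an added example that is not part of the thread: a small Python probe that connects to the forwarded port and tells apart "nothing listening", "accepted then closed with no banner" (the ssh_exchange_identification symptom), "accepted but silent" (what a netcat listener looks like) and "a real sshd answered". `serve_once` is a constructed local stand-in for the far end of the tunnel so the probe can be exercised offline; the banner it sends is the version string quoted in the reply, not one captured from any host.

```python
import socket
import threading
import time

# Constructed banner in the form the reply quotes; not captured from any host.
SAMPLE_BANNER = b"SSH-1.99-OpenSSH_2.9p2\r\n"

def probe_ssh_banner(host, port, timeout=2.0):
    """Connect to host:port and classify what the far end does:
    ("unreachable", errname)  connect failed: nothing listening or filtered
    ("closed", None)          accepted then closed without a banner (the
                              ssh_exchange_identification symptom above)
    ("silent", None)          accepted and held open, no data (a netcat listener)
    ("banner", (proto, sw))   a real sshd answered with its version string
    ("other", line)           something that is not SSH answered"""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as err:
        return ("unreachable", type(err).__name__)
    with sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            return ("silent", None)
    if not data:
        return ("closed", None)
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    if line.startswith("SSH-") and line.count("-") >= 2:
        _, proto, software = line.split("-", 2)
        return ("banner", (proto, software))
    return ("other", line)

def serve_once(payload=b"", hold=0.0):
    """Stand-in for the far end of the tunnel (so the probe runs offline):
    accept one connection, send payload, hold it open `hold` seconds, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            if payload:
                conn.sendall(payload)
            time.sleep(hold)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]   # port to point the probe at
```

Against the real setup you would call `probe_ssh_banner("outside_machine", 3001)` from an outside host after bringing up the `ssh -R` tunnel; a "closed" result points at the forwarded target, a "silent" one at what is listening there, and "unreachable" at the listener or GatewayPorts.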
