
ssh tunnelling

  • 07-07-2007 10:37pm
    #1
    Registered Users, Registered Users 2 Posts: 5,238 ✭✭✭


    It's a pretty common thing but despite all the different instructions I've read I haven't succeeded and at this stage I'm frustrated and feeling rather stupid.

    What I want to be able to do is connect from my Windows machine to a Linux one running different services, ftp, mysql, etc.

    Most of the examples I've seen consider a third machine which confuses things.

    I'd really appreciate it if someone could tell me how to set up a port to listen for an ssh connection and forward it (unencrypted) to a different port on the same computer and secondly, though it's not really the right forum, how to set up a listening port (for an unencrypted connection) on a Windows computer and forward it via ssh to the first machine (I have putty but if there's something better that's cool).


Comments

  • Technology & Internet Moderators Posts: 28,830 Mod ✭✭✭✭oscarBravo


    ssh tunnelling is pretty straightforward once you get your head around the basic concept.

    Basically, you're asking the machine running the ssh server (daemon) to act as client for another machine on your behalf.

    For example, the firewall machine at work has a public address, and an internal (10/8) address. If I want to access a machine on the 10/8 network, it's obviously not possible from the public Internet, so I need to use ssh tunnelling.

    I need to ssh to the firewall machine, and ask it to connect to the relevant 10/8 machine for me. So, I set up a port forward (tunnel):

    # ssh -L 8000:10.1.2.3:80 root@firewall

    The ssh root@firewall is vanilla, so the magic is in the -L option. The first part is the "L"ocal port to forward - in this case, port 8000. The second and third parameters are the host and port to which to forward.

    In my browser I can now type "localhost:8000", and ssh (or putty, if you're stuck in Windoze-land) will forward the request for me. As far as 10.2.1.3 is concerned, the request comes from a browser running on the firewall machine.


  • Registered Users, Registered Users 2 Posts: 5,238 ✭✭✭humbert


    On the Linux machine running ssh (I'm connected to it via ssh if that makes a difference, though I'd doubt it would) I typed

    ssh -L 4444:localhost:21 root@localhost
    ->
    gentoo ~ # ssh -L 4444:localhost:21 root@localhost
    Password:
    Last login: Sun Jul 8 02:49:39 2007 from localhost

    I checked with netstat and there is a listening tcp socket on port 4444 but when I connect to it from putty it says connection refused. I've checked the firewall, I've altered localhost to the ip and the name on the local network and the result was the same. I also tried changing from the ftp server to the ssh, and even setting up netcat to listen for any connection but no difference.

    At this stage I'm either missing something very very obvious or there's something wrong with my setup, I think.


  • Technology & Internet Moderators Posts: 28,830 Mod ✭✭✭✭oscarBravo


    It's hard to see what you're trying to do. Why would you ssh tunnel to localhost? In the example you've given you're forwarding port 4444 on localhost to port 21 on the same machine.


  • Registered Users, Registered Users 2 Posts: 5,238 ✭✭✭humbert


    Yeah, that could be the problem, I'm just not getting it!

    I want to forward a port on the Windows machine to an arbitrary port on the Linux machine via ssh, then forward that data locally on the Linux machine to the correct service, say ftp.


  • Closed Accounts Posts: 1,467 ✭✭✭bushy...


    If what you want to do is send (e.g.) ftp traffic over the tunnel and your gentoo box is the ftp server, download putty and start it up on the Windows PC.
    Put in the ip of the gentoo box in the first screen, then go down the list on the left and click on SSH.
    Down near the bottom of that screen you just need to fill in 2 boxes, Local and remote/port.
    Put in 4444 for local and 10.1.2.3:21 for remote (where 10.1.2.3 = gentoo box).
    Now click on connect, log in and minimise that screen. Put in localhost:4444 in a browser and you should end up at the ftp.


  • Technology & Internet Moderators Posts: 28,830 Mod ✭✭✭✭oscarBravo


    OK, gotcha. You need to use putty's interface to the port forwarding mechanism. When setting up the connection in putty, go to the "tunnelling" section of the configuration, and specify that you want to forward a local port (like 4444) to localhost:21. When you connect with putty, you'll be able to connect to port 4444 on your Windows machine and have it forwarded to port 21 on the Linux machine.

    In general terms: the ssh client has to request the tunnel. In your case, the ssh client is putty. I'm used to using Linux machines, where the client is the "ssh" command, hence the command-line example I gave.
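
Added example (not part of the thread or of any poster's reply): a small shell helper that decodes an `ssh -L` spec to show on which machine the listening port is opened and which side connects to the destination. The names `explain_forward` and `valid_port` and the output format are made up for illustration; it assumes hostnames or IPv4 addresses only and the ssh client default of `GatewayPorts no`.

```shell
#!/bin/sh
# Added example: decode an `ssh -L` spec, [bind_address:]port:host:hostport.
# Assumptions: hostnames or IPv4 only (no bracketed IPv6), and the client
# default GatewayPorts=no, so a forward with no bind address is loopback-only.

valid_port() {
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Runs in a subshell "( ... )" so the IFS and noglob changes stay local.
explain_forward() (
    set -f                      # keep a literal "*" bind address from globbing
    IFS=:
    set -- $1                   # split the spec on ":"
    case $# in
        3) bind=127.0.0.1; lport=$1; host=$2; hport=$3 ;;
        4) bind=$1; lport=$2; host=$3; hport=$4 ;;
        *) echo "error: expected [bind_address:]port:host:hostport" >&2; exit 1 ;;
    esac
    if ! valid_port "$lport" || ! valid_port "$hport"; then
        echo "error: ports must be 1-65535" >&2; exit 1
    fi
    [ -n "$host" ] || { echo "error: empty destination host" >&2; exit 1; }
    case $bind in
        localhost|127.*) reach=loopback-only ;;
        ''|'*'|0.0.0.0)  bind='*'; reach=network ;;
        *)               reach=network ;;
    esac
    # listen = socket opened on the machine running the ssh CLIENT.
    # dest   = name resolved and connected to by the ssh SERVER.
    printf 'listen=%s:%s dest=%s:%s reach=%s\n' \
        "$bind" "$lport" "$host" "$hport" "$reach"
)

# The forward from the thread, requested by the client on the Windows machine:
explain_forward 4444:localhost:21
# The firewall example: the server side connects on to an internal host.
explain_forward 8000:10.1.2.3:80
# Explicit wildcard bind: other hosts on the network can use the tunnel entrance.
explain_forward '*:4444:localhost:21'
```

A `loopback-only` result means only programs on the machine running the ssh client can reach the tunnel entrance, which is consistent with the "connection refused" seen when the forward was created on the Linux box and then contacted from PuTTY on Windows.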


  • Registered Users, Registered Users 2 Posts: 5,238 ✭✭✭humbert


    Thanks a lot, success at last. I really was on the verge of pulling my hair out!
    oscarBravo wrote:
    In general terms: the ssh client has to request the tunnel.

    That's what I wasn't getting. I couldn't understand why a login was necessary when running the command on the server. Really will have to start thinking a bit more broadly. When you rule out the impossible all that's left however improbable... and all that.

    Together with that and bushy's instructions for putty (now understanding why it was necessary to connect via the normal login procedure and fill in the forwarding options because I'm instructing the server to set up the link).

    Big sigh of relief :)

