I've just reproduced your scenario (except my machine has ppp0 and eth0
instead of eth[01]).

On my "PC" I did:
First window: nc -l -p 6400
Second window: ssh FIRE -R 6400:localhost:6400 (this established the connection
along the eth0 interface)

On my "APP" I did:
telnet FIRE_ppp0_IP_ADDRESS 6400

This resulted in a connection being tunnelled as expected and any text I
typed in my telnet connection to FIRE actually appeared on the PC.

On the firewall PC:
# netstat -a | grep 6400
tcp        0      0 *:6400                  *:*                     LISTEN

So it does work pretty much as advertised.

However up till now I've been using machines with ssh 1.2.27. Seeing that
I've been wanting to upgrade them to openssh for some time, I decided to do
so now. As soon as I've done so, the exact symptoms you're describing
struck. The reason for this is described in:
http://www.snailbook.com/faq/gatewayports.auto.html. This leaves us with two
somewhat obvious answers:

1. Use commercial ssh. (Not so nice)
2. From the APP machine do "ssh FIRE -L 6400:localhost:6400". This will mean
that from the APP machine you connect to localhost:6400 and are actually
connecting to PC:6400. This is also nice as it's encrypted end to end.

If neither of the above solutions is possible, you will have to find some
TCP level proxy. IP level redirection through portfw does not seem to work.
(Possibly due to checking of the source address somewhere along the lo
interface input chains or by ssh itself?).

Anyone care to supply a good TCP level proxy?

Cheers,

Dave.


--
David Zverina
Alt Key Pty. Ltd.
http://www.altkey.com
PO Box 3121, Parramatta, 2124, Australia

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, 12 January 2001 16:08
> To: 'David Zverina'; [EMAIL PROTECTED]
> Subject: RE: [SLUG] Port redirecting
>
>
>
> I am using ssh -R 16400:localhost:6400 FIRE
> But when it creates the tunnel, a netstat on FIRE says that FIRE
> is listening
> on localhost:16400. This presents a problem when APP wants to connect.
>
> It only does this on a machine with 2 Network cards. If I use a
> machine with
> 1 NIC the FIRE machine is listening on FIRE:16400.
>
> I can't find anything in the ssh/sshd to tell it different (I could be
> wrong,
> it's happened before)
>
> regards
>
> Grant Street
> Four J's Asia Pacific
> http://www.4js.com.au
> Ph:  +61 2 8912 4170
> Fax: +61 2 8912 4179
> Disclaimer: http://www.4js.com.au/Std/eDisclaim.html
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > David Zverina
> > Sent: Friday, 12 January 2001 14:43
> > To: Grant Street; [EMAIL PROTECTED]
> > Subject: RE: [SLUG] Port redirecting
> >
> >
> > OK haven't actually tried this but quick scan of ssh manual seems to
> > indicate a way to do it.
> > Assuming FIRE and PC machines are linux and APP is whatever
> > it should be as
> > easy as running on the PC machine:
> >
> > ssh FIRE -L 6400:APP:6400
> >
> > Once this connection is established, connecting to port 6400
> > on the local
> > PC would be actually connecting to APP:6400 over encrypted tunnel.
> >
> > man ssh for more info. Especially the -L (or maybe -R) switches.
> >
> > Hope this helps,
> >
> > Dave.
> >
> > --
> > David Zverina
> > Alt Key Pty. Ltd.
> > http://www.altkey.com
> > PO Box 3121, Parramatta, 2124, Australia
> >
> > > -----Original Message-----
> > > From: Grant Street [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, 12 January 2001 14:28
> > > To: 'David Zverina'; [EMAIL PROTECTED]
> > > Subject: RE: [SLUG] Port redirecting
> > >
> > >
> > >
> > > we sell a product that is developed in FRANCE so we do not
> > have access to
> > > source.
> > >
> > > Essentially it has a "display layer" (true 3 tier) process
> > that runs on the
> > > PC.
> > > It listens to PORT 6400 for display type commands. These commands
> > > are clear
> > > text.
> > > So eg "Display "Bloggs Fred" to name field" type commands(not
> > > actual syntax)
> > > are snoopable.
> > >
> > > Customers would like to run the app over the internet but would like
> > > encryption. We are using ssh's  facilities to do this so that
> > > only a client
> > > ssh is needed on the PC.
> > >
> > > the big picture is
> > >
> > >  ----------                               ----------
> > >  |        |           ssh                 |        |
> > >  |  PC    |6400 -----------localhost:16400|  FIRE  |
> > >  |        |                               |        |
> > >  ----------                               ----------
> > >                                                |IP:6400
> > >                                                |
> > >                                                |
> > >                                           ----------
> > >                                           |        |
> > >                                           |  APP   |
> > >                                           |        |
> > >                                           ----------
> > >
> > > The application running on APP needs to communicate
> > > to the PC on port 6400 eventually.
> > >
> > > Grant Street
> > >
> > >
> > > > -----Original Message-----
> > > > From: David Zverina [mailto:[EMAIL PROTECTED]]
> > > > Sent: Friday, 12 January 2001 13:59
> > > > To: Grant Street; [EMAIL PROTECTED]
> > > > Subject: RE: [SLUG] Port redirecting
> > > >
> > > >
> > > > % insmod /lib/modules/2.2.5-15/ipv4/ip_masq_portfw.o
> > > > % /usr/sbin/ipmasqadm portfw -a -P tcp -L FIRE_IP_ADDRESS 16400 -R
> > > > FIRE_IP_ADDRESS 6400
> > > >
> > > > -L means local address
> > > > -R means remote address
> > > >
> > > > remote address does not have to be on the firewall PC and
> > > > could be another
> > > > PC behind the firewall if required. However I am a bit puzzled
> > > > by the need for
> > > > that kind of configuration. Maybe if you post more info
> > > > about your
> > > > motivation, a better solution might appear.
> > > >
> > > > Cheers,
> > > >
> > > > Dave.
> > > >
> > > > --
> > > > David Zverina
> > > > Alt Key Pty. Ltd.
> > > > http://www.altkey.com
> > > > PO Box 3121, Parramatta, 2124, Australia
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > > [EMAIL PROTECTED]
> > > > Sent: Friday, 12 January 2001 13:15
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [SLUG] Port redirecting
> > > >
> > > >
> > > > Hello all
> > > >
> > > > I have the following configuration
> > > >
> > > >  ----------                               ----------
> > > >  |        |           ssh                 |        |
> > > >  |  PC    |6400 -----------localhost:16400|  FIRE  |IP:6400
> > > >  |        |                               |        |
> > > >  ----------                               ----------
> > > >
> > > > I am initiating a ssh connection from the PC and the
> > > > firewall. The firewall has 2 network cards so the
> > > > sshd is listening on localhost:16400. I want it to
> > > > listen on IP:16400 or IP:6400.
> > > >
> > > > What is the best/easiest/general way of doing this
> > > > I'm trying to work out IP chains but I am getting lost...
> > > >
> > > > Your speedy response is appreciated :-)
> > > >
> > > > Searching is bringing up seemingly irrelevant stuff
> > > >
> > > >
> > > > Grant Street
> > > >
> > > >
> > > >
> > > > --
> > > > SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> > > > More Info: http://slug.org.au/lists/listinfo/slug
> > > >
> > >
> >
> >
> >
> >
>
>
>
>




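Dave closes by asking for a TCP-level proxy. The relay below is an added example written for this page; it is not code from the thread or from any of its posters. It assumes the layout in the diagrams: FIRE_IP is the address of FIRE that APP can reach, APP_IP is APP's address, and port 6400 on both sides; all three are placeholders. The symptom Grant sees (sshd on FIRE listening on localhost:16400 only) is the OpenSSH behaviour the snailbook page describes: remote forwards set up with -R bind to loopback unless sshd_config on FIRE has `GatewayPorts yes`. If you can change sshd_config that is the one-line fix; the relay is for when you cannot, and it adds something GatewayPorts does not, namely a check that only APP may use the forwarded port. The relay binds FIRE_IP:6400, accepts connections from APP_IP, and copies bytes both ways to 127.0.0.1:6400 where sshd put the listener, propagating each side's EOF so a telnet or nc session ends cleanly. `start_echo_server` and `round_trip` are constructed scaffolding so the relay can be exercised offline: the echo server stands in for the loopback-only sshd listener.

```python
# tcprelay.py (assumed name): added example, not code from the thread.
# OpenSSH sshd binds the "-R 6400:localhost:6400" listener on FIRE to 127.0.0.1
# (GatewayPorts off), so APP cannot reach it. This relay listens on FIRE's
# reachable address, accepts only APP, and copies bytes both ways to that
# loopback listener. Every address and port below is an assumption.
import contextlib
import socket
import threading


def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def splice(client, target):
    """Connect upstream, pump both directions, close both ends when done."""
    try:
        upstream = socket.create_connection(target)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def close_listener(sock):
    """Shut the listener down so a thread blocked in accept() wakes, then close."""
    with contextlib.suppress(OSError):
        sock.shutdown(socket.SHUT_RDWR)
    sock.close()


class Relay:
    """Accept on `listen`, relay to `target`, drop peers outside `allowed_sources`."""
    def __init__(self, listen, target, allowed_sources=None):
        self.target, self.allowed = target, allowed_sources
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen)
        self.sock.listen(16)

    def serve_forever(self):
        while True:
            try:
                client, peer = self.sock.accept()
            except OSError:  # listener was closed
                return
            if self.allowed is not None and peer[0] not in self.allowed:
                client.close()  # not APP: the tunnel is never touched
                continue
            threading.Thread(target=splice, args=(client, self.target), daemon=True).start()


def start_echo_server():
    """Constructed stand-in for the loopback-only sshd listener: echoes its input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=lambda c=conn: (pump(c, c), c.close()), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def round_trip(payload, allowed_sources=None):
    """Send payload through a fresh relay to the echo server; b"" means refused."""
    echo = start_echo_server()
    relay = Relay(("127.0.0.1", 0), echo.getsockname(), allowed_sources)
    threading.Thread(target=relay.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(relay.sock.getsockname(), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            return b"".join(iter(lambda: c.recv(4096), b""))
    except OSError:
        return b""
    finally:
        close_listener(relay.sock)
        close_listener(echo)


if __name__ == "__main__":
    import sys  # usage on FIRE: python3 tcprelay.py FIRE_IP APP_IP
    Relay((sys.argv[1], 6400), ("127.0.0.1", 6400), {sys.argv[2]}).serve_forever()
```

Run it on FIRE as `python3 tcprelay.py FIRE_IP APP_IP` after the PC has brought up its `ssh FIRE -R 6400:localhost:6400`. Note what this does and does not buy you: the APP to FIRE leg is still cleartext, exactly as in Dave's own test, and only the PC to FIRE leg rides inside ssh. Without the source filter anyone who can reach FIRE_IP:6400 gets the same tunnel straight into the PC's port 6400, which is the reason to keep the `allowed_sources` check rather than simply turning on GatewayPorts and exposing the forward to the world.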