ssh tunnel problems

Mike mike at microdel.org
Mon Jun 23 21:10:53 UTC 2008


On Mon, 23 Jun 2008, Rick Bilonick wrote:

>
> On Mon, 2008-06-23 at 13:06 -0400, Rick Bilonick wrote:
>> How do you explain that this works fine when going from my home computer
>> to an account on my ISP's computer? I followed an example posted on the
>> web (which DID have one mistake in using "localhost" which I corrected -
>> but the other use of "localhost" is AFAIK correct). In order to do a
>> reverse tunnel, don't you have to point to localhost in order to use the
>> forwarded port?
>>
>> I don't see this as confusing:
>>
>> (on my.work.server which is behind a firewall that blocks incoming ssh
>> but not outgoing ssh)
>>
>>> ssh -R 2022:my.work.server:22 me@home.computer
>>
>> where "my.work.server" is the IP address for my.work.server and
>> "home.computer" is the IP address for my home.computer. This sets up the
>> port forwarding for a reverse tunnel (that's the -R option). If on
>> home.computer I do:
>>
>>> netstat -an | grep 2022
>>
>> it shows that home.computer is listening to port 2022.
>>
>> Then, to use the reverse tunnel (again on home.computer):
>>
>>> ssh -p 2022 accnt@localhost
>>
>> where "accnt" is the user account on my.work.server and I use the
>> password for accnt on my.work.server. This should allow me then to go
>> through the ssh tunnel in the reverse direction (getting through the
>> firewall that is blocking the use of incoming ssh from the home computer
>> to the my.work.server).
>>
>> Even after removing everything in hosts.allow on my.work.server, I still
>> can't connect.
>>
>> This SAME setup works fine if I set up the tunnel from my home computer
>> to my account on my ISP's server. And yes I'm using "localhost" similar
>> to what I show above. And I've tried it from my.work.server to my
>> account on my ISP but have the same problem so the problem is something
>> on my.work.server.
>>
>> Is it possible for the firewall to block a reverse tunnel (without
>> blocking outgoing ssh)?
>>
>> Rick B.
>>
>
> One more thing. I just tried this on another Fedora 8 computer hooked to
> a different network (at the same organization) that has a firewall
> blocking incoming ssh. I followed the same strategy as outlined above
> and it works like a charm. So this procedure DOES work as I've outlined
> it above IN PRINCIPLE. For some reason, it doesn't work on the other
> server.
>
> Rick B.
>

I haven't followed this thread closely but...  On the server that does not 
work do you know if the line "AllowTcpForwarding yes" is present in 
/etc/ssh/sshd_config ?

--Mike
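
Added example, not part of the original thread or of OpenSSH: a small shell check for the setting Mike asks about. It reads the global AllowTcpForwarding value from an sshd_config-style file (first value read wins, default is yes, Match blocks are ignored) and reports whether that value permits the -R forwarding used above. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the global AllowTcpForwarding value of an sshd_config file.

# effective_tcp_forwarding FILE -> prints the value used outside any Match block
effective_tcp_forwarding() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)        # accepts "Key value" and "Key=value"
            key = tolower(f[1])
            if (key == "match") exit         # what follows is conditional, not global
            if (key == "allowtcpforwarding") {
                value = tolower(f[2]); gsub(/"/, "", value)
                found = 1
                exit                         # sshd keeps the first value it reads
            }
        }
        END { print (found ? value : "yes") }   # documented default is yes
    ' "$1"
}

# Succeeds when the value permits remote (-R) forwarding as used in the thread.
reverse_forwarding_allowed() {
    case "$(effective_tcp_forwarding "$1")" in
        yes|all|remote) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample config, not taken from any real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#AllowTcpForwarding yes
AllowTcpForwarding no
AllowTcpForwarding yes
Match User accnt
    AllowTcpForwarding yes
EOF
echo "global AllowTcpForwarding: $(effective_tcp_forwarding "$sample")"
if reverse_forwarding_allowed "$sample"; then echo "-R permitted"; else echo "-R refused"; fi
rm -f "$sample"
```

On a live host, running `sshd -T` as root prints the effective configuration, including this keyword.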



