LinuxQuestions.org
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Old 06-17-2013, 05:09 AM   #1
doruneda
LQ Newbie
 
SSH tunneling issue


Self answered (solution identified and not cause).
The text in grey has proved to be a bunch of wrong conclusions.
The corrections and details are to be found in the reply below.


Hi,

I've recently received a request to install and prepare a machine (virtual with vmware) for an application server in internet. This server should be accessible on port 8080 where a jboss application is listening and providing a web interface.
The server should also be accessible directly from the intranet (other servers) on the same port. However in our company the following policies are applied: internet-intranet (no connections allowed), intranet-internet ssh port allowed (through firewall with NAT, although all our IP addresses are public addresses).

Having the following:
subnet A - lab internet network
subnet B - lab intranet network 1
subnet C - lab intranet network 2
subnet D - office intranet network
machine X - vm running redhat in A to hold the web application
machine Y - vm running centos in B to hold a tunnel to X
machine Z - another vm running redhat in C
mylaptop - me in the office
Policies
A->*, all reject
B,C,D->A 22 allow, all reject(firewall with NAT)
B,C<->D all allow(firewalled)
B<->C all allow(routed only)

So I did the following:
I created X and assigned it in A. I then created Y and assigned it in B. I then launched on Y the tunnel: #ssh -fgNL 8080:127.0.0.1:8080 user@ipX

Now any browser connecting to http://ipY:8080 should automatically receive the responses from ipX:8080

What actually happens:
If I connect from mylaptop to http://ipY:8080, 6 HTTP requests are launched. 3 of those are finished and 3 not. I experience a pretty high load time (for just a login page). The tunnel hangs in that status with those TCP connections and dies in a few minutes.
If I connect from Z to http://ipY:8080, the same as above happens.
If I connect from Y (to itself) to http://127.0.0.1:8080, 6 HTTP requests are launched. 6 of those are finished and everything works great.
If I connect from another VM in the same subnet B to http://127.0.0.1:8080, 6 HTTP requests are launched. 6 of those are finished and everything works great.
So from what I see, everything outside the subnet of the tunnel head is going chaotic. I only have 1 network interface on all machines, so it shouldn't be a routing problem, I think.

More strange: if I launch the tunnel from mylaptop (running Windows) to A, all other machines in the intranet are tunneled perfectly.

Any ideas what is going on and where I should investigate further?

Thank you,

Last edited by doruneda; 06-19-2013 at 10:41 AM.
 
Old 06-17-2013, 10:02 PM   #2
linosaurusroot
Member
 
If you've started with 1 http connection and soon after got 6 that will be because a page served by X contains links. And probably they are not links relative to the page but contain ipX or 127.0.0.1 or something else that doesn't make sense from some of your client locations.
 
Old 06-19-2013, 10:56 AM   #3
doruneda
LQ Newbie
 
final conclusions and solution

I mentioned in my first post that if I connect from the same subnet as the tunnel server everything works fine. I was actually wrong; everything worked fine because of an old Firefox loading each part of the page in a serial manner.

After many Wireshark/telnet & other investigations I noticed that:
If I was having multiple page elements, modern browsers will load a bunch of them in concurrent connections. Problem is that if I was having more than 3 TCP connections sent through the tunnel, all of them hung (nothing reaching the end of the tunnel) and after a few minutes the tunnel itself died.
Still wondering if this is an SSH issue or not (PuTTY from my laptop was tunneling just fine in any condition), I have cloned the internet server VM and put the clone in the intranet. I've modified the tunnel to point to this new machine and surprise, NO PROBLEMS!
After this I concluded it either has to do with the firewalls (though I doubt they can sense encrypted TCP connections in the tunnel) or with the combination of firewalls+ssh client.

The solution:
I thought of many things: firewalls being able to distinguish tunneled conversations (from a numeric perspective), ssh failing due to overhead added to original frames and somehow messing up the data, etc.
I then had the idea to try the -C option. This adds compression to the tunnel. It should be used only where the connections are slow (not my case, but I gave it a try). Surprise is that after this I was able to tunnel perfectly. I tested with a page displaying 100 different images of 1,6 MB each. All went fine (except my browser, which hated me for that).
I worried about the CPU overhead that would be added by the compression. There was no noticeable increase in CPU consumption.
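The symptom in post #1 (3 of 6 requests finishing) and the finding in post #3 (more than 3 concurrent TCP connections through the tunnel all hang, while a serial loader never notices) are exactly what a small concurrency probe makes visible. The following is an added example, not code from the thread or its posters. It assumes the OpenSSH client flags from ssh(1) (-f, -N, -g, -L and the -C option post #3 settled on) for building the tunnel command, and it includes a constructed stand-in server that reproduces the observed behaviour (first 3 connections answered, the rest left open with no reply) so the probe can be exercised offline; against the real setup you would point the probe at the tunnel head, e.g. ipY:8080, before and after adding -C.

```python
import socket
import threading
import time
from typing import List, Optional, Tuple


def tunnel_command(user: str, remote_host: str, local_port: int = 8080,
                   remote_port: int = 8080, compress: bool = False) -> List[str]:
    """argv for the forward used in the thread: ssh -fgNL 8080:127.0.0.1:8080 user@ipX.

    Assumption: OpenSSH client flags as documented in ssh(1): -f (background),
    -N (no remote command), -g (other hosts may use the forwarded port),
    -L (local forward) and -C (compression, the option post #3 settled on).
    """
    argv = ["ssh", "-f", "-N", "-g"]
    if compress:
        argv.append("-C")
    argv += ["-L", f"{local_port}:127.0.0.1:{remote_port}", f"{user}@{remote_host}"]
    return argv


def probe_concurrent(host: str, port: int, n: int,
                     timeout: float = 2.0) -> Tuple[int, int, int]:
    """Open n HTTP connections to host:port at the same time and report
    (answered, hung, failed). A serial fetch, one request after the other,
    never shows the hang described in post #3; only concurrent ones do."""
    results: List[Optional[str]] = [None] * n

    def worker(i: int) -> None:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n")
                data = s.recv(4096)
                results[i] = "answered" if data.startswith(b"HTTP/") else "failed"
        except socket.timeout:
            results[i] = "hung"      # connected and sent, nothing ever came back
        except OSError:
            results[i] = "failed"    # refused, reset, closed without a reply

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("answered"), results.count("hung"), results.count("failed")


class SymptomServer:
    """Constructed stand-in for the misbehaving tunnel head (not a real SSH
    tunnel): answers the first `limit` connections and leaves every further
    one open without a reply, as the tunnel in posts #1 and #3 behaved.
    limit=None answers every connection (the healthy case)."""

    def __init__(self, limit: Optional[int] = 3, hold: float = 10.0):
        self.limit, self.hold = limit, hold
        self.served = 0
        self.lock = threading.Lock()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))      # ephemeral port, read it from .port
        self.sock.listen(32)
        self.sock.settimeout(0.2)             # lets the accept loop notice close()
        self.port = self.sock.getsockname()[1]
        self.running = True
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn: socket.socket) -> None:
        with self.lock:
            answer = self.limit is None or self.served < self.limit
            if answer:
                self.served += 1
        with conn:
            conn.settimeout(self.hold)
            try:
                conn.recv(1024)
                if answer:
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
                else:
                    time.sleep(self.hold)   # swallow the request, like the stuck tunnel
            except OSError:
                pass

    def close(self) -> None:
        self.running = False
        self.sock.close()


if __name__ == "__main__":
    print(" ".join(tunnel_command("user", "ipX", compress=True)))
    for limit in (3, None):
        srv = SymptomServer(limit=limit)
        print(f"limit={limit}: answered/hung/failed =",
              probe_concurrent("127.0.0.1", srv.port, 6))
        srv.close()
```

Against the constructed server with limit=3 the probe reports 3 answered and 3 hung for 6 parallel requests, matching the "3 finished, 3 not" observation; with no limit all 6 are answered. Running the same probe against the tunnel head gives a repeatable number instead of a browser's subjective load time, and rerunning it after switching the tunnel to the -C form shows whether the change had any effect.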
 
Old 06-19-2013, 11:18 AM   #4
doruneda
LQ Newbie
 
Quote:
Originally Posted by linosaurusroot View Post
If you've started with 1 http connection and soon after got 6 that will be because a page served by X contains links. And probably they are not links relative to the page but contain ipX or 127.0.0.1 or something else that doesn't make sense from some of your client locations.
Thank you for your time. My problem is not that I don't know why I have more than one connection, but why my SSH tunnel fails to tunnel those conversations.

To make it more clear: in the first moment of requesting a page, the browser requests that page (file) only. After receiving and parsing it, it will start a number of concurrent TCP connections for loading page elements (CSS files, image files, script files, etc). After this, also other TCP connections will be made requesting information if the page uses AJAX-like parts. It has nothing to do with links (I'm not dumping the site content, but browsing it) nor has it anything to do with the path of the files. All the page elements in my case were relative-path defined elements.

Last edited by doruneda; 06-19-2013 at 11:21 AM.
 
  

