LinuxQuestions.org
Forum: Linux - Networking
access ssh tunnel (on server) from network

#1 ghostwriter78, 10-28-2007 04:18 AM


Hello,

We use an SSH tunnel to allow access to an intranet web server on the remote network.

Until now I established the connection from my local (Windows) PC with PuTTY/plink, and it works well for me.

Now my colleagues also need to use this tunnel.

1. How do I make the SSH tunnel permanent on our local Linux server (local net)?
2. How do I let it re-establish the connection automatically after a failure or on server start?
3. How can colleagues in the local network access the tunneled (remote) web server?

The idea is that my colleagues and I just access the local Linux server (e.g. http://lanserver), which would forward all port 80 traffic to the remote tunneled web server.

Imagined Path of this connection:
Local PCs <-> Local Linux Server <- tunnel over internet -> Remote linux SSH server <-> remote Web Server

The networks have different subnets and are separated by firewalls.
local lan 192.168.0.0/255
local linux server: 192.168.0.10

remote LAN 192.168.10.0/255
remote linux SSH server: 192.168.10.10
remote web server: 192.168.10.20 (port 80)

The remote network has a fixed external IP address, e.g. x.x.x.x.

Hope someone can help me with that.

Thanks
Tibor
 
#2 vadiml, 10-28-2007 07:12 AM
I'd suggest you take a look at www.openvpn.net
 
#3 ghostwriter78 (OP), 10-28-2007 09:22 AM
Well, thanks, but as I said I want to use SSH. VPN is not a solution, in terms of exposing the whole network, so we want to tunnel only port 80 to a certain machine.
 
#4 rossonieri#1, 10-28-2007 11:28 AM
Hi ghost,

Answers to your questions:
1. AFAIK, as long as the SSH server doesn't terminate the process, you won't lose the connection (you can configure the option on the daemon). But that is not good practice.
2. Which side has failed/restarted, the client or the server side?
On the Windows client you can put putty.bat in the start-up group to start the connection; see the manual.
On the server side it will mostly always be started.
3. If your server-side router performs NAT, then you should forward TCP 22 and all the other ports that you want to tunnel.

HTH.
 
#5 vadiml, 10-28-2007 12:13 PM
Quote:
Originally Posted by ghostwriter78
Well, thanks, but as I said I want to use SSH. VPN is not a solution, in terms of exposing the whole network, so we want to tunnel only port 80 to a certain machine.
I've had a client with the same requirements;
I installed OpenVPN and used iptables to filter out undesired traffic...
Worked like a charm.
 
#6 ghostwriter78 (OP), 10-28-2007 09:36 PM
Hi again,

vadiml:
SSH is the only option I have, since the remote server only supports SSH and is out of my control in terms of installing software.

rossonieri#1:
Neither side has terminated the connection; in fact it's working well with the putty.bat solution on my Windows PC. The point is we don't want to use putty.bat anymore. My colleagues and I should be able to access the remote server through our local LAN Linux server acting as the SSH client.

That means we type the address of our local server into the browser (e.g. http://lanserver). The local "lanserver" tunnels the request through the remote-side SSH server to the remote intranet web server.

Another point...
I took a look at how to set up an SSH connection, but it's not clear to me how to let it recover itself after a disconnect.

Perhaps somebody has a clue how to solve this.
Thanks

Tibor
 
#7 yongitz, 10-28-2007 10:12 PM
Hi! If I were you I would add a cron job (say every 15 minutes, it really depends on you) that checks whether the ssh tunnel is alive or not. If not, then run the ssh tunnel command.
 
#8 jschiwal, 10-28-2007 10:24 PM
Why not simply use shtml? Forward port 8080 on the remote site's router to the web server for requests originating from your local site.
 
#9 ghostwriter78 (OP), 10-28-2007 11:10 PM
Hi jschiwal,
hmm, shtml? You mean https? Or something else?
The connection isn't the problem here... SSH works fine.

The issue is more whether the access from multiple Windows PCs will work like I posted.

Hi yongitz,
yes, I thought that way too... just how do I check whether the ssh tunnel is alive?
 
#10 jschiwal, 10-29-2007 01:56 AM
Yes, I meant https. Having an SSL connection between your browser and the server would provide security, and the security is built into the browser and web server.
 
#11 ghostwriter78 (OP), 10-29-2007 04:50 AM
I still need SSH to connect to the remote network, and that's my question: how to do it properly.
 
#12 jschiwal, 11-01-2007 03:59 AM
When you use the putty.bat program, are you tunneling the traffic back and forth or are you running an app remotely? I'm not sure how you set up the return packets because they would come back on random high ports.

If the web protocol used only port 80, you could use something like:
Code:
# local port 2001 -> port 80 on the SSH server itself; -f backgrounds ssh
# once the forward is up, and the long sleep keeps the session alive
ssh -f -L 2001:localhost:80 remote.server.com sleep 100000

The ssh info manual has a tunneling example, but it uses the tun device on both ends. Your constraints don't allow that.

If the gateway is running ssh, I think that binding the LAN-side interface instead of localhost would allow forwarding to the remote server.
Code:
# -L [bind_address:]port:host:hostport: listen on the gateway's LAN address
# so other LAN hosts can connect; host:hostport is the intranet web server
# from the first post, as seen from remote.server.com
ssh -f -L 10.1.0.1:8080:192.168.10.20:80 remote.server.com sleep 10000
where the gateway server has an IP address of 10.1.0.1.

I used the auxiliary HTTP port (on the local side) in this example in case other users would want to use their web browsers to the internet normally. This would need testing, and you may also want to add some kind of access control, like an iptables rule on your gateway, if you want to limit who on the LAN can use the gateway forwarding.
 
#13 yongitz, 11-02-2007 11:04 AM
Just in case you haven't figured out yet how to have your local LAN access the forwarded ports on your local Linux server:

Code:
# -g: accept connections to the local listening port from other hosts,
#     not only from localhost
ssh -L 80:192.168.10.20:80 -g user@192.168.10.10
But then again your other problem remains (that is, how to check if this connection dies).
A simple telnet command would check if it's up or not, but I just can't figure out how to script it so that if it dies the ssh command is called again.
 
#14 complich8, 11-02-2007 03:33 PM
Quote:
Originally Posted by yongitz
But then again your other problem remains (that is, how to check if this connection dies)
Borrowing your code snippet:

user's crontab entry:
Code:
#start at boot time
@reboot runtunnel.sh
runtunnel.sh (put wherever the cron job points to)
Code:
#!/bin/bash

while /bin/true
do
  # make the tunnel connection
  # -N: run no remote command. Without it ssh starts a login shell; under
  #     cron stdin is not a terminal, so that shell reads EOF and exits at
  #     once, and this loop would spin instead of holding the tunnel open.
  # -o ExitOnForwardFailure=yes: if port 80 cannot be bound locally, fail
  #     and retry rather than stay connected with no forward.
  # -o BatchMode=yes: never wait on a password prompt nobody can answer;
  #     use a key the remote account already trusts.
  ssh -N -o ExitOnForwardFailure=yes -o BatchMode=yes \
      -L 80:192.168.10.20:80 -g user@192.168.10.10
  # if the system's down, don't spin the local system too much...
  # sleep a second or so between retries
  sleep 1
done
Make sure to set ServerAliveInterval, ServerAliveCountMax, and TCPKeepAlive to sane values in /etc/ssh/ssh_config, or ~/.ssh/ssh_config, in order to promptly detect failures/disconnects of the tunnel.

Incidentally, I use a very similar setup at home, albeit to a slightly different end and inside of screen sessions so I can reconnect and manually kick it...

Also, if you want to use port 80, the user opening the tunnel is going to have to be root. You might consider looking into an iptables "REDIRECT" rule and running a different local port and a non-root user... just sayin'
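
Added example (editor's code, not from any post in this thread): a cron-driven watchdog that does what yongitz (#7, #13) asks for and complich8 (#14) loops around, using the bound LAN address jschiwal (#12) suggests instead of -g. It takes the addresses from the first post (local Linux server 192.168.0.10, remote web server 192.168.10.20:80); the login user@x.x.x.x, the listen port 8080, the pid-file path and the cron schedule are assumptions. It assumes an ssh key is already authorised on the remote account, since nothing under cron can type a password. The liveness test sends a real HTTP request through the tunnel rather than only checking that the port is open, because ssh keeps accepting local connections while its link to the server is half-dead; a status line that actually came back across the channel is the honest check.

```bash
#!/bin/bash
# tunnel-watchdog.sh  (added example; not code from the thread)
# Runs on the local Linux server (192.168.0.10).  Each run makes an HTTP
# request through the tunnel; if nothing answers, the old ssh is killed and
# a new one started.  Assumed values: listen port 8080 (no root needed),
# hypothetical login user@x.x.x.x with an authorised key, and the intranet
# web server 192.168.10.20:80 as seen from the remote SSH server.
#
# crontab -e (as the unprivileged tunnel user):
#   @reboot     /usr/local/bin/tunnel-watchdog.sh check
#   */2 * * * * /usr/local/bin/tunnel-watchdog.sh check
#
# Needs bash (/dev/tcp and read -t); no curl, nc or telnet required.

BIND_ADDR=192.168.0.10          # LAN address colleagues point browsers at
LOCAL_PORT=8080                 # unprivileged listen port
REMOTE_SSH=user@x.x.x.x         # assumed: remote SSH server, external address
TARGET=192.168.10.20:80         # intranet web server, reached from remote side
PIDFILE=${HOME:-/tmp}/.tunnel-$LOCAL_PORT.pid

# tunnel_alive HOST PORT -> 0 if an HTTP request to HOST:PORT gets an HTTP
# status line back within 5 s (any status, even 404, proves the path works).
# Runs in a subshell so fd 3 and any connect failure stay contained.
tunnel_alive() (
    host=$1 port=$2
    exec 3<>"/dev/tcp/$host/$port" 2>/dev/null || exit 1
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" >&3
    if read -t 5 -r line <&3; then
        case $line in HTTP/*) exit 0 ;; esac
    fi
    exit 1
)

# start_tunnel: background ssh, detached from cron, pid recorded.
#  -N                        no remote shell (cron has no tty; a shell would
#                            exit on EOF and take the forward with it)
#  ExitOnForwardFailure=yes  die if the local port cannot be bound, so the
#                            next check restarts instead of finding a live
#                            ssh with no forward
#  BatchMode=yes             never block on a password prompt
#  ServerAlive*              notice a dead server link in ~45 s rather than
#                            waiting for the TCP stack to give up
start_tunnel() {
    nohup ssh -N \
        -o ExitOnForwardFailure=yes -o BatchMode=yes \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        -L "$BIND_ADDR:$LOCAL_PORT:$TARGET" "$REMOTE_SSH" >/dev/null 2>&1 &
    echo $! >"$PIDFILE"
}

stop_tunnel() {
    if [ -r "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" 2>/dev/null
        rm -f "$PIDFILE"
    fi
}

# check: the cron entry point.  A healthy tunnel returns 0 silently.
check() {
    if tunnel_alive "$BIND_ADDR" "$LOCAL_PORT"; then
        return 0
    fi
    echo "$(date '+%F %T') tunnel to $TARGET not answering, restarting" >&2
    stop_tunnel
    start_tunnel
}

case "${1:-}" in
    check) check ;;
    stop)  stop_tunnel ;;
esac
```

Colleagues then browse to http://lanserver:8080. Binding to 192.168.0.10 explicitly does what -g does for the LAN without also listening on any internet-facing interface the server may have. To make plain http://lanserver work without running ssh as root (complich8's point), add once as root on the local server: iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d 192.168.0.10 -p tcp --dport 80 -j REDIRECT --to-ports 8080. The -s match is the access control jschiwal mentions; tighten it to the colleagues' addresses if the rest of the LAN should not reach the intranet server.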
 
  

