LinuxQuestions.org
Old 09-18-2012, 09:51 AM   #16
\/4A
Member
 
Registered: Aug 2012
Posts: 112

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by suicidaleggroll View Post
2) ISP provides a modem/router combination device, which steals the external IP and only provides LAN IPs to the connected devices, but they give you the login information for the modem/router allowing you to set up things like NAT, port forwarding, firewall rules, subnet, DHCP range, etc.
Correct, it looks like this is the option the remote server I want to access (client site) is stuck with, with no access to the ISP's router settings - and this is standard with all ISPs here. If we want public IPs or extras like setting things on their router, it's extra (and expensive).

I personally am on a 3G connection, but again am under their NAT.
Both the client and I are on different ISPs. I've attached a little diagram to show things (the "Ubuntu server" is what I want to access using SSH from "my PC").

Taking a look at the option Chris suggested, I had a look at "Reverse SSH Tunnelling". In such a case where would the "middle" PC be? On my LAN? On the client's LAN? Can it be a virtual machine (with VirtualBox) on "my PC"?
Attached Images
File Type: png Accessing_remote_server_that_is_under_NAT.png (56.5 KB, 14 views)
 
Old 09-18-2012, 10:04 AM   #17
suicidaleggroll
Senior Member
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 2,834

Rep: Reputation: 1001
Quote:
Originally Posted by \/4A View Post
Correct, it looks like this is the option the remote server I want to access (client site) is stuck with, with no access to the ISP's router settings - and this is standard with all ISPs here. If we want public IPs or extras like setting things on their router, it's extra (and expensive).

I personally am on a 3G connection, but again am under their NAT.
Both the client and I are on different ISPs. I've attached a little diagram to show things (the "Ubuntu server" is what I want to access using SSH from "my PC").

Taking a look at the option Chris suggested, I had a look at "Reverse SSH Tunnelling". In such a case where would the "middle" PC be? On my LAN? On the client's LAN? Can it be a virtual machine (with VirtualBox) on "my PC"?
That's rough, glad the ISPs that I've used haven't tried to pull that crap. Anyway, the key here is which computer INITIATES the connection. You cannot initiate the connection from your location because you have no way of making it to the destination server. Instead you need to do it in reverse: initiate the connection from the destination server to your local computer (yes, this means having somebody physically access the server, or at least SSH into it from inside that LAN). Once you set up a permanent SSH tunnel (initiated from the server), you'll be able to open SSH connections from your local computer through that tunnel to access the server.
 
1 members found this post helpful.
Old 09-18-2012, 10:22 AM   #18
\/4A
Member
 
Registered: Aug 2012
Posts: 112

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
(yes, this means having somebody physically access the server, or at least SSH into it from inside that LAN). Once you set up a permanent SSH tunnel (initiated from the server), you'll be able to open SSH connections from your local computer through that tunnel to access the server.
But what about the fact that I too am behind a NAT?

Secondly, on the same point, does it mean that EVERY TIME I need to access the Ubuntu server, somebody will physically have to access the server, or at least SSH into it from inside that LAN?
 
Old 09-18-2012, 10:29 AM   #19
suicidaleggroll
Senior Member
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 2,834

Rep: Reputation: 1001
You'll have to set up port forwarding on your end then. If you can't do that either, that's when the "middle man" in the diagram comes in. You would set up an SSH tunnel from the server to some middle computer that doesn't have this port forwarding problem, then from your network you could SSH into the middle computer, then SSH through the tunnel into the server.

Once the permanent SSH tunnel is set up, you're fine. It will only need to be re-created if you reboot your machine, the server reboots, or possibly if there's an internet outage. You should be able to write a cron job or a daemon script on the server to check if the tunnel is up, and reestablish it automatically if it goes down.

Last edited by suicidaleggroll; 09-18-2012 at 10:30 AM.
 
1 members found this post helpful.
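
A cron-friendly form of the check-and-reconnect script described in the post above, as an added example that is not part of the original post or of the wiki linked later in the thread. The host name, the `tunnel` account, the key path and the `run` argument are assumptions; port 19999 is the one used later in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). POSIX sh only, so it runs under
# cron's default /bin/sh as well as bash.
# Assumed values: host name, account and key path are placeholders.
MIDDLE_HOST="${MIDDLE_HOST:-middle.example.net}"
MIDDLE_USER="${MIDDLE_USER:-tunnel}"   # unprivileged account on the middle box
KEY="${KEY:-$HOME/.ssh/tunnel_key}"    # dedicated key, no passphrase (cron)
REMOTE_PORT="${REMOTE_PORT:-19999}"    # listener opened on the middle box
LOCAL_PORT="${LOCAL_PORT:-22}"         # sshd on the inside server
SSH="${SSH:-ssh}"
PGREP="${PGREP:-pgrep}"

# The -R specification that identifies this tunnel in the process list.
forward_spec() {
    printf '%s:localhost:%s' "$REMOTE_PORT" "$LOCAL_PORT"
}

# Succeeds if an ssh client carrying exactly this forward is still alive.
tunnel_running() {
    "$PGREP" -f "ssh .*-R $(forward_spec) " >/dev/null 2>&1
}

# Open the tunnel from the inside server out to the middle box.
# ExitOnForwardFailure: ssh exits if the remote port cannot be bound.
# ServerAlive*: ssh exits when the link dies, so the next cron run restarts it.
start_tunnel() {
    "$SSH" -f -N -i "$KEY" \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 \
        -o ServerAliveCountMax=3 \
        -R "$(forward_spec)" \
        "$MIDDLE_USER@$MIDDLE_HOST"
}

# Reports "up" if the tunnel exists, "started" if it had to be opened.
ensure_tunnel() {
    if tunnel_running; then echo up; else start_tunnel && echo started; fi
}

# crontab line on the inside server (absolute path, no "~"):
#   * * * * * /home/openemr/launch-reverse-ssh-tunneling.sh run
# sshd binds -R listeners to loopback unless GatewayPorts is enabled, so
# log in to the middle box first, then: ssh -p 19999 openemr@localhost
if [ "${1:-}" = "run" ]; then
    ensure_tunnel >/dev/null
fi
```

Setting `REMOTE_PORT` to a different value per inside server lets several tunnels share one middle box.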
Old 09-18-2012, 10:47 AM   #20
\/4A
Member
 
Registered: Aug 2012
Posts: 112

Original Poster
Rep: Reputation: Disabled
Gosh, looks like reverse tunnelling is not an option for me - where would I get a "middle man", knowing all ISPs in our area follow the same principles?
 
Old 09-18-2012, 11:21 AM   #21
\/4A
Member
 
Registered: Aug 2012
Posts: 112

Original Poster
Rep: Reputation: Disabled
I wonder if setting up a VPN or using a service like dyndns could be the solution?
 
Old 09-18-2012, 12:45 PM   #22
fkasmani
Member
 
Registered: Dec 2007
Posts: 176

Rep: Reputation: 17
Quote:
Originally Posted by \/4A View Post
where would I get a "middle man"
You could consider taking up a VPS service. You wouldn't need any high specs but it's important you know how much bandwidth you'll be consuming. Stick to an Ubuntu based VPS as your "middle man".
 
1 members found this post helpful.
Old 09-18-2012, 03:12 PM   #23
jefro
Guru
 
Registered: Mar 2008
Posts: 11,533

Rep: Reputation: 1404
V4A, you are kind of throwing in stuff that doesn't matter.

It is very common to be on a private IP and access the web to any ISP to another user that is also on a private IP.

Dynamic DNS helps find the other computer on leased public IP addresses. You only need that if you can't discover the change. DDNS servers allow you to run a program that offers the change back up to the DDNS service. I have used it before and it works well. Some or maybe many of the new modem/routers allow you to configure it in the modem. Also you should have a setting that maps the public IP to the local computer. You may have to reserve or put a static IP in for this server. Same goes for your NAT connection.

Then you create a stunnel or ssh tunnel.
 
Old 09-19-2012, 02:06 AM   #24
\/4A
Member
 
Registered: Aug 2012
Posts: 112

Original Poster
Rep: Reputation: Disabled
I'm moving in the direction of what Chris suggested along with the VPS as the middleman. I did however ask a couple of VPS providers and they cannot guarantee it would work. No harm, I'll give it a try.

My concern is (in the event it works) - let's say sometime down the line I get another (or additional) remote server(s) in different locations (again in the same "behind a NAT" scenario) that I need to have reverse SSH tunneling with. Can I use the same middleman VPS I'm taking up today, or would I need an additional VPS (middleman) for each reverse SSH tunnel I want to set up?
 
Old 09-19-2012, 03:31 AM   #25
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1963
They couldn't guarantee?? I find that position very strange. If a provider doesn't know absolutely if it would work or not, I'd run a mile. Oh no, you can make as many as you want. Just a case of using a different port number in the middle box.
 
1 members found this post helpful.
Old 09-19-2012, 03:38 AM   #26
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1963
I just googled a bit, and whilst I can't get to the sites to check, Google previews (searching for "ssh proxy service") for sh3lls.net and guardster.com look useful amongst others.
 
Old 11-21-2012, 03:43 AM   #27
\/4A
Member
 
Registered: Aug 2012
Posts: 112

Original Poster
Rep: Reputation: Disabled
OK, I signed up for a Linux CentOS 6.2 based VPS service and followed the instructions at http://wiki.fabelier.org/index.php?t..._SSH_Tunneling

However, when I reach the last step and actually try to log in, I get the error (to prevent anyone hacking in, I've changed certain parts of the IP to xxx)
Code:
ssh: connect to host xxx.175.xx.251 port 19999: Connection refused
Just to summarize, this is how the structure is:
  • IP Number of Middle: xxx.175.xx.251
  • Username of Middle: root
  • Username of Inside: openemr
  • Command to initiate connection: ssh openemr@xxx.175.xx.251 -p 19999
  • Location of script in Inside: ~/home/openemr/launch-reverse-ssh-tunneling.sh
  • Location of crontab in Inside: ~/var/spool/cron/crontabs/openemr
  • OS of Inside: Ubuntu Server 12.04 minimal

I have installed Webmin on both: Middle and Inside and the Webmin on the Inside shows the '~/home/openemr/launch-reverse-ssh-tunneling.sh' command as an active scheduled cronjob for the 'openemr' user.

When I run
Code:
./launch-reverse-ssh-tunneling.sh
from the SSH shell (Cygwin), it seemingly does nothing and brings up the command prompt again. However, in Webmin (for Inside) when I click on 'Run Now' for this cronjob, it gives me the error
Code:
Output from command ~/home/openemr/launch-reverse-ssh-tunneling.sh ..

/bin/sh: 1: /home/openemr/home/openemr/launch-reverse-ssh-tunneling.sh: not found
I even tried enabling Port Forwarding for Port 22 and then 19999 on the router to which Inside is connected, but no luck.


I just have an update.

I was looking at the ~/var/mail/openemr on the Inside, and see this mail that's being generated every minute
Quote:
From openemr@oemrserver Wed Nov 21 13:06:01 2012
Return-Path: <openemr@oemrserver>
X-Original-To: openemr
Delivered-To: openemr@oemrserver
Received: by oemrserver (Postfix, from userid 1000)
id 966CD28EB9; Wed, 21 Nov 2012 13:06:01 +0300 (EAT)
From: root@oemrserver (Cron Daemon)
To: openemr@oemrserver
Subject: Cron <openemr@oemrserver> ~/home/openemr/launch-reverse-ssh-tunneling.sh
Content-Type: text/plain; charset=ANSI_X3.4-1968
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/home/openemr>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=openemr>
Message-Id: <20121121100601.966CD28EB9@oemrserver>
Date: Wed, 21 Nov 2012 13:06:01 +0300 (EAT)

/bin/sh: 1: /home/openemr/home/openemr/launch-reverse-ssh-tunneling.sh: not found

Last edited by \/4A; 11-21-2012 at 04:10 AM.
 
Old 11-23-2012, 08:32 AM   #28
\/4A
Member
 
Registered: Aug 2012
Posts: 112

Original Poster
Rep: Reputation: Disabled
I just don't know why the crontab is looking for the script from /home/openemr/home/openemr/launch-reverse-ssh-tunneling.sh
Really surprised where the extra '/home/openemr' is coming from.
 
Old 11-23-2012, 09:02 AM   #29
suicidaleggroll
Senior Member
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 2,834

Rep: Reputation: 1001
Quote:
Originally Posted by \/4A View Post
I just don't know why the crontab is looking for the script from /home/openemr/home/openemr/launch-reverse-ssh-tunneling.sh
Really surprised where the extra '/home/openemr' is coming from.
Code:
Output from command ~/home/openemr/launch-reverse-ssh-tunneling.sh ..

/bin/sh: 1: /home/openemr/home/openemr/launch-reverse-ssh-tunneling.sh: not found
~ is a shortcut to the user's home directory, so ~/home/openemr expands to /home/openemr/home/openemr
 
1 members found this post helpful.
Old 11-23-2012, 09:47 AM   #30
\/4A
Member
 
Registered: Aug 2012
Posts: 112

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
~ is a shortcut to the user's home directory, so ~/home/openemr expands to /home/openemr/home/openemr
Thanks.

I changed it to
Code:
~/launch-reverse-ssh-tunneling.sh
and it looks like it can now find the script. However, when I now run the cronjob, it gives the error
Code:
Output from command ~/launch-reverse-ssh-tunneling.sh ..

/home/openemr/launch-reverse-ssh-tunneling.sh: 1: /home/openemr/launch-reverse-ssh-tunneling.sh: Syntax error: "(" unexpected
I'm really surprised why, 'cos I've directly copied/pasted the code from http://wiki.fabelier.org/index.php?t..._SSH_Tunneling and chmod +x to the file I made.
 
  


All times are GMT -5. The time now is 05:14 PM.
