My ISP, Fastweb.it is the only company in the country where I live (Italy) that is capable of providing some real speed, especially on upload which I badly need for Freenet, i2p, BitTorrent seeding, and possibly other stuff that I may set up if I get around the problem caused by the 'dark side' of fastweb.
Abusing their de-facto monopoly on almost-high speed connections they use what I call "mobster marketing", which goes pretty much like this:
"I'm the only one who has this product, so you pay my price and stick to my rules: take it or leave it".
I'm not gonna discuss their policy here, what I'm looking for is a solution to a practical problem.
The problem that I have to solve is that the ISP does the NAT and I can't port forward, and to get a routable address I should pay €4 a (!) which are to be added to the €65 a month (!!) that I already pay for my 10/10Mbit cable connection (includes a VoIP marketed as a "land line")
Some days ago, a friend who lives in another country got himself a 100/100Mbit connection, so routing my 10Mbit _max_ (often much less) wouldn't be a problem for him.
I asked him if he could set up a limited ssh account for me and let me forward a bunch of ports to his box, which he agreed to.
Now the problem is that once the tunnel is open, I can't connect to the remote port that is supposed to be listening.
Some details:
I run an Ubuntu 8.04 64bit and the remote system is a well maintained and efficient Windows box running WinXP Pro.
The server is Winsshd, the guy on the other end made an account for me and opened the ports that I need to open even tho they should be opened by my remote command, because it wasn't working and that was a try.
(I also tried:
ssh -L <localport>:<remotehost>:<remoteport> user@remotehost sleep 150
no difference)
The connection seems to work, the tunnel is open, I can access my directory on the remote box, everything, but when I try to open a connection to the forwarded port through the tunnel using another terminal window, this output appears in the tunnel window:
channel 3: open failed: connect failed:
without any explanation of why the connection failed.
Perhaps the host at the destination end of the tunnel is not accepting connections on '<remoteport>'. The way your question is worded, it sounds like you are trying to connect to a service on the same host that is doing the tunneling. In principle, I suppose this should work, although it is not how tunnels are traditionally used, AFAIK. What command are you trying to use to access the service at the end of the tunnel?
--- rod.
The other possibility is that there is a ssh key mismatch in ~/.ssh/known_hosts. This is a problem with tunnels, as the destination host always shows up as localhost, but the key is actually transmitted from the host on the end of the tunnel. To see if this is the problem, first set the tunnel <remoteport> to 22, then try to make a ssh connection to the host at the end of the tunnel.
Code:
ssh -p <localport> localhost
If it complains about a changed remote host key, then edit the known_hosts file appropriately and/or set up your keys correctly.
is in the sshd_config file on your buddy's Windows server. MaxSessions at zero means that you cannot connect by the command line. It will forward all day long but not allow logins via the sshd listener on the box.
Sometimes another error with MaxSessions at zero is something like "Administratively prohibited: open failed"
Rod's suggestions were pretty good. Luke771, did you get your issue solved?
I would also try connecting with the '-v' (or even -vv or -vvv for more detail) option to ssh. This will usually show you if the tunnel was created, and if not what the error was. It does sound like something is already listening on either the local or remote ports.
Then I change firefox's manual network settings, and use socks v.5
local host port 9999
I also go to about:config and change the network.proxy.socks_remote_dns to true.
I am not sure if my browsing is being encrypted or not?
Kill the connection, try Firefox. If Firefox can't pull anything up because the connection is down, you are golden. Bring the ssh connection back up, try Firefox again. It should work again. Then you'll know traffic is going where you intend.
Good luck.
Yup, exactly what I did.
Quote:
Originally Posted by slugmax
I would also try connecting with the '-v' (or even -vv or -vvv for more detail) option to ssh. This will usually show you if the tunnel was created, and if not what the error was. It does sound like something is already listening on either the local or remote ports.
I used the -v option and it doesn't report a connection failed.
I mean it obviously works because I have my browser set to use port 9999 and if the ssh tunnel is not created, it simply won't browse the net. Once I do the ssh -ND 9999 dance, browsing works, but spits out those connection failed errors.
Now there is a new confusing error:
debug1: Connection to port 9999 forwarding to socks port 0 requested.
What does this mean? I didn't even know I had a socks port 0. Is this because of the Firefox option for No proxy for Localhost?
Not being silent here. I have no idea on this error and I proxy all day, every day through straight squid or sometimes ssh through squid. I love it. Squid makes browsing so much faster. Also you can anonymize/encrypt on untrusted networks. I tunnel wireless traffic all the time because it's faster than WEP or WPA. I can switch it on anytime when I'm doing things like banking or opening confidential documents and I can turn it off if I don't care if other people snoop, like checking the weather.
I wish I could help you but I simply don't know. Sorry.
I've used the same config for the ssh tunnel but I installed squid at the other part; it works OK but is very slow. I need to send my outbound traffic via the tunnel and receive in the regular way. Any comment?
A lot of things could be slowing you down. Check the squid cache files, make sure you are not hammering the hard disk with something else. If the hard disk is busy, browsing will appear slow because the cache hits won't be served quickly. Other than that, I don't know. You might also try using the verbose options mentioned in earlier parts of this thread to see if there are squid errors being kicked out: -v, -vv, or -vvv
You know, it is not as simple as you think. We are located in the Middle East and for some political reason they filter our outgoing traffic based on some site or traffic pattern. We use VPN to bypass filtering, but they find other ways to filter us and some other tools such as Tor, yourfreedom, etc.
So this is not only my problem; this is the problem of millions of people trying to find a way to freedom, so I need some special and new way to bypass this kind of traffic. Any comment from a Linux or network guru will help us in this way.
You might try the Opera web browser along with your ssh tunnel. Opera has a Turbo mode that might help you get some more speed. It's just a thought since things are working and the tunnel is what might be slow.
I was issuing the same message : channel 3 : connexion refused
in my SSH console, when trying to reach my tunneled port 3000 ( ntop )
The simple answer is : nothing was listening to port 3000 on my destination machine.
I restarted the NTOP service, then everything worked and I got rid of the error message.
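Added example, not part of any post in this thread: a Python helper that parses the channel-open failure lines quoted above and probes the forwarding destination (run it on the SSH server side) to tell "nothing listening" apart from the other causes suggested here. The function names and hint wording are assumptions of this example; the two message formats are the ones the OpenSSH client prints.

```python
import re
import socket

# Line the OpenSSH client prints when the server cannot open a forwarded channel.
CHANNEL_ERR = re.compile(
    r"channel (\d+): open failed: (connect failed|administratively prohibited):\s*(.*)"
)

def parse_channel_error(line):
    """Return (channel, kind, reason) for a channel-open failure line, else None."""
    m = CHANNEL_ERR.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3).strip()

def probe(host, port, timeout=2.0):
    """Attempt the same TCP connect the SSH server makes for a forwarded channel."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # host reachable, nothing listening on the port
    except socket.timeout:
        return "timeout"      # packets dropped, e.g. by a firewall
    except OSError:
        return "unreachable"  # no route, name resolution failure, ...

def diagnose(line, probe_result=None):
    """Map an error line (plus an optional probe result) to a likely cause."""
    parsed = parse_channel_error(line)
    if parsed is None:
        return "not a channel-open failure"
    _, kind, _ = parsed
    if kind == "administratively prohibited":
        return "server policy refuses forwarding; check the SSH server configuration"
    if probe_result == "refused":
        return "nothing is listening on the destination port; start the service"
    if probe_result == "open":
        return "destination accepts connections; check the host/port given to -L"
    return "SSH server could not reach the destination; probe it from the server"
```

The probe only means something when run on the machine that terminates the tunnel, because the destination in `-L` is resolved and connected from there, not from the client.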