Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hi, I have successfully set up an SSH tunnel connection using PuTTY and my OpenSSH server at home. I am simply forwarding TCP/FTP traffic through the encrypted port 22. I recently discovered that although all traffic is encrypted through the tunnel, DNS requests are not. The workaround is to set the flag option in Firefox and Thunderbird called network.proxy.socks_remote_dns to true. When I turn this flag on I get the following error from my SSH server: Forwarded connection refused by server: Administratively prohibited [open failed].
I know this is a DNS issue; however, I'm not sure where the problem exists: is it my SSH server, my PuTTY SOCKS client, or possibly my home firewall?
Below is the configuration of my sshd_config file. Any direction or help will be much appreciated.
#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
#now ssh is only used by rsync ==> auth by passwd file of rsync server
#AuthPassFile /etc/rsyncd.secrets
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#DenyUsers admin
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
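To make concrete what network.proxy.socks_remote_dns changes on the wire, here is an added example (written for this thread, not code from PuTTY, Firefox or OpenSSH). It encodes the SOCKS5 CONNECT request (RFC 1928) a browser sends to the local dynamic-forwarding port in both modes, decodes it the way the SSH client's SOCKS listener would, and packs the destination into the "direct-tcpip" channel open (RFC 4254) that goes to sshd. With the flag off, the browser resolves the name itself (that lookup is the DNS traffic that leaves the tunnel) and sends an IPv4 literal; with the flag on, the hostname is carried through unresolved and sshd has to resolve it before connecting. The `resolve` parameter, the `OPEN_FAILURE_REASONS` table and the sample host/port are assumptions of this example; the reason code names are the RFC 4254 section 5.1 values, and the "Administratively prohibited" text in the original post is code 1.

```python
import socket
import struct

# SOCKS5 (RFC 1928) and SSH connection protocol (RFC 4254) constants.
SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
SSH_MSG_CHANNEL_OPEN = 90
# RFC 4254 section 5.1 CHANNEL_OPEN_FAILURE reason codes (example table).
OPEN_FAILURE_REASONS = {1: "ADMINISTRATIVELY_PROHIBITED", 2: "CONNECT_FAILED",
                        3: "UNKNOWN_CHANNEL_TYPE", 4: "RESOURCE_SHORTAGE"}


def build_connect_request(host, port, remote_dns, resolve=socket.gethostbyname):
    """Build the SOCKS5 CONNECT a browser sends to the local PuTTY/ssh -D port.

    remote_dns=False is Firefox's default: the browser resolves the name itself
    through `resolve` (that lookup is the plaintext DNS traffic outside the
    tunnel) and sends an IPv4 literal (ATYP 0x01). remote_dns=True corresponds
    to network.proxy.socks_remote_dns=true: the hostname is sent unresolved
    (ATYP 0x03), so resolution happens at the far end of the tunnel.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname over 255 octets cannot be sent as ATYP 0x03")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolve(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Decode the request as the SOCKS side of the SSH client does.

    Returns the destination that is copied into the direct-tcpip channel open
    request, plus which side ends up doing the DNS lookup.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled in this example")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        host, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError(f"unknown address type {atyp:#04x}")
    if len(data) != end + 2:
        raise ValueError("truncated or trailing bytes in CONNECT request")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {"host": host, "port": port,
            "resolved_by": "sshd host" if atyp == ATYP_DOMAIN else "browser"}


def _ssh_string(b):
    return struct.pack("!I", len(b)) + b


def direct_tcpip_open(dest, sender_channel=0, window=2 ** 21, max_packet=32768,
                      origin=("127.0.0.1", 0)):
    """Encode SSH_MSG_CHANNEL_OPEN "direct-tcpip" (RFC 4254 section 7.2).

    The SOCKS destination is forwarded as an opaque string; when it is a
    hostname, sshd must resolve it on the server side before connecting, and a
    failure there comes back as CHANNEL_OPEN_FAILURE rather than a TCP error.
    """
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _ssh_string(b"direct-tcpip")
            + struct.pack("!III", sender_channel, window, max_packet)
            + _ssh_string(dest["host"].encode("idna")) + struct.pack("!I", dest["port"])
            + _ssh_string(origin[0].encode()) + struct.pack("!I", origin[1]))


def forwarded_destination(msg):
    """Pull the 'host to connect' string and port back out of a direct-tcpip open."""
    if msg[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not a CHANNEL_OPEN")
    (tlen,) = struct.unpack("!I", msg[1:5])
    if msg[5:5 + tlen] != b"direct-tcpip":
        raise ValueError("not a direct-tcpip open")
    pos = 5 + tlen + 12  # skip sender channel, window, max packet
    (hlen,) = struct.unpack("!I", msg[pos:pos + 4])
    host = msg[pos + 4:pos + 4 + hlen].decode("idna")
    (port,) = struct.unpack("!I", msg[pos + 4 + hlen:pos + 8 + hlen])
    return host, port


if __name__ == "__main__":
    # Constructed sample: an FTP destination, with a fake resolver so no real DNS is done.
    fake_dns = {"ftp.example.org": "192.0.2.10"}
    for remote in (False, True):
        req = build_connect_request("ftp.example.org", 21, remote,
                                    resolve=fake_dns.__getitem__)
        dest = parse_connect_request(req)
        print(f"remote_dns={remote}: SOCKS bytes {req.hex()} -> sshd connects to "
              f"{forwarded_destination(direct_tcpip_open(dest))}, name resolved by {dest['resolved_by']}")
```

The useful observation for this thread is in the second mode: the only thing that changes between "works" and "Administratively prohibited [open failed]" is that the string in the channel open is now a name the server has to look up, so the server host's own resolver configuration is the first thing to verify.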
Might try SOCKS first. With ssh you supply "-D localhost:$localport", in PuTTY set the "dynamic" option, for dynamic tunnelling.
Thanks unSpawn, yes, I have already tried the dynamic option in PuTTY; I simply set a high dynamic port number in the Source port field in PuTTY and add it. I then set the proxy server configuration in Firefox to point to that SOCKS host in the manual proxy configuration options of Firefox. That is what I have been doing so far, but it's not helping.
Your sshd_config AllowTcpForwarding is default so it must be Something Else. Only thing I can think of is a restrictive firewall on the SSH server or you calling the SSH server by its domain name (try IP address instead?).
Your sshd_config AllowTcpForwarding is default so it must be Something Else. Only thing I can think of is a restrictive firewall on the SSH server or you calling the SSH server by its domain name (try IP address instead?).
I'm pretty sure that on my box AllowTcpForwarding was set to no by default. Is it possible that you just changed this value but forgot to uncomment the line (remove the leading #)?
Your sshd_config AllowTcpForwarding is default so it must be Something Else. Only thing I can think of is a restrictive firewall on the SSH server or you calling the SSH server by its domain name (try IP address instead?).
Thanks unSpawn, I have no firewall on the SSH server; I only have a physical firewall, which is allowing TCP port 22 inbound. I am calling the SSH server by a domain name that I own, which resolves to the public IP address assigned to the external interface of my firewall, nothing fancy. The SSH server is behind the firewall.
I'm pretty sure that on my box AllowTcpForwarding was set to no by default. Is it possible that you just changed this value but forgot to uncomment the line (remove the leading #)?
You might want to try that just for fun.
Thanks jlamothe, I tried removing the leading # for AllowTcpForwarding; however, it made no difference. Keep in mind here that TCP forwarding is working no problem, it's just DNS that's failing. Keep the ideas flowing, any help is appreciated.
Another workaround that I use is OpenVPN. Here I choose between using only OpenVPN or, if I can use only the SSH port, I set up the tunnel with SSH and forward the OpenVPN traffic over that tunnel.
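The back-and-forth above about whether AllowTcpForwarding is "default" or was edited but left commented out is a common sshd_config pitfall, so here is an added example (not from this thread or from OpenSSH) that resolves the effective value of the forwarding-related directives the way sshd reads the file: commented lines are never read, keywords are case-insensitive, and the first value seen for a keyword wins. It also flags a commented-out line whose value differs from the default, which is exactly the "edited but forgot to uncomment" case. The `DEFAULTS` table holds the sshd_config(5) defaults for these four directives (UseDNS defaulted to yes in the OpenSSH versions of that era, as the posted config shows, and to no since 6.8); stopping at the first Match block is a simplification of this example, and the sample configuration at the bottom is constructed.

```python
import re

# sshd_config(5) defaults for the directives discussed in the thread.
# UseDNS was "yes" by default in the OpenSSH versions of that era and has
# defaulted to "no" since OpenSSH 6.8; adjust for the version you run.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permitopen": "any",
    "usedns": "yes",
}

# Matches "Keyword value" and "#Keyword value"; free-text comments without a
# value, or with an unknown keyword, are ignored by the caller.
DIRECTIVE_RE = re.compile(r"^\s*(#\s*)?([A-Za-z]+)\s+(.+?)\s*$")


def effective_config(text):
    """Resolve what sshd would actually use for the directives in DEFAULTS.

    sshd uses the first value it reads for each keyword and never reads a
    commented-out line, so '#AllowTcpForwarding yes' only documents the
    default. Directives after a 'Match' header are conditional; this example
    stops there and reports it rather than evaluating Match criteria.
    Returns (effective_values, warnings).
    """
    effective = dict(DEFAULTS)
    seen = set()
    warnings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        commented = m.group(1) is not None
        key, value = m.group(2).lower(), m.group(3)
        if key == "match" and not commented:
            warnings.append(f"line {lineno}: Match block starts; later directives "
                            f"are conditional and not evaluated by this example")
            break
        if key not in DEFAULTS:
            continue
        if commented:
            if value != DEFAULTS[key]:
                warnings.append(f"line {lineno}: '{line.strip()}' is commented out, so "
                                f"{value!r} has no effect; default {DEFAULTS[key]!r} applies")
            continue
        if key in seen:
            warnings.append(f"line {lineno}: duplicate {key}; sshd keeps the first "
                            f"value {effective[key]!r}")
            continue
        seen.add(key)
        effective[key] = value
    return effective, warnings


if __name__ == "__main__":
    # Constructed sample: the pattern from the thread, plus one edited-but-commented line.
    sample = """\
#Port 22
Protocol 2
#AllowTcpForwarding yes
#GatewayPorts no
#UseDNS yes
#PermitOpen 192.0.2.10:21
Subsystem sftp /usr/libexec/sftp-server
"""
    values, notes = effective_config(sample)
    for key in DEFAULTS:
        print(f"{key:20s} effective: {values[key]}")
    for note in notes:
        print("warning:", note)
```

On the posted configuration this reports AllowTcpForwarding as yes (the default, since the line is a comment) and no warnings, which matches unSpawn's reading that forwarding is not what is being refused. On an OpenSSH that supports it, `sshd -T` prints the server's own view of the effective configuration and is the authoritative check.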