LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-20-2004, 05:22 AM   #1
Edaph
LQ Newbie
 
Registered: May 2004
Posts: 6

Rep: Reputation: 0
SSH tunnels and VNC, yet again.


Here's my setup:

Code:
x.x.x.x          x.x.x.x|192.168.0.1     192.168.0.50

--------          -------------          -----------
| WORK |----------| LINUX BOX |----------| WIN2000 |
--------          -------------          -----------
I'm trying to access a Windows machine running TightVNC server at home from work. I've planned to use ssh to tunnel the connection from WORK to LINUX BOX, and at LINUX BOX just forward (and DNAT) the connection to the Windows computer on the LAN. The problem is that I can't seem to find any info on how the tunneled connection appears at the remote (LINUX BOX) end, so I could set up an iptables rule for forwarding.

It is suggested that the connection appears as a local connection (on the lo interface?), but I can't seem to confirm this. Also, as the ssh tunnel does not seem to require authentication (ssh -L port:HOST1:port user@HOST2 seems to be completely legitimate and working (the local port IS actually forwarded to HOST1 without need for a password)), this appears to me as a major security risk. Basically every iptables tutorial on the net suggests giving unrestricted access on the local interface; can't ssh tunnels then be used to bypass the iptables firewall and get *unrestricted access* to local services on the remote machine?

It's possible that I've missed something here, and I'd appreciate if someone had the time to clarify...

Regards,
Edaph
 
Old 05-20-2004, 02:41 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 65
You don't really need to NAT to the windows box on your home network - you could, like you say, NAT it, then use ssh to map the port on the loopback address of the linux box. It would be easier to do this from your work:
ssh -L 5900:192.168.0.50:5900 -l root -N public.ip.of.linux

If you are using putty at work you can translate that to:
Map a local port of 5900 to the destination 192.168.0.50:5900

Since you are mapping a local port this implies that the destination host is remote and so it can be anywhere on your home network.
 
Old 05-21-2004, 03:08 AM   #3
Edaph
LQ Newbie
 
Registered: May 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Ah, yes! Of course! Thanks David! I actually had the impression that the connection is forwarded directly to the remote host, i.e. work->Windows box, so that's why I neglected the thought of tunneling as you are suggesting (as it would've required running ssh-server on the windows machine, I thought). Thanks for clearing up the *basics* of ssh port forwarding. I wonder how I've managed to misunderstand the idea so badly... and with that, the babbling about ssh tunnels being a security risk can also be buried. Thanks David!

Regards,
Edaph
 
Old 05-21-2004, 05:03 AM   #4
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Rep: Reputation: 49
As silly as this sounds, could you explain that just a biiiiit slower, David? My mind just can't connect the dots as they've been explained thus far. Basically he's just linking port 5900 on his *nix box to an internal IP? If that's the case, cool and I got it! I'm still new to tunnelling / port forwarding / et cetera and am trying to learn more more more!

-- Poetics
 
Old 05-21-2004, 07:23 PM   #5
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 65
Yes, that's right. I think the best way to draw it is:
Code:
(Work PC)===>{Internet}===>(Home Linux)--->(Home Windows)

= is an encrypted connection
- is not an encrypted connection
So, from the Work PC you create a secure tunnel to your Home Linux box. From there the Home Linux box connects to the Home Windows machine.

In the example of running this at work:
ssh -L 5900:192.168.0.50:5900 -l root -N public.ip.of.linux

-L 5900 Open a port (5900) on the local machine (the Work PC is local as it is initiating the connection)
192.168.0.50:5900 The host and port on the other side of the tunnel (the other side must be remote in this case since the created port is local)
-l root The username is root
-N Don't run a command when you login (good if you are leaving the connected machine unattended as you don't leave a shell open)
public.ip.of.linux The remote machine to connect to (in this case Home Linux)

The above would let you access the VNC server of the machine "192.168.0.50" in your home lan from the Work PC by getting the vnc client on the Work PC to connect to the work PC itself.




In the example of running this at work:
ssh -R 5900:127.0.0.1:5900 -l root -N public.ip.of.linux

-R 5900 Open a port (5900) on the remote machine (the Home Linux box is remote as the Work PC is initiating the connection)
127.0.0.1:5900 The host and port on the other side of the tunnel (the other side must be local in this case since the created port is remote)
-l root The username is root
-N Don't run a command when you login (good if you are leaving the connected machine unattended as you don't leave a shell open)
public.ip.of.linux The remote machine to connect to (in this case Home Linux)

The above in this case would let you access the VNC server of the Work PC "127.0.0.1" (this could be any ip on your work network - I just wanted to show that it could be done with a loopback address) by VNCing to the Home Linux box.

When mapping remote ports you may only be able to vnc from Home Linux to Home Linux. This is because sshd server only lets you bind ports to the loopback address by default. You can change this behaviour by adding "GatewayPorts YES" in sshd_config and restarting sshd (firewalls may also be an issue in this instance)

If there is anything that I haven't made clear then let me know and I'll see if I can reword it a bit more

Last edited by david_ross; 05-21-2004 at 07:24 PM.
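The two commands explained in this post, and the port mapping from post #2, as an added example that is not code from the thread: a small Python model of the ssh(1) forwarding syntax `[bind_address:]port:host:hostport` that reports which side holds the listening socket, which address it is bound to, and which side opens the onward TCP connection to the target. The GatewayPorts values it models ("no", "yes", "clientspecified") are the ones documented for sshd_config; the iptables chain names are the standard ones; nothing here opens a socket. It answers the question from post #1 as well: for `-L 5900:192.168.0.50:5900` the connection to the Windows box is originated by sshd on the Linux box itself, so it is a locally generated connection (OUTPUT chain), not a routed one (FORWARD), and no DNAT is needed.

```python
"""Model ssh -L / -R forwardings: where the listener binds and where the
onward connection comes from. Added example, not from the thread."""
from dataclasses import dataclass


@dataclass
class Forward:
    flag: str            # "-L" or "-R"
    bind_address: str    # address the listening socket is bound to
    listen_port: int
    target_host: str     # host the far end connects to once a client arrives
    target_port: int
    listener_side: str   # "client" (the ssh process) or "server" (sshd)
    connector_side: str  # side that opens the onward TCP connection


def parse_forward_spec(flag: str, spec: str, gateway_ports: str = "no") -> Forward:
    """Parse ssh(1) syntax [bind_address:]port:host:hostport for -L or -R.

    gateway_ports models the sshd_config GatewayPorts setting on the server
    ("no", "yes" or "clientspecified"); it only matters for -R.
    """
    if flag not in ("-L", "-R"):
        raise ValueError("flag must be -L or -R")
    parts = spec.split(":")
    if len(parts) == 3:
        requested_bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        requested_bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad forwarding spec: {spec!r}")
    # In ssh(1) syntax an empty bind_address or "*" means "all interfaces".
    if requested_bind in ("", "*"):
        requested_bind = "0.0.0.0"
    if requested_bind == "localhost":
        requested_bind = "127.0.0.1"

    if flag == "-L":
        # The ssh client listens; without an explicit bind_address (or -g)
        # the port stays on loopback, so only the client machine can use it.
        bind = requested_bind or "127.0.0.1"
        listener, connector = "client", "server"
    else:
        # sshd listens; GatewayPorts decides whether a non-loopback bind is
        # allowed at all. With "no" the requested bind_address is ignored.
        if gateway_ports == "yes":
            bind = "0.0.0.0"
        elif gateway_ports == "clientspecified":
            bind = requested_bind or "127.0.0.1"
        else:
            bind = "127.0.0.1"
        listener, connector = "server", "client"
    return Forward(flag, bind, int(port), host, int(hostport), listener, connector)


def onward_connection(fwd: Forward) -> dict:
    """Describe the TCP connection the connector side opens to the target.

    A packet filter on that side sees a locally originated connection
    (iptables OUTPUT chain), never a routed one (FORWARD), because the
    tunnel ends in the ssh/sshd process and a fresh socket is opened from it.
    """
    via_loopback = fwd.target_host in ("127.0.0.1", "localhost", "::1")
    return {
        "originates_on": fwd.connector_side,
        "to": f"{fwd.target_host}:{fwd.target_port}",
        "interface": "lo" if via_loopback else "the interface routing to the target",
        "iptables_chain": "OUTPUT",
    }


if __name__ == "__main__":
    # The two commands from the post, run from the Work PC.
    for flag, spec in (("-L", "5900:192.168.0.50:5900"), ("-R", "5900:127.0.0.1:5900")):
        fwd = parse_forward_spec(flag, spec)
        print(f"{flag} {spec}: {fwd.listener_side} listens on "
              f"{fwd.bind_address}:{fwd.listen_port}; {onward_connection(fwd)}")
```

The second case also shows why the post's "you may only be able to vnc from Home Linux to Home Linux" caveat holds: with the default GatewayPorts setting, sshd ignores any bind address the client asked for and keeps the remote listener on 127.0.0.1.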
 
Old 05-22-2004, 12:46 AM   #6
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Rep: Reputation: 49
Took a few re-readthroughs on that second example, but I'm grateful you took the time to explain it -- very very useful stuff. Definitely something I'd love to know more about as I plunge deeper and deeper into the power of linux networking!

-- Poetics

Edit: The Affero button isn't working. Failure in a script on their site.

Last edited by Poetics; 05-22-2004 at 12:51 AM.
 
Old 05-23-2004, 08:00 AM   #7
sonesay
Member
 
Registered: May 2004
Location: AUCKLAND
Distribution: Fedora core 2 , RH9
Posts: 64

Rep: Reputation: 15
ok newbie here. I've been trying to spend as much time as I can on linux. at home i have this setup

(internet)====(windows 2k)---------(redhat 9)-- (windows xp)

my 3 computers are networked through a hub. the windows 2000 machine is sharing the internet connection. I don't have a monitor for my linux box so i just ssh to it when i am on my xp machine. I would rather set up my linux for the internet sharing but I don't have time at the moment. and I hate being offline trying to get my modem to work. I haven't attempted it yet. anyway when I am at school is there a way for me to ssh to my linux box? is it a dumb thing to do? should i get rid of windows 2000?
thanks for your replies.

Last edited by sonesay; 05-23-2004 at 08:01 AM.
 
Old 05-23-2004, 10:55 AM   #8
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 65
For security I wouldn't recommend having a windows machine on the edge of your network. You can do it though if you install AnalogX portmapper or equivalent and forward port 22 to the IP of your linux box.
http://www.analogx.com/contents/down...rk/pmapper.htm
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH-Tunnels, Firewall, VNC bojo Linux - Security 3 03-16-2006 06:08 AM
Server Defined SSH Tunnels dlublink Linux - Software 1 09-29-2005 09:11 PM
VNC over SSH or ????? alirezan1 Mandriva 2 01-04-2005 11:55 AM
Creating a router out of SSH Tunnels. Technoslave Linux - Networking 1 10-04-2004 07:07 PM
Automatic SSH Tunnels fearofcarpet Linux - Software 1 12-05-2003 12:36 AM


All times are GMT -5. The time now is 09:24 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration