SSH Tunnels

pricejm · 01-02-2008, 11:17 AM

Having trouble getting an SSH tunnel to connect to my Slackware 12.0 box.

Here's my setup:

- EXTERNAL_BOX: putty to SLACKWARE_12:SSH_PORT, tunnel 1111 (local) to SLACKWARE_12:FORWARDING_PORT
- ROUTER: forwards port SSH_PORT to SLACKWARE_12 (which I can log in fine) and forwards FORWARDING_PORT to SLACKWARE_12
- SLACKWARE_12:
...sshd_conf:

Code:

AllowTcpForwarding yes

...firewall: allows the FORWARDING_PORT

Now I've tried it behind the router with the same results: Connection refused.

I don't know if it is sshd stopping the tunnel or what. inetd?

I'll try a local tunnel to see if I can at least do that.

Thanks.

Shade · 01-02-2008, 02:26 PM

This might help. Depending on what you're trying to tunnel, you could use SSH as a socks proxy.

http://tipotheday.com/2007/12/16/bor...r-connections/

pricejm · 01-06-2008, 08:16 PM

I'll have to try the SSH and SOCKS out...

So I can do this:

# ssh -L 2001:localhost:25 localhost

then in that session I can telnet to localhost 2001 and get my smtp...

So I still don't know why it want let any external sessions.

If I add a "PermitOpen 192.168.1.100:7838" to the sshd_config I'll get the error message in Putty: Forwarded connection refused by server: Administratively prohibited [open failed]

Something's changing for sure.

If I had the "PermitOpen any" I get the connection refused again.

The ports are open through the firewall, unless I'm screwing that up (I'm getting different responses, so I'd think I have the firewall right though).

I'm totally baffled at this point.

Alien_Hominid · 01-07-2008, 03:32 AM

Disable firewall for now.

pricejm · 01-07-2008, 10:33 AM

I set the firewall to accept all by default.

Something I thought was interesting:

...
sshd[12657]: debug1: server_request_direct_tcpip: originator 0.0.0.0 port 0, target server.com port 7777
...

When it works from my router, i.e. ssh -L 2000:server:25 or whatever, I get:
sshd[12550]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 59556, target server.com port 25

So maybe figuring out why I'm not getting an originating IP might fix me.

pricejm · 01-07-2008, 10:55 AM

OK. I might be an idiot, but this seemed to fix it:

The hostname has always been domain-serv, since I always thought of my router as being domain.com...so after running `hostname domain.com`...bam! It finally works...

I guess sometimes it is too simple. sshd had to be resolving domain.com to my router, ergo the connection failed.

I spent a couple weeks on this just for one command to fix it...but I learned much in the process.

Now I'm only a Level 2 idiot.