LinuxQuestions.org

Linux - General: SSH tunneling issue (https://www.linuxquestions.org/questions/linux-general-1/ssh-tunneling-issue-4175466308/)

doruneda 06-17-2013 04:09 AM

SSH tunneling issue
 
Self-answered (solution identified, but not the cause).
The text in grey has proved to be a bunch of wrong conclusions.
The corrections and details are to be found in the reply below.


Hi,

I've recently received a request to install and prepare a machine (virtual, with VMware) for an application server on the internet. This server should be accessible on port 8080, where a JBoss application is listening and providing a web interface.
The server should also be accessible directly from the intranet (other servers) on the same port. However, in our company the following policies are applied: internet -> intranet (no connections allowed), intranet -> internet SSH port allowed (through a firewall with NAT, although all our IP addresses are public addresses).

Having the following:
subnet A - lab internet network
subnet B - lab intranet network 1
subnet C - lab intranet network 2
subnet D - office intranet network
machine X - VM running Red Hat in A to hold the web application
machine Y - VM running CentOS in B to hold a tunnel to X
machine Z - another VM running Red Hat in C
mylaptop - me in the office
Policies
A->*, all reject
B,C,D->A 22 allow, all reject(firewall with NAT)
B,C<->D all allow(firewalled)
B<->C all allow(routed only)

So i did the following:
I created X and assigned it to A. I then created Y and assigned it to B. I then launched the tunnel on Y: #ssh -fgNL 8080:127.0.0.1:8080 user@ipX

Now any browser connecting to http://ipY:8080 should automatically receive the responses from ipX:8080

What actually happens:
If I connect from mylaptop to http://ipY:8080, 6 HTTP requests are launched. 3 of those finish and 3 do not. I experience a pretty high load time (for just a login page). The tunnel hangs in that status with those TCP connections and dies in a few minutes.
If I connect from Z to http://ipY:8080, the same as above happens.
If I connect from Y (to itself) to http://127.0.0.1:8080, 6 HTTP requests are launched. All 6 finish and everything works great.
If I connect from another VM in the same subnet B to http://127.0.0.1:8080, 6 HTTP requests are launched. All 6 finish and everything works great.
So from what I see, everything outside the subnet of the tunnel head is going chaotic. I only have 1 network interface on all machines, so I think it shouldn't be a routing problem.

Even stranger: if I launch the tunnel from mylaptop (running Windows) to A, all other machines in the intranet are tunneled perfectly.

Any ideas what is going on and where I should investigate further?

Thank you,

linosaurusroot 06-17-2013 09:02 PM

If you've started with 1 http connection and soon after got 6 that will be because a page served by X contains links. And probably they are not links relative to the page but contain ipX or 127.0.0.1 or something else that doesn't make sense from some of your client locations.

doruneda 06-19-2013 09:56 AM

final conclusions and solution
 
I mentioned in my first post that if I connect from the same subnet as the tunnel server everything works fine. I was actually wrong: everything worked fine because of an old Firefox loading each part of the page serially.

After many Wireshark/telnet and other investigations I noticed that:
If I have multiple page elements, modern browsers load a bunch of them over concurrent connections. The problem is that if I had more than 3 TCP connections going through the tunnel, all of them hung (nothing reached the end of the tunnel), and after a few minutes the tunnel itself died.
Still wondering whether this is an SSH issue or not (PuTTY from my laptop was tunneling just fine under any conditions), I cloned the internet server VM and put the clone in the intranet. I modified the tunnel to point to this new machine and, surprise, NO PROBLEMS!
After this I concluded it either has to do with the firewalls (though I doubt they can sense encrypted TCP connections in the tunnel) or with the combination of firewalls + SSH client.

The solution:
I thought of many things: firewalls being able to distinguish tunneled conversations (from a numeric perspective), SSH failing due to the overhead added to the original frames and somehow messing up the data, etc.
I then had the idea to try the -C option. This adds compression to the tunnel. It should be used only where the connections are slow (not my case, but I gave it a try). The surprise is that after this I was able to tunnel perfectly. I tested with a page displaying 100 different images of 1.6 MB each. All went fine (except my browser, which hated me for that :) ).
I worried about the CPU overhead that will be added by the compression. There was no noticeable increase in CPU consumption.
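The post above narrows the fault to "more than 3 concurrent TCP connections through the forward hang", found by hand with Wireshark and telnet. The probe below is an added example (not code from this thread) that automates that check: it opens N connections at the same instant against a host:port, sends one minimal HTTP/1.0 request on each, and tallies how many complete, time out, or fail. Pointed at the tunnel head (http://ipY:8080 in the post) with N = 1, 3, 4, 6 it shows directly whether the forward stalls past some number of open channels, independent of whatever browser happens to be in use. The two local servers in the block are constructed test doubles (one that answers, one that accepts and never replies) so the probe can be exercised offline; host names, ports and function names are assumptions. One caveat on the original command worth keeping in mind: `-g` binds the forwarded port on all interfaces of Y, so anything that can reach Y:8080 gets an unauthenticated path into X:8080; binding the listener to a specific address (`-L ipY:8080:127.0.0.1:8080`) or fronting it with a host firewall rule keeps that exposure deliberate.

```python
"""Concurrency probe for an HTTP endpoint reached through an SSH port forward.

Added example, not part of the original thread. Host, port and the two
local servers are constructed for offline use; point `probe()` at the
real tunnel head (e.g. ipY:8080) to reproduce the hang described above.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def fetch_once(host, port, path="/", timeout=5.0):
    """One connection, one HTTP/1.0 request. The server closes after the
    response, so reading to EOF marks the end of the exchange.
    Returns (kind, detail) with kind in {"ok", "timeout", "error"}."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            data = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
            status = data.split(b"\r\n", 1)[0].decode(errors="replace")
            return ("ok", status)
    except socket.timeout:
        # Connected (or queued in the backlog) but nothing came back: the
        # "channel opened, nothing reaches the far end" symptom from the post.
        return ("timeout", f"no response within {timeout:.1f}s")
    except OSError as exc:
        return ("error", str(exc))


def probe(host, port, concurrency, timeout=5.0):
    """Fire `concurrency` requests simultaneously and tally the outcomes."""
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(lambda _: fetch_once(host, port, timeout=timeout),
                                range(concurrency)))
    summary = {"ok": 0, "timeout": 0, "error": 0}
    for kind, _detail in results:
        summary[kind] += 1
    return summary


class _OkHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the application's login page: answers every GET."""

    def do_GET(self):
        body = b"<html>login</html>\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep probe output readable


def start_healthy_server():
    """Threaded HTTP server on an ephemeral loopback port (constructed test double)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def start_stalled_listener():
    """Accepts connections but never answers: models a forward whose
    channels hang (constructed test double)."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(16)
    held = []

    def run():
        while True:
            try:
                conn, _ = lst.accept()
            except OSError:
                return
            held.append(conn)  # keep it open, send nothing back

    threading.Thread(target=run, daemon=True).start()
    return lst, lst.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_healthy_server()
    for n in (1, 3, 4, 6):
        print(f"healthy endpoint, {n} concurrent:", probe("127.0.0.1", port, n))
    srv.shutdown()
    lst, port = start_stalled_listener()
    print("stalled endpoint, 4 concurrent:", probe("127.0.0.1", port, 4, timeout=1.0))
    lst.close()
```

Against a real forward, run the probe once from Y itself against 127.0.0.1:8080 and once from a host in another subnet against ipY:8080; a result where N=3 is all "ok" but N=4 or N=6 shows timeouts while the direct run stays clean is the same split the thread reports, and it isolates the tunnel (or whatever sits between the two subnets) from the browser and from the application.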

doruneda 06-19-2013 10:18 AM

Quote:

Originally Posted by linosaurusroot (Post 4973868)
If you've started with 1 http connection and soon after got 6 that will be because a page served by X contains links. And probably they are not links relative to the page but contain ipX or 127.0.0.1 or something else that doesn't make sense from some of your client locations.

Thank you for your time. My problem is not that i don't know why i have more than one connection, but why my SSH tunnel fails to tunnel those conversations.

To make it clearer: at the first moment of requesting a page, the browser requests that page (file) only. After receiving and parsing it, it starts a number of concurrent TCP connections for loading the page elements (CSS files, image files, script files, etc.). After this, other TCP connections are also made, requesting information if the page uses AJAX-like parts. It has nothing to do with links (I'm not dumping the site content, but browsing it), nor does it have anything to do with the paths of the files. All the page elements in my case were defined with relative paths.

