Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
05-09-2013, 12:43 AM | #1 | Senior Member | Registered: Aug 2005 | Location: Brazil | Distribution: Debian | Posts: 1,538
Let other machine use localhost tunnel
I am sharing my notebook's Internet connection with a Wi-Fi router through an Ethernet cable. This router then provides connection to other devices (phone/tablet).
I always have an SSH tunnel running on this notebook, so I can check my email securely:
Code:
autossh -f -q -f -N -C -T \
$USER@$SERVER \
-L 22225:0.0.0.0:25 \
-L 11110:0.0.0.0:110
I used to link -L 11110:127.0.0.1:110, but after reading I found out that 127.0.0.1 restricts incoming connections to the local machine, while 0.0.0.0 is supposed to allow them from other machines as well. So I changed it, but that didn't solve my problem.
Moving on, I configure my email client to poll 127.0.0.1:11110 instead of server.com:110. Okay, it works.
But now I am sharing the connection with other devices, say the tablet. I want the tablet to use that same tunnel.
I know that my notebook's IP address is 10.41.42.1 because ifconfig told me so and I have Apache running and I can browse my test page on http://10.41.42.1:port from the tablet.
So I thought that polling my mail through 10.41.42.1:11110 on the tablet would work, but it doesn't.
Wasn't 0.0.0.0 supposed to solve that problem? Do I have to open something up with iptables to let the tablet use the tunnel that runs constantly on the notebook?
05-09-2013, 03:34 AM | #2 | acid_kewpie, Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
The IP in the middle of the string is the destination to be connected to from the remote machine. Making it 0.0.0.0 will not make anything work (unless it somehow defaults to localhost or something I'm not aware of).
If you want someone to be able to connect to the tunnel on your local machine, then you don't need to do anything special in ssh at all. It's more likely that iptables is not permitting the traffic into the box.
You can specify a single local IP to listen on by adding the optional bind_address ("-L [bind_address:]port:host:hostport"), but you shouldn't need to. When your tunnel is up, check what's listening locally with "netstat -plnt" and you should see an entry for 0.0.0.0:11110 or something. That'll show it's listening on ALL interfaces.
05-09-2013, 11:13 AM | #3 | Senior Member (Original Poster) | Registered: Aug 2005 | Location: Brazil | Distribution: Debian | Posts: 1,538
I thought that maybe iptables was blocking something, but I am not so convinced. If iptables were blocking it, I wouldn't be able to ping 10.41.42.1 from the phone, which I can.
On the other hand, I can't ping 10.41.42.1:9000, but I can view it with the browser.
I find networking very confusing.
05-09-2013, 12:42 PM | #4 | acid_kewpie, Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
You can't "ping" 10.41.42.1:9000; that doesn't make sense. You ping IP addresses, not ports. Show us the output of "iptables -vnL" on the box; that'll show the current ruleset.
05-09-2013, 04:07 PM | #5 | Senior Member (Original Poster) | Registered: Aug 2005 | Location: Brazil | Distribution: Debian | Posts: 1,538
# iptables -vnL
Code:
Chain INPUT (policy DROP 6 packets, 312 bytes)
pkts bytes target prot opt in out source destination
11 3545 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
587 37877 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
9547 1310K DROP all -- * * 192.168.0.0/16 0.0.0.0/0
47354 21M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1319 103K ACCEPT all -- eth0 * 10.41.42.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:67
951 58007 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
438 63050 TRUSTED all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2734 1704K ACCEPT all -- * eth0 0.0.0.0/0 10.41.42.0/24 state RELATED,ESTABLISHED
3323 539K ACCEPT all -- eth0 * 10.41.42.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * eth0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- eth0 tun0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun0 eth0 0.0.0.0/0 0.0.0.0/0
747 137K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
375 43710 ACCEPT all -- eth0 * 10.41.42.0/24 0.0.0.0/0 state NEW
0 0 TRUSTED all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- wlan0 eth0 10.41.42.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 25825 packets, 15M bytes)
pkts bytes target prot opt in out source destination
434 37622 ACCEPT icmp -- * eth0 0.0.0.0/0 10.41.42.0/24
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain TRUSTED (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.1.204 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 172.16.116.1 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 172.16.190.1 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.88.250.1 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.41.42.1 icmp type 8
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
438 63050 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
05-09-2013, 04:20 PM | #6 | acid_kewpie, Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
Right, so no, there's no rule to permit, for example, 11110 into the system.
05-09-2013, 11:03 PM | #7 | Senior Member (Original Poster) | Registered: Aug 2005 | Location: Brazil | Distribution: Debian | Posts: 1,538
Quote:
Originally Posted by acid_kewpie
right, so no, there's no rule to permit, for example, 11110 into the system.
I am not sure your statement is correct.
I am using a firewall script; I don't remember where I got it, but I think it was in the Ubuntu repository. It's a script that begins like this:
Code:
#!/bin/bash
#
# rc.firewall Linux Firewall version 2.0rc9 -- 05/02/03
# http://projectfiles.com/firewall/
#
# Copyright (C) 2001-2003 Scott Bartlett <srb@mnsolutions.com>
Don't bother going to projectfiles.com, it is just a link farm now.
Further down, the script goes like this:
Code:
# The PERMIT option below allows remote access to this machine
# in the three ways listed below. Note that blah blah blah...
PERMIT="10.41.42.0/24"
DENY="198.168.0.0/24 198.168.1.0/24"
# List internal (private) interfaces here to allow this machine to act as a
# router. All interfaces NOT listed here are considered external (public)
# and will be automatically protected by the firewall.
# Example: INTERNAL_INTERFACES="eth1 eth2 brg0"
INTERNAL_INTERFACES="eth0"
Please note these two lines:
PERMIT="10.41.42.0/24"
INTERNAL_INTERFACES="eth0"
I am indeed trying to connect from a tablet that is connected to a router that is connected to the notebook through eth0. And eth0 is marked as an INTERNAL, i.e. trusted, interface. Everything to and from the notebook and eth0 should be free to move unhindered.
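The INPUT chain posted in #5 can be walked mechanically rather than by eye. The Python below is an added example, not from the thread and not part of the rc.firewall script: it embeds the INPUT and TRUSTED chains exactly as pasted above (FORWARD and OUTPUT are left out, since only INPUT decides whether a packet may reach a service on the notebook itself), implements a simplified first-match evaluation (protocol, inbound interface, source, destination, destination port, conntrack state and ICMP type, with user-chain jumps falling through if nothing in the sub-chain matches), and traces a constructed packet from the tablet (assumed address 10.41.42.5) to 10.41.42.1:11110. The walk ends at the seventh rule, `ACCEPT all -- eth0 * 10.41.42.0/24 0.0.0.0/0 state NEW`, so the filter admits new TCP connections from the eth0 subnet to any local port; a client arriving on another interface falls into the TRUSTED chain and is rejected, and anything sourced from 192.168.0.0/16 is dropped by rule five.

```python
"""Trace a packet through the INPUT chain of an `iptables -vnL` listing. Added example,
not from the thread or the rc.firewall script: a simplified first-match evaluation."""
import ipaddress
import re
from collections import namedtuple

# INPUT and TRUSTED chains exactly as posted in #5 (FORWARD/OUTPUT omitted: only INPUT
# decides whether a packet may reach a service on the notebook itself).
RULESET = """\
Chain INPUT (policy DROP 6 packets, 312 bytes)
pkts bytes target prot opt in out source destination
11 3545 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
587 37877 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
9547 1310K DROP all -- * * 192.168.0.0/16 0.0.0.0/0
47354 21M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1319 103K ACCEPT all -- eth0 * 10.41.42.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:67
951 58007 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
438 63050 TRUSTED all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain TRUSTED (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.1.204 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 172.16.116.1 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 172.16.190.1 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.88.250.1 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.41.42.1 icmp type 8
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
438 63050 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""

Rule = namedtuple("Rule", "target proto in_if src dst dport states icmp_type")
# A packet as the filter sees it; state is the conntrack state (NEW/ESTABLISHED/RELATED/INVALID).
Packet = namedtuple("Packet", "proto in_if src dst dport state icmp_type",
                    defaults=(None, "NEW", None))
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_ruleset(text):
    """Return ({chain: [Rule, ...]}, {chain: policy, or None for user-defined chains})."""
    chains, policies, current = {}, {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current], policies[current] = [], m.group(2)
            continue
        f = line.split()
        if not f or f[0] == "pkts":
            continue
        # columns: pkts bytes target prot opt in out source destination [match options]
        ext, dport, states, icmp_type = f[9:], None, None, None
        for i, tok in enumerate(ext):
            if tok.startswith("dpt:"):
                dport = int(tok[4:])
            elif tok == "state":
                states = set(ext[i + 1].split(","))
            elif tok == "type":                          # "icmp type 8"
                icmp_type = int(ext[i + 1])
        chains[current].append(Rule(f[2], f[3], f[5], ipaddress.ip_network(f[7]),
                                    ipaddress.ip_network(f[8]), dport, states, icmp_type))
    return chains, policies

def matches(rule, pkt):
    return ((rule.proto == "all" or rule.proto == pkt.proto)
            and (rule.in_if == "*" or rule.in_if == pkt.in_if)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.states is None or pkt.state in rule.states)
            and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type))

def trace(chains, policies, chain, pkt, path):
    """Walk one chain in order; return its verdict, or None if a user chain fell through."""
    for idx, rule in enumerate(chains[chain], start=1):
        if not matches(rule, pkt):
            continue
        path.append(f"{chain}#{idx}->{rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target in chains:                        # jump into a user-defined chain
            verdict = trace(chains, policies, rule.target, pkt, path)
            if verdict is not None:
                return verdict
    policy = policies.get(chain)                          # built-in chains end at their policy
    if policy:
        path.append(f"{chain}:policy->{policy}")
    return policy

def verdict_for(pkt, ruleset=RULESET):
    """Verdict for a packet entering INPUT, plus the rules it touched on the way."""
    chains, policies = parse_ruleset(ruleset)
    path = []
    return trace(chains, policies, "INPUT", pkt, path), path

if __name__ == "__main__":
    tablet = Packet("tcp", "eth0", "10.41.42.5", "10.41.42.1", dport=11110)  # constructed
    print(verdict_for(tablet))
```

Because the filter passes the tablet's connection, the remaining variable is the local address the tunnel is bound to, which is exactly what the bind-address field of `-L` controls.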
05-16-2013, 03:34 AM | #8 | Senior Member (Original Poster) | Registered: Aug 2005 | Location: Brazil | Distribution: Debian | Posts: 1,538
Someone helped me in another forum. Here is the solution:
Code:
autossh -f -q -f -N -C -T \
$USER@$SERVER \
-L *:22225:0.0.0.0:25 \
-L *:11110:0.0.0.0:110
Those asterisks make it work as I expected.
Solved.
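Why the asterisk matters, as an added note and example that are not part of the thread: in `-L [bind_address:]port:host:hostport` the first field is the local address ssh listens on, and with the default GatewayPorts setting an omitted bind address means the loopback address only, so `-L 11110:0.0.0.0:110` was listening on 127.0.0.1:11110 and the tablet could never reach it regardless of what iptables allowed. The middle field is only the destination the remote server connects to (on Linux a destination of 0.0.0.0 reaches the server's own loopback, which is why the mail fetch works at all). `*` binds every local interface, including wlan0 whenever it is up; binding to the Ethernet address explicitly (`-L 10.41.42.1:11110:0.0.0.0:110`) keeps the listener on the LAN side alone. Since an unquoted `*` is also a shell glob, quoting the whole `-L` argument is the safer spelling. The script below does the check suggested in #2 mechanically: it parses `ss -lnt` output (`netstat -plnt` has the same Local Address:Port column) and reports which of those cases each port is in. The sample output is constructed, and the notebook address 10.41.42.1 is taken from #1.

```python
"""Report who can reach each listening port, from `ss -lnt` output. Added example,
not from the thread; assumes the notebook's LAN address 10.41.42.1 as stated in #1."""

# Constructed sample in `ss -lnt` format (`netstat -plnt` has the same Local Address:Port
# column). 11110 is what the OP's original `-L 11110:...` produces (loopback only),
# 22225 what `-L *:22225:...` produces (every interface), 9000 a service bound to the
# LAN address alone, and 22 an IPv6 wildcard as ss prints it.
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    127.0.0.1:11110     0.0.0.0:*
LISTEN  0      128    [::1]:11110         [::]:*
LISTEN  0      128    0.0.0.0:22225       0.0.0.0:*
LISTEN  0      128    10.41.42.1:9000     0.0.0.0:*
LISTEN  0      128    *:22                *:*
"""

WILDCARDS = {"0.0.0.0", "*", "::"}            # listening on every interface

def listeners(ss_output):
    """Map each listening port to the set of local addresses bound to it."""
    bound = {}
    for line in ss_output.splitlines()[1:]:     # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # "[::1]:11110" -> "[::1]", "11110"
        bound.setdefault(int(port), set()).add(addr.strip("[]"))
    return bound

def scope(addrs, lan_ip):
    """One of 'none', 'loopback-only', 'lan-only', 'all-interfaces' or 'other'."""
    if not addrs:
        return "none"
    if addrs & WILDCARDS:
        return "all-interfaces"
    specific = {a for a in addrs if not (a.startswith("127.") or a == "::1")}
    if not specific:
        return "loopback-only"
    if specific == {lan_ip}:
        return "lan-only"
    return "other"

def tunnel_scope(port, ss_output=SAMPLE_SS, lan_ip="10.41.42.1"):
    return scope(listeners(ss_output).get(port, set()), lan_ip)

def lan_reachable(port, ss_output=SAMPLE_SS, lan_ip="10.41.42.1"):
    """True if a LAN client (the tablet) can reach the socket at all; the packet
    filter is a separate check that comes after this one."""
    addrs = listeners(ss_output).get(port, set())
    return bool(addrs & WILDCARDS) or lan_ip in addrs

if __name__ == "__main__":
    for port in (11110, 22225, 9000, 22):
        print(port, tunnel_scope(port), "reachable from LAN:", lan_reachable(port))
```

Run it against real output with `tunnel_scope(11110, subprocess.check_output(["ss", "-lnt"], text=True))`; a `loopback-only` result for the tunnel port is the bind-address problem, an `all-interfaces` result with the connection still failing points back at the packet filter.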