LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-08-2013, 11:43 PM   #1
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian Jessie, Slackware
Posts: 661

Rep: Reputation: 72
Let other machine use localhost tunnel


I am sharing my notebook's Internet connection with a Wifi router through an Ethernet cable. This router then provides connection to other devices (phone/tablet).

I always have an SSH tunnel running on this notebook, so I can check my email securely:

Code:
autossh -f -q -f -N -C -T \
	$USER@$SERVER \
	-L 22225:0.0.0.0:25 \
	-L 11110:0.0.0.0:110
I used to link -L 11110:127.0.0.1:110, but after reading I found out that 127.0.0.1 restricts incoming connections to the local machine, while 0.0.0.0 is supposed to allow them from other machines as well. So I changed it, but that didn't solve my problem.

Moving on, I configure my email client to poll 127.0.0.1:11110 instead of server.com:110. Okay, it works.

But now I am sharing the connection with other devices, say the tablet. I want the tablet to use that same tunnel.

I know that my notebook's IP address is 10.41.42.1 because ifconfig told me so and I have Apache running and I can browse my test page on http://10.41.42.1:port from the tablet.

So I thought that polling my mail through 10.41.42.1:11110 on the tablet would work, but it doesn't.

Wasn't 0.0.0.0 supposed to solve that problem? Do I have to open something up with iptables to let the tablet use the tunnel that runs constantly on the notebook?
 
Old 05-09-2013, 02:34 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970
the IP in the middle of the string is the destination to be connected to from the remote machine. making it 0.0.0.0 will not make anything work (unless it somehow defaults to localhost or something I'm not aware of.

If you want someone to be able to connect to the tunnel on your local machine, then you don't need to do anything special in ssh at all. It's more likely that iptables is not permitting the traffic into the box.

you can specify a single local IP to listen on by adding the optional bind_address "-L [bind_address:]port:host:hostport", but you shouldn't need to. when your tunnel is up, check what's listening locally with "netstat -plnt" and you should see an entry for 0.0.0.0:11110 or something. that'll show it's listening on ALL interfaces.
 
Old 05-09-2013, 10:13 AM   #3
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian Jessie, Slackware
Posts: 661

Original Poster
Rep: Reputation: 72
I thought that maybe iptables was blocking something, but I am not so convinced. If iptables were blocking it, I wouldn't be able to ping 10.41.42.1 from the phone, which I can.

On the other hand, I can't ping 10.41.42.1:9000, but I can view it with the browser.

I find networking very confusing.
 
Old 05-09-2013, 11:42 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970
you can't "ping" 10.41.42.1:9000, that doesn't make sense. you ping IP addresses, not ports. show us the output of "iptables -vnL" on the box, that'll show the current ruleset.
 
Old 05-09-2013, 03:07 PM   #5
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian Jessie, Slackware
Posts: 661

Original Poster
Rep: Reputation: 72
# iptables -vnL

Code:
Chain INPUT (policy DROP 6 packets, 312 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   11  3545 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67 
  587 37877 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
 9547 1310K DROP       all  --  *      *       192.168.0.0/16       0.0.0.0/0           
47354   21M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 1319  103K ACCEPT     all  --  eth0   *       10.41.42.0/24        0.0.0.0/0           state NEW 
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:67 
  951 58007 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
  438 63050 TRUSTED    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2734 1704K ACCEPT     all  --  *      eth0    0.0.0.0/0            10.41.42.0/24       state RELATED,ESTABLISHED 
 3323  539K ACCEPT     all  --  eth0   *       10.41.42.0/24        0.0.0.0/0           
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0           
  747  137K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  375 43710 ACCEPT     all  --  eth0   *       10.41.42.0/24        0.0.0.0/0           state NEW 
    0     0 TRUSTED    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 ACCEPT     all  --  wlan0  eth0    10.41.42.0/24        0.0.0.0/0           state NEW 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT 25825 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  434 37622 ACCEPT     icmp --  *      eth0    0.0.0.0/0            10.41.42.0/24       
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 

Chain TRUSTED (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.1.204       icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            172.16.116.1        icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            172.16.190.1        icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            10.88.250.1         icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            10.41.42.1          icmp type 8 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
  438 63050 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 
Old 05-09-2013, 03:20 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970Reputation: 1970
right, so no, there's no rule to permit, for example, 11110 into the system.
 
Old 05-09-2013, 10:03 PM   #7
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian Jessie, Slackware
Posts: 661

Original Poster
Rep: Reputation: 72
Quote:
Originally Posted by acid_kewpie View Post
right, so no, there's no rule to permit, for example, 11110 into the system.
I am not sure your statement is correct.

I am using a firewall script which I don't remember where I got, but I think it was on the Ubuntu repository. It's a script that begins like this:

Code:
#!/bin/bash
#
# rc.firewall Linux Firewall version 2.0rc9 -- 05/02/03
# http://projectfiles.com/firewall/                                
#
# Copyright (C) 2001-2003 Scott Bartlett <srb@mnsolutions.com>
Don't bother going to projectfiles.com, it is just a link farm now.

Further down, the script goes like this:

Code:
# The PERMIT option below allows remote access to this machine 
# in the three ways listed below. Note that blah blah blah...

PERMIT="10.41.42.0/24"
DENY="198.168.0.0/24 198.168.1.0/24"

# List internal (private) interfaces here to allow this machine to act as a
# router.  All interfaces NOT listed here are considered external (public) 
# and will be automatically protected by the firewall.
# Example: INTERNAL_INTERFACES="eth1 eth2 brg0"

INTERNAL_INTERFACES="eth0"
Please note these two lines:

PERMIT="10.41.42.0/24"
INTERNAL_INTERFACES="eth0"

I am indeed trying to connect from a tablet that is connected to a router that is connected to the notebook through eth0. And eth0 is marked as an INTERNAL i.e. trusted interface. Everything to and from the notebook and eth0 should be free to move unhindered.
 
Old 05-16-2013, 02:34 AM   #8
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian Jessie, Slackware
Posts: 661

Original Poster
Rep: Reputation: 72
Someone helped me in another forum. Here is the solution:

Code:
autossh -f -q -f -N -C -T \
	$USER@$SERVER \
	-L *:22225:0.0.0.0:25 \
	-L *:11110:0.0.0.0:110
Those asterisks make it work as I expected.

Solved.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
VPN/tunnel to connect back to a remotely installed machine jlinkels Linux - Networking 3 07-20-2012 03:56 AM
[SOLVED] SSH tunnel not accessible from different machine on same network batfastad Linux - Security 6 12-17-2010 07:23 AM
Can I test GRE tunnel on single machine sourabhsinghmanak Linux - Newbie 0 07-26-2007 06:48 AM
Reverse SSH tunnel active only from localhost andreag Linux - Networking 2 12-19-2006 02:05 AM
SSH Tunnel to an XP Machine metallica1973 Linux - Networking 5 03-27-2006 07:36 PM


All times are GMT -5. The time now is 10:29 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration