LinuxQuestions.org
Old 03-16-2015, 08:28 AM   #1
khuongdp (LQ Newbie)
tunnel ssh with port forwarding


Hi

I have this setup:

client -> (22) bastion-server (1433) -> backend-server (1433)

On the bastion-server I have this in iptables:
Code:
-A PREROUTING -p tcp --dport 1433 -j DNAT --to-destination backend-server:1433
-A POSTROUTING -p tcp -d backend-server --dport 1433 -j SNAT --to-source bastion-server
If I open port 1433 on the bastion-server I can connect fine to the backend-server from the client with telnet:
Code:
telnet bastion-server 1433
But now I want to tunnel port 1433 through ssh from the client (I don't want to open port 1433 on the bastion-server):
Code:
ssh -i .ssh/mykey.pem -L 1433:localhost:1433 bastion-server
When I now try to connect (telnet) from the client I get this:
Code:
telnet localhost 1433
Escape character is '^]'.
Connection closed by foreign host.

Last edited by khuongdp; 03-16-2015 at 08:52 AM.
 
Old 03-16-2015, 08:36 AM   #2
T3RM1NVT0R (Senior Member)
Quote:
If I open port 1433 on the bastion-server I can connect fine to the backend-server from the client.

But now I want to tunnel port 1433 through ssh from the client:
What do you mean by this?

Also, what are you trying to telnet to when you get that connection closed message, and from where?

From what you have mentioned, you are using bastion-server as a jump-off host to connect to backend-server.
 
Old 03-16-2015, 08:53 AM   #3
khuongdp (LQ Newbie, Original Poster)
I have updated my post.

Quote:
Originally Posted by T3RM1NVT0R View Post
What do you mean by this?

Also, what are you trying to telnet to when you get that connection closed message, and from where?

From what you have mentioned, you are using bastion-server as a jump-off host to connect to backend-server.
 
Old 03-16-2015, 09:09 AM   #4
T3RM1NVT0R (Senior Member)
You said you don't want to open port 1433 on bastion-server, and that same port you are using as the source. I mean, since you have closed communication on that port, it will fail.

Choose some random port for the source and then allow that on bastion-server. For example:

Code:
ssh -i .ssh/mykey.pem -L 11111:localhost:1433 bastion-server
Try this and let us know if it works. I haven't tested it, but logically this is how it should be.

Edit: You might not need to open the source port; try first without opening it.

Last edited by T3RM1NVT0R; 03-16-2015 at 09:15 AM.
 
Old 03-16-2015, 09:23 AM   #5
michaelk (Moderator)
To tunnel to your backend-server via the bastion-server:

ssh -L 1433:backend-server:1433 user@bastion-server (include any options etc)
 
Old 03-16-2015, 03:21 PM   #6
khuongdp (LQ Newbie, Original Poster)
Thanks. It's working fine. Why do I need to specify the backend-server and not localhost? I thought the iptables rules were doing the last part and the backend-server should be transparent to the client.

Quote:
Originally Posted by michaelk View Post
To tunnel to your backend-server via the bastion-server:

ssh -L 1433:backend-server:1433 user@bastion-server (include any options etc)
 
Old 03-16-2015, 04:03 PM   #7
michaelk (Moderator)
Using backend-server instead of localhost in 1433:backend-server:1433, ssh is now port forwarding 1433 traffic from the bastion to the backend. Using localhost will forward port 1433 traffic just to the bastion server. By establishing the tunnel you're bypassing the firewall with traffic on port 1433.
 
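A worked illustration of the point made in posts #5 and #7, added here as editorial example code; it is not anything posted in the thread. The host field of an -L spec is resolved by sshd on the bastion. With 1433:localhost:1433 the bastion connects to its own port 1433, where nothing is listening, and because that connection is generated locally it traverses the nat OUTPUT chain rather than PREROUTING, so the DNAT rule from post #1 is never consulted; sshd reports the failed channel open and the client closes the local socket, which telnet shows as "Connection closed by foreign host." With 1433:backend-server:1433 the bastion connects straight to the backend, and neither the DNAT/SNAT rules nor an open port 1433 on the bastion are needed any more. The client-side listen port (1433 or 11111) is bound on the client, not the bastion, so it never interacts with the bastion's firewall. The script below splits a forward spec the way ssh does, reports where the bastion will connect, and then generates a least-privilege form of the working setup: the client command with -N and a loopback-only listener, plus an authorized_keys line (or an equivalent sshd_config Match block) that lets the key forward only to backend-server:1433. Assumed, not from the thread: the login name user, the key path .ssh/mykey.pem as the OP wrote it, a dedicated bastion account named tunnel, and a made-up ed25519 public key.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Host names (bastion-server,
# backend-server) and the key path .ssh/mykey.pem are the thread's own
# placeholders; the login name "user", the "tunnel" account and the ed25519
# key material below are constructed for illustration.

# Split an ssh -L spec "[bind_address:]port:host:hostport" and print the
# fields one per line: bind address (ssh's default is loopback), client
# listen port, the host the BASTION's sshd will connect to, and its port.
parse_local_forward() {
    local spec=$1 hostport host port bind
    hostport=${spec##*:}; spec=${spec%:*}
    host=${spec##*:};     spec=${spec%:*}
    port=${spec##*:}
    if [ "$spec" = "$port" ]; then
        bind=127.0.0.1          # no bind address given: ssh binds loopback
    else
        bind=${spec%:*}
    fi
    printf '%s\n' "$bind" "$port" "$host" "$hostport"
}

# Report where the bastion opens the forwarded connection. The host is
# resolved on the bastion, so localhost/127.x/::1 is the bastion itself; a
# locally generated connection goes through the nat OUTPUT chain and never
# reaches the PREROUTING DNAT rule, which is why "1433:localhost:1433" failed.
forward_target() {
    set -- $(parse_local_forward "$1")
    case $3 in
        localhost|127.*|::1) echo bastion ;;
        *)                   echo "$3" ;;
    esac
}

# Client command. -N: no remote shell, the session only carries the forward.
# ExitOnForwardFailure: exit instead of staying logged in without a tunnel.
# 127.0.0.1: keep the listener off the client's other interfaces. The listen
# port is local to the client and has no bearing on the bastion's firewall.
tunnel_cmd() {
    local backend=${1:-backend-server} port=${2:-1433}
    local bastion=${3:-bastion-server} key=${4:-.ssh/mykey.pem}
    printf 'ssh -N -o ExitOnForwardFailure=yes -i %s -L 127.0.0.1:%s:%s:%s user@%s\n' \
        "$key" "$port" "$backend" "$port" "$bastion"
}

# Bastion side, per key: "restrict" disables pty, agent/X11/tunnel forwarding
# and rc files; "port-forwarding" re-enables TCP forwarding only; "permitopen"
# pins it to one destination, so the key cannot reach anything else through
# the bastion. The forced command makes an interactive login useless.
authorized_keys_line() {
    local backend=${1:-backend-server} port=${2:-1433}
    printf 'restrict,port-forwarding,permitopen="%s:%s",command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDERKEY0 tunnel-only\n' \
        "$backend" "$port"
}

# Same policy as a server-wide sshd_config Match block for a dedicated account.
sshd_match_block() {
    local backend=${1:-backend-server} port=${2:-1433}
    cat <<EOF
Match User tunnel
    AllowTcpForwarding local
    PermitOpen ${backend}:${port}
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Demo: classify the failing and working specs from the thread, then print
# the hardened client command and the bastion-side policy.
for spec in 1433:localhost:1433 1433:backend-server:1433; do
    printf '%-28s -> bastion connects to: %s\n' "$spec" "$(forward_target "$spec")"
done
tunnel_cmd
authorized_keys_line
sshd_match_block
```

Once the tunnel works, the DNAT/SNAT rules and any allow rule for port 1433 on the bastion can be removed: every backend connection then rides inside an authenticated SSH session, and the backend sees connections from the bastion either way (the SNAT rule already hid the real client address, which is something to keep in mind when reading the backend's own logs). On the client, `ss -ltn` should show the listener on 127.0.0.1:1433 only; if the key is ever used without `-N`, the forced command ends the session immediately, so the key is good for nothing but this one forward.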
Old 03-16-2015, 08:44 PM   #8
T3RM1NVT0R (Senior Member)
@ michaelk,

Thanks Michael for the explanation.
 