LinuxQuestions.org
Old 12-16-2010, 03:32 PM   #1
kdelover
tunneling HTTP with SSH


Hi,

I am pretty new to the ssh tunneling concept, and I wanted to know if I was doing anything wrong, as I am getting the following error message:

Code:
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
I am on hostA, trying to forward my HTTP traffic out via SSH through hostB. hostA and hostB are on the same network.

hostA====(ssh)====HostB------->Internet

Code:
hostA> ssh -L 80:127.0.0.1:9999 user@hostB -N
In Firefox I selected SOCKS v5, with SOCKS host 127.0.0.1 and port 9999.


Thanks!
 
Old 12-16-2010, 03:38 PM   #2
pwc101
Code:
ssh -D9999 user@hostB -N
That should do it. Then set SOCKS host (V5) proxy in Firefox to localhost port 9999.
 
Old 12-16-2010, 03:50 PM   #3
kdelover
Still I get the same error. Do I need to check for anything in the sshd config file on hostB?
 
Old 12-16-2010, 04:04 PM   #4
Skaperen
Quote:
Originally Posted by kdelover
Still I get the same error. Do I need to check for anything in the sshd config file on hostB?
If you get connected to hostB, it's mostly OK. But you could check for any options that would disable forwarding.

Be sure the previous ssh command using -L has been killed before trying pwc101's ssh command using -D. Otherwise the new command cannot bind to port 9999. Or use a different port number.

Can you run tcpdump (need root access) on hostB to see what actual network traffic is being attempted?

Just to be sure, this is all about using Firefox on hostA, with all the traffic going out of hostA being through the SSH connection from hostA to hostB, and the traffic going to various internet sites going out of hostB. So if these hosts have static IP addresses without translation to the internet, web sites will see the HTTP(S) requests coming from hostB.
 
Old 12-16-2010, 04:28 PM   #5
kdelover
@Skaperen

I am exactly trying to do what you just said.

netstat from hostA

Code:
hostA>tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN      29761/ssh
Code:
hostB>tcpdump -i eth0 dst port 22

03:50:19.401146 IP hostA.51842 > hostB.ssh: S 1320164285:1320164285(0) win 5840 <mss 1460,sackOK,timestamp 160938463 0,nop,wscale 7>
03:50:19.401402 IP hostA.51842 > hostB.ssh: . ack 380061965 win 46 <nop,nop,timestamp 160938463 156729199>
03:50:19.407065 IP hostA.51842 > hostB.ssh: . ack 22 win 46 <nop,nop,timestamp 160938464 156729200>

Shouldn't hostA's source port be 9999 instead of 51842? Also, in the sshd.conf file I see that AllowTcpForwarding is commented out on hostA and B. When I ran Wireshark on hostA and captured a few packets, I could see the SSH-encrypted packets.

Last edited by kdelover; 12-16-2010 at 04:31 PM.
 
Old 12-16-2010, 05:01 PM   #6
pwc101
Quote:
Originally Posted by kdelover
Also, in the sshd.conf file I see that AllowTcpForwarding is commented out on hostA and B.
No, that's fine as is: I have the same line commented out and am perfectly able to forward the relevant ports from home.

Try a killall ssh as a normal user on the remote SSH server (host B in your example) to kill all existing ssh connections from host A. Then, try sshing in again from host A.

If you still get nowhere, turn up the verbosity on the ssh commands with -vvv to see what's happening as it connects, and look out for any error messages or warnings.
 
Old 12-16-2010, 05:19 PM   #7
kdelover
Thanks for the help, maybe I'll try it at home today.

Well, I just tried my luck with MySQL tunneling, where MySQL is running on hostC

Code:
hostA> ssh -L 3306:localhost:3306 user@hostB
Code:
hostA> mysql -h 127.0.0.1 -D mybackup
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0


hostB's /var/log/messages has

Code:
sshd[3960]: error: connect_to localhost port 3306: failed.
sshd[3960]: error: connect_to localhost port 3306: failed.
sshd[3960]: error: connect_to localhost port 3306: failed.
sshd[3960]: error: connect_to localhost port 3306: failed.
Also, I still get the connection refused error, same as the HTTP one. Moreover, my /etc/hosts.allow looks fine as well; every line in there is commented.

Last edited by kdelover; 12-16-2010 at 05:22 PM.
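The two -L commands in this thread and pwc101's -D command, run through a small parser that spells out which end of the tunnel each address is resolved on. This is an added example, not code from the thread or from OpenSSH; hostA, hostB and hostC are the names used in the posts, the `service_host` argument is a made-up way of saying where the real service runs, and only the -L and -D spec forms are covered.

```python
"""Parser for OpenSSH -L and -D forwarding specs (added example, not OpenSSH code).

ssh -L takes [bind_address:]port:host:hostport and ssh -D takes
[bind_address:]port. The host:hostport part of -L is connected to by sshd on
the SSH server, so names like "localhost" refer to the server, not the client.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Forward:
    kind: str                 # "local" for -L, "dynamic" for -D
    bind_address: str         # where the ssh client listens; default loopback
    port: int                 # listening port on the ssh client
    host: Optional[str]       # -L only: destination, resolved on the SSH server
    hostport: Optional[int]   # -L only: destination port


def _port(text: str) -> int:
    p = int(text)
    if not 1 <= p <= 65535:
        raise ValueError(f"port out of range: {text!r}")
    return p


def parse_forward(flag: str, spec: str) -> Forward:
    """flag is "-L" or "-D"; spec is the argument that followed it."""
    parts = spec.split(":")
    want = {"-L": (3, 4), "-D": (1, 2)}.get(flag)
    if want is None or len(parts) not in want:
        raise ValueError(f"bad {flag} spec: {spec!r}")
    if len(parts) == want[1]:
        # explicit bind address; empty or "*" means all interfaces (OpenSSH semantics)
        bind = parts.pop(0) or "*"
    else:
        bind = "127.0.0.1"
    if flag == "-D":
        return Forward("dynamic", bind, _port(parts[0]), None, None)
    return Forward("local", bind, _port(parts[0]), parts[1], _port(parts[2]))


def describe(fwd: Forward, server: str = "hostB",
             service_host: Optional[str] = None) -> List[str]:
    """Plain-language notes; service_host is where the real service runs, if known."""
    notes = []
    if fwd.port < 1024:
        notes.append(f"listening on port {fwd.port} on the client needs root on Linux")
    if fwd.bind_address not in ("127.0.0.1", "localhost", "::1"):
        notes.append(f"listener bound to {fwd.bind_address} is reachable from other hosts")
    if fwd.kind == "dynamic":
        notes.append(f"ssh speaks SOCKS on {fwd.bind_address}:{fwd.port}; the browser picks "
                     f"each destination and sshd on {server} opens it")
        return notes
    notes.append(f"each connection to {fwd.bind_address}:{fwd.port} makes sshd on {server} "
                 f"connect to {fwd.host}:{fwd.hostport}, resolved on {server}")
    if fwd.host in ("localhost", "127.0.0.1") and service_host not in (None, server):
        notes.append(f"{fwd.host!r} means {server} itself, but the service is on {service_host}: "
                     f"use {fwd.port}:{service_host}:{fwd.hostport}")
    return notes


if __name__ == "__main__":
    # The commands from the thread; hostA/hostB/hostC are the posters' names.
    for flag, spec, svc in [("-L", "80:127.0.0.1:9999", None),
                            ("-D", "9999", None),
                            ("-L", "3306:localhost:3306", "hostC")]:
        print(f"ssh {flag} {spec}")
        for note in describe(parse_forward(flag, spec), service_host=svc):
            print("   ", note)
```

Running it points out, for `-L 80:127.0.0.1:9999`, that port 80 on the client needs root and that the connect goes to 127.0.0.1:9999 as seen from hostB; for `-L 3306:localhost:3306` with the service on hostC, that `localhost` means hostB itself, so hostC belongs in the middle field.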
 
Old 12-17-2010, 10:38 AM   #8
Skaperen
Quote:
Originally Posted by kdelover
@Skaperen

I am exactly trying to do what you just said.

netstat from hostA

Code:
hostA>tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN      29761/ssh
Code:
hostB>tcpdump -i eth0 dst port 22

03:50:19.401146 IP hostA.51842 > hostB.ssh: S 1320164285:1320164285(0) win 5840 <mss 1460,sackOK,timestamp 160938463 0,nop,wscale 7>
03:50:19.401402 IP hostA.51842 > hostB.ssh: . ack 380061965 win 46 <nop,nop,timestamp 160938463 156729199>
03:50:19.407065 IP hostA.51842 > hostB.ssh: . ack 22 win 46 <nop,nop,timestamp 160938464 156729200>

Shouldn't hostA's source port be 9999 instead of 51842? Also, in the sshd.conf file I see that AllowTcpForwarding is commented out on hostA and B. When I ran Wireshark on hostA and captured a few packets, I could see the SSH-encrypted packets.
For hostB the file /etc/ssh/sshd_config is what matters, since it is the server end.

It looks like you have ssh listening to port 9999 as it should. All connections from the browser in SOCKS5 mode should go to port 9999 on hostA, both ends being with address 127.0.0.1. But, in hostB, you should see connections originating from an sshd process, with arbitrary source ports, and appropriate source addresses depending on the destination, going to the designated destination address and port. Doing tcpdump on hostB is what is telling. The traffic between hostA and hostB over ssh does not matter beyond making sure there is an appropriate volume of traffic. So on hostB do this:
Code:
tcpdump -i any not port 22
Or better yet:
Code:
tcpdump -i any dst port 80
and visit a web server at the standard port 80. If you don't see any traffic in hostB going to the visited destination, then check the /etc/sshd/sshd_config file to see if it is set to disable any forwarding. If it is OK, the next thing to check is iptables.
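Skaperen's description of -D, where the browser talks SOCKS to the ssh client on 127.0.0.1:9999 and sshd on hostB makes the outbound connection, as a runnable toy: a minimal SOCKS5 CONNECT proxy plus a client, with the proxy playing the role of ssh and sshd combined. This is an added example, not code from the thread or from OpenSSH; it runs entirely on 127.0.0.1 with an echo service standing in for the web server, and the second CONNECT goes to a port nothing listens on to show how a refused connect on the far side comes back to the client as SOCKS reply 0x05.

```python
"""Minimal SOCKS5 CONNECT proxy and client, the exchange behind "ssh -D" (added example,
not the thread's or OpenSSH's code). ssh -D 9999 makes the ssh client answer this protocol
on 127.0.0.1:9999; sshd on hostB then opens the real destination. Runs on 127.0.0.1 only."""
import socket
import struct
import threading

VER = 0x05
REP_OK, REP_GENERAL, REP_REFUSED, REP_BAD_CMD, REP_BAD_ATYP = 0x00, 0x01, 0x05, 0x07, 0x08

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def reply(sock, rep, bind=("0.0.0.0", 0)):  # VER REP RSV ATYP=IPv4 BND.ADDR BND.PORT
    sock.sendall(bytes([VER, rep, 0, 1]) + socket.inet_aton(bind[0]) + struct.pack("!H", bind[1]))

def pump(src, dst):  # copy one direction until EOF, then pass the EOF on as a half-close
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle(conn):
    """Proxy side of one session: method negotiation, CONNECT, then a two-way relay."""
    try:
        ver, nmethods = recv_exact(conn, 2)
        if ver != VER or 0 not in recv_exact(conn, nmethods):
            return conn.sendall(bytes([VER, 0xFF]))      # no acceptable auth method
        conn.sendall(bytes([VER, 0]))                    # "no authentication required"
        _ver, cmd, _rsv, atyp = recv_exact(conn, 4)
        if atyp == 3:                                    # name: DNS happens here, not at the client
            host = recv_exact(conn, recv_exact(conn, 1)[0]).decode("ascii")
        else:                                            # this toy accepts domain-name requests only
            return reply(conn, REP_BAD_ATYP)
        port = struct.unpack("!H", recv_exact(conn, 2))[0]
        if cmd != 1:
            return reply(conn, REP_BAD_CMD)
        try:
            remote = socket.create_connection((host, port), timeout=5)
        except ConnectionRefusedError:                   # nothing listening at the destination
            return reply(conn, REP_REFUSED)
        except OSError:
            return reply(conn, REP_GENERAL)
        reply(conn, REP_OK, remote.getsockname()[:2])
        threading.Thread(target=pump, args=(remote, conn), daemon=True).start()
        pump(conn, remote)
        remote.close()
    finally:
        conn.close()

def serve(handler):  # threaded listener on 127.0.0.1, kernel-chosen port; returns the port
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def echo(conn):  # stand-in destination service (the web server on the far side)
    with conn:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)

def socks_connect(proxy_port, host, port):
    """Client side (what Firefox does): returns (reply code, connected socket or None)."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(bytes([VER, 1, 0]))                        # offer one method: no auth
    if recv_exact(s, 2) != bytes([VER, 0]):
        raise ConnectionError("proxy rejected the offered auth method")
    name = host.encode("ascii")                          # ATYP 3: let the proxy resolve it
    s.sendall(bytes([VER, 1, 0, 3, len(name)]) + name + struct.pack("!H", port))
    _ver, rep, _rsv, _atyp = recv_exact(s, 4)
    recv_exact(s, 6)                                     # BND.ADDR (IPv4) + BND.PORT from reply()
    if rep != REP_OK:
        s.close()
    return rep, (s if rep == REP_OK else None)

def demo():
    proxy, target = serve(handle), serve(echo)
    rep, s = socks_connect(proxy, "127.0.0.1", target)
    request = b"GET / HTTP/1.0\r\n\r\n"
    s.sendall(request)
    echoed = recv_exact(s, len(request))
    s.close()
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))                        # bound but never listen()ed: refuses
    rep_closed, _ = socks_connect(proxy, "127.0.0.1", closed.getsockname()[1])
    return rep, echoed, rep_closed
```

Two things to look at in `demo()`: the destination address and port appear only inside the CONNECT request on the client side and in the proxy's own outbound connect, which is why tcpdump on hostB (with port 22 filtered out) is where to look for them; and because the client sends ATYP 3, name resolution happens on the proxy side, which is what Firefox's "Proxy DNS when using SOCKS v5" setting does and what keeps DNS lookups off the client's network.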
 
  

