LinuxQuestions.org

Linux - Security: Failed SSH tcp forwarding (https://www.linuxquestions.org/questions/linux-security-4/failed-ssh-tcp-forwarding-880910/)

tjjt 05-15-2011 09:02 PM

Failed SSH tcp forwarding
 
I want to create a tunnel from my home computer to a Linux server by SSH, then I can use the tunnel as a TCP forwarding proxy (SOCKS 5) to access the web via the Linux server.
But I got "Internet Explorer cannot display the webpage" on my home computer, and when I check "/var/log/secure" on the Linux server (Fedora), I found:
"sshd[17926]: error: connect to xx.xx.xx.xx port 80 failed: Permission denied"

How can I solve this problem? Thanks in adv.

kbp 05-16-2011 12:29 AM

Can you post the steps you're using to create the tunnel ?

tjjt 05-16-2011 02:45 AM

I just use the ssh server included in Fedora.
"service sshd start".

Then I use "putty" or "myentunnel" on the home computer.

I can use putty to log in to the Fedora server via ssh, and I set the tunnel in the putty config.

I also tried "myentunnel" as the ssh client, and the log shows:
"[15:43:53 05/16] plink.exe: Sent password
[15:43:53 05/16] plink.exe: Access granted
[15:43:53 05/16] plink.exe: Local port 7070 SOCKS dynamic forwarding
[15:44:00 05/16] Connection is stable
"

But when I use the browser via the proxy 127.0.0.1:7070, it doesn't work.
I checked the log file on the Fedora server, then I found:
"sshd[17926]: error: connect to xx.xx.xx.xx port 80 failed: Permission denied"

Noway2 05-16-2011 04:33 AM

Just a thought, but check in your sshd_config and make sure you don't have a line like the following:
Quote:

AllowTcpForwarding no

tjjt 05-16-2011 05:06 AM

Quote:

Originally Posted by Noway2 (Post 4357628)
Just a thought, but check in your sshd_config and make sure you don't have a line like the following:

Thanks. I have checked the sshd_config and found the following:
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes

So I think I have already turned TCP forwarding on.

Reuti 05-16-2011 10:20 AM

If you use SOCKS, this must be setup in the browser network setup instead of specifying a port for the URL. Are you just forwarding port 7070 to a remote machine or setting up SOCKS in putty?

tjjt 05-16-2011 10:34 AM

Quote:

Originally Posted by Reuti (Post 4357930)
If you use SOCKS, this must be setup in the browser network setup instead of specifying a port for the URL. Are you just forwarding port 7070 to a remote machine or setting up SOCKS in putty?

Yes, I use the network setup in the browser option-network-proxy setup, and in putty I just set the tunnel as a Dynamic port of 7070.
As the server's log tells me: "sshd[17926]: error: connect to xx.xx.xx.xx port 80 failed: Permission denied"
I think that the request has been received by the server, but it can't open the destination web page for some reason and it can return the correct result to the client machine.

But I don't know why the server can't open the remote web page and return it to the proxy of putty on the client machine.

Reuti 05-16-2011 01:12 PM

You are accessing a webserver on the server machine itself or an external one?

tjjt 05-16-2011 05:42 PM

Quote:

Originally Posted by Reuti (Post 4358074)
You are accessing a webserver on the server machine itself or an external one?

An external one.

Noway2 05-16-2011 06:49 PM

Do you perchance have any sort of firewall, such as iptables running on this system that would prevent outbound traffic? It wouldn't necessarily be port 80, but could be on a higher order port.

tjjt 05-16-2011 08:55 PM

Quote:

Originally Posted by Noway2 (Post 4358273)
Do you perchance have any sort of firewall, such as iptables running on this system that would prevent outbound traffic? It wouldn't necessarily be port 80, but could be on a higher order port.

The following is my iptables; I don't know whether it matters:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Reuti 05-17-2011 04:06 AM

Are all external servers blocked or just one particular one?

Noway2 05-17-2011 04:13 AM

Quote:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I would try removing this rule, at least as an experiment. So far it is the only thing that I can see from the discussion that could relate to the permission denied error. I think the FORWARD chain is probably the least understood of the three iptables chains which makes it difficult to say whether or not it would make a difference. With the SSH proxy, you are effectively translating from one network to another, so in that regards it is plausible that it could cause problems, but my thinking is that the proxy is happening at a software level.

I also notice you have a rule "ACCEPT all -- anywhere anywhere"; is this perchance on the loopback interface? If not, the other rules below it are nullified. If it is, one thing that occurred to me is that a socks proxy works on a higher port, but the thing is that this is on the local machine, not the server. In other words, this shouldn't impact the ability to proxy via SSH. Again, the more I think about it, with your iptables policy to ACCEPT, which is fine, you might want to temporarily flush all the rules and see if that is behind the difficulties.
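The question Noway2 raises cannot be answered from the listing posted above, because plain `iptables -L` hides the `in`/`out` interface columns; `iptables -L INPUT -v -n` shows them. As an added example that is not part of the thread, the script below reads such a verbose listing and reports the input interface of every "blanket" ACCEPT rule (all protocols, no further match), warning when one is bound to `*` (any interface), since every rule after it in the chain is then dead. The two listings are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): given the output of
# "iptables -L INPUT -v -n" on stdin, print the input interface of every
# ACCEPT rule that matches all protocols with no further match criteria.
# "*" means any interface, so later rules in the chain are never reached;
# "lo" confines the rule to loopback, which is the usual intent.
# Columns in -v output: pkts bytes target prot opt in out source destination [match...]

blanket_accept_ifaces() {
    awk '
        NR <= 2 { next }                      # chain title line and column header
        $3 == "ACCEPT" && $4 == "all" && NF == 9 { print $6 }
    '
}

# check_chain LISTING: exits 0 when no blanket ACCEPT is bound to "*", else 1
check_chain() {
    ifaces=$(printf '%s\n' "$1" | blanket_accept_ifaces)
    if printf '%s\n' "$ifaces" | grep -qx '\*'; then
        echo "WARNING: blanket ACCEPT on any interface; the rules below it are dead"
        return 1
    fi
    echo "OK: blanket ACCEPT rules only on: $(printf '%s' "$ifaces" | tr '\n' ' ')"
}

# Constructed sample (not the original poster's ruleset): the blanket
# rule is bound to lo, so the ssh and REJECT rules below it still apply.
SAMPLE_GOOD_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   840 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    3   180 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5   300 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Constructed sample with the same rule on any interface: the REJECT is unreachable.
SAMPLE_BAD_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

check_chain "$SAMPLE_GOOD_CHAIN"   # OK: blanket ACCEPT rules only on: lo
check_chain "$SAMPLE_BAD_CHAIN"    # WARNING: blanket ACCEPT on any interface; ...
```

On a live server run `iptables -L INPUT -v -n | check_chain "$(cat)"` as root, or pipe the saved listing in; note that the OUTPUT chain, which is what sshd's outbound connection to port 80 traverses, was empty with an ACCEPT policy in the poster's listing, so iptables alone does not explain the error.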

tjjt 05-17-2011 05:32 AM

Are all external servers blocked or just one particular one?

--------------------------------------------------------

Yes, all external servers blocked.

Quote:

Originally Posted by Noway2 (Post 4358609)
I would try removing this rule, at least as an experiment. So far it is the only thing that I can see from the discussion that could relate to the permission denied error. I think the FORWARD chain is probably the least understood of the three iptables chains which makes it difficult to say whether or not it would make a difference. With the SSH proxy, you are effectively translating from one network to another, so in that regards it is plausible that it could cause problems, but my thinking is that the proxy is happening at a software level.

I also notice you have a rule "ACCEPT all -- anywhere anywhere"; is this perchance on the loopback interface? If not, the other rules below it are nullified. If it is, one thing that occurred to me is that a socks proxy works on a higher port, but the thing is that this is on the local machine, not the server. In other words, this shouldn't impact the ability to proxy via SSH. Again, the more I think about it, with your iptables policy to ACCEPT, which is fine, you might want to temporarily flush all the rules and see if that is behind the difficulties.

I tried removing all the rules in iptables; now my iptables is:
"
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
"

And then I did the same thing as before, and the log file still says:
test1 sshd[22712]: error: connect to X.X.X.X port 80 failed: Permission denied

:(

Reuti 05-17-2011 07:16 AM

Can you access the external website from the server machine itself, to rule out that the problem is on your side at all?


All times are GMT -5. The time now is 05:05 PM.