LinuxQuestions.org
Old 07-24-2008, 01:23 PM   #1
SlowCoder
Senior Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Debian based
Posts: 1,250

SSH Tunneling - Looking for clarification


I think I have my tunneling set up, but I just want to be sure it's correct, and that I know what I'm doing ...

Assume the command (taken from http://www.freebsd.org/doc/en/books/...openssh.html):
Code:
ssh -2NfL 2110:mail.example.com:110 user@ssh-server.example.com
Clarification:
* 2110 is the virtual port that will be set up on the local client.
* mail.example.com is the server my remote SSH server (ssh-server.example.com) will be talking to on the other end.
* 110 is the port of mail.example.com that the remote SSH server will connect to.
* I will connect to localhost:2110, which will then be routed to my remote ssh server securely, and the remote ssh server will then traffic packets to and from mail.example.com.
Is this correct?
 
Old 07-24-2008, 02:02 PM   #2
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

All this will allow you to do is connect to a pop server using `telnet localhost 2110`. Why not just connect using `telnet remoteserver 110` instead? Why the need for this?
 
Old 07-24-2008, 02:02 PM   #3
rjlee
Senior Member
 
Registered: Jul 2004
Distribution: Ubuntu 7.04
Posts: 1,994

Quote:
Originally Posted by SlowCoder
I think I have my tunneling set up, but I just want to be sure it's correct, and that I know what I'm doing ...

Assume the command (taken from http://www.freebsd.org/doc/en/books/...openssh.html):
Code:
ssh -2NfL 2110:mail.example.com:110 user@ssh-server.example.com
Clarification:
* 2110 is the virtual port that will be set up on the local client.
* mail.example.com is the server my remote SSH server (ssh-server.example.com) will be talking to on the other end.
* 110 is the port of mail.example.com that the remote SSH server will connect to.
* I will connect to localhost:2110, which will then be routed to my remote ssh server securely, and the remote ssh server will then traffic packets to and from mail.example.com.
Is this correct?
Looks right to me.

Your outgoing packets sent to port 2110 on your local machine will be forwarded over a secure tunnel from your machine to ssh-server.example.com, and then forwarded on an unencrypted network connection to mail.example.com on port 110.

Incoming packets will be sent unencrypted from mail.example.com to ssh-server.example.com, and then over a secure link to your local client.

Yours,

—Robert J Lee
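
The two hops described in the reply above, worked out from the `-L` argument itself. This is an added example, not part of any post in the thread; the function name `describe_forward` and its output labels are made up for illustration, and it goes beyond the thread's command by also covering the optional bind address and a `localhost` destination.

```shell
#!/bin/sh
# Added example: split an ssh -L spec ([bind_address:]port:host:hostport)
# into its hops. Hostnames and IPv4 only; bracketed IPv6 is not handled.

# describe_forward SPEC SSH_SERVER -> three lines on stdout, status 2 on bad input
describe_forward() {
    spec=$1; server=$2
    case $spec in
        *:*:*:*:*) return 2 ;;                              # too many fields
        *:*:*:*)   bind=${spec%%:*}; rest=${spec#*:} ;;     # bind address given
        *:*:*)     bind='(none)';    rest=$spec ;;          # the thread's form
        *)         return 2 ;;
    esac
    lport=${rest%%:*}; rest=${rest#*:}
    dhost=${rest%%:*}; dport=${rest#*:}
    case $lport in ''|*[!0-9]*) return 2 ;; esac
    case $dport in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$dhost" ] || return 2

    # Who can reach the listening port on the client.
    case $bind in
        '(none)')            exposure=loopback-default; addr=localhost ;;  # GatewayPorts no
        localhost|127.0.0.1) exposure=loopback;         addr=$bind ;;
        ''|'*'|0.0.0.0)      exposure=all-interfaces;   addr='*' ;;
        *)                   exposure=single-address;   addr=$bind ;;
    esac

    # Where the hop that SSH does not protect runs. The destination name is
    # resolved by the SSH server, so "localhost" means the server itself.
    case $dhost in
        localhost|127.0.0.1) last=stays-on-server ;;
        *)                   last=crosses-network ;;
    esac

    echo "listen=$addr:$lport exposure=$exposure"
    echo "tunnel=client->$server protected=ssh"
    echo "last_hop=$server->$dhost:$dport protected=no ($last)"
}

# The command from the first post.
describe_forward 2110:mail.example.com:110 ssh-server.example.com
```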
 
Old 07-24-2008, 03:33 PM   #4
SlowCoder
Senior Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Debian based
Posts: 1,250

Original Poster
rjlee, Thank you for your response. That was what I was thinking. I just wanted to make sure.

Quote:
Originally Posted by ramram29
All this will allow you to do is connect to a pop server using `telnet localhost 2110`. Why not just connect using `telnet remoteserver 110` instead? Why the need for this?
The example I gave was just an example. However, the purpose is to establish an encrypted connection with a server through an untrusted network, such as a public WIFI. If I go to BlahBlah's cafe and connect to their WIFI, I don't want them to know what I'm browsing, or what my emails are.
 
Old 07-24-2008, 07:11 PM   #5
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Blog Entries: 2

What's really fun if both sides are Linux (might work in other OSes too) is to use the tap/tun stuff in ssh. The -w option. It lets you have a quick and easy VPN and you can route whatever you'd like through it. You do need privileges on the tun device (typically /dev/net/tun) to do this. And the remote sshd needs to have PermitTunnel yes (or ethernet). I wouldn't recommend having this option on all the time.

Code:
ssh -o Tunnel=ethernet -w any root@remote_host

This will give you two tap devices (do an ifconfig -a to see them) that are virtual ethernet connections and are connected (one on each machine) to each other. You can then give them ip addresses, do routing over them, even bridge them with another ethernet interface.

Code:
tap0      Link encap:Ethernet  HWaddr 00:ff:58:19:f6:e4  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ifconfig tap0 10.0.0.1 netmask 255.255.255.252
route add -net 192.168.0.0/24 gw 10.0.0.2
...

Last edited by estabroo; 07-24-2008 at 07:12 PM. Reason: put in code tags to preserve white space (even though it's not code)
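
A check for the caution in post #5 about leaving PermitTunnel on all the time: it reports whether sshd_config text enables tunnels for every connection or only inside a Match block. This is an added example, not code from the thread; the function name, the sample configs and the `tunnelops` account are hypothetical.

```shell
#!/bin/sh
# Added example: report where PermitTunnel is enabled in sshd_config text.
# Limits: Include files are not followed; "Match all" is treated as a scope.

# Reads sshd_config on stdin. Prints one match[...] line per Match block that
# sets PermitTunnel, then global=<value>. Returns 1 if tunnelling is enabled
# for every connection (global value other than "no").
audit_permit_tunnel() {
    awk '
        BEGIN { global = "no" }                  # sshd default is "no"
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            split(line, f, /[ \t=]+/)            # "Key value" or "Key=value"
            kw = tolower(f[1])                   # keywords are case-insensitive
        }
        kw == "match" {
            scope = line
            sub(/^[^ \t]+[ \t]+/, "", scope)     # keep only the criteria
            next
        }
        kw == "permittunnel" {
            if (scope == "") {
                if (!gseen) { global = f[2]; gseen = 1 }   # first value wins
            } else {
                printf "match[%s]=%s\n", scope, f[2]
            }
        }
        END { print "global=" global; exit (global != "no") }
    '
}

# Constructed sample configs (not from the thread).
always_on() {
    printf '%s\n' 'PermitRootLogin no' 'PermitTunnel ethernet'
}
scoped() {
    printf '%s\n' '# tunnels only for one account' 'PermitTunnel no' \
        'Match User tunnelops' '    PermitTunnel ethernet'
}

always_on | audit_permit_tunnel || echo "finding: tunnels enabled globally"
scoped | audit_permit_tunnel && echo "ok: tunnels limited to Match blocks"
```

On a live host, `sshd -T` prints the effective settings, Include files included.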
 
  

