[Courses] [Security] Port forwarding with SSH and ipchains/iptables

Raven, corporate courtesan raven at oneeyedcrow.net
Tue Mar 26 16:51:56 EST 2002


Heya --

	Sorry it took me so long to get to this; today seems to be "Unix
servers decide to eat their filesystems in painful ways" day.  (The
Linux box that I posted on Kai's behalf to techtalk about, and a Solaris
box at work, too.)

	That was Friday.  Then the weekend happened, and I got sick (I'm
better now).  Sorry about the turnaround time here.  And ack -- away
from the keyboard for three days, and I have over 1,000 messages when I
get back!

	Also, are you using ssh1, ssh2, or OpenSSH for this?

Quoth jennyw (Thu, Mar 21, 2002 at 11:54:12AM -0800):
> I have a Linux box (192.168.1.3) and two Windows boxes on my test network.
> One of the Windows boxes is my test anti-virus server running IIS
> (192.168.1.108). The other Windows box is just used as a Web client
> (192.168.1.100). On the Linux box, I ran this command:
> 
> su -c "ssh -L 80:192.168.1.108:80 192.168.1.3 -l jen"
>
> After typing the root password and my password to login to the Linux box
> (this seems kind of weird -- isn't there a way to forward ports without
> getting a shell?),

	Why are you using the -l jen in there?  Is ssh on the remote
machine set up to run under that userid rather than as root?  I've never
seen port forwarding for ports under 1024 work when run as a user -- you
need to be root most of the time to open any port under 1024.  So you
might have problems opening port 80 if you don't run the ssh command as
root.  I can see that you're root on the local side, and the user jen on
the remote side -- let me know if you do make this work.  I'm interested
to see what happens.

	As for a way to forward ports without getting a shell -- I know
if you just want to run a single command with ssh, ssh -c will do that
for you, but you still need a password.  I've never tried running that
with port forwarding, but I would think it would work.  The other sneaky
thing -- port forwarding will stop when your ssh session stops, so make
sure there are no timeouts on this ssh session if you want it to be a
perpetual thing.

	If you don't want to type in passwords all the time, look into
using ssh-agent.  I'm rather a fan of it.  More detail available if
desired.

> I noticed that if I try to access http://192.168.1.3, the
> connection is refused in Netscape on the Linux box. However, when I go to
> http://127.0.0.1 in Netscape, the page loads.  The Windows client also is
> refused a connection when trying to connect to the Linux box
> (http://192.168.1.3).
> 
> Does this mean that port forwarding only works for the local machine? If so,
> then the whole scheme to use SSH as a VPN substitute probably isn't going to
> fly. If someone with more SSH experience could offer some advice, that'd be
> really appreciated!
 
	SSH forwarding is usually a local machine thing; using it as
a VPN substitute could entail having one of the Windows ssh programs
mentioned beforehand on the clients.  If they're not listening on ports
with real IPs (i.e. they can listen on 127.0.0.1:80 to do the
forwarding, but not on their real IP addresses:22) then you're not
running much of a security risk having them there.

	If you really want to use ssh instead of a VPN on the firewall,
use the -g option.  This tells ssh (must be ssh1 or OpenSSH) to act as a
gateway, and allow other machines besides the local machine to use the
port forwarding.  This is off by default to prevent people from
inadvertently opening ports.  So,

ssh -g -L80:192.168.1.108:80 192.168.1.3

should work for you.

Cheers,
Raven

"Incoming packet over rabbit. SYN."
"Incoming packet over duck. quACK!"
  -- me and Tiff, flinging stuffed animals and tech humor
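The behaviour discussed above (a -L forward that answers on 127.0.0.1 but is refused on the box's real address until -g is used, and the rule that ports below 1024 need root) can be seen at the socket level with a small TCP forwarder. This is an added example written for this archive page, not code from the original thread and not ssh's own implementation; it only models the listener side of `ssh -L`. The echo server standing in for the IIS box is constructed for the example, and `127.0.0.2` is used as a stand-in for a non-loopback address, which works on Linux because all of 127/8 is local there.

```python
"""Toy forwarder modelling the listener side of ssh -L [bind:]port:host:hostport
and the bind-address change that -g makes (example, not ssh's own code)."""
import socket
import threading

PRIVILEGED_PORT_LIMIT = 1024  # classic Unix: binding below this needs root


def needs_root(local_port):
    """True if binding local_port needs root on a traditional Unix (< 1024)."""
    return 0 < local_port < PRIVILEGED_PORT_LIMIT


def bind_address(gateway):
    """Listener address: loopback only by default, every interface with -g."""
    return "0.0.0.0" if gateway else "127.0.0.1"


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target_host, target_port):
    """One forwarded connection: open the target leg and pump both directions."""
    with client, socket.create_connection((target_host, target_port)) as target:
        back = threading.Thread(target=_pump, args=(target, client), daemon=True)
        back.start()
        _pump(client, target)
        back.join()


def _serve(listener, handler):
    """Accept in a background thread and hand each connection to handler."""
    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_forwarder(local_port, target_host, target_port, gateway=False):
    """Listen on bind_address(gateway):local_port and relay to target.
    Returns (listening socket, (bound_host, bound_port)); port 0 picks a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_address(gateway), local_port))
    srv.listen(5)
    _serve(srv, lambda c: _relay(c, target_host, target_port))
    return srv, srv.getsockname()


def start_echo_server():
    """Constructed stand-in for the IIS box: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def echo(conn):
        with conn:
            _pump(conn, conn)
    _serve(srv, echo)
    return srv, srv.getsockname()


def request_through(host, port, payload, timeout=2.0):
    """Client side: send payload, half-close, collect the reply (a browser hit)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def reachable(host, port, timeout=1.0):
    """Can a TCP connection to host:port be opened at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_demo(gateway=False, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Forwarder in front of the echo target; returns (reply, bound_host)."""
    echo, (_, echo_port) = start_echo_server()
    fwd, (bound_host, local_port) = start_forwarder(0, "127.0.0.1", echo_port, gateway)
    try:
        return request_through("127.0.0.1", local_port, payload), bound_host
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    echo, (_, echo_port) = start_echo_server()
    for gateway in (False, True):
        fwd, (host, port) = start_forwarder(0, "127.0.0.1", echo_port, gateway)
        print(f"-g={gateway}: bound {host}:{port}, needs_root={needs_root(port)}")
        print("  via 127.0.0.1:", request_through("127.0.0.1", port, b"hello\n"))
        # Linux only: 127.0.0.2 stands in for the box's real address.
        print("  via 127.0.0.2 reachable:", reachable("127.0.0.2", port))
        fwd.close()
```

Run as a script on Linux and the loopback-bound forwarder answers on 127.0.0.1 but refuses 127.0.0.2, while the gateway-bound one answers on both, which is the difference jennyw saw between http://127.0.0.1 and http://192.168.1.3. Note that the real ssh client relays into the SSH channel rather than opening a second TCP connection itself; this toy only shows where the listener binds.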


