[Courses] [Security] Port forwarding with SSH and ipchains/iptables

Linda Laubenheimer ljl at rahul.net
Tue Mar 26 18:30:03 EST 2002


"Raven, corporate courtesan" wrote:
> 
> Quoth jennyw (Thu, Mar 21, 2002 at 11:54:12AM -0800):
> > I have a Linux box (192.168.1.3) and two Windows boxes on my test network.
> > One of the Windows boxes is my test anti-virus server running IIS
> > (192.168.1.108). The other Windows box is just used as a Web client
> > (192.168.1.100). On the Linux box, I ran this command:
> >
> > su -c "ssh -L 80:192.168.1.108:80 192.168.1.3 -l jen"
> >
> > After typing the root password and my password to login to the Linux box
> > (this seems kind of weird -- isn't there a way to forward ports without
> > getting a shell?),
> 
>         Why are you using the -l jen in there?  Is ssh on the remote
> machine set up to run under that userid rather than as root?  I've never
> seen port forwarding for ports under 1024 work when run as a user -- you
> need to be root most of the time to open any port under 1024.  So you
> might have problems opening port 80 if you don't run the ssh command as
> root.  I can see that you're root on the local side, and the user jen on
> the remote side -- let me know if you do make this work.  I'm interested
> to see what happens.

Huh??  I port forward my POP mail and outgoing mail all the time, 
with no root access.

Like so on windows (with a plain vanilla ssh utility):

	C:\ssh\ssh.exe -l rasteris -L 25:offsite.rahul.net:25 -L 110:pop.rahul.net:110 waltz.rahul.net

I did the same thing from a NetBSD box at my last job, so I could get 
my mail from my offsite POP box, and into Netscrape.  It seems to work 
perfectly well on the low number ports.

>         As for a way to forward ports without getting a shell -- I know
> if you just want to run a single command with ssh, ssh -c will do that
> for you, but you still need a password.  I've never tried running that
> with port forwarding, but I would think it would work.  The other sneaky
> thing -- port forwarding will stop when your ssh session stops, so make
> sure there are no timeouts on this ssh session if you want it to be a
> perpetual thing.
> 
>         If you don't want to type in passwords all the time, look into
> using ssh-agent.  I'm rather a fan of it.  More detail available if
> desired.

ssh-agent??  Is that for key-based authentication??


-- 
Linda J Laubenheimer - UNIX Geek, Sysadmin, Bibliophile and Iconoclast
http://www.modusvarious.net/ - consultants available
http://www.laubenheimer.net/ - personal demo site
http://www.geocities.com/laubenheimer/ - web design gaffes (I wouldn't 
disgrace a real ISP with these) and rants about bad design.
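Added here as an illustration of the point under discussion (which side of an ssh -L forward has to be root), not code from the thread or from any of the posters: a small POSIX sh helper that pulls the local listening port out of an OpenSSH -L spec, says whether the local ssh client needs root to bind it, and builds a forward-only command line. It assumes a Unix-like local host with the usual privileged-port rule; the -N (no remote command) and -f (background after authentication) flags are real OpenSSH options, while the function names and message wording are this example's own.

```shell
# Ports 1..1023 are privileged on Unix-like systems: only root (or, on Linux,
# a process holding CAP_NET_BIND_SERVICE) may bind them.  Windows of that era
# had no such rule, which is why the Windows example in the thread works on
# 25 and 110 without root.
is_privileged_port() {
    [ "$1" -ge 1 ] && [ "$1" -lt 1024 ]
}

# Pull the local listening port out of an OpenSSH -L spec:
#   [bind_address:]port:host:hostport
# (bracketed IPv6 bind addresses are not handled by this simple splitter)
local_port_of() {
    case "$1" in
        *:*:*:*) printf '%s\n' "$1" | cut -d: -f2 ;;
        *:*:*)   printf '%s\n' "$1" | cut -d: -f1 ;;
        *)       return 1 ;;
    esac
}

# Says which account must run the ssh *client* for this -L spec.  The local
# listener is opened by the client, so only the local uid matters; the remote
# login (-l jen) only has to be able to connect to host:hostport from there.
advise_forward() {
    port=$(local_port_of "$1") || { echo "bad spec: $1"; return 2; }
    if is_privileged_port "$port"; then
        echo "local port $port is privileged: run the ssh client as root"
    else
        echo "local port $port is unprivileged: any local user can open it"
    fi
}

# Build a forward-only command line: -N runs no remote command (no shell),
# -f drops into the background once authentication is done.
build_forward_cmd() {
    user=$1; host=$2; shift 2
    cmd="ssh -N -f"
    for spec in "$@"; do
        cmd="$cmd -L $spec"
    done
    printf '%s\n' "$cmd -l $user $host"
}

# Specs taken from the thread (constructed usage, not a live session).
advise_forward 80:192.168.1.108:80
advise_forward 110:pop.rahul.net:110
build_forward_cmd jen 192.168.1.3 80:192.168.1.108:80
```

With -N the session never asks the remote side for a shell, so the forward lives as long as the ssh process does; the password prompt remains unless key-based authentication (and an agent) is set up.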