From bf8f858c685442e1841cb25283824f546e985468 Mon Sep 17 00:00:00 2001 From: Ian Gulliver Date: Sun, 21 Apr 2019 16:45:38 +0000 Subject: [PATCH] SSH Tunnelling 101 --- 2006-01-23-ssh-tunnelling-101.html | 53 +++++++++++++++++++++++ index.html | 1 + markdown/2006-01-23-ssh-tunnelling-101.md | 47 ++++++++++++++++++++ markdown/index.md | 1 + 4 files changed, 102 insertions(+) create mode 100644 2006-01-23-ssh-tunnelling-101.html create mode 100644 markdown/2006-01-23-ssh-tunnelling-101.md diff --git a/2006-01-23-ssh-tunnelling-101.html b/2006-01-23-ssh-tunnelling-101.html new file mode 100644 index 0000000..d357eda --- /dev/null +++ b/2006-01-23-ssh-tunnelling-101.html @@ -0,0 +1,53 @@ + + + + + +

The Players

+ +

I’ll be referring to 3 hosts:

+ + + +

Configuring B

+ +

Some sshd configuration needs to be done on B before any of this will work. In the sshd_config file (/etc/ssh/sshd_config on Debian):

+ +
AllowTcpForwarding yes
+GatewayPorts yes
+
+ +

Remember to restart sshd after making changes (/etc/init.d/ssh restart).

+ +

Building the Tunnel

+ +

On A, run:

+ +
ssh -g -n -R <port on B>:127.0.0.1:<port on A> <address of B> sleep 999999
+
+ +

This will hang with no output; that’s the expected result.

+ +

You should now be able to connect to the port on B and be talking to A. To get this to restart if the connection dies, run it inside:

+ +
while :; do <command>; done
+
+ +

As with all shell commands, put a “&” on the end to run it in the background.

+ +

Tunnelling FTP

+ +

Due to a trick in the FTP protocol, you can use this tunnelling arrangement but have FTP data connections go directly from A to C, without touching B. This only works with so-called “active” FTP (using the PORT command instead of PASV). C must also be unfirewalled for this to work.

+ +

The only thing you’ll need to change is the FTP server configuration. In proftpd.conf, add:

+ +
AllowForeignAddress on
+
+ +

For pure-ftpd, run it with the “-w” commandline flag, or with a file named “AllowUserFXP” and a contents of “on” if you’re using pure-ftpd-wrapper.

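Review bot: the `-g` in `ssh -g -n -R <port on B>:127.0.0.1:<port on A> <address of B> sleep 999999` does nothing for this tunnel. `-g` only affects local (`-L`) forwards; whether the port on B accepts non-loopback connections is decided by sshd's `GatewayPorts` on B, which the hunk already sets to `yes`, so either drop the flag or say which side actually controls the exposure. The restart advice has two logic gaps: `while :; do <command>; done` has no delay, so if ssh exits immediately (B unreachable, key rejected, port on B still held by the previous instance) it spins in a tight loop, and without keepalives a tunnel whose TCP connection died silently sits there until the kernel times it out, so the loop never gets to restart it. Suggest `-N` instead of `-n ... sleep 999999` and something like `while :; do ssh -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R <port on B>:127.0.0.1:<port on A> <address of B>; sleep 5; done`. Also worth a sentence on what A sees: because the forward targets `127.0.0.1` on A, every connection through the tunnel reaches the service on A with source address 127.0.0.1, so host-based access control on that service (tcp_wrappers, per-host config, "trust localhost" defaults) can no longer tell tunnel clients from local processes.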
+ + diff --git a/index.html b/index.html index b03b676..189dc79 100644 --- a/index.html +++ b/index.html @@ -40,6 +40,7 @@
  • 2009-Sep-11: Confusing BIND with CNAMEs
  • 2009-Feb-19: The odd case of my mugging
  • 2009-Feb-03: 5-packet TCP connection?
  • +
  • 2006-Jan-23: SSH Tunnelling 101
  • 2006-Jan-23: How to install Debian Sarge on an IBM Blade
  • 2006-Jan-22: Why does my machine think its name is localhost...
  • 2006-Jan-22: Flashing without Microsoft or floppy drives
  • diff --git a/markdown/2006-01-23-ssh-tunnelling-101.md b/markdown/2006-01-23-ssh-tunnelling-101.md new file mode 100644 index 0000000..c115e0b --- /dev/null +++ b/markdown/2006-01-23-ssh-tunnelling-101.md @@ -0,0 +1,47 @@ + + + + + +### The Players + +I’ll be referring to 3 hosts: + +* A: The server; this machine is behind a firewall that allows outgoing connections but doesn’t allow incoming. +* B: The bounce host; this machine is unfirewalled. +* C: The client. + +### Configuring B + +Some sshd configuration needs to be done on B before any of this will work. In the sshd\_config file (/etc/ssh/sshd\_config on Debian): + + AllowTcpForwarding yes + GatewayPorts yes + +Remember to restart sshd after making changes (/etc/init.d/ssh restart). + +### Building the Tunnel + +On A, run: + + ssh -g -n -R :127.0.0.1:
    sleep 999999 + +This will hang with no output; that’s the expected result. + +You should now be able to connect to the port on B and be talking to A. To get this to restart if the connection dies, run it inside: + + while :; do ; done + +As with all shell commands, put a “&” on the end to run it in the background. + +### Tunnelling FTP + +Due to a trick in the FTP protocol, you can use this tunnelling arrangement but have FTP data connections go directly from A to C, without touching B. This only works with so-called “active” FTP (using the PORT command instead of PASV). C must also be unfirewalled for this to work. + +The only thing you’ll need to change is the FTP server configuration. In proftpd.conf, add: + + AllowForeignAddress on + +For pure-ftpd, run it with the “-w” commandline flag, or with a file named “AllowUserFXP” and a contents of “on” if you’re using pure-ftpd-wrapper. + + diff --git a/markdown/index.md b/markdown/index.md index 6fef878..07af9ec 100644 --- a/markdown/index.md +++ b/markdown/index.md @@ -39,6 +39,7 @@ 1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html) 1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html) 1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html) +1. 2006-Jan-23: [SSH Tunnelling 101](2006-01-23-ssh-tunnelling-101.html) 1. 2006-Jan-23: [How to install Debian Sarge on an IBM Blade](2006-01-23-how-to-install-debian-sarge-on-an-ibm-blade.html) 1. 2006-Jan-22: [Why does my machine think its name is localhost...](2006-01-22-why-does-my-machine-think-its-name-is-localhost-even-though-i-changed-it.html) 1. 2006-Jan-22: [Flashing without Microsoft or floppy drives](2006-01-22-flashing-without-microsoft-or-floppy-drives.html)
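Review bot: `AllowForeignAddress on` (and pure-ftpd's `-w`) is precisely the setting that enables FTP bounce, and the section should say so: with it on, the server on A opens a data connection to whatever address:port the client names in PORT, and since the control connection arrives from 127.0.0.1 over the tunnel, A cannot distinguish a legitimate C from anyone who can reach the port on B, so A becomes a connection relay for every tunnel client. Also note the coverage: SSH protects only the A to B leg of the control channel; C to B is plain TCP and the data connection goes directly A to C, unprotected. pure-ftpd's `-w` at least restricts FXP to authenticated users, which is worth stating next to the proftpd directive. Separately, `GatewayPorts yes` in sshd_config is global: it forces every remote forward by every user of B onto the wildcard address; `GatewayPorts clientspecified` with an explicit bind address in `-R` (and `PermitListen` on current sshd) limits the exposure to this one tunnel. Minor: in this hunk as shown, the placeholders have dropped out (`ssh -g -n -R :127.0.0.1:` and `while :; do ; done`) whereas the HTML version keeps `<port on B>` and `<command>`; confirm the .md source still carries them.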
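Review bot: drive-by in the context of the index.md hunk: the entry dated 2009-Feb-19 links to 2019-02-19-the-odd-case-of-my-mugging.html, so either the date or the filename is off relative to the date convention the neighbouring entries follow. Not introduced by this change, but cheap to fix while this list is being touched.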