
Will an SSH tunnel do this?

kevinthenerd

Platinum Member
I'm using these systems in a college:

System A: Red Hat 8.0 PC
System B: Red Hat 7.3 PC (acting as a web server at the moment)
System C: Mac OS X iBook

Here's how they're configured network-wise:
System A is sitting inside of a class-B LAN (172.16.*.*) with a firewall, packeteer, etc.
System B is sitting unguarded on the open Internet.
System C is on a home network.

System A can reach B and C, but B and C can't reach A. SSH shells work fine from A to B, but for some reason, I can't figure out how to set up an SSH tunnel to make port 22 on system A reachable by system C.

Here's what I want to do: I have a computer in my dorm that I want to access from my house to transfer stuff from one to the other without using recordable media or physically moving it. I also want to be able to reattach screens from my house that are running in my dorm.

Thanks, guys.
 
It sounds like you've been unable to make an incoming connection to system A although you could make outgoing ones. Why can't anything reach system A? Is the firewall blocking access? If it is, you could probably effectively circumvent it with ssh, but that admin would most likely dislike those actions, so check with them first if that is the problem.
 
Originally posted by: Oaf357
Sounds like it's possible to do it if you setup your firewalls correctly.

Read the post. It's in my dorm, and I have no administrative access to those particular systems in my college.
 
Originally posted by: Soybomb
It sounds like you've been unable to make an incoming connection to system A although you could make outgoing ones. Why can't anything reach system A? Is the firewall blocking access? If it is, you could probably effectively circumvent it with ssh, but that admin would most likely dislike those actions, so check with them first if that is the problem.


The network administrator is cool with this. He knows I won't be hosting MP3s or anything like that; all I want is access to my homework. He won't help me because changing the firewall and packeteer settings would compromise the security of the server we use to house student records.

Here are some specifics to help you understand:

Machine A: The Red Hat 8.0 machine in my dorm has the IP 172.16.3.161
The external IP of the router on that network is 199.44.215.254
(Internal is 172.16.1.1)
Machine B: The machine I want to use to hop between the two (Red Hat 7.3) is 199.44.214.23. Note that it's on a different network (214); it has no access to the internal part of the 199.44.215.254 network. I'm the administrator of this machine.

I'm hoping there's a way to initiate the connection from within the 172 network to machine B, keep it alive, and send all the traffic via that initiated connection.
 
I forgot to make this clear... Systems A, B, and C are on all different networks. A lot of people are under the impression that System B is part of the network that System A is on. This is not true. The two networks are in the same building, but they're on completely different connections to Sprint, and I have no control over how they're moved.
 
Google. It's possible the administrator-ly spirit in some is keeping them from offering advice on how to circumvent a firewall. I've seen pages going over before how people have set up ssh to make the outgoing connection to another box and keep it alive so you can access it that way, but I didn't bookmark it or anything, nor have I done it. It can be done; you'll just have to dig a lot to find out how to make it do what you want.
 
Dude, it ain't the firewall that's stopping me. It's the fact that I have no way of specifying the individual machine within the local network. Machine A has the IP address of 172.16.3.161, and it's sitting behind a firewall with an IP that starts with 199.44.215.*. Anyone with a basic understanding of TCP/IP would know that an IP that starts with 172 is a LOCAL IP, purposely not available on the open Internet. They did that to save money by not needing so many IP addresses. (Local IPs start with 192, 172, and 10 for class C, B, and A networks, respectively.) It's not that I'm trying to get through some sort of security system. It's that I don't know how to make an SSH tunnel backwards.

I know the local administrator has no problem with this. He just doesn't want to make this easy by giving me access to his VPN server. There's a good reason why, too..... direct unguarded access to the VPN available via a port on an external machine (via SSH) would give people direct access to the system that holds student records. The version of their OS is archaic, and I'm sure anyone on this forum can figure out a way in. My method would not allow this as easily; the system in my dorm is guarded with a strong password, and you can't get into that system without a login.
 
You have answered your own question. I did not understand the goal at first, but now I do. Unless the router at system A is set to forward port 22 to your machine specifically, you would have to do as others suggested, and keep the connection alive from A to a machine exposed or routed properly.
 
Originally posted by: skyking
You have answered your own question. I did not understand the goal at first, but now I do. Unless the router at system A is set to forward port 22 to your machine specifically, you would have to do as others suggested, and keep the connection alive from A to a machine exposed or routed properly.

So... how do I keep the SSH connection alive on port 22 from System A to System B and kick the traffic from B:10000 to A:80 (or some other port)? The following command issued from System A did not work, and I'd like to know why:

ssh -R 10000:localhost:80 root@IP_of_System_B
 
Dude, it ain't the firewall that's stopping me. It's the fact that I have no way of specifying the individual machine within the local network. Machine A has the IP address of 172.16.3.161, and it's sitting behind a firewall with an IP that starts with 199.44.215.*. Anyone with a basic understanding of TCP/IP would know that an IP that starts with 172 is a LOCAL IP, purposely not available on the open Internet.
Heh, that's like saying, dude, it's not the firewall, it's the firewall! That's called network address translation, and many firewalls do that (or whatever happens to be in the way of you and the outside world). I work at an ISP where we have all the IP addresses we could want available, yet I choose to use NAT on the firewalls both for the flexibility it gives me in redirecting traffic destined for internal machines within the network and because, as you've noticed, unless the device performing the NAT is specifically told to forward traffic on to an internal device, it doesn't get in. No matter what purpose they chose it for, the effect is the same. It's not that I don't want to help; I've just never used ssh for that, so I don't know, and offered it as a suggestion as to why others had not replied yet.

A quick Google found this; perhaps it will be of help: http://www.onsight.com/faq/ssh/ssh-faq-5.html#ss5.2

Also consider ditching password-based logins and using passphrase-protected keys. Often root is denied remote login (for good reason), so you might want to check your sshd config files if that's what you really want to do.
 
Dude, it was NOT the firewall! I found the problem! Yes, one machine could not talk to the other. No, it was not the firewall as the root of the problem! It was the sshd configuration. I needed these lines in /etc/ssh/sshd_config:

GatewayPorts yes
AllowTcpForwarding yes

The problem was not that the forwarded ports were not getting through. It was that those ports weren't accepting connections from machines other than localhost on the outside machine.

Edit:

Yes, the firewall keeps people from directly accessing machines by IP, but that's not the issue. An initiated SSH connection can ignore this concept as long as the port is open. I thought for a moment that a forwarded SSH connection would have to initiate a new connection and run into all of the problems that a regular connection would run into, but that's not true, because it keeps it open when initiated from within the network.

The connection was initiated from within the local network with a command like this:

ssh -R remote_port:localhost:localport root@remote_machine


This is like Bill Gates trying to find somebody in a poor country. The poor citizen may have an easy time reaching Microsoft's CEO (assuming he reads his mail in this idealized scenario), but Gates has no way of contacting a person without an address.

Now, let's assume somebody (such as Steve Jobs) wants to get a hold of that poor person. The poor person gets a hold of Gates and gives him a way of contacting him (such as a public telephone). (Let's say the country is behind a communist Iron Curtain (firewalled) that only allows conversations initiated from within.) Then, Gates has the option of forwarding or not forwarding Jobs' conversation to the poor person. Without the poor person knowing that Jobs wants to contact him, the conversation depends entirely on whether Gates wants to forward the two-way traffic.

(No copyright is claimed if someone else wants to use this analogy in the future.)
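The fix above in runnable form, as an added example that is not from this thread: a check that an sshd_config body on the hop machine (System B) has the two options the poster needed, the ssh -R command System A runs with keepalive options so a wrapper loop can reconnect, and a constructed before/after config pair for a self-check. It assumes System B is 199.44.214.23 (from the thread) and uses a hypothetical unprivileged login "tunnel" on B instead of root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: System B is
# 199.44.214.23 (from the thread); the login on B is "tunnel", a
# hypothetical unprivileged account used instead of root.

# Print the first uncommented value of an sshd_config keyword, lowercased.
# sshd matches keywords case-insensitively and uses the first occurrence.
sshd_option() {
    printf '%s\n' "$2" \
        | grep -iE "^[[:space:]]*$1[[:space:]]+" \
        | head -n 1 \
        | awk '{print tolower($2)}'
}

# Succeed only if the config body enables both options the poster needed:
# AllowTcpForwarding so -R is honoured at all, and GatewayPorts so the
# listener on B binds to all interfaces instead of only 127.0.0.1, which
# was the symptom in the thread ("weren't accepting connections from
# machines other than localhost on the outside machine").
check_sshd_config() {
    [ "$(sshd_option GatewayPorts "$1")" = yes ] &&
    [ "$(sshd_option AllowTcpForwarding "$1")" = yes ]
}

# Build the command System A runs to publish its own sshd (port 22) as a
# port on B. -N: no remote shell; ExitOnForwardFailure: exit instead of
# silently running with no listener; ServerAlive*: notice a dead link so
# the loop below reconnects (the "keep it alive" part of the thread).
# Args: remote_port local_port hop_host hop_user
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:localhost:%s %s@%s' \
        "$1" "$2" "$4" "$3"
}

# Reconnect loop for System A (run it inside screen). Not executed here.
keep_tunnel() {
    while :; do
        sh -c "$(tunnel_cmd "$@")"
        sleep 10
    done
}

# Constructed sample configs for the self-check, not the poster's real files.
CONFIG_BEFORE='#GatewayPorts no
AllowTcpForwarding yes'
CONFIG_AFTER='GatewayPorts yes
AllowTcpForwarding yes
PermitRootLogin no'
```

With GatewayPorts yes, port 10000 on B is reachable from the whole Internet, so A's sshd is effectively exposed and should use key-only authentication as suggested earlier in the thread.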
 