Specifying tunnel output interface? - SSH

Thread: Specifying tunnel output interface?

  1. Specifying tunnel output interface?

    Hi there,

    I'm trying to run a ssh tunnel through an internal ip and out through an
    external IP on another device. Here's my current command line:

    ssh -D 1080 margo@192.168.1.10

    192.168.1.10 is set up as so:

    eth0: 192.168.1.10 (internal, sshd)
    eth1: ext.ext.ext.ext (external IP, no services running)

    Is there any way to ssh in through eth0 and direct all traffic tunneled
    through to eth1? I've looked through the man page and can't see a way to
    specify output address or interface.

    Thanks!

    Margo Szathmár


  2. Re: Specifying tunnel output interface?

    In article Margo Szathmár writes:
    >
    >ssh -D 1080 margo@192.168.1.10
    >
    >192.168.1.10 is set up as so:
    >
    >eth0: 192.168.1.10 (internal, sshd)
    >eth1: ext.ext.ext.ext (external IP, no services running)
    >
    >Is there any way to ssh in through eth0 and direct all traffic tunneled
    >through to eth1? I've looked through the man page and can't see a way to
    >specify output address or interface.


    Why would you need or want to do that? The outgoing interface is chosen
    by "192.168.1.10"'s (hey, it gets clearer if you give it a name:-)
    kernel based on its routing tables and the ultimate destination address
    just as for any other connection originating there. Trying to force it
    generally just causes breakage.

    --Per Hedeland
    per@hedeland.org

  3. Re: Specifying tunnel output interface?

    In article Margo Szathmár writes:
    >
    >Thank you for your response. I oversimplified my original post for ease of
    >understanding.
    >
    >In reality, the box is set up like this:
    >
    >eth0: 192.168.2.254 (for example -- it isn't relevant)
    >eth1: 192.168.2.1
    >eth1:0: 192.168.2.2
    >eth1:1: 192.168.2.3
    >eth1:2: 192.168.2.4
    >
    >and so on.
    >
    >I'm tunneling because I need to access a certain web page -- a service
    >portal of sorts -- that is set up to deny connections coming in unless
    >they're from certain prespecified addresses. When I tunnel, by default, it
    >goes out on an address that isn't one of those predefined few.


    Yes, that's a rather different picture - i.e. you apparently need to
    choose one address out of a set that are all *on the same subnet* (as
    opposed to your earlier description of "external" vs "internal", which
    would by any sane interpretation be on *different* subnets).

    Still seems like a pretty weird setup where most anything connecting
    from this host would have problems - very few "client" applications
    allow you to specify which source address to use for their connections.
    At least assuming Linux, I believe you can control this to some degree
    with the routing tables though, but it's pretty "advanced", of course
    requires root privilege, and couldn't easily differentiate between a
    "really" locally originating connection and an ssh-"forwarded" one
    (which really just is one case of "locally originating").

    Anyway, as far as I know there is no way to control this source address
    with any version of OpenSSH - it may even be a limitation of the SSH
    protocol as such (i.e. it would be necessary for the client to pass the
    desired source address to the server, and the protocol may not provide a
    way to do that).

    --Per Hedeland
    per@hedeland.org

  4. Re: Specifying tunnel output interface?

    Per Hedeland wrote:
    >
    > Anyway, as far as I know there is no way to control this source address
    > with any version of OpenSSH - it may even be a limitation of the SSH
    > protocol as such (i.e. it would be necessary for the client to pass the
    > desired source address to the server, and the protocol may not provide a
    > way to do that).


    I'm not sure if this will help the OP (I don't understand the setup, but
    from the descriptions I think it will help):

    [from man ssh]

    -b bind_address
    Specify the interface to transmit from on machines with multiple
    interfaces or aliased addresses.

    --
    Regards,
    Harrie

  5. Re: Specifying tunnel output interface?

    In article <484ffc3e$0$1973$e4fe514c@dreader26.news.xs4all.nl> Harrie
    writes:
    >Per Hedeland wrote:
    >>
    >> Anyway, as far as I know there is no way to control this source address
    >> with any version of OpenSSH - it may even be a limitation of the SSH
    >> protocol as such (i.e. it would be necessary for the client to pass the
    >> desired source address to the server, and the protocol may not provide a
    >> way to do that).

    >
    >I'm not sure if this will help the OP (I don't understand the setup, but
    >from the descriptions I think it will help):
    >
    >[from man ssh]
    >
    > -b bind_address
    > Specify the interface to transmit from on machines with multiple
    > interfaces or aliased addresses.


    Unfortunately not, that refers to the source address of the basic ssh ->
    sshd connection - the OP was asking about the forwarded connections
    originated by sshd, i.e. the connection from the host where sshd runs to
    host:hostport in a local forwarding of -Lport:host:hostport.

    --Per Hedeland
    per@hedeland.org

  6. Re: Specifying tunnel output interface?

    Per Hedeland wrote:
    > In article <484ffc3e$0$1973$e4fe514c@dreader26.news.xs4all.nl>
    > Harrie writes:
    >> Per Hedeland wrote:


    >>> Anyway, as far as I know there is no way to control this source address
    >>> with any version of OpenSSH - it may even be a limitation of the SSH
    >>> protocol as such (i.e. it would be necessary for the client to pass the
    >>> desired source address to the server, and the protocol may not provide a
    >>> way to do that).

    >>
    >> I'm not sure if this will help the OP (I don't understand the setup, but
    >> from the descriptions I think it will help):
    >> [from man ssh]
    >>
    >> -b bind_address
    >> Specify the interface to transmit from on machines with multiple
    >> interfaces or aliased addresses.

    >
    > Unfortunately not, that refers to the source address of the basic ssh ->
    > sshd connection - the OP was asking about the forwarded connections
    > originated by sshd, i.e. the connection from the host where sshd runs to
    > host:hostport in a local forwarding of -Lport:host:hostport.


    Ah, yes, sorry, like I said, I didn't understand the setup of the OP, or
    what she(?) exactly tries to accomplish.

    I think I've got it now (thanks to your explanation) and yes, I agree,
    it's probably only possible by changing the routing table.

    To the OP:

    Have a look at the "iproute2" package (it has a handful of commands to
    alter the routing on a box), but be prepared to get your hands dirty.

    Or maybe this can be done by making a dedicated tunnel *before* you make
    the tunnel you want, that way, I think, you can control the outgoing
    device and/or address, but personally I need more info on what exactly
    you try to do to see if that should work or not ..

    HTH

    --
    Regards,
    Harrie
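
The thread's conclusion (posts 3 and 6) is that OpenSSH cannot choose the
source address of the connections sshd opens on behalf of -D/-L forwards, and
that the only handle is the server's routing table. The following is an added
example, not code from the thread or from OpenSSH: it installs a route for the
portal's address that carries a preferred-source hint (iproute2's "src"
option), which the kernel applies to any locally originated socket that does
not bind an address itself, sshd's forwarded connections included. The portal
prefix 203.0.113.10/32, the gateway 192.168.2.254 and the chosen alias
192.168.2.3 are assumptions; the sample "ip route get" output in the test is
constructed. Applying the route needs root, and, as Per pointed out, it
affects every connection from that host to that destination, not just the
ssh-forwarded ones.

```shell
#!/bin/sh
# Added example (not from the thread): pin the source address the kernel picks
# for connections to one destination, so that sshd-originated forwards (-D/-L)
# to that destination leave from a chosen alias without touching other routes.
# Addresses, the portal prefix and the gateway below are assumptions.

# Build the iproute2 command that installs a host/prefix route carrying a
# preferred-source hint. $1 = destination prefix, $2 = source address,
# remaining args = next hop ("via GATEWAY" or "dev IFACE").
route_cmd() {
    dest=$1; src=$2; shift 2
    echo "ip route replace $dest $* src $src"
}

# Sanity check for a dotted-quad IPv4 address: four octets, each 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    (
        IFS=.
        for o in $1; do [ "$o" -le 255 ] || exit 1; done
    )
}

# Pull the "src" field out of "ip route get DEST" output (read from stdin).
# That command is how you verify what the kernel will actually use.
route_get_src() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit } }'
}

# Print the route command, or with APPLY=1 run it (needs root / CAP_NET_ADMIN)
# and show the source address the kernel now reports for that destination.
pin_source() {
    dest=$1; src=$2; shift 2
    is_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
    cmd=$(route_cmd "$dest" "$src" "$@")
    if [ "${APPLY:-0}" = 1 ]; then
        $cmd || return 1
        ip route get "${dest%%/*}" | route_get_src
    else
        echo "$cmd"
    fi
}

# Constructed scenario (assumed addresses): the portal is 203.0.113.10/32,
# reached via gateway 192.168.2.254, and must see connections from the
# alias 192.168.2.3. Without APPLY=1 this only prints the command.
pin_source 203.0.113.10/32 192.168.2.3 via 192.168.2.254
```

After applying it, "ip route get 203.0.113.10" should show "src 192.168.2.3",
and a "-D 1080" session through that host will reach the portal from that
address. If the portal is on the same subnet as the aliases, use "dev eth1"
instead of "via GATEWAY". Using "default" as the destination would instead
change the source of all outbound traffic, which is exactly the breakage the
thread warns about.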
