OpenSSH dynamic port forwarding - SSH


  1. OpenSSH dynamic port forwarding

    Hi guys,
    I have this problem. At work I am behind a firewall but there is a server
    that's outside our trusted network. Thing is, I cannot connect to
    this server (called "server2") directly, I have to do it through
    another server (called "server1"). I managed to set static port
    forwarding for IRC for example.

    ssh -f -L 5551:localhost:5551 user@server1 ssh -f -L
    5551:localhost:5551 user@server2 ssh -f -N -L
    5551:efnet.demon.co.uk:6667 user@localhost

    Then if I connect to localhost:5551 in my IRC client, it is forwarded
    to efnet.demon.co.uk:6667. This works just fine. Problem is how to set
    connection for FTP or BitTorrent, which use more than one port. Is it
    possible to set Dynamic Port Forwarding (ssh -D port ...) same way as
    this static port forwarding? Through two servers?

    I'd really appreciate some tips.

    Thanks a lot.

    Peter


  2. Re: OpenSSH dynamic port forwarding

    gnomee wrote:
    > Hi guys,
    > I have this problem. At work I am behind a firewall but there is a
    > server that's outside our trusted network. Thing is, I cannot
    > connect to this server (called "server2") directly, I have to do it
    > through another server (called "server1"). I managed to set static
    > port forwarding for IRC for example.
    >
    > ssh -f -L 5551:localhost:5551 user@server1 ssh -f -L
    > 5551:localhost:5551 user@server2 ssh -f -N -L
    > 5551:efnet.demon.co.uk:6667 user@localhost
    >
    > Then if I connect to localhost:5551 in my IRC client, it is forwarded
    > to efnet.demon.co.uk:6667. This works just fine. Problem is how to set
    > connection for FTP or BitTorrent, which use more than one port. Is it
    > possible to set Dynamic Port Forwarding (ssh -D port ...) same way as
    > this static port forwarding? Through two servers?
    >
    > I'd really appreciate some tips.
    >
    > Thanks a lot.
    >
    > Peter


    Talk to your local IT staff about opening up a hole for you for FTP or
    BitTorrent. Seriously, if this is their security policy, I'm reluctant to
    help you start poking holes in it, and you should be cautious about doing it
    let you demonstrate that you're so sharp, you're cutting yourself. They may
    actually have real policies for being this uptight: I've previously
    been asked to set up a site's firewalls in such a way as to prevent outgoing
    FTP to avoid people exporting private internal documents, or using work's
    wonderful bandwidth for loading up their MP3 libraries, and if I had opened
    up an external SSH port for you in such a situation and noticed from the
    bandwidth logs that you were channeling in big amounts of data, I'd be upset
    with you.

    I've not tried to do exactly what you're asking to do, so I'm not sure it
    will work well. But why not do the downloads to the external machine, then
    grab them with scp or sftp or rsync when the transfer is complete?



  3. Re: OpenSSH dynamic port forwarding

    Nico Kadel-Garcia wrote:

    > Talk to your local IT staff about opening up a hole for you for FTP or
    > Bittorrent. Seriously, if this is their security policy, I'm
    > reluctant to help you start poking holes in it, and you should be
    > cautious about doing it let you demonstrate that you're so sharp,
    > you're cutting yourself. They may have actually have real policies


    That came out wrong: I meant: "lest you demonstrate you're so sharp, you cut
    yourself".



  4. Re: OpenSSH dynamic port forwarding

    I already set up an rsync script for this... I was only looking for a more
    comfortable solution.

    So there is no way to set up SOCKS with SSH and send it through 2
    hosts?

    "ssh -D socks_port host" will send it to host and then request the
    "target_server:port" from there, right? I need another hop to server2
    and then request "target_server:port" from there...

    Is that possible?




  5. Re: OpenSSH dynamic port forwarding

    >>>>> "gnomee" == gnomee writes:

    gnomee> I already set up an rsync script for this... I was only looking
    gnomee> for a more comfortable solution.

    gnomee> So there is no way to set up SOCKS with SSH and send it
    gnomee> through 2 hosts?

    Assuming you have netcat (nc) on server1:

    ssh -D 1080 server2 -o proxycommand="ssh -qax server1 nc %h %p"

    gnomee> "ssh -D socks_port host" will send it to host and then request
    gnomee> the "target_server:port" from there, right? I need another hop
    gnomee> to server2 and then request "target_server:port" from there...

    gnomee> Is that possible?




    --
    Richard Silverman
    res@qoxp.net


  6. Re: OpenSSH dynamic port forwarding

    Thanks,
    that's what I'm looking for.

    Really appreciate it,
    cheers





  7. Re: OpenSSH dynamic port forwarding

    I have one more question.
    I set this SOCKS4 server with SSH (I have an older version of SSH, 3.6.1, on
    Mac OS X Panther, which supports only SOCKS4):

    ssh -D 1080 server2 -o proxycommand="ssh -qax server1 nc %h %p"

    I was able to run IRC and BitTorrent but I am still unable to get FTP
    working through SOCKS4.

    Any ideas? Is that because of SOCKS4? Will it work with new SSH and
    SOCKS5?

    It is still trying to connect and it connects to FTP but it won't get
    any response...

    Cheers





  8. Re: OpenSSH dynamic port forwarding

    On 2006-07-18, gnomee wrote:
    > I was able to run IRC and BitTorrent but I am still unable to get FTP
    > working through SOCKS4.
    >
    > Any ideas? Is that because of SOCKS4? Will it work with new SSH and
    > SOCKS5?


    No, the most likely cause is that you're trying to use active mode
    FTP which means that the server will try to connect back to you which
    doesn't work. If your FTP client supports it, try passive mode.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
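
Added example (not part of any post in the thread): the last reply's point about active versus passive FTP, shown on a constructed control-channel transcript. The SOCKS listener opened by `ssh -D` only relays connections the client opens, so only the passive-mode data channel can be carried; the sample lines, addresses and function names are assumptions made for illustration.

```python
import re

# Constructed FTP control-channel transcript ("C:" client, "S:" server); sample addresses only.
SAMPLE_SESSION = [
    "C: USER anonymous",
    "C: PORT 192,168,1,23,195,80",
    "S: 200 PORT command successful",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,10,234,96)",
    "C: RETR file.txt",
]

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 field of PORT and of the 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channels(lines):
    """Return (mode, initiator, host, port) per negotiated data channel."""
    found = []
    for line in lines:
        side, _, rest = line.partition(": ")
        verb = rest.split(" ", 1)[0].upper()
        # Active: client sends PORT, server dials back to that address.
        # Passive: server answers PASV with 227, client dials out.
        if (side, verb) == ("C", "PORT"):
            mode, initiator = "active", "server"
        elif (side, verb) == ("S", "227"):
            mode, initiator = "passive", "client"
        else:
            continue
        hostport = decode_hostport(rest)
        if hostport:
            found.append((mode, initiator, *hostport))
    return found

def works_through_outbound_proxy(channel):
    """A proxy that only relays client-opened connections needs initiator == client."""
    return channel[1] == "client"

if __name__ == "__main__":
    print([(c, works_through_outbound_proxy(c)) for c in data_channels(SAMPLE_SESSION)])
```

In the active case the address in PORT is the client's own internal address, which the FTP server cannot reach and which the tunnel does not listen on; in the passive case the client opens the data connection itself, so it goes out through the proxy like the control connection did.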
