ports and forwarding

byrdman
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

ports and forwarding

Post by byrdman » Tue Oct 05, 2010 10:23 am

I hope I can explain my issue correctly. I have a device behind a client firewall that is listening on 22 and on 9092. I can get to this device only from my server on 22. I want to figure out how to get to 9092 on device from my workstation.

So is there a way to forward 9092 over SSH...through the server over ssh?

Client firewall only allows 22 from a single IP, which is my server. I can ssh into server from my workstation and then into device behind firewall. I would like to be able to open up remote desktop viewer on my workstation and connect to device.
Is this helping any?

Workstation Remote desktop->(9092 over SSH) -> Server(SSH) ->(SSH) Device listening on 22&9092

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Tue Oct 05, 2010 12:35 pm

When you say "remote desktop", are you talking about RDPing into a Windows machine via a forwarded port on your server? Regardless, port forwarding via ssh is easy, but if your server is Linux/iptables and you want these ports set up permanently, I would just forward what you want via your iptables configuration and restrict what can connect to it. If what has to connect to it is dynamic (your home computer), then maybe write a little script to ssh into the server and forward the ports you want. I have scripts set up to forward several ports in a single script using ssh for various purposes.

Here is one I use to port-knock my wireless router to open up a forwarded port to my ssh daemon on a machine in my house, and then forward several ports from various hosts in my house to my loopback interface for things like VMware consoles, VNC, ssh, mail, proxy, etc.:

    #!/bin/sh
    # Knock the router first so it opens the forwarded port (999 below) to the
    # ssh daemon at home, then hold a single ssh session that carries every
    # forward.  Each -L is localport:host:remoteport, and "host" is resolved by
    # the home machine, so VMware consoles, VNC, ssh, mail and the proxy all
    # show up on the local loopback interface.
    # Note: -c blowfish is not offered by current OpenSSH releases; on a modern
    # client drop the -c option and the default cipher list is used.
    knock voidmain.is-a-geek.net 2222 3333 4444
    sleep 2
    ssh -c blowfish -p 999 \
    -L 5906:kflinux:5900 \
    -L 3993:imap.gmail.com:993 \
    -L 1902:localhost:902 \
    -L 2200:localhost:22 \
    -L 3128:localhost:3128 \
    -L 5901:localhost:5900 \
    -L 5902:localhost:5901 \
    -L 5903:localhost:5902 \
    -L 5904:localhost:5903 \
    -L 8223:localhost:8222 \
    -L 8334:localhost:8333 \
    -L 1430:mail:143 \
    -L 2500:mail:25 \
    -L 1500:myth:1500 \
    -L 5905:myth:5900 \
    -L 8001:myth:8001 \
    -L 8002:myth:8002 \
    -L 3995:pop.gmail.com:995 \
    -L 3333:proxy:3333 \
    -L 3465:smtp.gmail.com:465 \
    -L 33890:xp:3389 \
    voidmain@voidmain.is-a-geek.net "while true; do date; sleep 30; done"

I changed a couple of numbers to protect the innocent of course. :) A couple of those forwards actually get me into my parents computer back on their farm which is connected to my home network via OpenVPN. That last line is just to keep the connection alive.

byrdman
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Tue Oct 05, 2010 2:52 pm

The remote desktop is actually to a Linux device, Ubuntu, that I am trying to connect to. The vino-server listens on 9092 instead of the common 5800/5900. Typically, we have clients' IT departments allow us in for remote management of our devices, but this one client only allowed our server, which the device talks to.
Here is a better explanation (I think :)):

my workstation is 192.168.0.1, server is 192.168.25.10(External ip is x.x.x.164)
client only allows 22 inbound from the 192.168.25.10 server(the .164 external IP)
I can get into device if I ssh into server then into device. Is there a way to temporarily tunnel my workstation VNC program to connect to device:9092 over SSH through the 25.10 server?

BTW, thank you for the sample code...that is going to come in handy!!

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Tue Oct 05, 2010 10:03 pm

In addition to allowing port 22, does it allow the VNC port connection from your server? If so, you would just:

    [byrdman@192.168.0.1 ~]$ ssh -L 9999:client:9092 byrdman@192.168.25.10

Then you would:

    [byrdman@192.168.0.1 ~]$ vncviewer localhost:9999

From the client's perspective you are vnc'ing to it from the server. From your perspective you are vnc'ing to your loopback interface port 9999. Now, if *only* port 22 on the client is open to the server you can still do it but it will take another step but it sounds like both ports are open to your server. There is no significance to why I picked port 9999 to forward to. I just used a number other than 9092 so you can see which side is the local port and which side is the remote port. You could have used 9092 for both local and remote. By using different local ports you could set up a connection to multiple clients that are listening on 9092. You would just use a different local port for each one.

byrdman
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Wed Oct 06, 2010 6:57 am

I guess I forgot a statement that may have been important. The client device is behind a firewall that only allows 22 from our server, and the client device's iptables only allows 22, but the client device is listening on 22 and 9092.
Also, when on the server I then have to log in as the device's user, not me. That's where I was getting lost.

So all in all, I need to tunnel 9092 over 22 from workstation to client through server. So what would that extra step be?


byrdman to server as byrdman then client_user to device as client_user.
then would I open the vncviewer to localhost?

does this help?
    Now, if *only* port 22 on the client is open to the server you can still do it but it will take another step but it sounds like both ports are open to your server
This is correct and what I would need help with.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Oct 06, 2010 8:07 am

Ahh, so what you really ultimately want are two tunnels. One to tunnel ssh through your server to the client and the second tunnel is to use the first tunnel to get localhost:9092 on the client to go to some port on your workstation's localhost (9999 in my other example).

You could do it in two steps or you could do it in one more complicated step. To do it in two steps you would:

    [byrdman@192.168.0.1 ~]$ ssh -L 2022:client:22 serveruser@192.168.25.10

At this stage you should be able to "ssh -p 2022 clientuser@localhost" to log into the remote client directly from your workstation, but if in that same process you want to forward that client's 9092 to your 9999, you would, in another shell on your workstation:

    [byrdman@192.168.0.1 ~]$ ssh -p 2022 -L 9999:localhost:9092 clientuser@localhost

Then in another shell:

    [byrdman@192.168.0.1 ~]$ vncviewer localhost:9999

That should work for now and I can come up with a single command to do the same thing but I would have to think about it and don't have time right this minute. Will do it later though. Maybe that will spark a thought.
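The two-step tunnel in the post above, and the single-hop forward from the earlier post, as an added example that is not code from the thread. It assumes the names used in the thread (server 192.168.25.10, the device reachable from the server as "client", vino on 9092, local port 9999, hop port 2022) and invents the logins "serveruser" and "clientuser"; all of them can be overridden from the environment. It also adds the checks a practitioner wants on a tunnel that crosses a client's firewall: the local listener pinned to 127.0.0.1, failure if the port is already bound, host-key checking that still works for a hop reached through localhost:2022, and the single-command ProxyJump form that Void Main mentions wanting to work out.

```shell
#!/bin/sh
# Two-hop SSH tunnel for the thread's setup (added example, not from the
# thread).  Assumed names, overridable via the environment:
#   SERVER_HOST  the server the client firewall admits on 22 (192.168.25.10)
#   CLIENT_HOST  the Ubuntu device as the *server* resolves it ("client")
#   SERVER_USER / CLIENT_USER  the two different logins the thread mentions
#   VNC_PORT     vino-server on the device, reachable only on its loopback
#   LOCAL_PORT   the port vncviewer connects to on the workstation
#   HOP_PORT     the local port that reaches the device's sshd (two-step way)
set -eu

SERVER_HOST=${SERVER_HOST:-192.168.25.10}
SERVER_USER=${SERVER_USER:-serveruser}
CLIENT_HOST=${CLIENT_HOST:-client}
CLIENT_USER=${CLIENT_USER:-clientuser}
VNC_PORT=${VNC_PORT:-9092}
LOCAL_PORT=${LOCAL_PORT:-9999}
HOP_PORT=${HOP_PORT:-2022}

# Accept only a TCP port number: the value lands on an ssh command line.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Options every tunnel below gets:
#   -N                         no remote shell; the session only forwards
#   ExitOnForwardFailure=yes   die if the local port is already bound,
#                              instead of silently running without the forward
#   ServerAliveInterval=30     keepalive, instead of a "sleep 30" loop
#   StrictHostKeyChecking=yes  never accept a new or changed host key from
#                              inside a tunnel without checking it first
COMMON_OPTS='-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o StrictHostKeyChecking=yes'

# Two-step method, step 1: workstation:HOP_PORT -> server -> client:22.
# The listener is pinned to 127.0.0.1 so nothing else on the workstation's
# LAN can use it (loopback is the default, but being explicit documents it).
hop1_cmd() {
    printf 'ssh %s -L 127.0.0.1:%s:%s:22 %s@%s' \
        "$COMMON_OPTS" "$HOP_PORT" "$CLIENT_HOST" "$SERVER_USER" "$SERVER_HOST"
}

# Step 2: through HOP_PORT, forward the device's loopback-only VNC listener.
# HostKeyAlias records the device's key under its own name instead of
# "[localhost]:2022", so the host-key check still means something.
hop2_cmd() {
    printf 'ssh %s -p %s -o HostKeyAlias=%s -L 127.0.0.1:%s:localhost:%s %s@localhost' \
        "$COMMON_OPTS" "$HOP_PORT" "$CLIENT_HOST" "$LOCAL_PORT" "$VNC_PORT" "$CLIENT_USER"
}

# Single-command method (OpenSSH 7.3 or later): -J makes the server a jump
# host, and CLIENT_HOST is resolved by the server, not by the workstation.
# On older clients the equivalent is -o ProxyCommand='ssh -W %h:%p user@server'.
single_cmd() {
    printf 'ssh %s -J %s@%s -L 127.0.0.1:%s:localhost:%s %s@%s' \
        "$COMMON_OPTS" "$SERVER_USER" "$SERVER_HOST" \
        "$LOCAL_PORT" "$VNC_PORT" "$CLIENT_USER" "$CLIENT_HOST"
}

# The same thing as an ssh_config fragment, so it becomes "ssh -N client-vnc".
write_ssh_config() {
    cat > "$1" <<EOF
Host relay
    HostName $SERVER_HOST
    User $SERVER_USER

Host client-vnc
    HostName $CLIENT_HOST
    User $CLIENT_USER
    ProxyJump relay
    LocalForward 127.0.0.1:$LOCAL_PORT localhost:$VNC_PORT
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    StrictHostKeyChecking yes
EOF
}

# Start the single-command tunnel in the foreground; then run
# "vncviewer localhost:$LOCAL_PORT" in another shell.
start_tunnel() {
    valid_port "$LOCAL_PORT" && valid_port "$VNC_PORT" && valid_port "$HOP_PORT" ||
        { echo "bad port number" >&2; return 1; }
    # $COMMON_OPTS is unquoted on purpose so it splits into separate options.
    exec ssh $COMMON_OPTS -J "$SERVER_USER@$SERVER_HOST" \
        -L "127.0.0.1:$LOCAL_PORT:localhost:$VNC_PORT" "$CLIENT_USER@$CLIENT_HOST"
}

if [ "${1:-}" = "start" ]; then
    start_tunnel
fi
```

Run it as `sh tunnel.sh start` and point vncviewer at localhost:9999 in another window; `hop1_cmd` and `hop2_cmd` print the two-window version for clients that cannot use -J. Because the device's vino listener is only reachable from its own loopback, the second hop must say `localhost:9092` and be terminated on the device itself, which is exactly what the second ssh (or the ProxyJump target) does; the first ssh alone, as in the single-hop post, would only work if the client firewall also passed 9092 from the server.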

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Oct 06, 2010 7:17 pm

Just tried the above at home and it all worked for me. Hopefully it worked for you. I use keys everywhere as well so I don't have to type in a password.
