Port Forwarding via SSH

I am using TightVNC regularly by local port forwarding via SSH, but am wondering whether the following is possible.

TightVNC Viewer runs a mini-webserver (default 5800). I want to get a server in one office to 'present' the web server port of a remote computer by tunneling through a remote server. Is this possible?
 
I tried that, but haven't been able to get that to work.

I was trying things along the lines of:

ssh -L '*:80:192.168.0.55:8080' saucysusan.com

but that didn't seem to work.

p.s. I added this to the firewall
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -s 192.168.4.0/24 -j ACCEPT
 
Two machines: client, which is the machine that forwards, and server, the server hosting the website. With firewall disabled, works as expected.

A default set of rules, such as the simple_firewall.rules file included with Arch, may look as follows:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT


I then added the following rule on the client and server to enable SSH:
Code:
sudo iptables -I INPUT -p tcp -i eno1 --dport 22 -m state --state NEW -j ACCEPT


And the following rule on the client to allow connections to HTTPS port 443:
Code:
sudo iptables -I INPUT -p tcp -i eno1 --dport 443 -m state --state NEW -j ACCEPT


Then setup forwarding as follows:
Code:
sudo ssh -L '*:443:<SERVER>:8384' <USER>@<SERVER>


In this case, I'm redirecting 443 (HTTPS port) to 8384 (Syncthing web management port). Works successfully.

The issue lies somewhere in your firewall configuration on either machine, depending on what the error is. Note that I've used -I to prepend the rules to the top of the INPUT chain, so it may be that you have a rule that is overriding the one you've added. You don't want a forwarding rule in iptables, as the forwarding isn't taking place there. You should just need an accept rule as above, and on the server a rule set that will allow the local connection.
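As an added worked example (not code from any post in this thread), the procedure above as a script: a local forward bound on all interfaces of the machine running ssh, an INPUT rule limited to the office LAN, and a check that the resulting listener really is on 0.0.0.0 rather than loopback. The host names, addresses and ports are placeholders taken from the thread, and the `ss -ltn` sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: present a web port on a host behind an
# SSH server on ALL interfaces of the machine running ssh, then confirm the
# listener is bound on 0.0.0.0 rather than only on loopback.
set -eu

# Assumed values, edit for your network.
JUMP_HOST="user@saucysusan.com"   # the SSH server that can reach TARGET
TARGET="192.168.0.55"             # host behind the SSH server
TARGET_PORT=8080                  # service on TARGET
LOCAL_PORT=8080                   # port to present here; <1024 needs root
ALLOWED_NET="192.168.4.0/24"      # LAN that may reach LOCAL_PORT

# The -L argument. '*' (or 0.0.0.0) as bind address makes the forward listen
# on all interfaces; the default is loopback only. Callers must quote it:
# an unquoted * is a shell glob.
forward_spec() {
  printf '%s' "*:${LOCAL_PORT}:${TARGET}:${TARGET_PORT}"
}

# Firewall rule for THIS machine (the one running ssh). No FORWARD rule is
# needed: ssh terminates the connection locally, so only INPUT matters.
firewall_rule() {
  printf 'iptables -I INPUT -p tcp --dport %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$LOCAL_PORT" "$ALLOWED_NET"
}

start_forward() {
  # -N: no remote shell; ExitOnForwardFailure: exit loudly if the port is taken.
  # GatewayPorts on the server is not involved: it governs -R, not -L.
  ssh -N -o ExitOnForwardFailure=yes -L "$(forward_spec)" "$JUMP_HOST"
}

# Classify where a port is listening from `ss -ltn` output (arg 1) for port
# (arg 2): "all" when bound on 0.0.0.0, * or [::]; "loopback" when only on
# 127.0.0.1 or [::1]; "none" when nothing listens on it.
listener_scope() {
  printf '%s\n' "$1" | awk -v p=":$2\$" '$1=="LISTEN" && $4 ~ p {print $4}' | {
    scope=none
    while read -r addr; do
      case "$addr" in
        0.0.0.0:*|\*:*|"[::]:"*) scope=all ;;
        127.0.0.1:*|"[::1]:"*)  [ "$scope" = all ] || scope=loopback ;;
      esac
    done
    printf '%s' "$scope"
  }
}

verify_forward() {
  listener_scope "$(ss -ltn)" "$LOCAL_PORT"
}

# Constructed sample of `ss -ltn` output: sshd on all interfaces, plus a
# forward started WITHOUT the '*' bind address, so it listens on loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080       0.0.0.0:*
LISTEN 0      128    [::1]:8080           [::]:*'

case "${1:-}" in
  rule)   firewall_rule ;;
  start)  start_forward ;;
  verify) verify_forward ;;
  demo)   listener_scope "$SAMPLE_SS" "$LOCAL_PORT" ;;
esac
```

Run `sh forward.sh rule` to print the iptables rule, `sh forward.sh start` to bring the tunnel up, and `sh forward.sh verify` from another terminal; a result of `loopback` means the bind address was dropped or globbed away, which is the most common reason a `-L '*:...'` forward "doesn't work" while the firewall is blamed. Anyone on ALLOWED_NET then reaches the target service with no authentication of their own, so keep that network as narrow as possible.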
 
Why not use SSH to proxy your connections down the SSH tunnel?

On your machine:

ssh -D 9090 user@ipaddress_of_server

Enter your password for the server.

Now you can configure your browser's proxy settings to point to localhost:9090 (socks) and you can browse down the SSH tunnel on whatever port you want. You can also configure proxychains to use that tunnel to send other traffic down.
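An added example for the SOCKS approach above (not code from the post or from the proxychains project): the dynamic forward bound to loopback only, a proxychains configuration that keeps name resolution inside the tunnel, and a check that flags a configuration which would leak DNS. The server address and port are placeholders from the post; the configurations fed to the check are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a SOCKS proxy over SSH with -D, plus a
# proxychains configuration that keeps DNS inside the tunnel.
set -eu

SSH_SERVER="user@ipaddress_of_server"   # placeholder from the post above
SOCKS_PORT=9090

# Bring up the dynamic forward. -N: no remote shell; binding to 127.0.0.1 keeps
# other hosts on your LAN from riding your tunnel; ExitOnForwardFailure makes
# ssh exit if the port is already taken instead of silently continuing.
start_socks() {
  ssh -N -o ExitOnForwardFailure=yes -D "127.0.0.1:${SOCKS_PORT}" "$SSH_SERVER"
}

# proxychains configuration. proxy_dns sends name lookups through the proxy;
# without it DNS queries leave your machine directly and reveal which sites
# you visit even though the TCP traffic itself is tunnelled.
proxychains_conf() {
  cat <<EOF
strict_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 ${SOCKS_PORT}
EOF
}

# Inspect a proxychains.conf passed as text. Returns "ok" when DNS is proxied
# and every proxy entry is a local socks5 one; otherwise names the problem:
# "dns-leak", "no-proxy" or "bad-proxy".
check_conf() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*proxy_dns' || { printf 'dns-leak'; return 0; }
  printf '%s\n' "$1" | awk '
    /^\[ProxyList\]/ { inlist = 1; next }
    inlist && NF && $1 !~ /^#/ { n++; if ($1 != "socks5" || $2 != "127.0.0.1") bad = 1 }
    END { if (n == 0) print "no-proxy"; else if (bad) print "bad-proxy"; else print "ok" }'
}

# Fetch a URL through the tunnel. --socks5-hostname resolves the name on the
# far side; plain --socks5 would resolve it locally and leak the lookup.
curl_via_socks() {
  curl --socks5-hostname "127.0.0.1:${SOCKS_PORT}" "$1"
}

case "${1:-}" in
  start) start_socks ;;
  conf)  proxychains_conf ;;
  get)   curl_via_socks "$2" ;;
esac
```

`sh socks.sh conf > ~/.proxychains/proxychains.conf` writes the configuration, after which `proxychains curl http://...` or `sh socks.sh get http://...` sends both the connection and the name lookup down the tunnel. In a browser, the equivalent of `proxy_dns` is the "Proxy DNS when using SOCKS v5" option; without it the same leak occurs.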
 