This question is probably answered already and there are numerous articles showing how to do reverse ssh tunnel. I am however stuck on the last step.
I have a Linux box that runs a web service on port 8080. This is behind a NAT and I can not port-forward from the overlaying routers to it.
I have a fresh Ubuntu 18 ec2 instance on AWS and I am using the following command to reverse the tunnel from my Linux box.
ssh -i "key.pem" -R \*:8080:\*:8080 ubuntu#ec2 -p 45332
EC2 ssh server listening on port 45332
On the server:
$ sudo lsof -i -P -n | grep LISTEN
systemd-r 650 systemd-resolve 13u IPv4 15830 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd 893 root 3u IPv4 18322 0t0 TCP *:45332 (LISTEN)
sshd 893 root 4u IPv6 18333 0t0 TCP *:45332 (LISTEN)
sshd 20731 ubuntu 9u IPv6 75581 0t0 TCP [::1]:8080 (LISTEN)
sshd 20731 ubuntu 10u IPv4 75582 0t0 TCP 127.0.0.1:8080 (LISTEN)
If I do curl localhost:8080 on Ec2, I get the correct web service response.
But when I do the curl using the Public IP/Public DNS name from same ec2 or a completely different device I get:
curl: (7) Failed to connect to <IP> port 8080: Connection refused
I have checked my VPC ACL and allowed ALL inbound and outbound traffic in the security group.
I made sure that there the firewall rules are not blocking it:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
45332/tcp ALLOW IN Anywhere
45332/udp ALLOW IN Anywhere
8080/tcp ALLOW IN Anywhere
8080/udp ALLOW IN Anywhere
45332/tcp (v6) ALLOW IN Anywhere (v6)
45332/udp (v6) ALLOW IN Anywhere (v6)
8080/tcp (v6) ALLOW IN Anywhere (v6)
8080/udp (v6) ALLOW IN Anywhere (v6)
When this didn't work, I removed the ssh tunnel and directly ran the same web service on the ec2.
This worked perfectly fine.
However, I want to run the service from my Linux box.
It is due to fact that by default SSH only listens for connections to the forwarded port on the loopback address for security purposes.
To change that behavior, open sshd configuration:
sudo nano /etc/ssh/sshd_config
Look up this flag and enable it:
GatewayPorts yes
References:
https://www.maketecheasier.com/reverse-ssh-tunnel-allow-external-connections/
http://www.snailbook.com/faq/gatewayports.auto.html
I had the same problem and this worked for me.
From you local Linux box:
ssh -i "key.pem" -R 8081:\*:8080 ubuntu#ec2 -p 45332
notice I use 8081 instead of 8080
Then in the EC2 instance, ssh to itself tunneling 8081 to 8080.
ssh locahlost -L 8080:localhost:8081
I don't really understand how, but after trying different combinations, this one worked for me.
Related
I have an external server that hosted in dreamcompute
Which it is can consider as virtual private server (vps)
I have test out using: https://ping.eu/port-chk/
the results:
xxx.xxx.xxx.xxx:443 port is closed
xxx.xxx.xxx.xxx:80 port is open
xxx.xxx.xxx.xxx:22 port is open
I have check my server port is open in linux:
username#server:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
3306/tcp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
3306/tcp (v6) ALLOW Anywhere (v6)
I'm able to access the web server internally by
http://localhost/
https://example.com/
http://example.com/
which all of them I set an index.php with a code:
<?=phpinfo()?>
From my experience, it was my router firewall problem, but I don't have the control to do it.
Maybe it was my dns or something else ?
Steps you need to do to check your port :
verify that you can connect from your local machine... you can just telnet to port 443, both on localhost (127.0.0.1) as well as on your machine's IP address.(You have already done this what I saw.) You should at least get an answer (ie. verification that there is a listener on that port).
Just for an example:
$ telnet 127.0.0.1 443
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
This confirms port is listening
$ telnet 127.0.0.1 443
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
We can also do by checking NETSTAT
$ netstat -antl | grep 443
tcp 0 0 127.0.0.1:52421 127.0.0.1:443 TIME_WAIT
tcp6 0 0 :::443 :::* LISTEN
For SSL we can use openSSL
$ openssl s_client -connect 127.0.0.1:443
CONNECTED(00000003)
...
You may have to open and/or forward the address on your router or network firewall.
Hope it works fine!!
If not tell us, we will work on more solutions!
I have a simple Python server on a DigitalOcean Ubuntu droplet that should serve the index.html file in the /dist folder:
port = 8000
os.chdir(os.path.join(os.path.dirname(__file__), 'dist'))
Handler = http.server.SimpleHTTPRequestHandler
httpd = socketserver.TCPServer(('', port), Handler)
print('Serving at port ', port)
httpd.serve_forever()
I ran 'sudo ufw allow 80/tcp' to open the firewall and if I run ufw status it shows port 80 as being open to everybody. I ran 'sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8000' to redirect traffic from port 80 to port 8000.
If I run nmap from another box, the only open port is ssh on 22. Port 80 is filtered. Navigating to the host in my browser results in a connection timeout. What could be causing this?
It turns out I had to enable the DigitalOcean firewall and apply the correct rules, otherwise without the firewall it was just blocking ports by default.
I want to connect to my server via limited ip adresses. I thought that may be I can connect to my server via OPENVPN that is installed on my server. I have modified hosts.allow and hosts.deny files in /etc
/etc/hosts.allow file :
sshd : x.x.x.x (server ip )
/etc/hosts.deny file :
sshd : ALL
But I cant connect to my server via OpenVPN at the moment. OpenVPN has different ip adress like 10.8.0.x.
How I can set SSH connection to my server via OpenVpn?
You can use the ListenAddress directive in /etc/ssh/sshd_config to force SSHD to only listen on a specific IP address, namely the OpenVPN private address of your server, e.g.:
ListenAddress 10.8.0.1
This prevents sshd from listening on any other interfaces, including the public ones (by default sshd listens on all the available interfaces). Just make sure you restart sshd after updating the configuration.
After that to connect to SSH you will need to first establish the OpenVPN connection and then ssh into 10.8.0.1.
i suggest using iptables to limit IP addresses
iptables -A INPUT -s x.x.x.x -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
from this article: https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/networks
it suggests me to allow outgoing firewall with following ips and ports:
Networks
50.31.164.0/24
162.247.240.0/22
Ports
TCP 80
TCP 443
I'm using ufw, how can i do it?
I've tried this:
sudo ufw allow proto tcp from 50.31.164.0/24 port 80
sudo ufw allow proto tcp from 50.31.164.0/24 port 443
sudo ufw allow proto tcp from 162.247.240.0/22 port 80
sudo ufw allow proto tcp from 162.247.240.0/22 port 443
When I check my rules: they are like this:
Am I doing this right?
You already allow connections from anywhere to 80 & 443, so you don't need the extra allow statements for their specific IP ranges.
The request for outgoing connections is if you are running say your corporate site through it but are filtering outgoing traffic from your LAN (ie, only being able to get to a schools website from a kiosk in their hallway or from a lab) and you want people on your local network to be able to access it.
Sorry in advance for such a noob question, but I'm certainly a noob.
My question is what does it mean to LISTEN or ACCEPT on a port as it relates to my example?
EXAMPLE:
I have a tomcat server, and It will use port 8080. I want to make sure that port is available for me to use.
What commands should I perform on my unix server and why?
what information would a command like this give me: netstat -an | grep LISTEN
If a port shows up as LISTEN in netstat, it means the port is in use by a server process, so you can't use it. Here is an example:
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
which shows that port 631 is in use.
Ignore the UNIX type sockets at the end - they are irrelevant.
For checking port 8080 is in use or not, you can simply use the command netstat -an|grep 8080. If you get an output in below format, that means 8080 is already in use and you need to assign a new port for the tomcat.
# netstat -an
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN
Netstat command displays various network related information such as network connections, routing tables, interface statistics, masquerade connections, multicast memberships etc,
a option with netstat will give you both listening and non listening ports
n option when you don’t want the name of the host, port or user to be displayed, use netstat -n option. This will display in numbers, instead of resolving the host name, port name, user name. This also speeds up the output, as netstat is not performing any look-up.
For more understand the use of netstat command here are its options:
-a : All ports
-t : Ports TCP
-u : Ports UDP
-l : Listening ports
-n : IP address without domain name resolution
-p : Name of the program and it associated PID
So:
-To display all port (TCP & UDP), PId with the associated name of the program :
$ netstat -paunt
-To display all Listening ports (TCP), PId with the associated name of the program : (and we can also filter with the grep command)
$ sudo netstat -plnt | grep ':80'
I hope it will be helpful :)
You can also use telnet to check if the port is open and listening e.g,
Zeeshan$ telnet google.com 80
Trying 173.194.35.5...
Connected to google.com.
Escape character is '^]'.
I am telnetting google.com on port 80. If you see the third line in the output, you will notice it says it is connected with the Google's web server. The same way you have a JAVA application server called Tomcat and it is listening on port 8080. In fact it is asking clients to connect to it on port 8080 so it can give away the JAVA services to client. When I will use from a client side telnet localhost 8080 I will be connected the same way I have connected with Google's web server on port 80. Provided that Tomcat is running and listening on port 8080. If port 8080 is not free and occupied by some other application you can simply change the port 8080 to another free port. Telnet should give you the following status:
accepted (connected), refused, and timeout
connection refused - nothing is running on that port
accepted - some application is running on the port
timeout - a firewall is blocking access
So now there are two possible ways to check. From the same machine you are running Tomcat server:
telnet localhost 8080
Of if you want to check it from some other machine or outside of the network:
telnet 192.168.1.1 8080
I hope that helps.
use can also run the below command, it will list the Port and corresponding PID, if any process is using those ports
netstat -tulpn