ssh port forwarding (tunneling) in linux - linux

I have a specific scenario that I want to solve. I currently connect to a host via port forwarding:
laptop -> gateway -> remote_server_1
and another host:
laptop -> remote_server_2
with passwordless login working on both. Neither of the remote servers are visible to the outside world. Now I'm running a service on remote_server_2, that I'd like to be able to access on remote_server_1. I presume I have to setup reverse port forwarding from remote_server_1 to my laptop, and then on to remote_server_2, but I'm not sure how to do this. Anyone come across this situation before?
Edit:
The full solution in case anyone else needs it:
mylaptop$ ssh -L 3001:localhost:3000 server_2
server_2$ netcat -l 3000
Then setup the tunnel via gateway to server_1:
ssh -t -t -L 3003:server_1:22 gateway
Then access it from server_1:
ssh -R 3002:localhost:3001 -p3003 localhost
echo "bar" | nc localhost 3002`
and hey presto server_2 shows bar :-)

You have to do exactly as you've described. Setup the server on server_2.
mylaptop$ ssh -L 3001:localhost:3000 server_2
server_2$ netcat -l 3000
Then access to it from server_1.
mylaptop$ ssh -R 3002:localhost:3001 server_1
server_1$ echo "foo" | netcat localhost 3002
server_2 will show foo.

Related

Ssh port forwarding google compute engine

I am trying to forward traffic with google instances but no luck.
Here is the scenario:
I have 2 instances currently main-server, and mini-server-1
I want to ssh mini-server-1 from main-server and create a dynamic port forwarding like so:
gcloud compute ssh "mini-server-1" --zone="us-central1-f" --ssh-flag="-D:5551" --ssh-flag="-N" --ssh-flag="-n" &
I have this error:
bind: Cannot assign requested address
I tried: ssh -N username#mini-server-1(all ips internal external, hostname) -D 5551 &
When i run netstat i can see that ports are free.
Here is wget with proxy from main-server
wget google.com -e use_proxy=yes -e http_proxy=127.0.0.1:5551
Connecting to 127.0.0.1:5551... connected.
Proxy request sent, awaiting response...
Does someone know how can i achieve this?
Much simpler syntax:
gcloud compute ssh my-vm-name --zone=europe-west1-b -- -NL 4000:localhost:4000
You can pass as many options as you want:
-NL 8080:localhost:80 -NL 8443:localhost:443
https://cloud.google.com/solutions/connecting-securely
https://cloud.google.com/community/tutorials/ssh-tunnel-on-gce
https://cloud.google.com/community/tutorials/ssh-port-forwarding-set-up-load-testing-on-compute-engine
run the command with the debug flag to help you find more information:
gcloud compute ssh --ssh-flag=-vvv "mini-server-1" \
--zone="us-central1-f" \
--ssh-flag="-D:5551" \
--ssh-flag="-N" \
--ssh-flag="-n" &
and as mention in my comment before, use https_proxy.
gcloud compute ssh --ssh-flag="-L 2222:localhost:8080" --zone "us-central1-a" "your_instance_name"
With this command you can port forward and connect to a port running on a particular VM instance from your local PC
2222 refer to local IP
8080 is the remote port where our application will be running

How to sync when you can't connect directly to the remote computer

I have my home computer A and a work computer C that I want to synchronise using unison. In the middle is a work computer B. A can communicate with B and B can communicate with C directly but A and C can't directly connect to each other. In fact the communication diagram looks like A->B<->C. That is A can connect to B but B can't connect to A.
To give an example how I use this setup, I currently do the following if I want to ssh from A to C
ssh -t -X -C me_B#B ssh -X me_C#C
How can I run unison from A and sync with C, maybe using ssh port forwarding?
To make it a little clearer, C has unfiltered outgoing connectivity to the Internet. B has unfiltered in and outgoing connectivity to both C and the Internet. A is my home computer.
Update
The following command line works for me to at least copy files from A to C
scp -oProxyCommand="ssh me_B#B nc -v %h %p" foo/* me_C#C:foo
Is there some way to use this idea to get unison to work?
Yes, ssh port forwarding can be used for that. Use the following command on A if you want to forward ssh on port 22 at C to the local port 3000 (for example):
# Create the tunnel
ssh -L 3000:C:22 userB#B -N
After you have issued the command, you can login into C from A using:
# Connect using the tunnel
ssh -p 3000 userC#localhost
Note: During the discussion below it turned out, that in OP's network, the connection trough the tunnel can only be established using the following command:
ssh -p 3000 -l userC localhost
Note that I'm using -l userC instead of userC#.
Now you can use unison like this:
unison directory ssh://userC#localhost:3000 directory

Connect to rsync with custom port and NO SSH

using an rsync server on a QNAP NAS which is configured to port 50011, I try to connect from an Ubuntu Server.
So far I have not found a way to change default port 873 to a custom one for connection, except when using the -e 'ssh -p50011' option. Unfortunately QNAP does not understand SSH for rsync.
The web has plenty of how-to's about using a custom port with SSH. Is there a way WITHOUT USING SSH?
thanks & regards
David
Found it:
use the --port=50011 directive.
brgds
David
Besides --port one should be able to use port inside the address when specifying rsync:// prefix: rsync://[USER#]HOST[:PORT]/SRC :
> rsync --list-only rsync://127.0.0.1:9010/test1/ | grep test2
-rw-r--r-- 0 2021/05/19 12:40:25 test2

How to transfer a file in an "indirect" ssh connection?

I have to access my server in such way: localhost -> remote1 -> remote2 (my server)
[xxxx#localhost] $ ssh yyyy#remote1
[yyyy#remote1] $ ssh zzzz#remote2
[zzzz#remote2] $ echo "now I logined into my server..."
I know how to transfer files with scp. however I have no read or write permissions on remote1. How can I transfer a file to remote2?
Another alternative could be to use a Proxy command:
scp -o ProxyCommand='ssh yyy#remote1 netcat %h %p 2> /dev/null' zzz#remote2:fromfile tofile
if remote1 has netcat installed. Other viable options could be nc or socat (the latter has a different syntax).
Try this,
ssh -L localhost:8022:remote2:22 remote1
Now, you can use localhost port 8022 to contact 22 of remote2 via remote1. This session session should be active whenever you need to transfer. Use
scp -P 8022 /path/locale/file 127.0.0.1:/path/on/remote2
This is commonly called as SSH Tunneling. You can search and get to know lot about it.

How to purge connections left open by SSH ProxyCommand?

I have a webserver WWW1 and a front-facing proxy PRX. I use SSH ProxyCommand to connect to WWW1's internal IP (private IP) via PRX (private+public IP). For some connections (not all) I see a network connection left open after I'm finished. These add up!
~/.ssh/config
Host *
ServerAliveInterval 5
ControlMaster auto
ControlPath ~/.ssh/master-%r#%h:%p
Host WWW1 WWW2 WWW3
User foo
ProxyCommand ssh -q -a -x PRX nc %h 22
IdentityFile ~/.ssh/id_foo_WWWx
On PRX, lsof | grep WWW1:ssh shows 124 open connections at the moment. On WWW1, the same command shows 243 open connections. There are similar open connections for WWW2, WWW3 etc.
WWW1 and PRX are Debian. Client connections are coming from a mix of Debian, Ubuntu and OSX10.6. I use Emacs Tramp but this has no special configuration (AFAIK) outside of my ~/.ssh/config.
I'm concerned about running out of internal ports, and ideally I want these connections to clean themselves up without intervention. Ideally by configuring them to kill themselves off; failing that a command I can kill old processes with is fine!
A better way would be to use the -W option of SSH, so you could put
ProxyCommand ssh -q -a -x PRX -W %h:22
instead of
ProxyCommand ssh -q -a -x PRX nc %h 22
This way you get rid of dependence on nc too.
Don't know whether it matters but I use nc -w 1 %h %p

Resources