[PLUG] Reverse SSH tunneling with HTTP proxy
Rodney W. Grimes
freebsd at gndrsh.dnsmgr.net
Mon Jul 8 18:55:53 UTC 2019
> On Sun, Jul 7, 2019 at 4:44 PM Rodney W. Grimes <freebsd at gndrsh.dnsmgr.net>
> wrote:
>
> > > Hello,
> > >
> > > I'm very possibly going about this the wrong way. I've tried all manner of
> > > search terms that I can think of with variations of what I put in the
> > > subject line.
> > >
> > > Basically, for a long time it worked very well to just open an SSH
> > > tunneling command to connect to the network at my dad's house to do
> > > maintenance on the computers/networking equipment there. All was good until
> > > he either changed providers or just had problems with his equipment. Either
> > > way, he got a new modem, and instead of replacing his existing all-in-one
> > > modem and router, he and/or the tech decided it would be safer to just add
> > > the new modem upstream of the existing one, and just have two NAT
> > > translations happening. This broke my port forwarding that I had working,
> > > so I had to change how I got access. I don't know if he even has access to
> > > the settings in the new modem - it's a Comcast thing, and he's not sure,
> > > and I think he's also a little uneasy about the idea of changing anything,
> > > since it's now working well and he went for a while with having things be
> > > really flaky.
> > >
> > > So to keep his stress level low, the first time afterwards that I went out
> > > there I got onto the linux server that I have running there and set up a
> > > persistent reverse SSH tunnel using autossh. It works great, and all I have
> > > to do from my local server machine is run 'ssh -p 2222 localhost' and I get
> > > connected and everything is good.
> > >
> > > However, to do a fix for a current problem, I need to get http access to a
> > > server running on that same machine. All of the logs make it look like it's
> > > running fine, but they're reporting that something isn't right. Before, I
> > > could set up a tunnel and use a proxy command to then connect from a local
> > > machine to a port on the server at my dad's house and do whatever amount of
> > > troubleshooting I needed. With the new reverse tunnel set up, it doesn't
> > > seem to be accepting the proxy traffic, and I have no idea why.
> > >
> > > Dad's server Dad's old modem/router --- Dad's new modem --- internet ----
> > > my modem/router --- my server --- my laptop
> > >
> > > So I want to use firefox on my laptop to view content served from my dad's
> > > server, but the only possible connection is currently through a reverse ssh
> > > tunnel set up on my server. It seems like this must be a somewhat basic
> > > thing to do, as all I want is for traffic sent to a chosen port on my
> > > server to be rerouted through the existing SSH tunnel and then appear to
> > > originate on my dad's private network so that it can then query the http
> > > server and send the response back through the tunnel.
> > >
> > > But maybe I'm trying to do this the hard way and there's a simpler
> > > solution? Maybe I just don't know the right search terms to use? I could be
> > > calling these things the wrong names. It's a bit of a drive to get out
> > > there in person, and I'd like to get this running before the next time that
> > > I'm planning to be there anyway, if possible.
> >
> > One thing that is kinda sic, but came to mind as a quick and
> > dirty would be to run a forward ssh on top of your reverse
> > ssh with the proper -L options to get you a local port
> > pointing at the remote http server.
> >
> >
> Sorry - I should have mentioned that I did find things about forwarding SSH
> in my searches, and I did use the 'L' option on multiple different tries,
> but I can't seem to get the right combination to do this forwarding. Do you
> have an idea of what those might be? Is there something else that I should
> be searching on, or is just SSH forwarding good enough?
>
> Doing something like this was one of my first thoughts, as this is
> something that will hopefully only be needed extremely infrequently. I
> don't need anything elegant or efficient at all. :) Maybe I just have a
> very poor understanding of SSH and the -L options, but I couldn't get it to
> work.
>
> I've tried things of the format: ssh -L xxxx:localhost:yyyy where xxxx is
> the port that I would put in the proxy section of Firefox, and yyyy is the
> port that is on the reverse SSH already.
>
> I've also tried: ssh -L xxxx:localhost:yyyy erik at local-server-name
>
> and: ssh -L xxxx:localhost:yyyy erik at local-server-ip-address
>
> and: ssh -N -L localhost:xxxx:localhost:yyyy erik at local-server-ip-address
A sample I use on a daily basis; this is FORWARD ssh, you need to run
that on top of the reverse connection you already have, assuming you
can ssh into the remote machine over the reverse channel:
ssh -l rgrimes \
-L 81:10.4.0.11:443 \
-L 82:10.4.0.12:443 \
-L 83:10.4.0.13:443 \
-L 3389:192.168.114.100:3389 \
-L 3390:192.168.114.111:3389 \
-L 3391:192.168.114.112:3389 \
-L 3392:192.168.114.114:3389 \
name_or_ip_of_remote_system
Note that 10.4.0.x and 192.168.114.x are IP addresses on the far end
of the ssh system, accessible by the system "name_or_ip_of_remote_system".
The first ports {81,82,83,3389,3390,3391} are the local ports
you would access as 127.0.0.1:81; these map to the remote ports
{443,443,3389,3389,3389,3389} on the respective systems.
Hope this helps...
> Erik
--
Rod Grimes rgrimes at freebsd.org
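The whole chain for Erik's setup, written out as an added example (not code from the thread): the autossh reverse tunnel on dad's server, the forward ssh on Erik's server that has to dial the reverse port 2222 on localhost rather than a remote name, and a SOCKS variant for the Firefox proxy setting. The address erik@my-server.example, port 80 for the web service and the local ports 8080/1080 are assumptions; 2222 is the reverse-tunnel port from the thread.

```shell
#!/bin/sh
# Assumed values (not from the thread): MY_SERVER, HTTP_PORT, LOCAL_PORT,
# SOCKS_PORT. REVERSE_PORT is the 2222 Erik already uses.
REVERSE_PORT=2222
HTTP_PORT=80
LOCAL_PORT=8080
SOCKS_PORT=1080
MY_SERVER="erik@my-server.example"

# Step 1, on dad's server: the persistent reverse tunnel. Afterwards
# my-server:2222 is dad's sshd (port 22). -M 0 disables autossh's monitor
# port; the ServerAlive options let ssh itself notice a dead link.
reverse_tunnel_cmd() {
  echo "autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R ${REVERSE_PORT}:localhost:22 ${MY_SERVER}"
}

# Step 2, on Erik's server: a forward tunnel over the reverse one. The ssh
# dials localhost:2222 (-p), i.e. dad's sshd, and the -L target
# 'localhost:80' is resolved by dad's server. 127.0.0.1:8080 on my-server
# then reaches the web service at dad's house. Pointing -L at 2222 itself
# would only forward to dad's sshd, never to the web server. -L is a port
# forward, not an HTTP proxy: Firefox opens http://localhost:8080/ directly.
forward_tunnel_cmd() {
  echo "ssh -N -p ${REVERSE_PORT} -L ${LOCAL_PORT}:localhost:${HTTP_PORT} localhost"
}

# Alternative step 2: if Firefox should use a proxy so every request appears
# to come from dad's network, use -D (SOCKS) instead of -L and set Firefox
# to SOCKS5 localhost:1080 with remote DNS enabled.
socks_proxy_cmd() {
  echo "ssh -N -p ${REVERSE_PORT} -D ${SOCKS_PORT} localhost"
}

# Step 3, on the laptop: -L/-D bind to 127.0.0.1 on my-server only, so hop
# once more (use 1080 for the SOCKS variant) instead of exposing the port
# with -g or a 0.0.0.0 bind address.
laptop_tunnel_cmd() {
  echo "ssh -N -L ${LOCAL_PORT}:localhost:${LOCAL_PORT} ${MY_SERVER}"
}

# With RUN_STEP unset the script only prints the commands; set it to
# reverse, forward, socks or laptop on the matching machine to run that step.
case "${RUN_STEP:-show}" in
  reverse) eval "$(reverse_tunnel_cmd)" ;;
  forward) eval "$(forward_tunnel_cmd)" ;;
  socks)   eval "$(socks_proxy_cmd)" ;;
  laptop)  eval "$(laptop_tunnel_cmd)" ;;
  *) for f in reverse_tunnel_cmd forward_tunnel_cmd socks_proxy_cmd laptop_tunnel_cmd; do
       "$f"; done ;;
esac
```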