[PLUG] Reverse SSH tunneling with HTTP proxy
Erik Lane
eriklane at gmail.com
Mon Jul 8 19:54:38 UTC 2019
On Mon, Jul 8, 2019 at 11:56 AM Rodney W. Grimes <freebsd at gndrsh.dnsmgr.net> wrote:
> > On Sun, Jul 7, 2019 at 4:44 PM Rodney W. Grimes <freebsd at gndrsh.dnsmgr.net> wrote:
> >
> > > > Hello,
> > > >
> > > > I'm very possibly going about this the wrong way. I've tried all manner
> > > > of search terms that I can think of with variations of what I put in the
> > > > subject line.
> > > >
> > > > Basically, for a long time it worked very well to just open an SSH
> > > > tunneling command to connect to the network at my dad's house to do
> > > > maintenance on the computers/networking equipment there. All was good
> > > > until he either changed providers or just had problems with his
> > > > equipment. Either way, he got a new modem, and instead of replacing his
> > > > existing all-in-one modem and router, he and/or the tech decided it
> > > > would be safer to just add the new modem upstream of the existing one,
> > > > and just have two NAT translations happening. This broke my port
> > > > forwarding that I had working, so I had to change how I got access. I
> > > > don't know if he even has access to the settings in the new modem - it's
> > > > a Comcast thing, and he's not sure, and I think he's also a little
> > > > uneasy about the idea of changing anything, since it's now working well
> > > > and he went for a while with having things be really flaky.
> > > >
> > > > So to keep his stress level low, the first time afterwards that I went
> > > > out there I got onto the linux server that I have running there and set
> > > > up a persistent reverse SSH tunnel using autossh. It works great, and
> > > > all I have to do from my local server machine is run 'ssh -p 2222
> > > > localhost' and I get connected and everything is good.
> > > >
> > > > However, to do a fix for a current problem, I need to get http access to
> > > > a server running on that same machine. All of the logs make it look like
> > > > it's running fine, but they're reporting that something isn't right.
> > > > Before, I could set up a tunnel and use a proxy command to then connect
> > > > from a local machine to a port on the server at my dad's house and do
> > > > whatever amount of troubleshooting I needed. With the new reverse tunnel
> > > > set up, it doesn't seem to be accepting the proxy traffic, and I have no
> > > > idea why.
> > > >
> > > > Dad's server Dad's old modem/router --- Dad's new modem --- internet ----
> > > > my modem/router --- my server --- my laptop
> > > >
> > > > So I want to use firefox on my laptop to view content served from my
> > > > dad's server, but the only possible connection is currently through a
> > > > reverse ssh tunnel set up on my server. It seems like this must be a
> > > > somewhat basic thing to do, as all I want is for traffic sent to a
> > > > chosen port on my server to be rerouted through the existing SSH tunnel
> > > > and then appear to originate on my dad's private network so that it can
> > > > then query the http server and send the response back through the
> > > > tunnel.
> > > >
> > > > But maybe I'm trying to do this the hard way and there's a simpler
> > > > solution? Maybe I just don't know the right search terms to use? I could
> > > > be calling these things the wrong names. It's a bit of a drive to get
> > > > out there in person, and I'd like to get this running before the next
> > > > time that I'm planning to be there anyway, if possible.
> > >
> > > One thing that is kinda sic, but came to mind as a quick and
> > > dirty would be to run a forward ssh on top of your reverse
> > > ssh with the proper -L options to get you a local port
> > > pointing at the remote http server.
> > >
> > >
> > Sorry - I should have mentioned that I did find things about forwarding
> > SSH in my searches, and I did use the 'L' option on multiple different
> > tries, but I can't seem to get the right combination to do this
> > forwarding. Do you have an idea of what those might be? Is there
> > something else that I should be searching on, or is just SSH forwarding
> > good enough?
> >
> > Doing something like this was one of my first thoughts, as this is
> > something that will hopefully only be needed extremely infrequently. I
> > don't need anything elegant or efficient at all. :) Maybe I just have a
> > very poor understanding of SSH and the -L options, but I couldn't get it
> > to work.
> >
> > I've tried things of the format: ssh -L xxxx:localhost:yyyy where xxxx
> > is the port that I would put in the proxy section of Firefox, and yyyy
> > is the port that is on the reverse SSH already.
> >
> > I've also tried: ssh -L xxxx:localhost:yyyy erik at local-server-name
> >
> > and: ssh -L xxxx:localhost:yyyy erik at local-server-ip-address
> >
> > and: ssh -N -L localhost:xxxx:localhost:yyyy erik at local-server-ip-address
>
> A sample I use on a daily basis, this is FORWARD ssh, you need to run
> that on top of the reverse connection you already have, assuming you
> can ssh into the remote machine over the reverse channel:
>
> ssh -l rgrimes \
> -L 81:10.4.0.11:443 \
> -L 82:10.4.0.12:443 \
> -L 83:10.4.0.13:443 \
> -L 3389:192.168.114.100:3389 \
> -L 3390:192.168.114.111:3389 \
> -L 3391:192.168.114.112:3389 \
> -L 3392:192.168.114.114:3389 \
> name_or_ip_of_remote_system
>
> Note that 10.4.0.x and 192.168.114.x are IP addresses on the far end
> of the ssh system accessible by the system "name_or_ip_of_remote_system"
>
> The first port {81,82,83,3389,3390,3391} are the local ports
> you would access as 127.0.0.1:81 these map to the remote ports
> {443,443,3389,3389,3389,3389} on the respective systems.
>
>
Thanks for your time, Rod!
However, I'm not having any luck with any of this. Maybe I just need to let
it go for now.
My process is that I will log onto my local server before running any of
these commands. Then I try to use various combinations of the command, but
either it brings up the help section of the command (i.e. the list of
available options, because I'm not using it correctly) or alternatively, it
then has me log in again, but it opens up a new session on my local server.
I can't get anything to forward connections from a port on my local server
to anything on the remote server through the reverse SSH connection.
From all my searching it felt like I was just missing something simple, but
if none of these other things are working for me, either, then maybe I have
something more significant blocking me... :(
Anyway, thanks a ton for trying!
Erik
> Hope this helps...
> > Erik
> --
> Rod Grimes
> rgrimes at freebsd.org
>
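Added example for the forwarding set-up discussed in this thread; it is not code from Erik or Rod. The one fact it relies on is how OpenSSH resolves a -L target: the host:port after the local port is looked up by the machine the ssh session terminates on. So for "localhost:80" to mean Dad's server, the ssh session itself has to terminate on Dad's server, which here means connecting to the reverse tunnel's listener (127.0.0.1:2222 on my-server, from the thread) rather than to my-server's own sshd. Assumed values: the http service on Dad's machine listens on port 80, the laptop's account on my-server is erik@my-server, and 8080 is an arbitrary local port for Firefox. The script only composes and validates the two commands (one to run on my-server, one to run from the laptop with ProxyJump); it does not open any connection itself.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the ssh command lines for
# layering a forward (-L) tunnel on top of an existing reverse tunnel.
# Assumptions: reverse tunnel from Dad's server lands on 127.0.0.1:2222 of
# my-server (from the thread); Dad's http server listens on 80 (assumed);
# laptop user on my-server is erik@my-server (assumed hostname).

TUNNEL_PORT=2222        # reverse-tunnel listener on my-server (from thread)
HTTP_PORT=80            # assumed port of the http server on Dad's machine
LOCAL_PORT=8080         # chosen local port to point Firefox at
JUMP=erik@my-server     # assumed jump account on my-server

# Accept only integers in 1..65535; return 1 otherwise so callers can bail.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Command to run ON my-server. The session goes to localhost:TUNNEL_PORT,
# i.e. through the reverse tunnel, so it terminates on Dad's server and the
# "localhost" in the -L target is resolved there. -N: no shell, forward only.
# Args: $1 local port, $2 remote http port, $3 reverse-tunnel port
on_server_cmd() {
    valid_port "$1" && valid_port "$2" && valid_port "$3" || return 1
    printf 'ssh -N -p %s -L 127.0.0.1:%s:localhost:%s localhost\n' \
        "$3" "$1" "$2"
}

# Single command to run ON the laptop. -J hops through my-server; the final
# destination localhost:TUNNEL_PORT is then resolved from my-server, which is
# the reverse-tunnel listener, so the session again ends on Dad's server and
# LOCAL_PORT on the laptop reaches HTTP_PORT on Dad's machine.
# Args: $1 local port, $2 remote http port, $3 reverse-tunnel port, $4 jump
on_laptop_cmd() {
    valid_port "$1" && valid_port "$2" && valid_port "$3" || return 1
    [ -n "$4" ] || return 1
    printf 'ssh -N -J %s -p %s -L 127.0.0.1:%s:localhost:%s localhost\n' \
        "$4" "$3" "$1" "$2"
}

echo "# on my-server:"
on_server_cmd "$LOCAL_PORT" "$HTTP_PORT" "$TUNNEL_PORT"
echo "# or, in one step from the laptop:"
on_laptop_cmd "$LOCAL_PORT" "$HTTP_PORT" "$TUNNEL_PORT" "$JUMP"
```

With the first command running on my-server, a second plain forward from the laptop (ssh -L 8080:localhost:8080 erik@my-server) carries the browser traffic the rest of the way; the ProxyJump form collapses both hops into one command and never leaves a listener on my-server. Binding to 127.0.0.1 keeps the forwarded port from being reachable by other hosts on the local network.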