Difference between revisions of "SSH/Tunneling"
| Line 1: | Line 1: | ||
{{DISPLAYTITLE: Tunneling over SSH}} |
{{DISPLAYTITLE: Tunneling over SSH}} |
||
[[Category: SSH]] [[Category: Hacks]] |
[[Category: SSH]] [[Category: Hacks]] |
||
Whacky tunnel stuff |
|||
== Advanced == |
|||
| ⚫ | |||
=== Tunneling using the actual destination IP === |
|||
'''Disclaimer:''' Don't use this on a production machine unless you fully grasp the mechnism. |
|||
==== Problem ==== |
|||
| ⚫ | |||
| ⚫ | |||
: Asuming my target we want to connect to is 1.2.3.4 on port 56789 we have to first make sure we have the sshd accept remote forwards on all interfaces and ip addresses. |
|||
| ⚫ | |||
Asuming the target to connect to is <span class="highlight">1.2.3.4</span> on port <span class="highlight">56789</span> and we use <span class="highlight">4.3.2.1</span> as the jump host. |
|||
Before starting <tt>sshd</tt> has to accept remote forwards on all interfaces and IP addresses. To do that on the host running actual application the <tt>/etc/ssh/sshd_config</tt> file requires the <tt>AllowTcpForwarding</tt> and <tt>GatewayPorts</tt> to be set to <tt>yes</tt> |
|||
| ⚫ | |||
GatewayPorts <span class="input">yes</span> |
|||
| ⚫ | |||
In /etc/ssh/sshd_config file ensure that these two values are set to yes |
|||
ssh <span class="input"><JumpHost></span> -R <span class="input"><LocalPort>:<DestinationIP>:<DestinationPort></span> |
|||
| ⚫ | |||
GatewayPorts yes |
|||
ssh <span class="highlight">4.3.2.1</span> -R <span class="highlight">56789:1.2.3.4:56789</span> |
|||
| ⚫ | |||
ssh source-host -R 56789:destination-host:56789 |
|||
On the |
On the application host create an interface on the lo interface with this address with the traditional <tt>ifconfig</tt> it looks like below. |
||
ifconfig lo:1 <span class="input"><DestinationIP></span> netmask 255.255.255.255 broadcast <span class="input"><DestinationIP></span> up |
|||
ifconfig lo:1 1.2.3.4 netmask 255.255.255.255 broadcast 1.2.3.4 up |
ifconfig lo:1 <span class="highlight">1.2.3.4</span> netmask 255.255.255.255 broadcast <span class="highlight">1.2.3.4</span> up |
||
With the <tt>ip</tt> command on linux this is how it looks like. |
|||
'''Note:''' <tt>label lo:1</tt> is optional. |
|||
ip addr add <span class="input"><DestiantionIP></span>/32 brd + label lo:1 dev lo |
|||
ip addr add <span class="highlight">1.2.3.4</span>/32 brd + label lo:1 dev lo |
|||
As soon as you bring the interface up you should see traffic going via the tunnel. |
As soon as you bring the interface up you should see traffic going via the tunnel. |
||
Revision as of 19:26, 24 May 2012
Advanced
Tunneling using the actual destination IP
Disclaimer: Don't use this on a production machine unless you fully grasp the mechnism.
Problem
Create a tunnel on a machine where an application is supposed to connect to a host that has been blocked by a firewall. Condition you can not change configuration and restart the application using the connection.
Solution
Asuming the target to connect to is 1.2.3.4 on port 56789 and we use 4.3.2.1 as the jump host. Before starting sshd has to accept remote forwards on all interfaces and IP addresses. To do that on the host running actual application the /etc/ssh/sshd_config file requires the AllowTcpForwarding and GatewayPorts to be set to yes
AllowTcpForwarding yes GatewayPorts yes
HUPing the sshd process will enable the new configuration. With ssh this out of the way connection to the host in question.
ssh <JumpHost> -R <LocalPort>:<DestinationIP>:<DestinationPort>
ssh 4.3.2.1 -R 56789:1.2.3.4:56789
On the application host create an interface on the lo interface with this address with the traditional ifconfig it looks like below.
ifconfig lo:1 <DestinationIP> netmask 255.255.255.255 broadcast <DestinationIP> up
ifconfig lo:1 1.2.3.4 netmask 255.255.255.255 broadcast 1.2.3.4 up
With the ip command on linux this is how it looks like. Note: label lo:1 is optional.
ip addr add <DestiantionIP>/32 brd + label lo:1 dev lo
ip addr add 1.2.3.4/32 brd + label lo:1 dev lo
As soon as you bring the interface up you should see traffic going via the tunnel.