
Thread: SSH tunneling: how much can it help against firewall?

  1. #1

    SSH tunneling: how much can it help against firewall?

    I have the following problem, and wonder whether one or two SSH tunnels can help.

    Computers A and B are on different networks, far from each other. I have control of both (root access). Both run Leap.


    Computer A is behind a firewall, which likely does not forward ports. I don't have control over that firewall.

    Computer B is in "free Internet", and, although behind a firewall, ports can be forwarded through it, since I have control over the router that creates the firewall. Normally, I sit in front of B.

    The question: Can I login from B to A, or can clients running in B connect to servers running in A, for example, to VNC server or sshd, so that I get control of A from B?

    Any commands can be issued in A and B for this.

    I am wondering whether some commands like
    Code:
     
     ssh -L ...
     ssh -R ...
     ssh -D ...
     x11vnc -rfbport ...
     ssh -X ...
    issued in A or B could help? Are there bi-directional ssh tunnels?


    I know that the task can be accomplished by TeamViewer or similar commercial software, but I would like to use ssh or vncviewer.

  2. #2

    Re: SSH tunneling: how much can it help against firewall?

    You want to set up a special VPN configuration called a "callback".

    The idea is that although you can't connect directly to Computer A, there is usually <some> way you can execute something on that machine. Maybe it's monitoring a mail account. Or, it's periodically checking for something on the Internet. When the condition is satisfied, then Computer A will initiate a VPN to Computer B and then you can access Computer A from Computer B for anything you want to do.

    You can also set up VNC this way (do an Internet search for a guide).

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3

    Re: SSH tunneling: how much can it help against firewall?

    Depends on the firewall configuration.

    If port 22 is allowed out, then sure, it can help with TCP traffic at a
    minimum.

    There are lots of options for firewall piercing - but that does get into
    the realm of hacking - and doing so without permission of the owner of
    the network in question is generally not a good idea, because you're
    creating weaknesses in their network in order to circumvent controls and
    could be held liable if their network were compromised.

    So the easiest solution is to talk to the network owner about getting the
    ports opened that you need, or collaborating with them on a solution.

    Jim
    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  4. #4

    Re: SSH tunneling: how much can it help against firewall?

    On 08/09/2017 09:06 PM, ZStefan wrote:
    >
    > I have the following problem, and wonder whether one or two SSH tunnels
    > can help.


    SSH tunnels allow you to have TCP data go in a socket on one machine and
    come out of a socket on the other machine, going through an established
    SSH connection. If you can SSH from one box to another then you can
    tunnel data between those two boxes or networks, assuming the SSH
    configuration on either side does not somehow prevent SSH tunnels (allowed
    by default, they are).

    > Computers A and B are on different networks, far from each other. I have
    > control of both (root access). Both run Leap.
    >
    >
    > Computer A is behind a firewall, which likely does not forward ports. I
    > don't have control over that firewall.
    >
    > Computer B is in "free Internet", and, although behind a firewall, ports
    > can be forwarded through it, since I have control over the router that
    > creates the firewall. Normally, I sit in front of B.
    >
    > The question: Can I login from B to A, or can clients running in B
    > connect to servers running in A, for example, to VNC server or sshd, so
    > that I get control of A from B?
    >
    > Any commands can be issued in A and B for this.


    SSH from serverB to serverA using the following command, and set up a
    tunnel from TCP 5900 on serverB to go to the "localhost" TCP 5901 on serverA:

    Code:
     ssh root@serverA.goes.here -L 5900:localhost:5901

    Once done, you can connect vncviewer to 127.0.0.1:5900 on serverB in order
    to access localhost:5901 on serverA, which may be what you want.

    Reverse tunnels are also possible, so if you can SSH from serverA to
    serverB, you can then forward traffic from serverB back to serverA. See
    the ssh manpage for specifics, or ask follow-up questions here.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
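
Post #4 notes that tunnels only work if the sshd configuration does not prevent them. As an added example (not part of any post in this thread), the shell functions below read `sshd -T`-style output and report whether `-L` and `-R` forwards would be accepted; the sample configurations are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Classify which SSH forwarding modes an sshd permits, from `sshd -T` output.
# -L run on B towards A needs "local" forwarding allowed by A's sshd;
# -R run on A towards B needs "remote" forwarding allowed by B's sshd.

# Print the value of one sshd keyword found in the config text.
# $1 = config text, $2 = lowercase keyword, $3 = default if keyword is absent
sshd_value() {
    v=$(printf '%s\n' "$1" |
        awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }')
    printf '%s' "${v:-$3}"
}

# Echo "local=<yes|no> remote=<yes|no> remote_bind=<loopback|any|client>"
# $1 = config text
forwarding_modes() {
    fwd=$(sshd_value "$1" allowtcpforwarding yes)   # OpenSSH default: yes
    gw=$(sshd_value "$1" gatewayports no)           # OpenSSH default: no
    case "$fwd" in
        yes|all) l=yes; r=yes ;;
        local)   l=yes; r=no  ;;
        remote)  l=no;  r=yes ;;
        *)       l=no;  r=no  ;;
    esac
    # GatewayPorts decides where a -R listener on the server may bind.
    case "$gw" in
        yes)             bind=any ;;
        clientspecified) bind=client ;;
        *)               bind=loopback ;;
    esac
    printf 'local=%s remote=%s remote_bind=%s' "$l" "$r" "$bind"
}

# Constructed sample inputs (not taken from any real host).
DEFAULT_CFG='port 22
allowtcpforwarding yes
gatewayports no'
LOCKED_CFG='port 22
allowtcpforwarding no
gatewayports no'
REMOTE_ONLY_CFG='allowtcpforwarding remote
gatewayports clientspecified'

for cfg in "$DEFAULT_CFG" "$LOCKED_CFG" "$REMOTE_ONLY_CFG"; do
    forwarding_modes "$cfg"; echo
done
```

On a real host, run `sshd -T` as root and pass its output to `forwarding_modes`. `PermitOpen`, `PermitListen` and `Match` blocks can narrow the result further.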

  5. #5

    Re: SSH tunneling: how much can it help against firewall?

    How about an openVPN server on B (or on the router for the network B is connected to)? With A connecting, both can interact as on the same network...
    Kind regards

    raspu

  6. #6

    Re: SSH tunneling: how much can it help against firewall?

    Hey guys,
    The original description regarding Computer A:

    > Computer A is behind a firewall, which likely does not forward ports. I
    > don't have control over that firewall.

    So, no inbound connections. No SSH. Nothing.

    So,
    1. Computer A has to initiate any connections, assuming outbound connections are not blocked.
    2. Something needs to trigger initiating the outbound connection. I suggested an email message, since email is commonly supported in networks by way of an on-site mail server. Or, permitted through the firewall. The idea is a machine somewhere on the network that acts to proxy or forward a communication of some sort. Or, if that isn't possible, then simply run a CRON job periodically testing for a sign to initiate the outbound VPN (can be something simple like whether a file exists on an Internet website).

    TSU
