My home computer has 11.3 and SuSEfirewall enabled. It connects to the net over the wireless and SuSEfirewall has this connection in the external zone.
I can successfully ssh into this computer from remote (the work computer) but none of the ssh port-forwarded connections work. I’m trying to tunnel VNC over ssh. I also tried setting http on the home computer to serve pages on a high-numbered port (8090) and tunnelling that but it also didn’t work - proving that it’s not a VNC problem.
Here are the relevant messages from the firewall logs on the home machine:
I don’t understand why this isn’t working now, I had the same setup on 11.2 and it worked fine.
Edit: 95.91.92.92 is the public IP address of my home router; I don’t understand why a connection would appear to be coming from there when I use ssh tunnelling.
Could you post the full SSH command line for doing the forwarding, plus
perhaps what you see both in the SSH session as well as from VNC (started
from the command line) when trying to access the remote box?
#launch vncviewer from the SSH-client machine to use the tunnel
vncviewer localhost
Good luck.
On 09/14/2010 07:40 AM, tk83 wrote:
>
> My home computer has 11.3 and SuSEfirewall enabled. It connects to the
> net over the wireless and SuSEfirewall has this connection in the
> external zone.
>
> I can successfully ssh into this computer from remote (the work
> computer) but none of the ssh port-forwarded connections work. I’m
> trying to tunnel VNC over ssh. I also tried setting http on the home
> computer to serve pages on a high-numbered port (8090) and tunnelling
> that but it also didn’t work - proving that it’s not a VNC problem.
>
> Here are the relevant messages from the firewall logs on the home
> machine:
>
> Code:
> --------------------
> Sep 14 10:33:52 homemachine kernel: [97500.489014] SFW2-INext-DROP-DEFLT
> IN=wlan0 OUT= MAC=00:13:e8:9d:73:59:00:24:01:36:74:9c:08:00
> SRC=95.91.92.92 DST=192.168.0.194 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=53019 DF PROTO=TCP SPT=55227 DPT=5900 WINDOW=5840 RES=0x00 SYN
> URGP=0 OPT (020405B40402080A05CB29670000000001030306)
>
> Sep 14 10:42:12 homemachine kernel: [98000.431658] SFW2-INext-DROP-DEFLT
> IN=wlan0 OUT= MAC=00:13:e8:9d:73:59:00:24:01:36:74:9c:08:00
> SRC=95.91.92.92 DST=192.168.0.194 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=52225 DF PROTO=TCP SPT=44038 DPT=8090 WINDOW=5840 RES=0x00 SYN
> URGP=0 OPT (020405B40402080A05D2CA4F0000000001030306)
> --------------------
>
>
> I don’t understand why this isn’t working now, I had the same setup on
> 11.2 and it worked fine.
>
> Edit: 95.91.92.92 is the public IP address of my home router; I
> don’t understand why a connection would appear to be coming from there
> when I use ssh tunnelling.
>
>
(note that the SuSEfirewall on my home machine redirects port 443 to ssh to avoid continuous password-guessing attacks on port 22)
I’ve just found a workaround to this problem: if I change the ‘host’ part of the forwarding specification to be the internal IP address of my home machine on the home network, it works:
I don’t understand why this is. I didn’t need to do this in 11.2 and the whole thing seems wrong to me - ssh forwarding should work and shouldn’t be interfered with by the firewall.
Edit: Just to note my home machine is in the ‘DMZ’ in the wireless router, i.e. any firewall on the home router should not be a factor in this. Besides, none of these settings have changed since I ran 11.2.
It looks like it is behaving as suspected, and correctly. At home what
does ‘myhomemachine.selfip.net’ resolve to? Did it resolve to the exact
same IP address before? It is possible (likely?) that the machine you are
SSH-ing to used to resolve that IP differently (to a private IP perhaps)
or maybe it is possible that the default firewall rules have changed to be
based on IP more than on device. Feel free to post the output of sudo /usr/sbin/iptables -L -n -v or sudo /usr/sbin/iptables-save to show us
how the firewall is setup on your machines. Also knowing a bit more about
how IPs and DNS are setup could help:
ip addr
ip route
cat /etc/hosts
Good luck.
On 09/15/2010 03:06 AM, tk83 wrote:
>
> The command I’m using to connect is:
>
> Code:
> --------------------
> ssh -L 5900:myhomemachine.selfip.net:5900 -p 443 tim@myhomemachine.selfip.net
> --------------------
>
> (note that the SuSEfirewall on my home machine redirects port 443 to
> ssh to avoid continuous password-guessing attacks on port 22)
>
> I’ve just found a workaround to this problem: if I change the ‘host’
> part of the forwarding specification to be the internal IP address of my
> home machine on the home network, it works:
>
> Code:
> --------------------
> ssh -L 5900:192.168.0.194:5900 -p 443 tim@myhomemachine.selfip.net
> --------------------
>
>
> I don’t understand why this is. I didn’t need to do this in 11.2 and
> the whole thing seems wrong to me - ssh forwarding should work and
> shouldn’t be interfered with by the firewall.
>
> Edit: Just to note my home machine is in the ‘DMZ’ in the wireless
> router, i.e. any firewall on the home router should not be a factor in
> this. Besides, none of these settings have changed since I ran 11.2.
>
>
It would also have worked with 5900:myhomemachine.selfip.net:5900 if I’d correctly typed in the hostname when I set up the machine, since openSUSE would’ve set up this line in /etc/hosts:
127.0.0.2 myhomemachine.selfip.net myhomemachine
But anyway, using 5900:localhost:5900 is the best solution since it doesn’t rely on /etc/hosts being set up properly.
Good to hear! Thank you for posting back your results.
Good luck.
On 09/16/2010 04:36 AM, tk83 wrote:
>
> I’ve worked out the problem now. I should’ve used localhost in the
> forwarding option, i.e.
> Code:
> --------------------
> ssh -L 5900:localhost:5900 -p 443 tim@myhomemachine.selfip.net
> --------------------
>
>
> It would also have worked with 5900:myhomemachine.selfip.net:5900 if
> I’d correctly typed in the hostname when I set up the machine, since
> openSUSE would’ve set up this line in /etc/hosts:
>
> Code:
> --------------------
> 127.0.0.2 myhomemachine.selfip.net myhomemachine
> --------------------
>
>
> But anyway, using 5900:localhost:5900 is the best solution since it
> doesn’t rely on /etc/hosts being set up properly.
>
> Thanks for your help with this
>
>
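The drops in the quoted log lines and the three `-L` specs tried in the thread, worked through as an added example (not code from the thread or from openSUSE): it parses the SFW2 log fields, predicts from the forward spec and the machine's name resolution whether sshd's side of the tunnel stays on lo or hairpins through the router into the external zone, and matches the two. The address tables are constructed from the thread's description, and the two log lines are the quoted ones re-joined onto one line each.

```python
"""Explain SuSEfirewall2 SFW2-INext-DROP log lines in terms of an ssh -L forward.
Added example, not from the thread. Log lines are the two quoted in the thread,
re-joined onto one line each (OPT field omitted); address tables are constructed
from the thread (95.91.92.92 router public IP, 192.168.0.194 home machine LAN IP)."""
import re

SFW2_LOG = [
    "Sep 14 10:33:52 homemachine kernel: [97500.489014] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= "
    "MAC=00:13:e8:9d:73:59:00:24:01:36:74:9c:08:00 SRC=95.91.92.92 DST=192.168.0.194 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=53019 DF PROTO=TCP SPT=55227 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 14 10:42:12 homemachine kernel: [98000.431658] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= "
    "MAC=00:13:e8:9d:73:59:00:24:01:36:74:9c:08:00 SRC=95.91.92.92 DST=192.168.0.194 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=52225 DF PROTO=TCP SPT=44038 DPT=8090 WINDOW=5840 RES=0x00 SYN URGP=0",
]
ROUTER_PUBLIC_IP = "95.91.92.92"
OWN_ADDRS = {"127.0.0.1", "127.0.0.2", "192.168.0.194"}  # addresses the home machine itself owns
# Constructed name resolution on the home machine. With the hostname mistyped at install,
# there is no /etc/hosts entry and the name resolves only via public DNS (the broken case).
DNS_ONLY = {"localhost": "127.0.0.1", "myhomemachine.selfip.net": "95.91.92.92"}
WITH_ETC_HOSTS = {"localhost": "127.0.0.1", "myhomemachine.selfip.net": "127.0.0.2"}

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_sfw2(line):
    """Return the SFW2 rule tag plus every KEY=value field of a kernel log line."""
    tag = re.search(r"(SFW2-\S+)", line)
    fields = dict(KV_RE.findall(line))
    fields["TAG"] = tag.group(1) if tag else ""
    return fields

def forward_path(spec, hosts):
    """Predict where sshd's outbound leg of an 'lport:host:hport' forward goes:
    'local' (over lo, never touches wlan0), 'hairpin' (out to the router and
    back in through wlan0 as external-zone traffic) or 'other' (a third host)."""
    _lport, host, hport = spec.split(":")
    addr = hosts.get(host, host)
    path = "local" if addr in OWN_ADDRS else "hairpin" if addr == ROUTER_PUBLIC_IP else "other"
    return hport, addr, path

def explain_drop(line, spec, hosts):
    """Classify one dropped SYN: 'hairpin' (the tunnel's own traffic bounced off the
    router), 'stale' (same port, but current resolution keeps it on lo), or 'unrelated'."""
    f = parse_sfw2(line)
    hport, addr, path = forward_path(spec, hosts)
    flow = f"{f['SRC']}:{f['SPT']}->{f['DST']}:{f['DPT']} on {f['IN']}"
    if not ("INext-DROP" in f["TAG"] and f["IN"] == "wlan0"
            and f["SRC"] == ROUTER_PUBLIC_IP and f["DPT"] == hport):
        return "unrelated", f"{flow} is not the {spec} forward"
    return ("hairpin" if path == "hairpin" else "stale"), f"{flow}: forward target {addr} ({path})"
```

Run `explain_drop(SFW2_LOG[0], "5900:myhomemachine.selfip.net:5900", DNS_ONLY)` to reproduce the thread's failure (`hairpin`); the same spec against `WITH_ETC_HOSTS`, or `5900:localhost:5900` against either table, predicts a `local` path that never reaches the external zone.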