SCP and SSH thru tunneling?
Hi all! I must be either totally blind or just plain stupid, but I can't find the way to scp and ssh thru a firewall.

Scenario 1: Workstation connecting to the outside of a firewall and then from the wall to a server on the inside network. OK, the stupid way is probably:
ssh user@red-net.domian.com (logging in)
ssh another-user@green-server.inside.net
I know there must be a way to redirect the ssh session so I won't have to login twice. (Did it with VNC a few years back, but can't seem to find the page that described how...)

Scenario 2: Same set up, but I need to copy a file from workstation to green-server via the firewall. Can that be done via an already set up ssh session (sort of like VPN)? Can the scp command be redirected?

-- /Rikard
email : rikard.j@rikjoh.com
web : http://www.rikjoh.com
mob : +46 (0)736 19 76 25
Public PGP fingerprint: < 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
On Thursday 13 October 2005 17:59, Rikard Johnels wrote:
Hi all!
I must be either totally blind or just plain stupid, but I can't find the way to scp and ssh thru a firewall.
Scenario 1: Workstation connecting to the outside of a firewall and then from the wall to a server on the inside network. OK, the stupid way is probably:
ssh user@red-net.domian.com (logging in)
ssh another-user@green-server.inside.net
This is sort of an involuted way of doing things. Why not just ssh another-user@green-server.inside.net ? Why the hop on the firewall?
-- /Rikard
Jerry
Jerry Westrick wrote:
On Thursday 13 October 2005 17:59, Rikard Johnels wrote:
Hi all!
I must be either totally blind or just plain stupid, but I can't find the way to scp and ssh thru a firewall.
Scenario 1: Workstation connecting to the outside of a firewall and then from the wall to a server on the inside network. OK, the stupid way is probably:
ssh user@red-net.domian.com (logging in)
ssh another-user@green-server.inside.net
This is sort of an involuted way of doing things. Why not just ssh another-user@green-server.inside.net ?
Why the hop on the firewall?
Probably because, if there's a firewall and NAT to RFC1914 addresses, there's no way to directly reach the computers behind the firewall, without using a VPN.
Rikard Johnels wrote:
Hi all!
I must be either totally blind or just plain stupid, but I can't find the way to scp and ssh thru a firewall.
Scenario 1: Workstation connecting to the outside of a firewall and then from the wall to a server on the inside network. OK, the stupid way is probably:
ssh user@red-net.domian.com (logging in)
ssh another-user@green-server.inside.net
I know there must be a way to redirect the ssh session so I won't have to login twice. (Did it with VNC a few years back, but can't seem to find the page that described how...)
Scenario 2: Same set up, but I need to copy a file from workstation to green-server via the firewall.
Can that be done via an already set up ssh session (sort of like VPN)? Can the scp command be redirected?
You have to set up port forwarding. If you still want to be able to connect to the firewall, you'll have to choose a second port number. This way, one port number talks to the firewall and the other is forwarded to a computer behind the firewall.
On Thursday 13 October 2005 18.07, James Knott wrote:
Rikard Johnels wrote:
Hi all!
I must be either totally blind or just plain stupid, but I can't find the way to scp and ssh thru a firewall.
Scenario 1: Workstation connecting to the outside of a firewall and then from the wall to a server on the inside network. OK, the stupid way is probably:
ssh user@red-net.domian.com (logging in)
ssh another-user@green-server.inside.net
I know there must be a way to redirect the ssh session so I won't have to login twice. (Did it with VNC a few years back, but can't seem to find the page that described how...)
Scenario 2: Same set up, but I need to copy a file from workstation to green-server via the firewall.
Can that be done via an already set up ssh session (sort of like VPN)? Can the scp command be redirected?
You have to set up port forwarding. If you still want to be able to connect to the firewall, you'll have to choose a second port number. This way, one port number talks to the firewall and the other is forwarded to a computer behind the firewall.
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
The problem is: I have three different servers and five workstations on the inside (192.168.0.x/24 network), and I need to get to them independently. I do NOT want to set up individual port forwards in the firewall.
-- /Rikard
On 10/13/05, Rikard Johnels wrote:
The problem is: I have three different servers and five workstations on the inside (192.168.0.x/24 network), and I need to get to them independently. I do NOT want to set up individual port forwards in the firewall.
-- /Rikard
Then maybe a VPN solution is better for you.
-- Svetoslav Milenov (Sunny)
Rikard Johnels wrote:
The problem is: I have three different servers and five workstations on the inside (192.168.0.x/24 network), and I need to get to them independently. I do NOT want to set up individual port forwards in the firewall.
Set up a VPN to the firewall. That way, remote systems will be able to connect directly to the local network, without any additional configuration of the local computers.
On Thursday 13 October 2005 18.31, James Knott wrote:
Rikard Johnels wrote:
The problem is: I have three different servers and five workstations on the inside (192.168.0.x/24 network), and I need to get to them independently. I do NOT want to set up individual port forwards in the firewall.
Set up a VPN to the firewall. That way, remote systems will be able to connect directly to the local network, without any additional configuration of the local computers.
I would use VPN if I had a private laptop or the "originating" computer were the same every time. But I need to be able to work this way from any machine anywhere, and most of them don't have VPN.
-- /Rikard
On Thursday 13 October 2005 12:51 pm, Rikard Johnels wrote:
On Thursday 13 October 2005 18.31, James Knott wrote:
Rikard Johnels wrote:
The problem is: I have three different servers and five workstations on the inside (192.168.0.x/24 network), and I need to get to them independently. I do NOT want to set up individual port forwards in the firewall.
Set up a VPN to the firewall. That way, remote systems will be able to connect directly to the local network, without any additional configuration of the local computers.
If you don't want to use a VPN, a trivial method is to use port forwarding in your router and then assign a high port to each machine. (Might also be a bit more secure to keep script kiddies from beating on port 22.) Such as:
port 12061 = machine 1
port 12062 = machine 2
Thus with your normal ssh command and using the port option... you can select the machine you want.
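A concrete form of the per-machine mapping Bruce describes, as an added example that is not from the thread or from any poster: a POSIX shell script that generates (and, with --apply as root, installs) iptables DNAT rules on a Linux firewall. The external interface name eth0 and the inside addresses 192.168.0.11 and 192.168.0.12 are assumptions (constructed addresses on the thread's 192.168.0.x/24 network); the ports 12061 and 12062 are Bruce's. Each mapping is one inbound hole per machine, which is what Rikard says he wants to avoid, so the script emits rules only for the hosts listed in MAPPINGS and leaves the firewall's own sshd on port 22 alone. Moving sshd off port 22 cuts log noise from scanners but is not an access control; the restriction that matters is the FORWARD rule limiting each hole to one inside host and port.

```shell
#!/bin/sh
# Added example (not from the thread): per-machine high-port forwarding on a
# Linux/iptables firewall, following Bruce Marshall's suggestion.
# Assumptions: external interface eth0; inside hosts 192.168.0.11 and
# 192.168.0.12 (constructed sample addresses).

WAN_IF=eth0

# "external port on the firewall  inside host", one mapping per line (constructed).
MAPPINGS='12061 192.168.0.11
12062 192.168.0.12'

# Emit the two rules one mapping needs: the DNAT in the nat table and a
# FORWARD accept restricted to that one inside host's sshd port.
rules_for() {
    ext_port=$1
    inside=$2
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' \
        "$WAN_IF" "$ext_port" "$inside"
    # FORWARD sees the packet after DNAT, so it matches on the inside address and port 22.
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$inside"
}

# Expand every mapping into rules. The firewall's own sshd stays on port 22,
# so "ssh user@red-net.domian.com" keeps working next to the forwards.
all_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r ext_port inside; do
        [ -n "$ext_port" ] && rules_for "$ext_port" "$inside"
    done
}

# Number of generated rules: two per mapping.
rule_count() {
    all_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    --apply) all_rules | sh ;;   # needs root; actually installs the rules
    *)       all_rules ;;        # default: print the rules for review
esac
```

Run it without arguments to review the generated rules before applying them; the review step is the point, since every line in the output is a new inbound path through the firewall.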
Bruce Marshall wrote:
On Thursday 13 October 2005 12:51 pm, Rikard Johnels wrote:
On Thursday 13 October 2005 18.31, James Knott wrote:
Rikard Johnels wrote:
The problem is: I have three different servers and five workstations on the inside (192.168.0.x/24 network), and I need to get to them independently. I do NOT want to set up individual port forwards in the firewall.
Set up a VPN to the firewall. That way, remote systems will be able to connect directly to the local network, without any additional configuration of the local computers.
If you don't want to use a VPN, a trivial method is to use port forwarding in your router and then assign a high port to each machine. (might also be a bit more secure to keep script kiddies from beating on port 22)
Well, he doesn't want to use port forwarding and he doesn't want to use a VPN. That limits the options somewhat.
On Thursday 13 October 2005 22.06, James Knott wrote:
Bruce Marshall wrote:
On Thursday 13 October 2005 12:51 pm, Rikard Johnels wrote:
On Thursday 13 October 2005 18.31, James Knott wrote:
Rikard Johnels wrote:
The problem is: I have three different servers and five workstations on the inside (192.168.0.x/24 network), and I need to get to them independently. I do NOT want to set up individual port forwards in the firewall.
Set up a VPN to the firewall. That way, remote systems will be able to connect directly to the local network, without any additional configuration of the local computers.
If you don't want to use a VPN, a trivial method is to use port forwarding in your router and then assign a high port to each machine. (might also be a bit more secure to keep script kiddies from beating on port 22)
Well, he doesn't want to use port forwarding and he doesn't want to use a VPN. That limits the options somewhat.
I can't use a VPN solution as I use different computers every time. And I want to refrain from opening and port redirecting too much in the firewall, as I want it as tight as possible. (Yes, I know I need at least ONE hole to get in myself.) It's "bad enough" to have a redirect of ftp/web inside the wall.
-- /Rikard
Rikard Johnels wrote:
Well, he doesn't want to use port forwarding and he doesn't want to use a VPN. That limits the options somewhat.
I can't use a VPN solution as I use different computers every time. And I want to refrain from opening and port redirecting too much in the firewall, as I want it as tight as possible. (Yes, I know I need at least ONE hole to get in myself.) It's "bad enough" to have a redirect of ftp/web inside the wall.
The only available options for what you want to do, are port forwarding or VPN. If those aren't suitable, then we can't help you. You're asking for something that doesn't exist.
On Thursday 13 October 2005 23.31, James Knott wrote:
Rikard Johnels wrote:
Well, he doesn't want to use port forwarding and he doesn't want to use a VPN. That limits the options somewhat.
I can't use a VPN solution as I use different computers every time. And I want to refrain from opening and port redirecting too much in the firewall, as I want it as tight as possible. (Yes, I know I need at least ONE hole to get in myself.) It's "bad enough" to have a redirect of ftp/web inside the wall.
The only available options for what you want to do, are port forwarding or VPN. If those aren't suitable, then we can't help you. You're asking for something that doesn't exist.
Thank you all for your time and effort. Having a "talk" with the boss about reconfiguring the network some :) (And getting me a laptop..)
-- /Rikard
On Fri, 14 Oct 2005 19:48, Rikard Johnels wrote:
On Thursday 13 October 2005 23.31, James Knott wrote:
Rikard Johnels wrote:
Well, he doesn't want to use port forwarding and he doesn't want to use a VPN. That limits the options somewhat.
I can't use a VPN solution as I use different computers every time. And I want to refrain from opening and port redirecting too much in the firewall, as I want it as tight as possible. (Yes, I know I need at least ONE hole to get in myself.) It's "bad enough" to have a redirect of ftp/web inside the wall.
The only available options for what you want to do, are port forwarding or VPN. If those aren't suitable, then we can't help you. You're asking for something that doesn't exist.
Thank you all for your time and effort. Having a "talk" with the boss about reconfiguring the network some :) (And getting me a laptop..)
The other possibility is using port knocking, but you must have access to the firewall to implement it. Personally I would not use it because of the security problems this may introduce. See below for information on port knocking:
http://new.linuxjournal.com/article/6811
To find utilities implementing port knocking I suggest searching freshmeat.
-- Regards, Graham Smith
On Thursday 13 October 2005 17:59, Rikard Johnels wrote:
Hi all!
I must be either totally blind or just plain stupid, but I can't find the way to scp and ssh thru a firewall.
Scenario 1: Workstation connecting to the outside of a firewall and then from the wall to a server on the inside network. OK, the stupid way is probably:
ssh user@red-net.domian.com (logging in)
ssh another-user@green-server.inside.net
I know there must be a way to redirect the ssh session so I won't have to login twice. (Did it with VNC a few years back, but can't seem to find the page that described how...)
Scenario 2: Same set up, but I need to copy a file from workstation to green-server via the firewall.
Can that be done via an already set up ssh session (sort of like VPN)? Can the scp command be redirected?
After following the thread and having my misunderstandings pointed out, I think this is what you want:
ssh -L 26:green-server.inside.net:22 user@red-net.domian.com
This will ssh to the router, and set up a port forward to ssh on green-server.inside.net. Now you can
ssh -p 26 another-user@red-net.domian.com
through the tunnel... scp will also work...
Jerry
-- /Rikard
On Thursday 13 October 2005 17:37, Jerry Westrick wrote:
After following the thread and having my misunderstandings pointed out, I think this is what you want:
ssh -L 26:green-server.inside.net:22 user@red-net.domian.com
This will ssh to the router, and setup a port forward to ssh on green-server.inside.net. Now you can
ssh -p 26 another-user@red-net.domian.com through the tunnel...
scp will also work...
I think you'll find that second command should be:
ssh -p 26 another-user@localhost
You'll also not be able to use port 26 as a regular user, as it is privileged, so replace 26 with something > 1024, i.e. 2222 if you are a regular user.
-- Steve Boddy
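Putting Jerry's tunnel and Steve's two corrections together, as an added example that is not code from the thread or from either poster: a POSIX shell script that checks the local port is unprivileged, prints (or with --run executes) the tunnel, the inner ssh against localhost, and the matching scp, which takes an upper-case -P for the port. The -N and -f flags are additions so the firewall session only carries the tunnel instead of leaving an interactive shell open. The last function goes beyond the thread: the single-command ProxyCommand form with ssh -W, available in OpenSSH 5.4 and later (newer than this 2005 thread), which needs no listening local port and checks the host key of the real inside host rather than a localhost entry. Hostnames and users are the thread's; the file names ./report.txt and /tmp/ are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): the corrected -L tunnel plus the
# ProxyCommand form. red-net.domian.com is the firewall, green-server.inside.net
# the inside host; LOCAL_PORT=2222 follows Steve Boddy's note that 26 is privileged.

FIREWALL=user@red-net.domian.com
INSIDE_HOST=green-server.inside.net
INSIDE_USER=another-user
LOCAL_PORT=2222

# Unprivileged users cannot bind ports at or below 1024; also reject non-numeric input.
check_local_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -lt 65536 ]
}

# Step 1: open the tunnel on the firewall. -N runs no remote command, -f goes to
# the background after authentication, -L binds localhost:$1 and forwards it to
# INSIDE_HOST:22 from the firewall's side.
tunnel_cmd() {
    check_local_port "$1" || return 1
    printf 'ssh -N -f -L %s:%s:22 %s\n' "$1" "$INSIDE_HOST" "$FIREWALL"
}

# Step 2: the inside host is now reached at localhost, not at the firewall's name.
inner_ssh_cmd() {
    printf 'ssh -p %s %s@localhost\n' "$1" "$INSIDE_USER"
}

# scp through the same tunnel: upper-case -P is the port (lower-case -p keeps timestamps).
scp_cmd() {
    printf 'scp -P %s %s %s@localhost:%s\n' "$1" "$2" "$INSIDE_USER" "$3"
}

# Generalisation (OpenSSH 5.4+): ProxyCommand with "ssh -W" relays stdin/stdout
# to INSIDE_HOST:22 via the firewall, so no local port is opened and the host
# key being verified is green-server's own.
proxy_ssh_cmd() {
    printf 'ssh -o ProxyCommand="ssh -W %%h:%%p %s" %s@%s\n' "$FIREWALL" "$INSIDE_USER" "$INSIDE_HOST"
}

case "${1:-}" in
    --run) eval "$(tunnel_cmd "$LOCAL_PORT")" && eval "$(inner_ssh_cmd "$LOCAL_PORT")" ;;
    *)     tunnel_cmd "$LOCAL_PORT"; inner_ssh_cmd "$LOCAL_PORT"
           scp_cmd "$LOCAL_PORT" ./report.txt /tmp/; proxy_ssh_cmd ;;
esac
```

Without arguments the script prints the four commands; with --run it opens the tunnel and then the inner session. The tunnel keeps only one hole in the firewall (its own sshd), which is the constraint Rikard set, and every inside host is reached by changing INSIDE_HOST, not the firewall configuration.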
participants (7)
- Bruce Marshall
- Graham Smith
- James Knott
- Jerry Westrick
- Rikard Johnels
- Stephen Boddy
- Sunny