I have a question about Remote port forwarding in SSH
Hi, I am trying to do remote port forwarding in SSH and make the forwarded
port available over a network.
One machine, S, is behind a firewall and I can ssh out, but not ssh
in. I can connect using a VPN which only works with Windoze. The other
machine, H, is behind a different firewall, and it can SSH in or out.
So what I do is connect to the machine S from the machine H and then
give the command:
user@S$ ssh -R22222:localhost:22 H
Then, on the machine H, I give the command
user@H$ ssh -p 22222 localhost
and I am connected. Using public key authentication, I don't need to
provide a passphrase, unless I want to.
Now, here is the problem. I have a machine, H2, which is on the same
(private) LAN as H, and I would like to be able to do something like
user@H2$ ssh -p 22222 H
but that doesn't work. I have tried using the -g switch on the first
ssh command, but no joy. Anybody have any suggestions?
Incidentally, this construct is a covert channel, so it's probably wise
not to get caught doing that.
On Tue, 06 Sep 2005 23:23:57 -0700, Jeff Silverman wrote:
Hey, that's my name! Sorry no help for your question, though.
JDS | firstname.lastname@example.org
DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/
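A note added by the editor, not part of any post above: the -g switch is a client-side option and only affects -L and -D listeners on the client. For a -R forward the listening socket on H is created by sshd, and with the OpenSSH default "GatewayPorts no" sshd binds it to 127.0.0.1 only, which is why H2 cannot reach port 22222. Setting "GatewayPorts yes" in sshd_config on H makes sshd bind every remote forward to all interfaces; "GatewayPorts clientspecified" lets the client choose, with an explicit bind address such as ssh -N -R '*:22222:localhost:22' H (quote the * so the shell does not expand it). The same cause is behind Sven's thread, the VNC-over-port-443 thread and the plink/VNC thread further down this page. The script below is an added example, not code from the posts: it reads the output of ss -ltn or netstat -ltn captured on H and reports whether the listener for a port is bound to loopback only, to all interfaces, or is absent. The host names S, H and H2 are the ones from the post; the ss/netstat outputs it contains are constructed samples, not captures.

```python
"""Added example (not from the posts): check how an ssh -R listener is bound.

The -R listening socket is created by sshd on the gateway (H), so the
client-side -g switch does not affect it.  Feed listener_scope() the
output of "ss -ltn" or "netstat -ltn" taken on H.  All sample outputs
below are constructed.
"""
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# "local address:port" as printed by ss/netstat: 0.0.0.0:22222, [::1]:22222,
# ::1:22222 or *:22222.  The greedy group keeps everything up to the last
# colon as the address.
_ADDR_PORT = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")


def listeners(text):
    """Yield (address, port) for every LISTEN line of ss/netstat output."""
    for line in text.splitlines():
        fields = line.split()
        # ss -ltn:      LISTEN recvq sendq local peer
        # netstat -ltn: proto  recvq sendq local peer LISTEN
        if len(fields) < 5 or "LISTEN" not in (fields[0], fields[-1]):
            continue
        m = _ADDR_PORT.match(fields[3])
        if m:
            yield m.group("addr").strip("[]"), int(m.group("port"))


def listener_scope(text, port):
    """Return 'none', 'loopback' or 'all' for the given listening port.

    A socket on that port bound to a wildcard (0.0.0.0, ::, *) or to a real
    interface address is reachable from other hosts such as H2, so it wins.
    """
    scope = "none"
    for addr, p in listeners(text):
        if p != port:
            continue
        if addr not in LOOPBACK:
            return "all"
        scope = "loopback"
    return scope


def remote_forward_argv(listen_port, target_host, target_port, gateway, bind="*"):
    """argv for a -R forward that asks sshd to bind to `bind` instead of loopback.

    sshd honours the requested address only under "GatewayPorts clientspecified";
    "GatewayPorts yes" binds to the wildcard regardless and the default "no"
    binds to loopback regardless.  -N opens no shell, only the forward.
    """
    spec = "%s:%d:%s:%d" % (bind, listen_port, target_host, target_port)
    return ["ssh", "-N", "-R", spec, gateway]


# Constructed samples of "ss -ltn" / "netstat -ltn" output on H.
SS_LOOPBACK_ONLY = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:22222    0.0.0.0:*
LISTEN 0      128    [::1]:22222        [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
"""
SS_GATEWAY = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22222      0.0.0.0:*
LISTEN 0      128    [::]:22222         [::]:*
"""
NETSTAT_LOOPBACK_ONLY = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:22222         0.0.0.0:*               LISTEN
tcp6       0      0 ::1:22222               :::*                    LISTEN
"""

if __name__ == "__main__":
    for name, sample in (("ss, GatewayPorts no", SS_LOOPBACK_ONLY),
                         ("ss, GatewayPorts yes", SS_GATEWAY),
                         ("netstat, GatewayPorts no", NETSTAT_LOOPBACK_ONLY)):
        print("%-26s port 22222 -> %s" % (name, listener_scope(sample, 22222)))
    print(" ".join(remote_forward_argv(22222, "localhost", 22, "H")))
```

If listener_scope() reports "loopback", the fix is in sshd_config on H, not on the ssh command line on S; restart sshd and reconnect after changing GatewayPorts, since the bind address is decided when the forward is set up.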
...To Port Forward or Not To Port Forward
System: DP MDD G4, OS 10.4.9
Inet connection: DSL with static IP, Broadcom Gateway to Linksys
WRT54G Wireless Router using DHCP, 1 computer connected via enet, 3
connected wirelessly, basic home use only
Wireless security is very basic: Unique router name and pw, SSID
disabled, and connections allowed by MAC addresses only, Linksys
firewall is enabled with all the other features set to their defaults,
Mac OS firewall is disabled
I recently purchased a Logitech QuickCam Pro 5000 webcam that works just
fine with iChat right out of the box. Learning how to use it I found
some Apple docs and ot...

ssh remote port forwarding
I have a little problem using ssh and remote port forwarding. Here is
the problem: I have one machine (A) behind a nat firewall that I'd like
to be able to access from the outside via ssh. Unfortunately I have no
control over the router, so no DMZing it.
So I was thinking of sshing from machine A behind the firewall to a
machine outside the nat (machine B) and using reverse port forwarding on
that machine. Then I could ssh to machine B and that would then forward
the connection to A.
so far I run this on A:
sudo ssh -g -N -R 2222:127.0.0.1:22 machineBusername@machineB.something
then running the following in the outside world:
ssh -p 2222 machineAusername@machineB.something
yields a timeout.
I'm a bit confused on how to get this to work. Is what I want to do
principally possible and if so, what can I do to make it work?
s v e n (dot) d (dot) m e i e r (at) g m x (dot) n e t
In article <email@example.com> Sven <firstname.lastname@example.org> writes:
>I have a little problem using ssh and remote port forwarding. Here is
>the problem: I have one machine (A) behind a nat firewall that I'd like
>to be able to access from the outside via ssh. Unfortunately I have no
>control over the router, so no DMZing it.
>So I was thinking of sshing from machine A behind the firewall to a
>machine outside the nat (machine B) and using reverse ...

SSH Port Forwarding Question
I am having a problem using OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4,
OpenSSL 0.9.7d on the client and OpenSSH_3.7p1 for Solaris 7 on the
I have port forwarded the default Oracle port from my local machine
through a bastion host to my Oracle machine like so:
ssh -L 1521:oracle_box:1521 username@bastion
And all works fine at first. I am doing some load testing on an
application and am trying to see how many instances I can run at one
time. Each instance of the application initiates its own connection
to the Oracle database through the SSH tunnel. This works great until
I get to 25 hosts and then I start seeing this error on the console of
the bastion host where I have ssh'd to:
channel 53: open failed: administratively prohibited: open failed
It appears there is some sort of hard limit that I have reached and I
am wondering if this is something I can change on the client side, the
server side, or whether it is hardcoded into either the server or
client and I'm out of luck. I do not have the luxury of simply
selecting another local port to forward because of the way the
application is configured so I'd really like to be able to get at
least 100 connections through per tunnel. I have tried this on 3
different Linux boxes, all with the same result.
The per-process limit on concurrent open file descriptors for sshd on the
server is probably set to 64; try increasing it.
...remote/reverse port forward, ssh client setting source IPs to what ssh server reports
Note: most of this post is based on OpenSSH
When I do a remote forward (port on server listens for incoming
traffic, traffic gets forwarded to port that is listening on client),
the source IPs of all the incoming connections in the server app on
the client machine are 127.0.0.1/localhost. Using "-v", I can see that
sshd passes the IP addresses of what computers connected to the sshd's
port that forwards to the client. The client does not use/set the
originating information when connecting. RFC 4254 requires the server
send the originating IP across the wire to the client.
7.2. TCP/IP Forwarding Channels
When a connection comes to a port for which remote forwarding has
been requested, a channel is opened to forward the port to the
    uint32    sender channel
    uint32    initial window size
    uint32    maximum packet size
    string    address that was connected
    uint32    port that was connected
    string    originator IP address
    uint32    originator port
The 'originator IP address' is the numeric IP address of the
from where the conn...

ssh port forwarding questions
I am trying to set up an X11-based working environment on my MacBook (at
home). What I am trying to do is log in to my work Unix machine, run
commands, and bring up GUIs (on my MacBook). I was told that SSH port
forwarding is best for this. (I am using VNC, and it works great, but the
problem is I end up using the mouse a lot; can't easily switch between
windows on KDE... and on the Mac I can use all shortcuts to navigate.)
So here is what I have:
work machine: name.company.com (I use hostname to find out; not sure
how to get the IP or full name, I am just assuming that the domain is
comp...

SSH Port Forwarding Question #2
I would like to create a large amount of local port forward ports to
another host. When setting them up on 1 PuTTY session I get an error
at about the 42nd tunnel port that I have too many.
This is before I even try to connect to the server.
Due to new policies I need to set up tunnel sessions through 1 gateway
to up to 312 different ip/ports on the other side. NOT at one time
though. I want my users to be able to ssh 1 time to the gateway and
use a Procomm Directory to telnet to a max of 25 sessions at one time.
But these 25 sessions could be any combination of the 312 available
Is there any way to increase the available local port fwd sessions on
one PuTTY session? Can you point me to any documentation to allow me
to increase this limit? Is there another alternative?
SSH from windows to UNIX gateway
On the Windows computer, telnet to localhost 13000 - 13499 individually, up
to 25 consecutively. PuTTY sets tunnels L13000=192.x.x.001:23 -
L13499=10.x.x.250:23, each local port being a separate server that can
only be accessed from the Unix gateway.
"email@example.com" <firstname.lastname@example.org> writes:
> I would like to create a large amount of local port forward ports to
> another host. When setting them up on 1 PuTTY session I get an error
> at about the 42nd tunnel port that I have too many.
> This is before I even try to connect to the server.
> Due to new policies I need to set up tunnel sessions through...

FTP port forwarding in SSH.. Secure??
I was trying the "FTP Port Forwarding"
(to secure the FTP transfer). I really like it, but I have a question:
On the unix manual pages (man ssh2), the description of the "-L"
option indicates that part of the connection is not secure when you
use FTP Port Forwarding; could someone please explain to me what part is
not secure? Is it referring to the FTP data which is non-encrypted
inside the tunnel? Below is text from manual
page for F-Secure SSH2
ssh2 - secure shell client (remote login program)
-L [protocol/][localhost:]port:host:hostport or -L
The given port on the local (client) host is forwarded
to the given host and port on the remote side. This
allocates a listener port port on the local side.
Whenever a connection is made to this listener, the
connection is forwarded over the secure channel and a
connection is made to host:hostport from the remote
machine (this latter connection will not be secure, it
is a normal TCP connection). Port forwarding can also
be specified in the configuration file. ...

What is the difference between local port forwarding (-L) and remote port forwarding (-R)
I need to do an SSH tunnel to encrypt the data sent between an agent
and the server. I'm able to establish a tunnel but there's something
that I can't understand...
What is the difference between the bit -L and the bit -R. I've read
the man of SSH on Fedora. It seems to be simple but in practice, I
Can somebody help me on this subject?
Thanks a lot!
> What is the difference between the bit -L and the bit -R.
-L forwards a port from the client to the server.
-R forwards a port from the server to the client.
To reply by email, replace "deadspam.com" by "alumni.utexas.net"
In article <email@example.com>,
Yann Laviolette <firstname.lastname@example.org> wrote:
>What is the difference between the bit -L and the bit -R. I've read
>the man of SSH on Fedora. It seems to be simple but in practice, I
Example: "ssh -L 2000:22.214.171.124:2000 server" is a "local" forward and will
listen on the client (ie the machine you ssh'ed from) on port 2000.
If something connects to the client on port 2000, a "channel" will be
opened inside the SSH connection and the server will connect to 126.96.36.199 on
port 2000. Any data sent or received will be forwarded over this channel.
In contrast, "ssh -R 2000:188.8.131.52:2000 server" is a "remote" forward,
which will cause the *server* to listen o...

Symantec 200R Firewall port forwarding remote desktop security
I have set up the 200R to allow a virtual server for port 3389 so that I can
connect to our remote server using terminal services to the public Internet
IP address. It all works OK but I have disabled it because of security
reasons. Two questions:-
Is there any way to tie down this access to my own PC or network?
Can I make the port appear in Stealth mode rather than Open?
Vic Russell wrote:
> I have set up the 200R to allow a virtual server for port 3389 so that I
> can connect to our remote server using terminal services to the public
...ssh port forward
I'm trying to set up an ssh local port forward.
But I don't know the ports to connect to on the remote machine.
Is it possible to setup forward for a range of ports?
You can specify multiple ports to forward on the command line, or
establish a VPN if you have the need for UDP. See:
for info on both types.
On 21 Nov 2006 15:57:54 -0800
> I'm trying to set up an ssh local port forward.
> But I don't know the ports to connect to on the remote machine.
> Is it possible to setup forward for a range of ports?
For UNIX, Linux and security articles
In article <email@example.com>
>I'm trying to set up an ssh local port forward.
>But I don't know the ports to connect to on the remote machine.
You could perhaps use OpenSSH's "dynamic" port forwarding, i.e. SOCKS -
see the -D option.
>Is it possible to setup forward for a range of ports?
Not as such (with OpenSSH), though (with OpenSSH) you can AFAIK give any
number of -L options - i.e. a range is just a matter of giving one -L
option for every port in the range. A bit verbose, but the end result
would be the same - ssh (any flavour) would need to open a separate
socket for every port in the range, the...

Port Forwarding and Multiple SSH Servers
Behind my firewall I have several SSH servers that I connect to with
ssh -p xx user@firewall_IP_address
and then the firewall forwards it to the correct server, generally
running some version of Linux. The problem is this error message:
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this
Offending key in /home/user/.ssh/known_hosts:19
Password authentication is disabled to avoid man-in-the-middle
Keyboard-interactive authentication is disabled to avoid
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,password,keyboard-interactive).
On the client system $HOME/.ssh/config I've put :
but I still get the error message. My workaround is to remove the key
in known_hosts and then connect but I need to find a better solution.
Is there one?
The client is cygwin running on WinXP.
Thanks...

remote host access on a remote forwarded port
I tried to connect my home LAN to my office.
So I want to use VNC in order to forward only one port.
Because of the firewall of my office (which I don't manage), I want to create a
tunnel this way:
to be able to use VNC this way:
I use port 443 to bypass the firewall of my office.
So I use the commands :
OFFICE: ssh -g -R 5900:VNCServer:5900 -p 443 HOME_FIREWALL
HOME: vncclient HOME_FIREWALL
But it looks as if the -g option doesn't work with the -R option?
Is that true ?
Thanks in advance !
PS : sorry for my english ! :)
...port tunneling over ssh (not port-forwarding in the traditional sense)
Does anybody know of a way to do port forwarding over ssh not using the
standard ssh functionality, but rather by running a utility on the server
and using a special client that forwards data through the terminal session.
I think PPP and slirp would do the job, but I would prefer to have a
standalone client that exists solely to forward one (or several) ports,
rather than acting as my main network connection.
> Does anybody know of a way to do port forwarding over ssh not using the
> standard ssh functionality, but rather by running a utility on the server
> and using a spe...

Ports for DB2 behind firewall / ssh port forward
I'd like to connect to a remote DB2 Database V 8.2 using the "DB2
Steuerzentrale" (I guess it's called something like "DB2 management console"
in the English version). Since the database host is behind a firewall I
tried to communicate through ssh port forwarding.
Therefore, I run:
ssh -L 6789:remotename:6789 -L 50000:remotename:50000 -L
50001:remotename:50001 -L 523:remotename:523 remotename
Though the ssh connection is established, my "DB2 Steuerzentrale" won't
connect to localhost successfully and shows an error num...

Warning: remote port forwarding failed for listen port 4043
I have a script that does a port forwarding for me:
ssh -n -R localhost:4043:localhost:22 remoteserver.example.com
The problem with this is that if port forwarding fails, ssh prints
Warning: remote port forwarding failed for listen port 4043
But it STAYS CONNECTED instead of properly failing with exit code.
So it is a MAJOR pain to detect this condition and kill ssh.
How can I change it so that, when remote port forwarding cannot be
accomplished, ssh exits right away?
I think that it is a bug, period.
>>>>> "Ignoramus3694" == Ignoramus3694 <ignoramus3694@NOSPAM.3694.invalid> writes:
Ignoramus3694> I have a script that does a port forwarding for me: ssh
Ignoramus3694> -n -R localhost:4043:localhost:22
Ignoramus3694> The problem with this is that if port forwarding fails,
Ignoramus3694> ssh prints
Ignoramus3694> Warning: remote port forwarding failed for listen port
Ignoramus3694> But it STAYS CONNECTED instead of properly failing with
Ignoramus3694> exit code.
Ignoramus3694> So it is a MAJOR pain to detect this condition and kill
Ignoramus3694> How can I change is so that, when report port
Ignoramus3694> forwarding cannot be accomplished, ssh exits right
Reading the documentation [ssh_config(5)]:
ExitOnForwardFai...

Port forwarding question
Greetings to all,
Here is the issue that I do not know how to resolve. There is a Debian
based internet gateway with iptables firewall.
There are 3 servers currently running, all 3 with up and running web
servers (apache, apache2 and IIS). How can I direct traffic from the
Internet to the web server that is not on gateway, but in the local
network? In addition, how can I enable users from the internet to use
*all* 3 web servers at their discretion (for example, when user writes
www.mydomain.net/server1 - IIS on local IP x.x.x.y server pops out,
www.mydomain.net/server2 - apache2 server on local...

Port security question
I'm running SQL server 2000, on W2K server. All the latest patches/etc
for both installed.
I've a need to allow remote access to the DB. I have a strong password
on the sa account, and have completed the various security checklists
on the MS website, including running the baseline security program they
Due to the nature of the application, windows authentication is not
Besides someone trying to hack in via a password guess, are there any
other things I need to worry about? Again, all the latest patches and
what not are installed.
Matt (ma...

ssh security question
I just regenerated the keys on one of my F14 systems. I am still able to
access systems which don't have the new public key in their
authorized_keys file. The one thing I did differently this time was that I
did an ssh-add after I regenerated the keys. I did the ssh-add because
putting the new public key into the authorized_keys files of my other
systems wasn't sufficient to give me access. After the ssh-add I could
access the other systems, however I could also access systems that don't
have the new authorized_keys file.
Does ssh-add keep the old keys in the authentication...

ssh port forwarding
Please, explain me where I'm wrong.
I have two machines, with Linux and FreeBSD, and I want to have a
secure tunnel for HTTP between them. So I make it in the following way:
linux@lunc:~$ ssh -2 -L 1234:localhost:6661 lunc@freebsd
and after that I tried to make the following HTTP request,
"http://localhost:1234/", on my Linux box with the Firefox browser. However, I
saw with tcpdump that HTTP wasn't tunneled:
linux@root# tcpdump -X -s 128 -v port 6661
19:47:07.980462 IP (tos 0x0, ttl 64, id 62776, offset 0, flags [DF],
proto: TCP (6), le...

Port forwarding question
Are there any tools out there that will do the following? In a nutshell, I
would like one process that would listen on two ports on one machine, and
one that would initiate a connection on two ports on another machine,
allowing a server application to be on machine that initiates a connection
to the client machine. I know this is not very clear, so here is an example:
On a webserver, I would run this tool to initiate a connection to port 80 on
localhost, and initiate another connection to port 777 on a client machine.
On the client machine, I would run the tool to listen to port 777, as well
as port 80. Then, when I navigate to http://localhost on the client machine,
I get a page from the webserver, but the WEBSERVER MACHINE is the one who
initiated the TCP/IP connection.
I don't think this tool would be that difficult to make, but I figure
something like this is already out there?
Spam Tester wrote:
> Are there any tools out there that will do the following? In a nutshell, I
> would like one process that would listen on two ports on one machine, and
> one that would initiate a connection on two ports on another machine,
> allowing a server application to be on machine that initiates a connection
> to the client machine. I know this is not very clear, so here is an example:
this is known as "port forwarding" (look at
http://en.wikipedia.org/wiki/Port_forwarding). Depending on which
platfor...

some question about port forwarding(?)
I've got a problem with some sort of port forwarding(?).
Here's my situation:
I'm in a network controlled by some firewall, and it blocks all
connections to server A (xxx.xxx.xxx.xxx),
but I want to connect to server A, so I use ssh tunneling with my server
B (yyy.yyy.yyy.yyy) outside of that network.
Assume the port is 80; then it shows
localhost:80 <-> B:80 <-> A:80
so I can connect to A:80 using localhost:80,
but this is only possible when I can change the server name
A (xxx.xxx.xxx.xxx) -> localhost.
I mean, if server name A is just a built-in thing in some application and
...Remote Port Forwarding
I've been trying the past few days now to set up remote port forwarding.
I've been seeing other people ask this question but never any solutions. My
scenario that I am trying to accomplish is as follows:
Home Computer - Home FW - Internet - Work SSH Server <- VNC Viewer
Home Computer opens a plink ssh session to my Work ssh server and
establishes Port forwarding.
plink -l testuser -R 5900:localhost:5900 ip_of_remote_server
When I open VNC and attempt a connection to the Work SSH Server, the
connection fails. I try doing verbose mode for the ssh connection and I see
absolutely no traffic. I've also tried this in a test environment using
PuTTY and plink to two Red Hat servers and I have yet to get the remote port
forwarding to work. Local works fine though, but it doesn't work for my
situation since I have a DSL and an unroutable IP on the modem.
Any thoughts or comments would be greatly appreciated. I apologize too if I
explained my problem badly. Thanks!
I would think that you forgot the -g option on the work ssh server command.
However just looking at plink it does not appear to offer the -g option that
an ssh command line would. Maybe someone else here knows more since I
haven't used plink much.
On an ssh command line like ssh -l user -g -R 5900:localhost:5900 sshserver
(hope I typed that right)
The -g to allow other hosts to connect to that port otherwise it only binds
to the local loopback adapter. ...

SSH Port forwarding
I am running an application over a telnet interface on port, say, 5566.
So I generally connect with telnet <hostname> 5566.
How do I connect to the application via ssh (using ssh port forwarding)?
Thanks and Regards,
> Hi All,
> I am running an application over a telnet interface on port, say, 5566.
> So I generally connect with telnet <hostname> 5566.
> How do I connect to the application via ssh (using ssh port forwarding)?
> Thanks and Regards,
ssh -L 5566:localhost:5566 userid@remotehost
telnet localhost 5566
Thanks. It works.
But what happens is that it directly logs me into the remotehost, which I
don't want. I want the user to get only the info through port 5566.
Thanks in advance,
> Jc wrote:
> > Hi All,
> > I am running an application over a telnet interface on port, say, 5566.
> > So I generally connect with telnet <hostname> 5566.
> > How do I connect to the application via ssh (using ssh port forwarding)?
> > Thanks and Regards,
> > Jc
> ssh -L 5566:localhost:5566 userid@remotehost
> telnet localhost 5566
On 9 Jan 2007 23:38:46 -0800
"Jc" <firstname.lastname@example.org> wrote:
> Thanks. It works.
> But what happens is that it directly logs me into the remotehost, which I
> don't want. I want the user to get only the info through port 5566
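An editor's addition to close the thread above (not from any poster): a user who should only reach port 5566 through the tunnel is kept off the shell in two places. On the client, -N tells ssh to request no session at all: ssh -N -L 5566:localhost:5566 userid@remotehost. On remotehost, the key in that account's authorized_keys should forbid a shell and limit forwarding even for a client that forgets -N, with options such as restrict,port-forwarding,permitopen="localhost:5566",command="/bin/false" in front of the key ("restrict" needs OpenSSH 7.2 or later; on older servers use no-pty,no-agent-forwarding,no-X11-forwarding together with command=). permitopen is matched against the host name the client names in -L, so it must say localhost here, not 127.0.0.1. The script below is an added example, not code from the post or from OpenSSH: it parses the authorized_keys option syntax (quoted values may contain commas and escaped quotes, so a plain split on commas is wrong) and flags keys that still allow a login or unrestricted forwarding. The sample entries are constructed and the key material is a placeholder, not a real key.

```python
"""Added example (not from the posts): audit authorized_keys entries for an
account that should only be able to tunnel to one port (here localhost:5566).
The sample file below is constructed; "PLACEHOLDER" stands in for key data.
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_options(opts):
    """Parse the comma-separated option list into {name: [value, ...]}.

    Flags get None.  Values are double-quoted and may contain commas and
    backslash-escaped quotes.  Options may repeat (several permitopen=),
    hence a list per name.
    """
    result = {}
    i, n = 0, len(opts)
    while i < n:
        j = i
        while j < n and opts[j] not in ",=":
            j += 1
        name = opts[i:j].strip().lower()
        value = None
        if j < n and opts[j] == "=":
            j += 1
            if j < n and opts[j] == '"':
                j += 1
                buf = []
                while j < n and opts[j] != '"':
                    if opts[j] == "\\" and j + 1 < n:   # \" inside a value
                        buf.append(opts[j + 1])
                        j += 2
                    else:
                        buf.append(opts[j])
                        j += 1
                j += 1                                  # closing quote
                value = "".join(buf)
            else:                                       # unquoted (tolerated)
                k = j
                while k < n and opts[k] != ",":
                    k += 1
                value, j = opts[j:k], k
        if name:
            result.setdefault(name, []).append(value)
        if j < n and opts[j] == ",":
            j += 1
        i = j
    return result


def parse_line(line):
    """Split one line into (options, keytype, comment); None for blank/# lines.

    The option field contains no unquoted whitespace, so scan to the first
    space outside double quotes; if that token is a key type, no options exist.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    i, n, in_quote = 0, len(line), False
    while i < n:
        c = line[i]
        if c == "\\" and in_quote:
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    first = line[:i]
    opts, rest = ("", line) if first.startswith(KEY_TYPE_PREFIXES) else (first, line[i:].strip())
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("not an authorized_keys entry: %r" % line)
    return parse_options(opts), parts[0], (parts[2] if len(parts) == 3 else "")


def audit_options(opts, target="localhost:5566"):
    """Findings for a key meant to be tunnel-only to `target`; [] means OK."""
    findings = []
    restricted = "restrict" in opts
    if not restricted and "command" not in opts:
        findings.append("interactive shell allowed (no restrict / command=)")
    if not restricted and "no-pty" not in opts:
        findings.append("pty allocation allowed (no no-pty)")
    forwarding = ("no-port-forwarding" not in opts
                  and (not restricted or "port-forwarding" in opts))
    if not forwarding:
        findings.append("port forwarding disabled; -L to %s will be refused" % target)
    elif "permitopen" not in opts:
        findings.append("forwarding allowed to any host:port (no permitopen=)")
    elif target not in opts["permitopen"]:
        findings.append("permitopen does not cover %s" % target)
    return findings


def audit_file(text, target="localhost:5566"):
    """Map each key's comment (or key type) to its findings."""
    report = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            opts, keytype, comment = parsed
            report[comment or keytype] = audit_options(opts, target)
    return report


SAMPLE_AUTHORIZED_KEYS = """\
# tunnel account on remotehost (constructed sample, placeholder key data)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER open@example
restrict,port-forwarding,permitopen="localhost:5566",command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER tunnel-only@example
no-pty,no-agent-forwarding,no-X11-forwarding,command="echo \\"tunnel only\\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER legacy@example
restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER no-forwarding@example
"""

if __name__ == "__main__":
    for who, findings in audit_file(SAMPLE_AUTHORIZED_KEYS).items():
        print(who, "->", "; ".join(findings) or "OK")
```

The "legacy" entry shows the pre-7.2 pattern: command= and no-pty stop a login, but without permitopen the key can still be used to -L to anything remotehost can reach, which is usually not what "only port 5566" meant.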