Re: ssh tunneling

From: Vineet Kumar (debian-user_at_virtual.doorstop.net)
Date: 08/25/03

    Date: Mon, 25 Aug 2003 14:13:58 -0700
    To: debian-user@lists.debian.org
    
    
    

    * P. Kallakuri (praveen@unlserve.unl.edu) [030825 13:55]:
    > [...] when I ssh to the
    > gateway from localhost@some-internet-domain with the -L
    > 5903:vncserver:5903 option and forward from the gateway to the vncserver
    > using another ssh -L ..., I am not able to connect to the vncserver at
    > port 5903 on localhost. With a RealVNC viewer, I get an error like
    > "channel 2 or 4: administratively prohibited" and with TightVNC, I get
    > just a connection failure. [...]

    > Why isn't the gateway/firewall allowing vnc ports to be forwarded to the
    > vncserver? Or isn't that the problem? [...]

    No, that's not the problem. An ssh tunnel means that the traffic is all
    tunneled through the existing ssh connection. No, the gateway will not
    open up any new ports, and no, iptables won't need to allow any new
    ports.

    The gateway is listening on port 22, and vncserver is listening on port
    5903. That's all that matters.

    Say you're connected from your laptop to the gateway:

    laptop$ ssh gateway

    Then there's one connection: from the laptop to the gateway's port 22
    (ssh). You can use netstat to confirm this.

    Let's say you then open up a tunnel:

    ~C
    ssh> -L5903:vncserver:5903
    Forwarding port.

    There's still only one connection active. The only thing that has
    changed is that now your laptop is also listening on localhost:5903.
    When a connection is made to localhost:5903, the ssh tunnel kicks in,
    tunneling packets from the local vnc client to the vncserver on the
    other side of the gateway. No new connections are made to the gateway.
    All the traffic between the laptop and the gateway is just through the
    same, already open ssh connection.

    The vncserver will see a connection coming from the gateway. I don't
    know what sort of host-based access control the vnc server uses, but
    make sure it allows connections from the gateway's internal address.

    good times,
    Vineet

    -- 
    http://www.doorstop.net/
    -- 
    						--Nick Moffitt
    A: No.
    Q: Should I include quotations after my reply?
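
The netstat check suggested in the message above, as an added example that is not part of the original post: it compares the laptop's socket table before and after the -L forward and shows that the gateway still sees a single connection on port 22 while the only new listener is on loopback. The tables are constructed `netstat -tan` output, and the addresses 192.0.2.10 (laptop) and 198.51.100.1 (gateway) are assumptions.

```shell
#!/bin/sh
# Added illustration. Both tables are constructed `netstat -tan` output, not
# captures. Assumed addresses: laptop 192.0.2.10, gateway 198.51.100.1.

# On the laptop right after "ssh gateway".
BEFORE='Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 192.0.2.10:41822   198.51.100.1:22    ESTABLISHED'

# After adding -L5903:vncserver:5903 and pointing a viewer at localhost:5903.
AFTER='Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 127.0.0.1:5903     0.0.0.0:*          LISTEN
tcp        0      0 192.0.2.10:41822   198.51.100.1:22    ESTABLISHED
tcp        0      0 127.0.0.1:50514    127.0.0.1:5903     ESTABLISHED
tcp        0      0 127.0.0.1:5903     127.0.0.1:50514    ESTABLISHED'

# Count ESTABLISHED TCP connections whose remote host is $2.
conns_to_host() {
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            host = $5; sub(/:[^:]*$/, "", host)
            if (host == h) c++
        }
        END { print c + 0 }'
}

# Remote ports in use on host $2, sorted and space separated.
remote_ports() {
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            host = $5; sub(/:[^:]*$/, "", host)
            port = $5; sub(/^.*:/, "", port)
            if (host == h) print port
        }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Local sockets in LISTEN state, one "addr:port" per line.
listeners() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $4 }'
}

for t in BEFORE AFTER; do
    eval "tbl=\$$t"
    echo "$t: connections to gateway = $(conns_to_host "$tbl" 198.51.100.1)," \
         "gateway ports = $(remote_ports "$tbl" 198.51.100.1)," \
         "listeners = $(listeners "$tbl" | tr '\n' ' ')"
done
```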
    
    
