
Reverse port forwarding (-R) seems not working
Hi all.
I need to create a number of different reverse port forwardings (RPF)
with the -R option.
On the remote system I have set up a number of different dummy local
interfaces (dummy0=127.0.1.1 to dummy9=127.0.1.10).
A single RPF should look like this:

ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@remotehost.net

(it's actually for SAMBA printers reachability).
What happens instead is that, upon ssh connection on the remotehost I
see a listening socket on the interface 127.0.0.1!
That's the lo (loopback) and not the dummy0.
In an attempt to troubleshoot this problem I've changed the sshd
configuration in order to have it listening on every single interface
(as opposed to the default "one catches them all" setup). No luck.

Now I see two options:
either I'm missing something important
or this is a bug.

I hope for the first option, so I can hope for a simple solution.

Any hint on this?

--
Vincenzo Romano
NON QVIETIS MARIBVS NAVTA PERITVS
Re: Reverse port forwarding (-R) seems not working
--- On Tue, 11/10/09, Vincenzo Romano <Vincenzo.Romano@notorand.it> wrote:


> On the remote system I have set up a number of different
> dummy local
> interfaces (dummy0=127.0.1.1 to dummy9=127.0.1.10).
> A single RPF should look like this:
>
> ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@remotehost.net
>
> (it's actually for SAMBA printers reachability).
> What happens instead is that, upon ssh connection on the
> remotehost I
> see a listening socket on the interface 127.0.0.1!

I'm not very clear on what your goal is, but anything beginning with 127 (127.x.y.z) is going to be treated the same-- localhost. You can address all 16 million possibilities any way you want, but they will all appear as the same localhost to the system.

What is your specific goal?

Also, your -R needs 1 argument: RemotePort:Ip-relative-to-Target:Port-on-relative-Target IP-of-Target
Re: Reverse port forwarding (-R) seems not working
Vincenzo Romano wrote:
> Hi all.
> I need to create a number of different reverse port forwarding (RPF)
> with the -R option.
> On the remote system I have set up a number of different dummy local
> interfaces (dummy0=127.0.1.1 to dummy9=127.0.1.10).
> A single RPF should look like this:
>
> ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@remotehost.net
>
> (it's actually for SAMBA printers reachability).
> What happens instead is that, upon ssh connection on the remotehost I
> see a listening socket on the interface 127.0.0.1!
> That's the lo (loopback) and not the dummy0.
> In an attempt to troubleshoot this problem I've changed the sshd
> configuration in order to have it listening on every single interface
> (as opposed to the default "one catches them all" setup). No luck.

If you're using OpenSSH then you need to set "GatewayPorts
clientspecified" in sshd_config and restart sshd. If your sshd doesn't
understand "clientspecified" then it also doesn't have the code to
handle this case and you'll need a newer version.

quoth ssh_config(5):

GatewayPorts
        Specifies whether remote hosts are allowed to connect to ports
        forwarded for the client. By default, sshd(8) binds remote port
        forwardings to the loopback address. This prevents other remote
        hosts from connecting to forwarded ports. GatewayPorts can be
        used to specify that sshd should allow remote port forwardings
        to bind to non-loopback addresses, thus allowing other hosts to
        connect. The argument may be "no" to force remote port
        forwardings to be available to the local host only, "yes" to
        force remote port forwardings to bind to the wildcard address,
        or "clientspecified" to allow the client to select the address
        to which the forwarding is bound. The default is "no".

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Reverse port forwarding (-R) seems not working
Great!
Isn't mine a FAQ?
Thanks.

2009/11/11 Darren Tucker <dtucker@zip.com.au>:
> Vincenzo Romano wrote:
>>
>> Hi all.
>> I need to create a number of different reverse port forwarding (RPF)
>> with the -R option.
>> On the remote system I have set up a number of different dummy local
>> interfaces (dummy0=127.0.1.1 to dummy9=127.0.1.10).
>> A single RPF should look like this:
>>
>> ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@remotehost.net
>>
>> (it's actually for SAMBA printers reachability).
>> What happens instead is that, upon ssh connection on the remotehost I
>> see a listening socket on the interface 127.0.0.1!
>> That's the lo (loopback) and not the dummy0.
>> In an attempt to troubleshoot this problem I've changed the sshd
>> configuration in order to have it listening on every single interface
>> (as opposed to the default "one catches them all" setup). No luck.
>
> If you're using OpenSSH then you need to set "GatewayPorts clientspecified"
> in sshd_config and restart sshd.  If your sshd doesn't understand
> "clientspecified" then it also doesn't have the code to handle this case and
> you'll need a newer version.
>
> quoth ssh_config(5):
>
>     GatewayPorts
>             Specifies whether remote hosts are allowed to connect to ports
>             forwarded for the client.  By default, sshd(8) binds remote port
>             forwardings to the loopback address.  This prevents other remote
>             hosts from connecting to forwarded ports.  GatewayPorts can be
>             used to specify that sshd should allow remote port forwardings
>             to bind to non-loopback addresses, thus allowing other hosts to
>             connect.  The argument may be "no" to force remote port
>             forwardings to be available to the local host only, "yes" to
>             force remote port forwardings to bind to the wildcard address,
>             or "clientspecified" to allow the client to select the address
>             to which the forwarding is bound.  The default is "no".
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>



--
Vincenzo Romano
NotOrAnd Information Technologies
cel. +39 339 8083886 | gtalk. vr@notorand.it
fix. +39 0823 454163 | skype. notorand.it
fax. +39 02 700506964 | msn. notorand.it
--
NON QVIETIS MARIBVS NAVTA PERITVS
Re: Reverse port forwarding (-R) seems not working
It's not yet working though.

If I enable GatewayPorts in sshd_config (not ssh_config), then
no RPF works anymore, on the dummy interfaces or on the loopback.
They all fail with:
Warning: remote port forwarding failed for listen port 139
despite there being no process listening on that interface and port.

The client is:
OpenSSH_4.4p1, OpenSSL 0.9.8d 28 Sep 2006
The server is:
OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005
and I won't be able to update them.

What could be the next hint?

Thanks.


2009/11/11 Darren Tucker <dtucker@zip.com.au>:
> Vincenzo Romano wrote:
>>
>> Hi all.
>> I need to create a number of different reverse port forwarding (RPF)
>> with the -R option.
>> On the remote system I have set up a number of different dummy local
>> interfaces (dummy0=127.0.1.1 to dummy9=127.0.1.10).
>> A single RPF should look like this:
>>
>> ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@remotehost.net
>>
>> (it's actually for SAMBA printers reachability).
>> What happens instead is that, upon ssh connection on the remotehost I
>> see a listening socket on the interface 127.0.0.1!
>> That's the lo (loopback) and not the dummy0.
>> In an attempt to troubleshoot this problem I've changed the sshd
>> configuration in order to have it listening on every single interface
>> (as opposed to the default "one catches them all" setup). No luck.
>
> If you're using OpenSSH then you need to set "GatewayPorts clientspecified"
> in sshd_config and restart sshd.  If your sshd doesn't understand
> "clientspecified" then it also doesn't have the code to handle this case and
> you'll need a newer version.
>
> quoth ssh_config(5):
>
>     GatewayPorts
>             Specifies whether remote hosts are allowed to connect to ports
>             forwarded for the client.  By default, sshd(8) binds remote port
>             forwardings to the loopback address.  This prevents other remote
>             hosts from connecting to forwarded ports.  GatewayPorts can be
>             used to specify that sshd should allow remote port forwardings
>             to bind to non-loopback addresses, thus allowing other hosts to
>             connect.  The argument may be "no" to force remote port
>             forwardings to be available to the local host only, "yes" to
>             force remote port forwardings to bind to the wildcard address,
>             or "clientspecified" to allow the client to select the address
>             to which the forwarding is bound.  The default is "no".
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>



--
Vincenzo Romano
NotOrAnd Information Technologies
cel. +39 339 8083886 | gtalk. vr@notorand.it
fix. +39 0823 454163 | skype. notorand.it
fax. +39 02 700506964 | msn. notorand.it
--
NON QVIETIS MARIBVS NAVTA PERITVS
Re: Reverse port forwarding (-R) seems not working
On Tue, Nov 10, 2009 at 11:17:58PM +0100, Vincenzo Romano wrote:
> ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@remotehost.net

> What happens instead is that, upon ssh connection on the remotehost I
> see a listening socket on the interface 127.0.0.1!

-R [bind_address:]port:host:hostport
...
        By default, the listening socket on the server will be bound to
        the loopback interface only. This may be overridden by specifying
        a bind_address. An empty bind_address, or the address `*',
        indicates that the remote socket should listen on all interfaces.
        Specifying a remote bind_address will only succeed if the server's
        GatewayPorts option is enabled (see sshd_config(5)).
Re: Reverse port forwarding (-R) seems not working
On Wed, Nov 11, 2009 at 11:01:28AM +0100, Vincenzo Romano wrote:
> It's not yet working though.
>
> If I enable the GatewayPorts on the sshd_config (not ssh_config), then
> no RPF works anymore on the dummy interfaces or the loopback.
> They all fail with:
> Warning: remote port forwarding failed for listen port 139, despite
> there's no process listening on that interface and that port.

In your original example you had "user@remotehost.net". If "user" is
not root then you probably don't have permissions to bind to
low-numbered ports (with or without sshd).

If that's not it, I suggest running the server in debug mode
(eg /path/to/sshd -ddde -p222 to run it on port 222), point your client
at it and see what the reason given for the bind failure is.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.