Use SSH to access servers behind firewalls
I often want to access my office's intranet and Samba file server while at home. There's a firewall in the way, of course, but SSH from my static DSL IP is allowed, so the solution is to forward local ports on the Mac to a box inside the firewall that runs sshd.

For example, to reach an internal intranet through the office's internal proxy, open an ssh connection from your Mac to your office desktop:
  % ssh -N -L 8888:proxy.xyz.com:3128 \
my.office.desktop.xyz.com
Connections to port 8888 on your Mac's localhost are tunneled to your office machine, which forwards them to the office web proxy listening on port 3128 (-N tells ssh not to run a remote command, only to forward). Then set your browser's proxy to localhost port 8888 and start browsing!

To access a Samba file server, use something like this (sudo because the local port 139 is privileged; -i points ssh, which is now running as root, at your own key):
  % sudo ssh -v -l username -i ~username/.ssh/identity -N -L \
139:samba.xyz.com:139 my.office.desktop.xyz.com
Then go to Finder -> Go -> Connect to Server -> Address, and enter the share you want, e.g. smb://localhost/Docs.

These examples assume your intranet servers are in the public DNS; if not, you'll have to add entries to your Mac's hosts file.
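The two -L commands above both put the tunnel entrance on your Mac, and the comments below point out that the Samba one needs root for port 139. The following script is an added example (not part of the hint) that vets an "ssh -L" spec before it reaches ssh: it refuses a privileged local port unless you are root and refuses a bind address other than loopback, so the forwarded port is not reachable from the rest of your home LAN. The function name, the FORWARD_UID override and the hostnames in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original hint: vet an "ssh -L" forwarding spec
# before handing it to ssh. Two rules from this page are enforced: a local port
# below 1024 (the hint's 139) needs root, and the listening side should stay on
# loopback so nobody else on your LAN can use the tunnel. IPv6 bind addresses
# are not handled. FORWARD_UID can be overridden (e.g. FORWARD_UID=501) to check
# a spec on behalf of another user.
FORWARD_UID=${FORWARD_UID:-$(id -u)}

# check_forward_spec '[bind_addr:]local_port:remote_host:remote_port'
# On success prints the spec with an explicit 127.0.0.1 bind address and
# returns 0; otherwise prints the reason on stderr and returns 1.
check_forward_spec() {
    spec=$1
    n=$(printf '%s' "$spec" | awk -F: '{print NF}')   # 3 fields, or 4 with a bind address
    case $n in
        3) bind=127.0.0.1; rest=$spec ;;
        4) bind=${spec%%:*}; rest=${spec#*:} ;;
        *) echo "malformed spec: $spec" >&2; return 1 ;;
    esac
    lport=${rest%%:*}
    rhost=${rest#*:}; rhost=${rhost%:*}
    rport=${rest##*:}
    for p in "$lport" "$rport"; do
        case $p in ''|*[!0-9]*) echo "port '$p' is not numeric" >&2; return 1 ;; esac
    done
    if [ "$lport" -lt 1024 ] && [ "$FORWARD_UID" -ne 0 ]; then
        echo "local port $lport is privileged: run as root or use a port >= 1024" >&2
        return 1
    fi
    case $bind in
        127.0.0.1|localhost) ;;
        *) echo "bind address $bind would expose the tunnel entrance to your LAN" >&2; return 1 ;;
    esac
    printf '%s:%s:%s:%s\n' "$bind" "$lport" "$rhost" "$rport"
}

# Typical use, mirroring the hint's proxy tunnel (hostnames are the hint's examples):
#   spec=$(check_forward_spec 8888:proxy.xyz.com:3128) || exit 1
#   ssh -N -L "$spec" my.office.desktop.xyz.com
```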
11 comments
Well, sort of...
Authored by: johnpg on Sep 09, '02 01:14:06PM

The examples in the hint assume that you can access your corporate machine via SSH in the first place. More often than not if you have a firewall you won't be able to access ANYTHING from home/internet. However there is a way around that too.

If you have a unix (or mac os x) machine, or even a windows machine with ssh you can open a REVERSE tunnel to your mac. This is how I did it.

On your intranet machine do:

ssh -fNR 2200:intranet.yourworkdomain.com:22 yourmacname@yourmacsipaddress

Change intranet.yourworkdomain.com to the name of your intranet machine that you're starting the tunnel on. yourmacname@yourmacsipaddress would be your short user name and your home computer's IP.

You'll need to have ssh (remote access) running on your mac to make this work of course.

If the address intranet.yourworkdomain.com is NOT a publicly known name you'll want to either alias it in /etc/hosts to localhost, OR create a new name (localyourdomain) or whatever and alias that to localhost. The reason is that ssh gets confused when sometimes localhost is your mac, and other times it's your work network, depending only on the port. So if you use a unique name you're all set.

An example:

/etc/hosts

127.0.0.1 localhost yourcompanylocal

Now once you have that tunnel set up you can then ssh into your company's network, just by specifying a different port.

From your MAC at home:
ssh -p 2200 yourusername@yourcompanylocal

That will get you a shell, OR you can do things like:

ssh -p 2200 -NL 3389:internalNTservername:3389 yourusername@yourcompanylocal

That will set up a terminal services tunnel that will allow you to use your local terminal services client and access internal windows boxes.

ssh -p 2200 -NL 8888:yourproxy.yourcompany.com:5555 yourusername@yourcompanylocal

That will do the same as the original hint, allowing you to use your intranet's local proxy on your mac through the firewall. In other words you can do ANYTHING you can normally do through ssh, EVEN with the firewall closed, so long as you open up that ONE reverse tunnel from your company to your home machine. The possibilities are endless.

I have a script I wrote that runs on my company's internal machine that will automatically open up that remote tunnel to my home mac, then check it to make sure it's up every minute. If it goes down it re-opens it. This way I always have remote access into work. There are tons of possibilities here. Just don't let your boss know! :-)

P.S. I didn't check the exact syntax of all of these commands, since they're obviously examples. But I'm fairly certain they'll work as I suggested. Just let me know if you have any questions.

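The keeper script johnpg mentions (open the reverse tunnel, check it every minute, re-open it if it died) is not posted, so here is an added example of one, written for this page and not johnpg's own code. It assumes placeholder names (you@home.example.com, /tmp/revtunnel.pid) and uses two real OpenSSH options: ExitOnForwardFailure so a tunnel whose -R port could not be bound exits instead of lingering, and ServerAliveInterval so a dead link is noticed without waiting for TCP timeouts. TUNNEL_CMD can be replaced by any long-running command to try the keeper logic without ssh.

```shell
#!/bin/sh
# Reverse-tunnel keeper: an added example, not johnpg's own script. It runs on
# the office box and re-opens the -R tunnel to the home Mac whenever it dies.
# User and host names are placeholders. By default -R binds port 2200 on the home
# Mac's loopback only (GatewayPorts no), so only someone already logged in at
# home can reach the office sshd through it. TUNNEL_CMD may be any command.
TUNNEL_CMD=${TUNNEL_CMD:-"ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 2200:localhost:22 you@home.example.com"}
PIDFILE=${PIDFILE:-/tmp/revtunnel.pid}
INTERVAL=${INTERVAL:-60}    # seconds between checks

# tunnel_running: succeed only if the pid recorded in $PIDFILE is still alive
tunnel_running() {
    [ -f "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE") || return 1
    kill -0 "$pid" 2>/dev/null
}

# start_tunnel: launch the tunnel detached from our stdout and record its pid
start_tunnel() {
    $TUNNEL_CMD >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

# ensure_tunnel: leave a live tunnel alone, otherwise (re)start it
ensure_tunnel() {
    if tunnel_running; then
        echo "tunnel up (pid $pid)"
    else
        start_tunnel
        echo "tunnel was down, restarted (pid $(cat "$PIDFILE"))"
    fi
}

# stop_tunnel: kill the recorded tunnel process and forget it
stop_tunnel() {
    if tunnel_running; then kill "$pid"; fi
    rm -f "$PIDFILE"
}

# watch_tunnel: the once-a-minute check loop
watch_tunnel() {
    while :; do
        ensure_tunnel
        sleep "$INTERVAL"
    done
}

# Start it from a login script or cron @reboot on the office box: ./revtunnel.sh watch
case "$1" in watch) watch_tunnel ;; esac
```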
Vapor
Authored by: livi on Sep 09, '02 01:47:33PM

Try vapor to create such SSH tunnels easily with a nice GUI...

http://www.afp548.com/

Huh?
Authored by: Anonymous on Sep 09, '02 07:11:45PM

That was a bit too abstract for me. I -think- I see what's going on, but I'm lost as to how to apply my information to these commands.

OK, let me set up this situation:
-home computer, publicly accessible IP address, 128.128.128.128, domain name provided by ISP (ugly but it works)
-work computer, behind firewall, NAT IP address, 192.168.1.1, no domain name at all

I have unrestricted access to any and all ports on home computer (or can get it). I have zero access to anything on work computer from outside. I have zero access to any other computers inside the work firewall.

What I understand from your article, is that I can open an SSH connection FROM my work computer TO my home computer, and can then go the "other way" in the SSH tunnel to access data on my work computer.

Please repost those commands, with these IPs and names inserted in the proper places.

Thanks.

Huh?
Authored by: johnpg on Sep 09, '02 08:36:35PM

>OK, let me set up this situation:
>-home computer, publicly accessible IP address, 128.128.128.128, domain name
>provided by ISP (ugly but it works)
>-work computer, behind firewall, NAT IP address, 192.168.1.1, no domain name at
>all

>What I understand from your article, is that I can open an SSH connection FROM
>my work computer TO my home computer, and can then go the "other way" in the SSH
> tunnel to access data on my work computer.

That's correct. I do it all the time.

From a unix (of any kind, or even a windows box with an ssh client) on the 192.168.1.x network (your work in this example):

ssh -NR 2200:192.168.1.1:22 root@128.128.128.128

It's important, I forgot to mention in my first post, that you'll need to make the initial tunnel to your mac as root, so as to allow binding to ports >1024.

Then from your mac (128.128.128.128) you can:

Get a shell on 192.168.1.1 (if it's os x or unix):

You'll want to alias some other name to localhost to make ssh happy, like I suggested above, but we'll use localhost in these examples. At home I use isdlocal, which is aliased to 127.0.0.1.

ssh -p 2200 you@localhost

Basically at this point you can do any ssh command and feature, including the other hints described, to the 192.168.1.1 box (or network in the case of forwarding) as if it were on your lan, just by adding in the -p 2200 which tells ssh to use port 2200 instead of 22.

A vnc connection:
Let's say 192.168.1.2 on your intranet is a pc with a vnc server running

ssh -NL 5900:192.168.1.2:5900 you@localhost -p 2200

Then open up vncthing or whatever, and connect to localhost and it will connect you through the tunnels to 192.168.1.2 port 5900 on your office/intranet lan, even though it's behind a firewall.

Terminal services:

ssh -NL 3389:192.168.1.3:3389 you@localhost -p 2200

Same thing, start up remote desktop client and connect to localhost.

It's a bit confusing at first, but it's not so bad once you figure it out. What's more, it's pretty easy to just write shell scripts to do it so you don't have to remember the exact syntax. Luckily I had just finalized how to make this all work about a week ago so it's fresh in my mind.

John

Re: Huh?
Authored by: Anonymous on Sep 09, '02 09:38:29PM

Thanks, that clarifies things a lot.

Now this tunnel lasts for as long as the initial ssh connection, right?

That is, as long as this ssh connection
ssh -NR 2200:192.168.1.1:22 root@128.128.128.128
is open, I can connect, but once that connection dies, the tunnel is broken?

Hmm... I'd really rather not use root. Yes it's ssh and it should be secure and all, but why bother taking the risk. Can I do something nifty instead, by using more ssh tunnels on work computer to tunnel low port numbers into low ones, so connecting to work:8000 tunnels to work:80? Would I do that with ssh tunnel on the work computer or home computer?

Thanks much for your help, this is exactly what I've been looking for for quite a while! Well... it's not perfect as you can't connect from any given computer anywhere in the world (my Holy Grail of worldwide connectivity), but it's very useful anyway =)

Re: Huh?
Authored by: david-bo on Sep 12, '02 12:11:46PM

You don't connect as root, you just open the tunnel as root. You are not allowed to open tunnels over ports <1023 as a regular user. This restriction is similar to using sudo to edit system setting files.

Caveat user
Authored by: eaganj on Sep 09, '02 02:32:30PM

A few warnings are in order for the SMB tunnel listed above:

First of all, there are reasons that the system requires you to use the superuser account to set up a tunnel (or do anything) with port numbers < 1024. For one, if you're already running an SMB server (e.g. if you offer SMB services to windows users), port 139 will already be in use, so you won't be able to start up the tunnel!

What's most scary about that method, though, is that you have to start up the tunnel using sudo, causing ssh to run as the superuser. At minimum a warning about the dangers of running programs as root is necessary.

Now if only we could get the cmd-K dialog to let us override the Samba port to a non-privileged port....

Caveat user
Authored by: johnpg on Sep 09, '02 04:56:29PM

This guy is 100% right about this. What we're telling people to do is basically bypass your company's firewall security. It's dangerous on many levels, so it should be done only by folks who know what they're doing and/or are willing to take responsibility for their actions.

Caveat user
Authored by: tunesmith on Jan 26, '04 05:58:51PM

Is this really not possible in Panther? Why the heck not? There's got to be a way... anyone know?

Caveat user
Authored by: robophilosopher on Jan 26, '04 06:09:51PM

This is possible in Panther, as it is in any UNIX-based system.

shame
Authored by: Greenfruit on Nov 11, '02 06:29:09PM

I take it there's no way of doing this by 'jumping' from the office proxy to the desired internal office machine without setting up the connection from the office machine to the outside 'client' first then?

I'm a *nix newbie, so forgive me please.

I want to go to my office Xserve from my home iBook, via our office ISA server. Only ssh in the terminal so I can run softwareupdate etc.
