Use an SSH go-between to connect two firewalled Macs
I had a problem at work that I solved through trial and error. The problem was that I regularly have to Timbuktu into a remote user's machine from behind my company's firewall to give that user support. The remote machine is shielded behind both an Airport using NAT and the firewall of the parent company. To complicate things, I do not have the administrator's help on the remote end (i.e. I can't reconfigure either the Airport or the remote firewall).

The solution involved using an exposed third computer with an ssh server as a go-between. We have a linux FTP server on our DMZ. For this to work, the remote user must have a login to the go-between ssh server.

On the remote end, open Terminal and enter the following command:
 % ssh -C goBetweenIP_Address -R 10407:localhost:407 -l username
On the local end, open Terminal and enter:
 % ssh -C goBetweenIP_Address -L 10407:localhost:10407 -l username
On Timbuktu, connect to localhost:10407.

The '-C' option enables compression, which speeds up the connection. The '-R' option on the remote end makes the go-between listen on port 10407 and hand every connection arriving there back through the remote end's ssh session to port 407 on the remote machine. 407 is the Timbuktu port, but any service can be forwarded like this if you know the proper port number. The '-L' option on the local end makes your local machine listen on port 10407 and carry anything sent there through its ssh session to port 10407 on the go-between, where the '-R' listener picks it up. Finally, you tell Timbuktu to connect to the port on your machine that is being forwarded. Use '-l username' if the username at your command prompt is not the same as the name of the account on the go-between server.

Both ends use an ssh tunnel to the go-between server, which acts as a switchboard operator, forwarding ports from one session to the other. The network ugliness on both ends is circumvented.

If anyone has a better suggestion on how to do this, I'd love to hear it...
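As an added illustration (not part of the original hint), here is a Python model of the chain at the TCP level: plain socket relays stand in for the two ssh listeners, a constructed echo service stands in for Timbuktu, and ephemeral loopback ports stand in for 407 and 10407. It also shows why both sessions are needed: OpenSSH binds a -R listener to the go-between's loopback interface unless the server's sshd has GatewayPorts enabled, so the forwarded port is reachable only from the go-between itself and the local end has to reach it through its own tunnel.

```python
import contextlib
import socket
import threading

def _pump(src, dst):
    # Copy bytes one way until the source closes, then half-close the far side.
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)

def _serve(handler):
    # Loopback-only (OpenSSH's default for -L/-R listeners); port 0 picks a free port.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    def loop():
        while True:
            conn, _ = sock.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()[1]

def start_stub_service():
    # Constructed stand-in for Timbuktu on the remote Mac (port 407 in the hint).
    def handle(conn):
        with conn:
            conn.sendall(b"TB2:" + conn.recv(1024))
    return _serve(handle)

def start_relay(target_port):
    # One hop: what the -R listener (go-between) and -L listener (local Mac) each do.
    def handle(conn):
        upstream = socket.create_connection(("127.0.0.1", target_port))
        threading.Thread(target=_pump, args=(upstream, conn), daemon=True).start()
        _pump(conn, upstream)
    return _serve(handle)

def build_switchboard():
    # Wire the hint's chain: local 10407 -> go-between 10407 -> remote 407.
    remote_407 = start_stub_service()
    gobetween_10407 = start_relay(remote_407)   # opened by -R on the remote end
    return start_relay(gobetween_10407)         # opened by -L on the local end

def connect_through(local_port, payload=b"hello"):
    # What Timbuktu does when told to connect to localhost:<local_port>.
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(1024), b""))
```

Because the -R listener lives on the go-between's loopback, any account with a shell on the go-between can connect to it while the tunnel is up, so the remote Mac is protected only by Timbuktu's own authentication for the duration of the session; keep the tunnel open only as long as the support call needs it.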

SSH forwarding
Authored by: JohnnyMnemonic on Jan 30, '03 11:42:14AM
For a more comprehensive SSH forwarding writeup, take a look at AFP548's article on this subject.

And if the topic interests you, look around at some of their other offerings. :)

[ Reply to This | # ]
GUI for ssh tunneling
Authored by: MD7A on Jan 30, '03 12:49:44PM

Fugu offers a convenient GUI for the ssh tunnel commands. I use it to tunnel smb shares from a secure server. See http://rsug.itd.umich.edu/software/fugu/



[ Reply to This | # ]
GUI for ssh tunneling
Authored by: raider on Jan 24, '04 01:27:22PM
All steps may not be required....
Authored by: Brock Lee on Jan 30, '03 06:01:04PM
I wonder whether the second invocation of ssh is necessary.

After the first invocation of

    % ssh -C goBetweenIP_Address -R 10407:localhost:407 -l username


wouldn't one be able to invoke Timbuktu with goBetweenIP_Address:10407?


[ Reply to This | # ]
re: All steps may not be required....
Authored by: mac_scott on Jan 31, '03 01:36:18AM

Thanks for the suggestion. I tried, and it doesn't seem to work for me, but I'll play with the idea and see what I come up with.

However, the great thing about the suggestion as I wrote it is that it doesn't matter where you are relative to the server. From any two points in the world that have internet access, a tunnel can be set up that circumvents firewalls, NATting and routing.

I understand that what you suggest might make the connection easier from my end, within the company, but if I were making the same connection from home, behind my Airport, through the go-between, to another remote location, I would want both ends of the connection to pass through an ssh tunnel.



[ Reply to This | # ]
SMTP
Authored by: quentinsf on Jan 30, '03 06:49:27PM
I find it useful to forward SMTP ports to my home base when travelling. See here for more info.

I forward port 8025 via a home machine to port 25 (the normal SMTP port) on my normal SMTP server, and then tell Mail to use localhost as the SMTP server (you can specify port 8025 under the Advanced options).

(NB. If you want to use port 25 on your local machine, you'll need to use sudo.)

[ Reply to This | # ]
See also STunnel
Authored by: nishiwan on Jan 30, '03 08:29:27PM
This sounds a lot like what STunnel does behind the scenes. I first started using STunnel between FreeBSD machines for SMTP, CVS, and MySQL, and continue now between OS X and FreeBSD.

The advantage of STunnel over the above solution is that all connections can be placed in a single configuration file rather than manually starting up a number of SSH sessions.

[ Reply to This | # ]

Thanks for the suggestions about ssh tunnel utilities
Authored by: mac_scott on Jan 31, '03 01:58:48AM

I've used SSHTunnelManager, Vapor (from the good guys at AFP548.com), and now, Fugu (thanks MD7A, great little utility). They are all great at hiding the command line complexities. I actually used Vapor on the remote end to make it easier for the person I am supporting to start the connection.

Though I may be misreading your comments, some of you seem to be implying that these utilities can take care of the whole connection for me. If you try the same scenario yourself, you'll find that there is no way to do this without initiating a connection from both ends.



[ Reply to This | # ]
Firewalls, etc.
Authored by: legacyb4 on Jan 31, '03 09:17:32PM

Actually, it is necessary to open a tunnel from the remote client (private network) to the intermediary Linux host (DMZ) due to firewall policy.

Basically, traffic looks like this:

Remote client =outgoing tunnel=> Linux host <=incoming tunnel= local host

where traffic from the local host is being forwarded back through the "outgoing tunnel" from the remote client.

The primary reason being that in a properly set up firewalled network, NO traffic should ever be allowed in FROM the DMZ TO the private network... thus, requiring the need for the initial outgoing tunnel FROM the private network TO the DMZ.

If that wasn't there, traffic from the local client would travel over the tunnel to the Linux host, but would hit a dead end.

For a home network, you normally don't have a separate DMZ so a simple TCP tunnel over SSH direct to your home Mac is good enough.

ssh user@your.macosx.host -L 10407:127.0.0.1:407

If you also have a Windows XP Pro machine on your home network, you could access that as well with a simple port forward of port 3389 (RDC traffic) with:

ssh user@your.macosx.host -L 3389:xxx.xxx.xxx.xxx:3389 (where xxx.xxx.xxx.xxx is your XP's IP address on your home network)

Make sense?



[ Reply to This | # ]
Great tip - here is an extension.
Authored by: smorr on Feb 04, '03 10:19:33PM

For the longest time I was unable to access my work's POP account from home because of the firewall (the place I work encouraged us to use the webmail client - ick), but a slight modification of this tip really helped out.

Here is what I did:

As I am the webmaster and have ssh access to the webserver, I ssh into the webserver from home and set up the following loopback tunnel.

ssh -C 127.0.0.1 -R 10110:email.server:110 -l myusername

This forwarded port 10110 of the webserver to port 110 smtp of the email server.

Then from my home computer I set up the following tunnel:

ssh -C www.mywebserver.url -L 110:localhost:10110 -l myusername

This forwarded the smtp port of my computer to the webserver (which then gets forwarded via port 10110 to the email server at port 110).

Lastly I set up Mail.app to access my work's email at localhost port 110, and I'm in like Flynn.

Sent an email off to the network admin just to cover my butt (but it looks to be strong and secure).

[ Reply to This | # ]
Great tip - here is an extension.
Authored by: Brock Lee on Feb 05, '03 04:52:46PM
I think you've made this overly complicated with the loopback. Assume you have three hosts: home.host, web.work.host, mail.work.host.

From home.host, try the following command:

    ssh -C -l myworkuserid web.work.host -L 110:mail.work.host:110


and that should be sufficient. Please confirm or disconfirm. Thanks!

[ Reply to This | # ]
Great tip - here is an extension.
Authored by: Eponymous on Feb 06, '03 09:08:33PM
Yes, this indeed works fine in the terminal:
ssh -l USERNAME TUNNEL_HOST_IP -L LOCAL_PORT_NUMBER:REMOTE_SERVER:REMOTE_PORT_NUMBER
where USERNAME is your name on the tunnel machine, TUNNEL_HOST_IP is the IP address or name of the intermediate (tunneling) computer, and LOCAL_PORT_NUMBER is the port number you'll use locally to connect to REMOTE_SERVER at its REMOTE_PORT_NUMBER. If you have the same username on your local and tunnel computers, then you don't need the "-l USERNAME" part; it'll just assume it.

For example, I connect to remote port 548 (appletalk) and put it at local port 1548. Then I use "Connect to server" to connect to afp://localhost:1548 and there's my remote machine, tunneled through my tunnel computer. (Actually I have the remote computer listed in my favorites, so that once I've established the tunnel, I can just get at it that way; without the tunnel, I get an error about the favorites alias.) So it goes: local computer at port 1548 -> tunnel computer -> remote computer at port 548.

I'd love to do this with an AppleScript so I don't have to have the Terminal running, but I always have trouble getting shell scripts to work properly if they're at all complicated. (A good tutorial for this is needed.) Is there a way to give your password in the ssh command? I didn't find one in the man pages.

Fugu also handles this pretty well, though it doesn't yet remember enough of the settings, nor is it AppleScriptable. You have to leave Fugu and Terminal running after you set up the tunnel, so I think I'll stick with the Terminal, because I usually have it open anyway. I just put a line in aliases.mine to spare me typing out the whole damn thing each time.

(PS: You can also set your ssh server on the tunneling computer to use a different port (22 is the standard one), in case you have a firewall at work, as I do. Just add "-p TUNNEL_PORT_NUMBER" right after ssh in the command.)

[ Reply to This | # ]