Huh? | 11 comments
Huh?
Authored by: johnpg on Sep 09, '02 08:36:35PM

>OK, let me set up this situation:
>-home computer, publicly accessible IP address, 128.128.128.128, domain name
>provided by ISP (ugly but it works)
>-work computer, behind firewall, NAT IP address, 192.168.1.1, no domain name at
>all

>What I understand from your article, is that I can open an SSH connection FROM
>my work computer TO my home computer, and can then go the "other way" in the SSH
> tunnel to access data on my work computer.

That's correct. I do it all the time.

From a Unix box (of any kind, or even a Windows box with an SSH client) on the 192.168.1.x network (your work in this example):

ssh -NR 2200:192.168.1.1:22 root@128.128.128.128

It's important (I forgot to mention this in my first post) that you'll need to make the initial tunnel to your Mac as root, so as to allow binding to ports >1024.

Then from your mac (128.128.128.128) you can:

Get a shell on 192.168.1.1 (if it's os x or unix):

You'll want to alias some other name to localhost to make ssh happy, like I suggested above, but we'll use localhost in these examples. At home I use isdlocal, which is aliased to 127.0.0.1.

ssh -p 2200 you@localhost

Basically, at this point you can use any ssh command and feature, including the other hints described, against the 192.168.1.1 box (or the network, in the case of forwarding) as if it were on your LAN, just by adding -p 2200, which tells ssh to use port 2200 instead of 22.



A vnc connection:
Let's say 192.168.1.2 on your intranet is a PC with a VNC server running.

ssh -NL 5900:192.168.1.2:5900 you@localhost -p 2200

Then open up vncthing or whatever, and connect to localhost and it will connect you through the tunnels to 192.168.1.2 port 5900 on your office/intranet lan, even though it's behind a firewall.

Terminal services:

ssh -NL 3389:192.168.1.3:3389 you@localhost -p 2200

Same thing, start up remote desktop client and connect to localhost.

It's a bit confusing at first, but it's not so bad once you figure it out. What's more, it's pretty easy to just write shell scripts to do it so you don't have to remember the exact syntax. Luckily I had just finalized how to make this all work about a week ago so it's fresh in my mind.

John



Re: Huh?
Authored by: Anonymous on Sep 09, '02 09:38:29PM

Thanks, that clarifies things a lot.

Now this tunnel lasts for as long as the initial ssh connection, right?

That is, as long as this ssh connection
ssh -NR 2200:192.168.1.1:22 root@128.128.128.128
is open, I can connect, but once that connection dies, the tunnel is broken?

Hmm... I'd really rather not use root. Yes, it's ssh and it should be secure and all, but why bother taking the risk? Can I do something nifty instead, by using more ssh tunnels on the work computer to tunnel low port numbers into high ones, so connecting to work:8000 tunnels to work:80? Would I do that with an ssh tunnel on the work computer or the home computer?

Thanks much for your help, this is exactly what I've been looking for for quite a while! Well... it's not perfect as you can't connect from any given computer anywhere in the world (my Holy Grail of worldwide connectivity), but it's very useful anyway =)



Re: Huh?
Authored by: david-bo on Sep 12, '02 12:11:46PM

You don't connect as root, you just open the tunnel as root. You are not allowed to open tunnels over ports <1023 as a regular user. This restriction is similar to using sudo to edit system settings files.



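The shell script johnpg suggests writing, as an added example that is not part of the thread, covering the reverse tunnel from the first post and the "do I need root / can I tunnel a low port through a high one" question in the replies. Two facts it relies on: sshd only refuses to bind a -R listen port below 1024 for non-root logins, so a listener on 2200 can be opened by an ordinary account; and the -L side at home binds a local high port (8000 -> 192.168.1.1:80) without any privilege at all. Assumed, and not in the thread: a dedicated unprivileged account named "tunnel" on the home Mac, and OpenSSH 7.8 or later for the permitlisten= authorized_keys option.

```shell
#!/bin/sh
# Added example, not from the original thread. Scripts the tunnels johnpg
# describes, run as an unprivileged user instead of root. Assumed names
# (not in the thread): home account "tunnel"; OpenSSH >= 7.8 for permitlisten.

HOME_HOST=${HOME_HOST:-128.128.128.128}   # home Mac, public address
HOME_USER=${HOME_USER:-tunnel}            # assumed: non-root account at home
WORK_HOST=${WORK_HOST:-192.168.1.1}       # work box behind NAT
RPORT=${RPORT:-2200}                      # listener sshd opens on the home Mac

# needs_root PORT: succeeds when sshd will bind this listen port only for a
# root login, i.e. PORT < 1024. 2200 does not, so no root is needed.
needs_root() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 2
    [ "$1" -lt 1024 ]
}

# reverse_tunnel_cmd RPORT WORK_HOST HOME_USER HOME_HOST
# Prints the command run at work. ExitOnForwardFailure makes ssh exit rather
# than stay up with no listener; the keepalives get a dead link noticed.
reverse_tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:%s:22 %s@%s\n' \
        "$1" "$2" "$3" "$4"
}

# local_forward_cmd LPORT TARGET TPORT RPORT USER
# Prints the command run at home: LPORT on the Mac -> TARGET:TPORT on the work
# LAN, through the sshd reached on RPORT. A high LPORT never needs root, so
# local_forward_cmd 8000 192.168.1.1 80 2200 you answers the work:80 question.
local_forward_cmd() {
    printf 'ssh -N -L %s:%s:%s -p %s %s@localhost\n' "$1" "$2" "$3" "$4" "$5"
}

# authorized_keys_line RPORT PUBKEY
# Line for ~tunnel/.ssh/authorized_keys on the home Mac: no shell, no pty,
# no agent/X11 forwarding, and only a -R listener on RPORT is permitted.
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# keep_tunnel_up MAX DELAY CMD...: rerun CMD whenever it exits, since the
# tunnel lives only as long as that ssh process. MAX=0 retries forever.
# Prints the number of launches so the bounded form can be checked.
keep_tunnel_up() {
    max=$1; delay=$2; shift 2
    n=0
    while [ "$max" -eq 0 ] || [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        "$@" || :        # ssh exits non-zero when the link drops; restart anyway
        sleep "$delay"
    done
    echo "$n"
}

main() {
    if needs_root "$RPORT"; then
        echo "port $RPORT would need a root login on $HOME_HOST; pick one >= 1024" >&2
        exit 1
    fi
    echo "at home, VNC: $(local_forward_cmd 5900 192.168.1.2 5900 "$RPORT" you)" >&2
    echo "at home, RDP: $(local_forward_cmd 3389 192.168.1.3 3389 "$RPORT" you)" >&2
    echo "at home, web: $(local_forward_cmd 8000 "$WORK_HOST" 80 "$RPORT" you)" >&2
    # At work: hold the reverse tunnel open and relaunch it when it dies.
    keep_tunnel_up 0 10 sh -c "$(reverse_tunnel_cmd "$RPORT" "$WORK_HOST" "$HOME_USER" "$HOME_HOST")"
}

# Only start tunnelling when invoked as: sh tunnel.sh run
if [ "${1-}" = run ]; then main; fi
```

Run it on the work box as `sh tunnel.sh run`; the commands to type at home are printed to stderr. The key restrictions matter more than the root question: with `restrict,port-forwarding,permitlisten="2200"` the work box's key can open the 2200 listener and nothing else, so a stolen key does not give a shell at home.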