IP tunnelling: ssh vs native


  1. #1

    Re: IP tunnelling: ssh vs native

    On Thu, 31 Jul 2003 03:37:13 GMT, ultrasparc3@hotmail.com wrote:
    >In <bf505c49.0307281143.2f651663@posting.google.com> phil.googlenews@bolthole.com (Philip Brown) writes:
    >>If there was some way to make ssh bind to *:1234 on my local box, I
    >
    >ssh will bind forwarded ports to INADDR_ANY instead of localhost if you
    >use the gateway ports option on the command line or in the config file.
    thanks... I knew there was something like that.
    erm... I don't see it in the sshd_config or manpage, though....?



    --
    http://www.blastwave.org/ for solaris pre-packaged binaries with pkg-get
    Organized by the author of pkg-get
    [Trim the no-bots from my address to reply to me by email!]
    S.1618 http://thomas.loc.gov/cgi-bin/bdquery/z?d105:SN01618:@@@D
    http://www.spamlaws.com/state/ca1.html
    Philip Brown Guest

  3. #2

    Re: IP tunnelling: ssh vs native

    On 28 Jul 2003 12:43:47 -0700, phil.googlenews@bolthole.com wrote:
    >...
    >I tried setting up IP tunnelling, via ip.tun0, but I couldn't get it to
    >actually send the packets. The route showed up appropriately, but no
    >actual packets got sent :-(
    My own stupid fault... turns out I also had sunscreen installed on the box.
    Which, while having an ALMOST wide open policy... wasn't wide enough :-}

    For the record, it is possible to use ip tunnelling without any encryption
    just fine. So, I can now reach the "private" interface of a server using IP
    tunnelling.

    The trick is apparently that you have to use a throwaway IP address on your
    local endpoint. Or some address other than the one you use to talk
    directly to the server, at any rate.
    You need to have a pair of addresses for the tunnel "endpoints",
    and then a DIFFERENT pair of addresses for the traffic inside the tunnel.



    --- Sample configuration ----------------------------------------



    server
    10.1.1.1, 192.168.1.1

    client machine
    10.4.6.8


    throwaway endpoint addr, that I just made up:
    192.168.50.50

    on client machine:

    ifconfig ip.tun0 plumb
    ifconfig ip.tun0 192.168.50.50 192.168.1.1 tsrc 10.4.6.8 tdst 10.1.1.1 up

    on server:

    ifconfig ip.tun0 plumb
    ifconfig ip.tun0 192.168.1.1 192.168.50.50 tsrc 10.1.1.1 tdst 10.4.6.8 up



    Philip Brown Guest
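
Added example, not part of the original post: a consistency check for the tunnel configuration above, run over the two `ifconfig` lines as posted. It verifies the rule the post describes (the inner address pair must differ from the `tsrc`/`tdst` endpoint pair) and that the two sides mirror each other; the function and field names are assumptions made for this example.

```python
import ipaddress
import re

# The two ifconfig lines from the post above, copied as sample input.
CLIENT = "ifconfig ip.tun0 192.168.50.50 192.168.1.1 tsrc 10.4.6.8 tdst 10.1.1.1 up"
SERVER = "ifconfig ip.tun0 192.168.1.1 192.168.50.50 tsrc 10.1.1.1 tdst 10.4.6.8 up"

# Field names (inner_local, inner_remote) are labels chosen for this example.
TUNNEL_RE = re.compile(
    r"ifconfig\s+ip\.tun\d+\s+(?P<inner_local>\S+)\s+(?P<inner_remote>\S+)"
    r"\s+tsrc\s+(?P<tsrc>\S+)\s+tdst\s+(?P<tdst>\S+)"
)


def parse_tunnel(line):
    """Return the four addresses of one tunnel ifconfig line."""
    match = TUNNEL_RE.search(line)
    if match is None:
        raise ValueError(f"not a tunnel ifconfig line: {line!r}")
    return {k: ipaddress.ip_address(v) for k, v in match.groupdict().items()}


def check_tunnel_pair(side_a, side_b):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse_tunnel(side_a), parse_tunnel(side_b)
    problems = []
    for label, side in (("side A", a), ("side B", b)):
        # The addresses used inside the tunnel must not be the endpoint addresses.
        if side["inner_local"] == side["tsrc"]:
            problems.append(f"{label}: inner local address reuses tsrc {side['tsrc']}")
        if side["inner_remote"] == side["tdst"]:
            problems.append(f"{label}: inner remote address reuses tdst {side['tdst']}")
    # Each side must be the mirror image of the other.
    if (a["tsrc"], a["tdst"]) != (b["tdst"], b["tsrc"]):
        problems.append("outer endpoints (tsrc/tdst) are not mirrored")
    if (a["inner_local"], a["inner_remote"]) != (b["inner_remote"], b["inner_local"]):
        problems.append("inner addresses are not mirrored")
    return problems


if __name__ == "__main__":
    print(check_tunnel_pair(CLIENT, SERVER) or "tunnel pair is consistent")
```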

  4. #3

    Re: IP tunnelling: ssh vs native

    In <slrnbiigjt.144n.phil+s3@bolthole.com> phil+s3@bolthole.no-bots.com (Philip Brown) writes:
    >>ssh will bind forwarded ports to INADDR_ANY instead of localhost if you
    >>use the gateway ports option on the command line or in the config file.
    >
    >thanks... I knew there was something like that.
    >erm... I don't see it in the sshd_config or manpage, though....?
    depends on your version of SSH.

    ssh(1):

    -g      Allows remote hosts to connect to local forwarded ports.

    ssh_config(5):

    GatewayPorts
            Specifies whether remote hosts are allowed to connect
            to local forwarded ports. By default, ssh binds local
            port forwardings to the loopback address. This
            prevents other remote hosts from connecting to
            forwarded ports. GatewayPorts can be used to specify that
            ssh should bind local port forwardings to the wildcard
            address, thus allowing remote hosts to connect to
            forwarded ports. The argument must be ``yes'' or ``no''.
            The default is ``no''.
    ultrasparc3@hotmail.com Guest
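
Added example, not part of the original post: a check of how forwarded ports are actually bound, so that a forward exposed through `-g` or `GatewayPorts yes` shows up as a wildcard listener. It assumes Solaris-style `netstat -an` output (address and port joined by a final dot, `*` for the wildcard address); the sample text and port numbers are constructed.

```python
# Constructed sample of Solaris-style `netstat -an -f inet` output (assumed format).
SAMPLE = """\
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.1234             *.*                0      0 49152      0 LISTEN
      *.5901               *.*                0      0 49152      0 LISTEN
10.4.6.8.22          10.1.1.1.40112       49640      0 49640      0 ESTABLISHED
"""

WILDCARD_ADDRS = {"*", "0.0.0.0", "::"}


def listeners(netstat_text):
    """Yield (address, port) for every socket in LISTEN state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[-1] != "LISTEN":
            continue  # headers, separators and non-listening sockets
        addr, _, port = fields[0].rpartition(".")
        if port.isdigit():
            yield addr, int(port)


def classify(addr):
    """Describe who can reach a listener bound to this address."""
    if addr in WILDCARD_ADDRS:
        return "wildcard"   # reachable from other hosts (GatewayPorts behaviour)
    if addr.startswith("127.") or addr == "::1":
        return "loopback"   # ssh's default for local forwards
    return "specific"       # bound to one non-loopback interface address


def audit_forwards(netstat_text, forwarded_ports):
    """Map each forwarded port to its bind scope, or 'not listening'."""
    result = {port: "not listening" for port in forwarded_ports}
    for addr, port in listeners(netstat_text):
        # If a port is bound more than once, report the most exposed binding.
        if port in result and result[port] != "wildcard":
            result[port] = classify(addr)
    return result


if __name__ == "__main__":
    for port, scope in audit_forwards(SAMPLE, [1234, 5901, 8080]).items():
        print(port, scope)
```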
