[lug] Remote assistance tunneling

Gordon Golding gordongoldin at netscape.net
Tue Jan 25 16:08:11 MST 2005


>>>I have written a small script to keep a tunnel up all the time as well if anyone has a use for it.

I take it this means that the machine behind the firewall (which you can't get to) constantly has a line which it has opened to your server, so you can get on that server and fix stuff at any time.  Hey - I could use that.  How many beers for a license?  ;-)

>>>I want to ssh in to her machine, but obviously all incoming ports are blocked and we don't have access to the firewall.

From what you describe, it sounds like she might be working off of a DSL line and it is just "non-addressable" - no firewall there.

>>>This is important for me because I'm helping my sister (who's out of state)

I'm trying to help several people - all in various states of remote.  This should work for a server with a non-addressable DSL line, right? 
i.e. - I can't possibly talk to it.  But it can phone home, open the session, and then I can tunnel through that.  If the session is always up - I can always get on and see what's wrong.

>>>Did you realize you can run servers on a machine behind a firewall with a single SSH command, changing nothing on the firewall?

So if there are 3 applications on the remote server, listening each on 8010, 8011, 8012, respectively.  Can I use this, and then from my server, talk to those 3 applications?

>>>She understands the ... privacy risks of doing this, by the way.

Does this open any risks other than just your machine users getting to her machine?
>>>>>>>>>>>>>>>>>>>>>>
>>Daniel Webb <lists at danielwebb.us>
Subject: [lug] Tunneling TCP

Did you realize you can run servers on a machine behind a firewall with
a single SSH command, changing nothing on the firewall?  Suppose host
pib is behind a firewall and host fuzzy is a host you have an account
on.

pib$ ssh -n -N -R2222:localhost:22 some_fuzzy_user@fuzzy &

will allow you to ssh in to pib by doing:

$ ssh -p2222 -oStrictHostKeyChecking=no some_pib_user@fuzzy

from any machine with internet access.

The assumptions here are:
 - all incoming ports on pib's firewall are blocked
 - fuzzy doesn't firewall incoming port 2222
 - pib's firewall doesn't block outgoing port 22

This is important for me because I'm helping my sister (who's out of
state) with her computer, and she's getting internet access by plugging
in her wireless card and associating with an unknown access point in her
apartment building.  I want to ssh in to her machine, but obviously all
incoming ports are blocked and we don't have access to the firewall.
She understands the potential ethical and privacy risks of doing this,
by the way.  

SSH is a wicked tool.  If you need full IP forwarding, not just TCP
forwarding, you can set up a PPP tunnel over a single SSH session that
will do that too, but it's way more complicated.  If you're interested
in that, check out the vpn-pppssh mini-howto.

Sorry if all of you knew this already, but I thought it was too good to
not share.  I have written a small script to keep a tunnel up all the
time as well if anyone has a use for it.
Daniel
-- 
Gordon Golding
aka Golding the Younger DH70
gordongoldin at netscape.net
http://cslr.colorado.edu/beginweb/cgi-bin/gen_page.php?user=goldingg&&group=STF
303-494-5730
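
An added example, not Daniel's script and not part of either message: a keep-alive loop for the reverse tunnel that also carries the three application ports from the question. The relay-side ports 18010-18012, key-based login for some_fuzzy_user, and the choice to bind every forward to fuzzy's loopback (so the ports are reachable only from a login on fuzzy, which narrows the exposure asked about above) are assumptions.

```shell
#!/bin/sh
# Added example: run on pib as "sh keep-tunnel.sh run" (file name is hypothetical).
RELAY="some_fuzzy_user@fuzzy"   # account on the reachable host, as in the post
# relay_port:local_port pairs; 18010-18012 on fuzzy are assumed free ports
FORWARDS="2222:22 18010:8010 18011:8011 18012:8012"

is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh arguments: one -R per pair, each bound to the relay's loopback.
tunnel_args() {
    # BatchMode: fail instead of prompting; ExitOnForwardFailure: do not stay
    # connected with a forward missing; ServerAlive*: notice a dead link in ~90 s.
    args="-n -N -o BatchMode=yes -o ExitOnForwardFailure=yes"
    args="$args -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    for pair in $FORWARDS; do
        rport=${pair%%:*}
        lport=${pair##*:}
        if ! is_port "$rport" || ! is_port "$lport"; then
            echo "bad forward: $pair" >&2
            return 1
        fi
        args="$args -R 127.0.0.1:$rport:localhost:$lport"
    done
    printf '%s %s\n' "$args" "$RELAY"
}

# Reconnect forever, doubling the pause (up to 320 s) after short-lived sessions.
keep_tunnel_up() {
    delay=5
    while :; do
        args=$(tunnel_args) || return 1
        start=$(date +%s)
        # shellcheck disable=SC2086  # word splitting of $args is intended
        ssh $args
        if [ $(( $(date +%s) - start )) -gt 60 ]; then
            delay=5
        elif [ "$delay" -lt 300 ]; then
            delay=$((delay * 2))
        fi
        sleep "$delay"
    done
}

if [ "${1:-}" = "run" ]; then keep_tunnel_up; fi
```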

