
I am trying to do some remote port forwarding via an ssh tunnel on my NAS (NAS4Free running FreeBSD), which is behind a firewall. I have added gateway_enable="YES" in /etc/rc.conf and also net.inet.ip.forwarding=1 in /etc/sysctl.conf.

Tunneling seems to be working via the following command:

ssh -R 0.0.0.0:49153:localhost:8080 username@a.b.c.d -p 16

And this is the log, if I use -v in my ssh command up to the point I gain access:

OpenSSH_7.2p1, OpenSSL 1.0.1p-freebsd 9 Jul 2015
debug1: Connecting to a.b.c.d [a.b.c.d] port 16.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2-hpn14v5
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Remote is NON-HPN aware
debug1: Authenticating to a.b.c.d:16 as 'username'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: <secret content>
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: <secret content> SHA256:<secret content>
debug1: skipped DNS lookup for numerical hostname
debug1: Host '[a.b.c.d]:16' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
username@a.b.c.d's password:
debug1: Authentication succeeded (password).
Authenticated to a.b.c.d ([a.b.c.d]:16).
debug1: Remote connections from 0.0.0.0:49153 forwarded to local address localhost:8080
debug1: HPN to Non-HPN Connection
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 0, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: remote forward success for: listen 0.0.0.0:49153, connect localhost:8080
debug1: All remote forwarding requests processed
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-85-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Apr 27 19:53:40 UTC 2016

  System load:  0.01              Processes:           250
  Usage of /:   7.0% of 27.05GB   Users logged in:     0
  Memory usage: 37%               IP address for eth0: a.b.c.d
  Swap usage:   0%                IP address for tun0: 10.8.0.1

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Wed Apr 27 19:53:41 2016 from <secret content>
username@localhost:~$

However, when I try to log in to access the website running on my NAS on https://a.b.c.d:49153/ I get ERR_CONNECTION_REFUSED in my browser and I also get the following log from my ssh session:

debug1: client_input_channel_open: ctype forwarded-tcpip rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen 0.0.0.0 port 49153, originator <secret content> port 12010
debug1: connect_next: host localhost ([127.0.0.1]:8080): Connection refused
debug1: connect_next: host localhost ([::1]:8080): Connection refused
connect to localhost port 8080 failed: Connection refused
debug1: failure forwarded-tcpip
Bahador
  • For accessing a server port (like a website) use -L not -R, for example: ssh -L 8080:a.b.c.d:49153 – Some Linux Nerd Apr 27 '16 at 21:03
  • Actually they might both work but I always use -L – Some Linux Nerd Apr 27 '16 at 21:03
  • Additionally, ssh tunnels do not require any kernel configuration, so ip.forwarding is not needed. Try with -L. Just to check, you want port 49153 to appear as 8080 on your local machine right? – Some Linux Nerd Apr 27 '16 at 21:16
  • Lastly, the first thing you put is 0.0.0.0:8080 - as you know this means the forwarded port should appear as port 8080 on all interfaces on your machine. This sometimes requires the configuration statement "GatewayPorts yes" in the machine's sshd_config. – Some Linux Nerd Apr 27 '16 at 21:18
  • I need remote port forwarding. I can't forward local ports. My NAS is behind a firewall, that's why I'm doing remote port forwarding via an ssh tunnel. – Bahador Apr 27 '16 at 21:19
  • Sorry, so you want people to connect to port 49153 on your firewall to be forwarded to port 8080 locally? Is your firewall the machine you're sshing to? – Some Linux Nerd Apr 27 '16 at 21:21
  • @SomeLinuxNerd No, adding 0.0.0.0: or *: means that the remote server will not only listen to loopback interface for port forwarding. – Bahador Apr 27 '16 at 21:21
  • @SomeLinuxNerd Yes. The firewall is my ISP. – Bahador Apr 27 '16 at 21:23
  • Possibly a stupid question, but from having just run the exact same command pretty much (ssh -R 0.0.0.0:80:127.0.0.1:1998 user@server), did you remember to unblock port 49153 on your firewall? I was lazy and just did iptables -F. – Some Linux Nerd Apr 27 '16 at 21:28
  • Oooh maybe your firewall is stopping sshd from connecting to the local port 8080 – Some Linux Nerd Apr 27 '16 at 21:29
  • I bet it's the latter – Some Linux Nerd Apr 27 '16 at 21:29
  • Also I've used haproxy to create permanent tunnels, it has a raw tcp connection mode that works fairly well. rtunnel has a memory leak as of around 2004. – Some Linux Nerd Apr 27 '16 at 21:31
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/38984/discussion-between-bahador-and-some-linux-nerd). – Bahador Apr 27 '16 at 21:39

0 Answers