
I want to forward the HTTP traffic from an external Linode server to a server in a private network which only allows outgoing connections using NAT. I am very new to this area, so I randomly tried socat and an ssh tunnel, but with no luck. One key problem here is that I have no control over this private network, including the firewall and gateway, and therefore I cannot set up anything on the gateway to redirect traffic from there.

I know how to set up a reverse ssh connection to that private server, but that's a different thing. I don't know how that would help.

[added my attempt with an ssh tunnel]

Let's say my Linode server is A, with a known IP. My private server is B, clearly with an unknown external IP address. The goal is to redirect traffic from A to B, so I run this on B:

ssh -N -f -R 8000:localhost:80 user@[A's ip]

This should build a tunnel from A:8000 to B:80, but when I use netcat to check, no connection has been built on A.

qqibrow
  • An ssh tunnel should be able to give you what you are looking for. Would you mind sharing your tries so far, so that we can work out together how to get this working? Basically you connect from the internal server to the Linode system via ssh and instruct the setup of an additional tunnel. That works, _if_ you can connect to Linode like that. – arkascha Mar 14 '15 at 16:14
  • I added my try. Please check. Thanks. @arkascha – qqibrow Mar 14 '15 at 16:28
  • I just checked again, that works for me. There are a few things to keep in mind, however: 1. only root can forward privileged ports like 80. So you have to use the `sudo` utility. 2. in that case you probably have to specify the ssh key too using the `-i` flag, since you switch user. 3. take care that the ssh server on A really uses the default port or specify the port using the `-p` flag. Since you are using the `-N` flag you will not see connection issues. It is a good idea to watch the system log file on the remote node. – arkascha Mar 14 '15 at 16:42
  • @arkascha 1. how do you verify that it works? 2. how do I check the system log file? – qqibrow Mar 14 '15 at 16:45
  • Well, I verified by connecting to the remote port, which worked and delivered the result as if connecting to the local system's open port. About checking the log file: you are using things like ssh and do not know how to look into a log file? Hm... Anyways: something like `tail -f /var/log/messages` or similar, depending on the Linux distribution. – arkascha Mar 14 '15 at 16:46
  • @arkascha Yeah, you are correct, that works. What I lacked before was a server on Linode which forwards connections from a public listening port to localhost:8000, which could be easily achieved by a `socat` command: `socat TCP4-LISTEN:80,fork TCP:localhost:8000`. But anyway, nothing wrong with that ssh command. Thank you for your help! – qqibrow Mar 14 '15 at 20:09
  • What? No! You are doing that wrong! You do _not_ need such an additional server! The idea of tunneling a port is that you do _not_ have a server on the forwarding system. You only open the tunnel from there to the server, which must be located on the inner system. – arkascha Mar 14 '15 at 20:11
  • The problem I want to overcome is that when I run `wget localhost:8000` on that Linode, it worked, but it failed in my browser when I tried "[linode ip address]:8000". That's why I set up that `socat` server. Any ideas? – qqibrow Mar 14 '15 at 20:29
  • This smells of a firewall blocking access to port 8000 from outside, whilst not interfering with access from within the system. Have a try using a CLI browser from within the Linode system, that should work (`links` or `lynx` or similar). But anyways, that is not the issue here. I do not see how `socat` can help here. You can have only one process listening on that port, either the tunnel or the socat relay. And as said: the tunnel is working. – arkascha Mar 14 '15 at 20:38
  • I found this question, which is exactly the problem I have. However, the first answer there doesn't work for me. http://superuser.com/questions/588591/how-to-make-ssh-tunnel-open-to-public – qqibrow Mar 14 '15 at 21:44
  • IT WORKS FINALLY! I needed to restart the ssh service after I updated the configuration. – qqibrow Mar 14 '15 at 21:49
  • That certainly is true. Great you solved your issue! Congratulations! – arkascha Mar 14 '15 at 22:01
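An added check for the symptom in this thread (written here, not code from the question or comments): run on A, it reports whether the reverse-forwarded port 8000 is bound to the loopback address or to all interfaces, and what sshd's GatewayPorts setting is, which is the configuration the tunnel depends on. It assumes `ss` from iproute2 and awk; the `ss` output and sshd_config text used as samples are constructed.

```shell
#!/bin/sh
# Added diagnostic for the public host A (not code from the original post).
# It explains the symptom in the thread: `wget localhost:8000` works on A
# while <A's ip>:8000 does not, because sshd binds -R ports to the loopback
# address unless GatewayPorts is set in /etc/ssh/sshd_config and sshd is
# restarted. Assumes `ss` (iproute2) and awk; both functions also accept
# sample text as an argument, so they run anywhere.

# bind_scope PORT [SS_OUTPUT]  -> prints loopback | public | none
# SS_OUTPUT is `ss -Hltn` text: State Recv-Q Send-Q Local:Port Peer:Port
bind_scope() {
    local port=$1 scope=none local_addr
    local listing="${2:-$(ss -Hltn 2>/dev/null)}"
    while read -r _ _ _ local_addr _; do
        case "$local_addr" in
            127.0.0.1:"$port"|'[::1]':"$port")
                [ "$scope" = public ] || scope=loopback ;;
            0.0.0.0:"$port"|'*':"$port"|'[::]':"$port")
                scope=public ;;
        esac
    done <<EOF
$listing
EOF
    printf '%s\n' "$scope"
}

# gateway_ports_value [SSHD_CONFIG_TEXT] -> effective GatewayPorts keyword.
# sshd takes the first match before any Match block; the default is "no".
# On a live host the authoritative check is: sshd -T | grep -i gatewayports
gateway_ports_value() {
    local cfg="${1:-$(cat /etc/ssh/sshd_config 2>/dev/null)}" v
    v=$(printf '%s\n' "$cfg" | awk '
        tolower($1) == "match" { exit }
        tolower($1) == "gatewayports" { print tolower($2); exit }')
    printf '%s\n' "${v:-no}"
}

# Constructed samples: what A looked like before the configuration change.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_CFG='# GatewayPorts no
Port 22'

echo "port 8000 bound to: $(bind_scope 8000 "$SAMPLE_SS")"   # loopback
echo "GatewayPorts: $(gateway_ports_value "$SAMPLE_CFG")"      # no
# Safer fix than "GatewayPorts yes": set "GatewayPorts clientspecified" on A,
# then choose the bind address from B per tunnel, e.g.
#   ssh -N -R 0.0.0.0:8000:localhost:80 user@A     # reachable from outside
#   ssh -N -R 127.0.0.1:8000:localhost:80 user@A   # loopback only (default)
```

With `clientspecified`, a tunnel that is not explicitly bound to `0.0.0.0` stays on loopback, so only the services you intend to expose on A become reachable from outside.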

1 Answer


I'm not sure if this helps you, but software like Skype faces the same problem: servers or devices on the "outside" of the private network need to contact a computer on the inside, for example when someone calls. They use this hole trick so the firewall recognizes the arriving packages' origin (the linode-server in your case) and lets them pass:

http://www.candlepowerforums.com/vb/showthread.php?144842-The-hole-trick-How-Skype-amp-Co-get-round-firewalls

Maybe you can manage to do that since you know where your traffic comes from.

codepearlex