I configured a bastion server on AWS in my public subnet. I can ssh directly to the ec2 instance inside the private subnet, using the bastion host.

I can connect to the bastion host and check that the 7474 port on the private ec2 instance is open.

nc -v -z -w 5 10.0.3.102 7474; echo $?
Connection to 10.0.3.102 7474 port [tcp/*] succeeded!
0

I want to ssh tunnel from localhost (my home machine) to an ec2 instance on the private network.

ssh -v -C -N -L 9000:PRIVATE_MDM:7474 BASTION

But I am getting:

open failed: administratively prohibited: open failed

Authenticated to 52.32.240.40 ([52.32.240.40]:22).
debug1: Local connections to LOCALHOST:9000 forwarded to remote address PRIVATE_MDM:7474
debug1: Local forwarding listening on ::1 port 9000.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 9000.
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Connection to port 9000 forwarding to PRIVATE_MDM port 7474 requested.
debug1: channel 2: new [direct-tcpip]
debug1: Connection to port 9000 forwarding to PRIVATE_MDM port 7474 requested.
debug1: channel 3: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
channel 3: open failed: administratively prohibited: open failed
debug1: channel 2: free: direct-tcpip: listening port 9000 for PRIVATE_MDM port 7474, connect from 127.0.0.1 port 42685 to 127.0.0.1 port 9000, nchannels 4
debug1: channel 3: free: direct-tcpip: listening port 9000 for PRIVATE_MDM port 7474, connect from 127.0.0.1 port 42686 to 127.0.0.1 port 9000, nchannels 3
debug1: Connection to port 9000 forwarding to PRIVATE_MDM port 7474 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
debug1: channel 2: free: direct-tcpip: listening port 9000 for PRIVATE_MDM port 7474, connect from 127.0.0.1 port 42687 to 127.0.0.1 port 9000, nchannels 3
p.magalhaes

1 Answer

The BASTION machine has forbidden port forwarding via the AllowTcpForwarding option. If you want port forwarding to work, you need to allow this option on that machine.

EDIT: Now I see the flaw there. Can you add a description of what you are trying to achieve? Forwarding an unused local port to an unused remote port does not make sense. You either forward an existing service on the remote side to your local port (then use -L, local port forwarding) or the other way round, your local service to a remote port (then you use -R, remote port forwarding). Without this, you can't proceed further.

SOLUTION: The difference between the nc and ssh commands in the examples is the use of a direct IP address versus a hostname. The BASTION was not able to resolve PRIVATE_MDM, which caused the problem.

Jakuje
  • I already set (in the file etc/ssh/sshd_config): PermitTunnel yes, AllowTCPForwarding yes – p.magalhaes Dec 21 '15 at 19:22
  • Did you restart your `sshd` after that? `PermitTunnel` is unrelated. – Jakuje Dec 21 '15 at 19:23
  • Yep. service ssh restart – p.magalhaes Dec 21 '15 at 19:29
  • I am trying to connect to a service on port 7474 on an ec2 instance inside a private subnet. So I created a bastion server. I want to connect to the bastion server and redirect the traffic to port 7474 on the private server. – p.magalhaes Dec 21 '15 at 20:14
  • Yes. My service is running on port 7474 on PRIVATE_MDM. I can connect to the bastion and then connect to the PRIVATE_MDM (nc -v -z -w 5 10.0.3.102 7474; echo $?). I can ssh from my client machine directly to the PRIVATE_MDM. – p.magalhaes Dec 21 '15 at 20:17
  • Yes, I can! It is a web app running on port 7474. I just ran this command nc -v -z -w 5 10.0.3.102 7474; echo $? from the bastion server, and got 'Connection to 10.0.3.102 7474 port [tcp/*] succeeded!' – p.magalhaes Dec 21 '15 at 20:24
  • I found the problem! The bastion server could not resolve PRIVATE_MDM! Thanks, man!!! – p.magalhaes Dec 21 '15 at 20:27
  • Yes. That was the only difference between the `nc` and `ssh` command. – Jakuje Dec 21 '15 at 20:28
  • Update the question with my response. I will accept your answer – p.magalhaes Dec 21 '15 at 20:31
  • Updated according to problem. Glad to help. – Jakuje Dec 21 '15 at 20:34
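The thread above shows that two different faults on the bastion (AllowTcpForwarding disabled, and the bastion being unable to resolve the -L destination) produce the identical "administratively prohibited: open failed" text on the client. The following diagnostic is an added example, not code from the question or the answer: it parses the -L spec, states which side resolves the destination hostname, and scans ssh -v output for the failure. The host names, IP address and sample log lines are taken from the question.

```python
import ipaddress
import re

# Constructed from the ssh -v output quoted in the question above.
SAMPLE_LOG = """\
debug1: Local connections to LOCALHOST:9000 forwarded to remote address PRIVATE_MDM:7474
debug1: Connection to port 9000 forwarding to PRIVATE_MDM port 7474 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
"""

OPEN_FAILED = re.compile(r"^channel (\d+): open failed: administratively prohibited")


def parse_local_forward(spec):
    """Split an ssh -L spec ([bind_address:]port:host:hostport) into its parts
    (plain IPv4/hostname form; bracketed IPv6 literals are not handled here)."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "localhost", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unsupported -L spec: {spec!r}")
    return bind, int(port), host, int(hostport)


def resolved_by(host):
    """The sshd on the bastion opens the direct-tcpip connection, so a hostname
    in the -L destination is resolved on the bastion, never on the client."""
    try:
        ipaddress.ip_address(host)
        return "nobody (literal IP address)"
    except ValueError:
        return "the bastion's sshd"


def diagnose(log_text, spec):
    """Return likely causes for 'administratively prohibited' channel failures
    found in ssh -v output; an empty list means no such failure was seen."""
    if not any(OPEN_FAILED.match(line) for line in log_text.splitlines()):
        return []
    _, _, host, hostport = parse_local_forward(spec)
    causes = [
        "AllowTcpForwarding is 'no' on the bastion: check 'sshd -T | grep -i allowtcpforwarding' and restart sshd after editing sshd_config",
        f"the bastion cannot resolve or reach {host}:{hostport}: run 'getent hosts {host}' and 'nc -vz {host} {hostport}' on the bastion",
    ]
    if resolved_by(host) != "nobody (literal IP address)":
        causes.append(f"{host} is a hostname resolved by {resolved_by(host)}; retry with the literal IP, e.g. -L 9000:10.0.3.102:7474")
    return causes


if __name__ == "__main__":
    for cause in diagnose(SAMPLE_LOG, "9000:PRIVATE_MDM:7474"):
        print("-", cause)
```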