* ssh tunnels and iptables
@ 2017-01-29 15:27 deva seetharam
2017-01-29 17:05 ` Mark Coetser
0 siblings, 1 reply; 4+ messages in thread
From: deva seetharam @ 2017-01-29 15:27 UTC (permalink / raw)
To: netfilter
I have setup a reverse ssh tunnel using the following command between
a Linux laptop and a remote server:
ssh -4nNT -R 2222:localhost:22 somehost.com
That is, the laptop, which is behind a firewall, can be accessed over
ssh using the following command:
ssh -p 2222 -l joe somehost.com
on sshd_config of somehost.com, i have enabled Gatewayports=yes.
I am glad to say all these work fine. However, one thing beats me:
there is an `iptables` running on somehost.com that does NOT have the
port 2222 opened. In spite of this tunnel works, how is that possible?
how does iptables handle gateway ports of ssh? could anyone kindly
explain? thanks in advance.
here is the output of iptables -L:
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere
icmp time-exceeded
ACCEPT icmp -- anywhere anywhere
icmp echo-request
ACCEPT icmp -- anywhere anywhere
icmp echo-reply
DROP tcp -f anywhere anywhere
DROP tcp -- anywhere anywhere
tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere
tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere
tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere
tcp flags:FIN,ACK/FIN
DROP tcp -- anywhere anywhere
tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere
tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP udp -- anywhere anywhere
udp spt:bootps dpt:bootpc
DROP tcp -- anywhere anywhere
tcp dpt:kazaa
DROP udp -- anywhere anywhere
udp dpt:kazaa
LOG tcp -- anywhere somehost.com tcp
dpt:ssh state NEW LOG level warning tcp-options ip-options prefix
"firewall-> ssh1: "
ACCEPT tcp -- anywhere somehost.com tcp dpt:ssh
LOG tcp -- anywhere somehost.com tcp
dpt:2023 state NEW LOG level warning tcp-options ip-options prefix
"firewall-> Check: "
ACCEPT tcp -- anywhere somehost.com tcp dpt:2023
LOG tcp -- anywhere somehost.com tcp
dpt:http state NEW LOG level warning tcp-options ip-options prefix
"firewall-> HTTP: "
ACCEPT tcp -- anywhere somehost.com tcp dpt:http
LOG tcp -- anywhere somehost.com tcp
dpt:https state NEW LOG level warning tcp-options ip-options prefix
"firewall-> HTTPS: "
ACCEPT tcp -- anywhere somehost.com tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:http
--
best regards,
Deva P. Seetharam
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: ssh tunnels and iptables
2017-01-29 15:27 ssh tunnels and iptables deva seetharam
@ 2017-01-29 17:05 ` Mark Coetser
2017-01-30 0:33 ` deva seetharam
0 siblings, 1 reply; 4+ messages in thread
From: Mark Coetser @ 2017-01-29 17:05 UTC (permalink / raw)
To: deva seetharam, netfilter
Your ssh tunnel is from Port 2222 to 22 so iptables with port 22 is valid.
Thank you,
Mark Adrian Coetser
mark@pkfnet.co.za
On 29 January 2017 5:35:08 PM deva seetharam <deva.seetharam@gmail.com> wrote:
> I have setup a reverse ssh tunnel using the following command between
> a Linux laptop and a remote server:
>
> ssh -4nNT -R 2222:localhost:22 somehost.com
> That is, the laptop, which is behind a firewall, can be accessed over
> ssh using the following command:
>
> ssh -p 2222 -l joe somehost.com
>
> on sshd_config of somehost.com, i have enabled Gatewayports=yes.
>
> I am glad to say all these work fine. However, one thing beats me:
> there is an `iptables` running on somehost.com that does NOT have the
> port 2222 opened. In spite of this tunnel works, how is that possible?
> how does iptables handle gateway ports of ssh? could anyone kindly
> explain? thanks in advance.
>
> here is the output of iptables -L:
>
> target prot opt source destination
>
> ACCEPT icmp -- anywhere anywhere
> icmp destination-unreachable
> ACCEPT icmp -- anywhere anywhere
> icmp time-exceeded
> ACCEPT icmp -- anywhere anywhere
> icmp echo-request
> ACCEPT icmp -- anywhere anywhere
> icmp echo-reply
> DROP tcp -f anywhere anywhere
> DROP tcp -- anywhere anywhere
> tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
> DROP tcp -- anywhere anywhere
> tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
> DROP tcp -- anywhere anywhere
> tcp flags:FIN,SYN/FIN,SYN
> DROP tcp -- anywhere anywhere
> tcp flags:FIN,ACK/FIN
> DROP tcp -- anywhere anywhere
> tcp flags:SYN,RST/SYN,RST
> DROP tcp -- anywhere anywhere
> tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
> DROP udp -- anywhere anywhere
> udp spt:bootps dpt:bootpc
> DROP tcp -- anywhere anywhere
> tcp dpt:kazaa
> DROP udp -- anywhere anywhere
> udp dpt:kazaa
> LOG tcp -- anywhere somehost.com tcp
> dpt:ssh state NEW LOG level warning tcp-options ip-options prefix
> "firewall-> ssh1: "
> ACCEPT tcp -- anywhere somehost.com tcp dpt:ssh
> LOG tcp -- anywhere somehost.com tcp
> dpt:2023 state NEW LOG level warning tcp-options ip-options prefix
> "firewall-> Check: "
> ACCEPT tcp -- anywhere somehost.com tcp dpt:2023
> LOG tcp -- anywhere somehost.com tcp
> dpt:http state NEW LOG level warning tcp-options ip-options prefix
> "firewall-> HTTP: "
> ACCEPT tcp -- anywhere somehost.com tcp dpt:http
> LOG tcp -- anywhere somehost.com tcp
> dpt:https state NEW LOG level warning tcp-options ip-options prefix
> "firewall-> HTTPS: "
> ACCEPT tcp -- anywhere somehost.com tcp dpt:https
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp spt:http
>
>
> --
> best regards,
> Deva P. Seetharam
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: ssh tunnels and iptables
2017-01-29 17:05 ` Mark Coetser
@ 2017-01-30 0:33 ` deva seetharam
2017-01-30 0:54 ` Neal P. Murphy
0 siblings, 1 reply; 4+ messages in thread
From: deva seetharam @ 2017-01-30 0:33 UTC (permalink / raw)
To: Mark Coetser; +Cc: netfilter
sorry, it does not make sense because it is a reverse tunnel. that is,
the server that is running the firewall gets the connection requests
on that port (2222). i see that the port opens (can see it using nmap)
up as soon as the tunnel is up. however, IPTABLES does not have that
port open. that is what is confusing.
On Sun, Jan 29, 2017 at 10:35 PM, Mark Coetser <mark@pkfnet.co.za> wrote:
> Your ssh tunnel is from Port 2222 to 22 so iptables with port 22 is valid.
>
> Thank you,
>
> Mark Adrian Coetser
> mark@pkfnet.co.za
>
>
>
>
> On 29 January 2017 5:35:08 PM deva seetharam <deva.seetharam@gmail.com>
> wrote:
>
>> I have setup a reverse ssh tunnel using the following command between
>> a Linux laptop and a remote server:
>>
>> ssh -4nNT -R 2222:localhost:22 somehost.com
>> That is, the laptop, which is behind a firewall, can be accessed over
>> ssh using the following command:
>>
>> ssh -p 2222 -l joe somehost.com
>>
>> on sshd_config of somehost.com, i have enabled Gatewayports=yes.
>>
>> I am glad to say all these work fine. However, one thing beats me:
>> there is an `iptables` running on somehost.com that does NOT have the
>> port 2222 opened. In spite of this tunnel works, how is that possible?
>> how does iptables handle gateway ports of ssh? could anyone kindly
>> explain? thanks in advance.
>>
>> here is the output of iptables -L:
>>
>> target prot opt source destination
>>
>> ACCEPT icmp -- anywhere anywhere
>> icmp destination-unreachable
>> ACCEPT icmp -- anywhere anywhere
>> icmp time-exceeded
>> ACCEPT icmp -- anywhere anywhere
>> icmp echo-request
>> ACCEPT icmp -- anywhere anywhere
>> icmp echo-reply
>> DROP tcp -f anywhere anywhere
>> DROP tcp -- anywhere anywhere
>> tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
>> DROP tcp -- anywhere anywhere
>> tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
>> DROP tcp -- anywhere anywhere
>> tcp flags:FIN,SYN/FIN,SYN
>> DROP tcp -- anywhere anywhere
>> tcp flags:FIN,ACK/FIN
>> DROP tcp -- anywhere anywhere
>> tcp flags:SYN,RST/SYN,RST
>> DROP tcp -- anywhere anywhere
>> tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
>> DROP udp -- anywhere anywhere
>> udp spt:bootps dpt:bootpc
>> DROP tcp -- anywhere anywhere
>> tcp dpt:kazaa
>> DROP udp -- anywhere anywhere
>> udp dpt:kazaa
>> LOG tcp -- anywhere somehost.com tcp
>> dpt:ssh state NEW LOG level warning tcp-options ip-options prefix
>> "firewall-> ssh1: "
>> ACCEPT tcp -- anywhere somehost.com tcp dpt:ssh
>> LOG tcp -- anywhere somehost.com tcp
>> dpt:2023 state NEW LOG level warning tcp-options ip-options prefix
>> "firewall-> Check: "
>> ACCEPT tcp -- anywhere somehost.com tcp dpt:2023
>> LOG tcp -- anywhere somehost.com tcp
>> dpt:http state NEW LOG level warning tcp-options ip-options prefix
>> "firewall-> HTTP: "
>> ACCEPT tcp -- anywhere somehost.com tcp dpt:http
>> LOG tcp -- anywhere somehost.com tcp
>> dpt:https state NEW LOG level warning tcp-options ip-options prefix
>> "firewall-> HTTPS: "
>> ACCEPT tcp -- anywhere somehost.com tcp dpt:https
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>> ACCEPT tcp -- anywhere anywhere tcp
>> spt:http
>>
>>
>> --
>> best regards,
>> Deva P. Seetharam
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>
--
best regards,
Deva P. Seetharam
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: ssh tunnels and iptables
2017-01-30 0:33 ` deva seetharam
@ 2017-01-30 0:54 ` Neal P. Murphy
0 siblings, 0 replies; 4+ messages in thread
From: Neal P. Murphy @ 2017-01-30 0:54 UTC (permalink / raw)
Cc: netfilter
On Mon, 30 Jan 2017 06:03:08 +0530
deva seetharam <deva.seetharam@gmail.com> wrote:
> sorry, it does not make sense because it is a reverse tunnel. that is,
> the server that is running the firewall gets the connection requests
> on that port (2222). i see that the port opens (can see it using nmap)
> up as soon as the tunnel is up. however, IPTABLES does not have that
> port open. that is what is confusing.
That's because the 'reverse' tunnel flows across the encrypted SSH connection. The server's firewall never sees the traffic; it only sees packets flowing across the existing connection.
When a program on the server connects to localhost:2222 (or to remotehost.com:2222), SSH itself listens on that socket and communicates with the SSH instance running on the laptop to connect to the host:port specified in the '-R' option. The traffic for that connection flows across (is tunneled through) the encrypted SSH connection.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-01-30 0:54 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-01-29 15:27 ssh tunnels and iptables deva seetharam
2017-01-29 17:05 ` Mark Coetser
2017-01-30 0:33 ` deva seetharam
2017-01-30 0:54 ` Neal P. Murphy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.