tunnel with a shell account?

Printable View

December 13th, 2004, 03:38 PM
phishphreek

tunnel with a shell account?

Here is what I'm looking to do:

I want to login to a remote Linux ssh shell and use some utility (I'm thinking netcat) to open a port on the remote machine. Call this port X. When someone (I) connects to port X on the remote shell, I want it to forward all the traffic to another remote machine at port Y.

box1 --> Linux ssh shell (box2) to open port X which will forward to box3 port Y
box1 --> box2 port X --> box3 port Y

I want to do this because box1 is blocked via firewall to box3, but box2 is not

I am admin/root on box1 and box3 but not on box2

I know I can just open box3's firewall to allow box1, but box1 will always have a different IP
box2 and box3 will always have the same IP address.

Can I accomplish this with netcat?

If not, what utility can I use to accomplish this?

box1 will almost always be a XP Pro box. box3 is either 2K Server or XP Pro
box2 will always be a Linux box.

My other option is to just open up a vpn on box3 and allow from two ISPs netblocks.
However, box1 will not always have vpn client software on it...

Thanks for any insight!
December 13th, 2004, 04:05 PM
Shrekkie

What is it exactly that you want phish ? If its only ssh you need then you can solve that by making a script in the .bashrc of the shellaccount on box2 which automatically automates a new connection to box3 when ssh-ing to box2 from box1.

Otherwise you might make a dyndns account for box1 which you can auto-update via a dyn-dnsclient-proggie on box1. Then let the firewall or box3 do a reverse lookup on the dyndns-account and if that ones ip matches the incoming ip you can let it pass to box3 directly. You would need to allow the dyndns in your firewall though.

This should be do-able imho,

Great challenge though :p
December 13th, 2004, 04:10 PM
cacosapo

a ssh tunnel thru putty?
http://martybugs.net/smoothwall/puttyvnc.cgi
December 13th, 2004, 04:27 PM
Striek

Tunnelling with a shell account may not be possibe. Many providers block this capability specifically because they don't want thier servers being used to circumvent firewalls, perhaps by limiting raw socket access to root (the default I believe).

Check to see if you can run tools like ping/tracert/netcat before assuming that the more complex stuff will be possible.

Does that help?
December 13th, 2004, 04:45 PM
phishphreek

Basically, what I'm trying to do is get remote access to my home computers by forwarding the traffic through a school shell account. I allow connections from my school shell.

Shrekkie: I was thinking about doing the reverse lookup, but doesn't that put a huge overhead on the router because it has to reverse lookup EVERY ip that tries to connect to that port? I've thought about doing that in the past, but was told not to. I'm sure I was told that here. I just let it go after that point and opened up the whole netblock. But, if it would work (without too much overhead), thats a great idea.

Striek: yes, I can use ping, tracert, and netcat. I am just limited to which ports I can open connections on. However, it would seem that it the shell itself is firewalled so even if I do open a port, I can't connect to it. darn...

So, it looks like vpn is going to be the way to go. I just won't have vpn client software from every machine that I will be on. But I will have remote desktop. So, I was just going to use RDP. I know that its not encrypted... but I won't be doing anything that must be kept secret.

Ah yes. Here is the thread that I was wondering about they dynamic ACLs for practically the same issue. I guess its time for the funnel and pot of coffee... I just forgot all about the two dynamic dns addresses. One pointing to the other. That will work for this case too! Sweet! http://www.antionline.com/showthread...hreadid=261366
December 13th, 2004, 06:04 PM
Shrekkie

phishphreek,

Every router where access-lists (since i know you have a cisco :p) will do a lookup to get the ip. It's just a matter of putting a good access-list. I know you can even allow certain dns'es so that would solve your probs for sure.
And besides I don't think you would notice the difference with or without the router doing lookups.

I would surely at least try it for a week or so, since you are always able to reset to your old values. This really seems the easiest and the cleanest way to do, so surely worth a shot.

Besides just read your edit, Have it a go and if you need me you know where to find me on irc.

Cheers
December 13th, 2004, 07:41 PM
Maestr0

Phish,
you can apply the same technique from the link provided by cacosapo to tunnel your RDP through Putty. All you need is a sshd listening on your home border. Once you establish a tunnel between where you are, and the sshd at home, you can tunnel RDP through it to machines accessible from the sshd server,. Then you get RDP and its encrypted. :)

-Maestr0
December 13th, 2004, 07:44 PM
hogfly

Re: tunnel with a shell account?

Quote:

Originally posted here by phishphreek80
Here is what I'm looking to do:

I want to login to a remote Linux ssh shell and use some utility (I'm thinking netcat) to open a port on the remote machine. Call this port X. When someone (I) connects to port X on the remote shell, I want it to forward all the traffic to another remote machine at port Y.

box1 --> Linux ssh shell (box2) to open port X which will forward to box3 port Y
box1 --> box2 port X --> box3 port Y

I want to do this because box1 is blocked via firewall to box3, but box2 is not

I am admin/root on box1 and box3 but not on box2

I know I can just open box3's firewall to allow box1, but box1 will always have a different IP
box2 and box3 will always have the same IP address.

Can I accomplish this with netcat?

I am not quite sure I understand this... you want to log in to a remote machine via ssh and have it automatically forward your connection to box 3 on an unknown port? How can you not know what port Y is?

ssh -N -f -L 3389:box3:3389 user@box2 is what you want to use to forward a connection. You can use this to tunnel RDP through ssh btw.

This lets you configure a tunnel between your box1 and your box3 using your account on Box2..

I'd consider looking in to configuring an ssh-agent for your user account.

Quote:

If not, what utility can I use to accomplish this?

Certainly don't use netcat for this..although it would work..

Quote:

box1 will almost always be a XP Pro box. box3 is either 2K Server or XP Pro
box2 will always be a Linux box.

My other option is to just open up a vpn on box3 and allow from two ISPs netblocks.
However, box1 will not always have vpn client software on it...

XP pro has built in VPN client software albeit to a lesser degree.

You can also open your sshd at home and try to set up a reverse shell with the -R flag. Given that I don't know your current situation all that well...I don't know if it would work.

Quote:

Thanks for any insight!
December 14th, 2004, 10:40 AM
i2c

Theres an article on NewOrder. about 3 weeks ago that describes doing such a thing, you might find it interesting, its quite well written if a little brief,

i2c
December 17th, 2004, 05:14 PM
vvuiverine

Try setting up a local forward via ssh from box1 to box2. Finally use redir or fport to forward from box2 to box3 once the local forward has been connection has been established

box1 ------local forward----->box2-----redir forward------->box3

Hope that helps.