ssh tunnel problems

Rick Bilonick rab at nauticom.net
Sat Jun 21 23:51:57 UTC 2008


On Sat, 2008-06-21 at 19:34 -0400, Rick Bilonick wrote:
> On Sun, 2008-06-22 at 02:55 +0930, Tim wrote:
> > On Sat, 2008-06-21 at 10:22 -0400, Rick Bilonick wrote:
> > > [chippy@localhost ~]$ ssh server@localhost -p 5000 -v
> > > OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
> > > debug1: Reading configuration data /etc/ssh/ssh_config
> > > debug1: Applying options for *
> > > debug1: Connecting to localhost [127.0.0.1] port 5000.
> > > debug1: connect to address 127.0.0.1 port 5000: Connection refused
> > > ssh: connect to host localhost port 5000: Connection refused
> > > 
> > > I'm using "localhost" because I was following an example. I guess I
> > > could substitute an IP for localhost. Isn't "localhost" just another
> > > name for the local computer? So on the first use of ssh, localhost
> > > refers to the server and on the second use of ssh, it refers to the
> > > home computer. At least, that's what I believe.
> > 
> > "localhost" is how a computer refers to itself.  Just the same as a
> > group of people in a room will all think of themselves as "myself" or
> > "I".  While correct, they could only ever converse about themselves, not
> > anyone else in the room.  Trying to network between different computers
> > all going by the same hostname is going to twist your brain around in
> > circles.
> > 
> > If you do try "ssh server@localhost" you're going to try and connect to
> > the SSH daemon on the same machine that you're typing on, which may or
> > may not actually connect.  But you're certainly not going to connect to
> > another machine, using that address.
> > 
> > If you don't have unique hostnames that are resolvable on your LAN
> > (i.e. everyone knows the name and IP of *all* hosts on the LAN), then
> > use numerical IP addresses.
> > 
> > Again, don't fall down the "looking in the mirror" trap by trying to
> > connect to 127.0.0.1.  That's the numerical address for a machine to
> > refer to itself.
> > 
> > You're playing with the local loopback device.  127.0.0.1 is the
> > traditional IP address for it, and localhost is the traditional hostname
> > for it.
> > 
> > -- 
> > [tim@localhost ~]$ uname -r
> > 2.6.25.6-55.fc9.i686
> > 
> > Don't send private replies to my address, the mailbox is ignored.  I
> > read messages from the public lists.
> > 
> 
> OK, apparently the example I followed from a website was not completely
> correct.
> 
> So after trying a bunch of things, I did get this to work from my home
> computer to my ISP's server. Here is what I did:
> 
> > ssh -R 4022:home:22 myaccnt@my.isp.net
> 
> where "home" is actually the IP of my home network (instead of using
> "localhost" which definitely does NOT work). This asked me for my
> password and it connected.
> 
> To see if the port was set up, I then did (on my.isp.net):
> 
> > netstat -an | grep 4022
> 
> and it shows that it is listening on port 4022.
> 
> So then from my.isp.net I did:
> 
> > ssh -p 4022 me@localhost
> 
> where "me" is the user on my home computer. Note that "localhost" must
> be used here so I can use the port that I set up. This asks me for my
> password and I connect and see files on my home computer (from being
> logged in on the isp's server).
> 
> So I know that in principle this can work.
> 
> So I went back to my office and set up a connection from work to my home
> computer:
> 
> > ssh -R 3022:work:22 me@home
> 
> where "work" is my work server's IP and "home" is my home computer's IP.
> This asks me for my password and I connect and can see files, etc. I did
> the "netstat -an | grep 3022" and it shows that it's listening on port
> 3022.
> 
> So then from my home computer I do:
> 
> > ssh -v -p 3022 abc@localhost
> 
> where "abc" is my user account on the work server and get:
> 
> OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to localhost [127.0.0.1] port 3022.
> debug1: Connection established.
> debug1: identity file /home/me/.ssh/identity type -1
> debug1: identity file /home/me/.ssh/id_rsa type -1
> debug1: identity file /home/me/.ssh/id_dsa type -1
> ssh_exchange_identification: Connection closed by remote host
> 
> It never asks for my password.
> 
> So it works from home to isp, but for some reason does NOT work from
> work to home.
> 
> What on the work server could be preventing the reverse tunnel from
> working? On the server I do use hosts.allow to only allow ssh from my
> home computer. Could this possibly prevent the reverse tunnel from
> working? Or is the problem on my home computer?
> 
> Thanks to everyone who replied with suggestions and questions. At least
> I'm making some progress.
> 
> Rick B.
> 
> 
> 

My guess at the moment is that I either need to get rid of the entries
in hosts.allow on the server or add an entry for localhost and the
forwarded port.

Rick B.
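The following is an added example, not part of the thread and not the poster's own files. It models the TCP-wrappers (hosts.allow / hosts.deny) check that sshd performs, to show what the work server's sshd actually sees when a login arrives through "ssh -R 3022:TARGET:22". The last hop of such a login is opened by the ssh client running on the work server itself, so the peer address is 127.0.0.1 when TARGET is localhost, or the work server's own address when TARGET is its external IP; the home computer's address never appears. A hosts.allow that lists only the home IP, with a deny-all in hosts.deny, therefore refuses the tunnelled connection, and sshd drops it before sending its version banner, which the client reports as "ssh_exchange_identification: Connection closed by remote host". The addresses 203.0.113.5 (home) and 198.51.100.7 (work) are made up for the example, and the rule files are constructed to model the setup described in the thread; the matcher is a simplified libwrap (IPv4 patterns only, no EXCEPT, no hostname lookups).

```shell
#!/bin/sh
# Added example, not code from the thread: a small model of TCP-wrappers
# matching, used to show which hosts.allow line admits a login that comes in
# over "ssh -R PORT:TARGET:22".  Simplified libwrap: IPv4 only, no EXCEPT,
# no hostname lookups.

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
HOME_IP=203.0.113.5     # the home computer
WORK_IP=198.51.100.7    # the work server running sshd

# Constructed rule files modelled on the thread: only the home computer may
# reach sshd, everything else is denied.
HOSTS_ALLOW_ORIG="sshd: ${HOME_IP}"
HOSTS_DENY="ALL: ALL"
# Widened rule: also accept loopback, the peer address of a tunnelled login
# whose -R target is localhost.
HOSTS_ALLOW_FIXED="sshd: ${HOME_IP}, 127.0.0.1"

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_net ADDR NET MASK -> 0 if ADDR lies inside NET/MASK (dotted mask)
ip_in_net() {
  local a n m
  a=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
  [ $(( a & m )) -eq $(( n & m )) ]
}

# pattern_matches PATTERN ADDR -> 0 if a wrappers client pattern matches ADDR
pattern_matches() {
  local pat=$1 addr=$2
  case "$pat" in
    ALL)   return 0 ;;
    LOCAL) [ "$addr" = 127.0.0.1 ] ;;                     # only loopback here
    */*)   ip_in_net "$addr" "${pat%/*}" "${pat#*/}" ;;   # net/mask form
    *.)    [ "${addr#"$pat"}" != "$addr" ] ;;             # prefix, e.g. 192.168.
    *)     [ "$addr" = "$pat" ] ;;                        # exact address
  esac
}

# rules_match RULES DAEMON ADDR -> 0 if any "daemon_list : client_list" line
# in RULES covers DAEMON connecting from ADDR (comments, blank lines skipped)
rules_match() {
  local rules=$1 daemon=$2 addr=$3 line dlist clist d c
  while IFS= read -r line; do
    line=${line%%#*}
    case "$line" in *:*) ;; *) continue ;; esac
    dlist=${line%%:*}
    clist=${line#*:}
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
      [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
      for c in $(printf '%s' "$clist" | tr ',' ' '); do
        pattern_matches "$c" "$addr" && return 0
      done
    done
  done <<EOF
$rules
EOF
  return 1
}

# wrapper_decision DAEMON ADDR ALLOW_RULES DENY_RULES -> prints allow or deny,
# in libwrap order: hosts.allow first, then hosts.deny, else allow.
wrapper_decision() {
  local daemon=$1 addr=$2 allow=$3 deny=$4
  if rules_match "$allow" "$daemon" "$addr"; then echo allow
  elif rules_match "$deny" "$daemon" "$addr"; then echo deny
  else echo allow
  fi
}

# tunnel_source_addr TARGET OWN_IP -> peer address sshd sees for a login that
# arrives via "ssh -R PORT:TARGET:22".  The ssh client on the sshd host opens
# that last hop itself, so the peer is loopback for a localhost target and the
# host's own address for its external IP; the home IP never appears.
tunnel_source_addr() {
  case "$1" in
    localhost|127.*) echo 127.0.0.1 ;;
    *)               echo "$2" ;;
  esac
}

# Show the wrappers verdict for both tunnel targets under both rule files.
demo() {
  local target src
  for target in "$WORK_IP" localhost; do
    src=$(tunnel_source_addr "$target" "$WORK_IP")
    printf 'ssh -R 3022:%s:22 me@home => sshd sees peer %s: original=%s widened=%s\n' \
      "$target" "$src" \
      "$(wrapper_decision sshd "$src" "$HOSTS_ALLOW_ORIG" "$HOSTS_DENY")" \
      "$(wrapper_decision sshd "$src" "$HOSTS_ALLOW_FIXED" "$HOSTS_DENY")"
  done
  printf 'direct login from home %s under original rules: %s\n' \
    "$HOME_IP" "$(wrapper_decision sshd "$HOME_IP" "$HOSTS_ALLOW_ORIG" "$HOSTS_DENY")"
}

demo
```

Two things to check on the real work server: a wrappers refusal is logged by libwrap as a "refused connect from ..." line (on Fedora, in /var/log/secure), and it only happens at all if that sshd was built against libwrap. The narrowest fix is to set up the tunnel as "ssh -R 3022:localhost:22 me@home" and add 127.0.0.1 to the sshd line in hosts.allow, rather than opening the rule to the work server's public address. Note that the loopback entry admits every locally originated connection through wrappers, so sshd's own authentication (keys, AllowUsers) is what still gates the tunnel. The "-p 3022 abc@localhost" step on the home side is unchanged: an -R listener binds to loopback on the server unless GatewayPorts is enabled, which is why it has to be reached as localhost there.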