"Henning, Brian" <[EMAIL PROTECTED]> wrote:
>
> hello-
>
> I am using echowall on dachstein LRP. I have a windows 2k pro machine that I
> can ssh into from the outside. I am also running an http server on my w2k
> machine. I am port forwarding ssh through my router/firewall. My problem is
> I am not sure how to tunnel the http to the *outside world*. I am not sure
> if it is possible. Any thoughts or suggestions?
>
> thanks
>
> brian
>

Charles gave you the answer to this before, but if you are coming from a windows world it may not make sense. I attached his original post at the end of this message.

Here's what I'll presume about you. You are on a windows client at work or somewhere else connecting to your LEAF box. As you described you have a Windows 2000 box with a web page you want to see.

There are a lot of things to keep straight in one's mind when you start playing with port forwarding and SSH. In short, you are not trying to "tunnel the http to the *outside world*" but you tell your clients how to tunnel to the service.

First off think of your LEAF box as just a patch cord. You have taken a cord and plugged it into a receptacle named 22 available to the rest of the world. The other end of the cord has been plugged into 22 on your W2K box. That's all port forwarding does in LEAF. LEAF is completely out of the picture now. All that it is is a pipe for data to flow over. You have successfully done that as you describe above.

Now let's talk about the magic of SSH. SSH is one protocol. It allows a person to set up an encrypted link between two computers. Typically, a telnet like feature is used within the SSH suite to talk to another server and run commands on it. Ahhhh but there are a few more tricks up SSH's sleeve. SSH allows you to build other pipes within the port 22 pipe. This is normally referred to as tunneling. Within the port 22 pipe you can create multiple tunnels. For example I have both regular SSH and web tunneled to a windows machine. I created these tunnels to try and explain what you'll need to do. If I wanted to ftp through SSH, then you could add this too. Name a protocol and try it. You are really just redirecting a port that the protocol normally uses on your localhost to the desired port on your server.

There are several SSH packages for Windows. I'll describe putty. You will need version 0.52.
My prior version, 0.51, did not have the features to perform the tasks you're asking for. (And yes I upgraded today to try it out. :) )

"A.8.8 How do I pronounce PuTTY?
"Exactly like the normal word "putty". Just like the stuff you put on window frames. (One of the reasons it's called PuTTY is because it makes Windows usable. :-)
http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html

Download the executables from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. You will want plink.exe especially. plink is short for putty link. You will want to set up your private key on the windows client computer that attaches to LEAF. plink.exe takes the SSH part and simplifies building tunnels within the port 22 pipe on a Windows PC.

I have a Samba Server on a Linux box that acts like your W2K box. I used a windows PC with putty and plink to connect to it. Here's the command I used where myLEAFipAddress is the address to LEAF performing port forwarding. myuser is the userid on the W2K box. myW2kboxIPorName is the ip or name of your W2k box. You would need to add the name in c:\windows\host file for a server name to work.

    plink -L 80:myLEAFipAddress:80 myuser@myW2kboxIPorName

This establishes the tunnel. I do not have a web server on my windows PC. However, when I use http://localhost/ in the web browser, I see what my Apache server is providing me. Remember port 80 is the default port used by browsers i.e. http://localhost/ is the same as http://localhost:80/. SSH through plink is creating a tunnel to my local machine or a secure patch cord. plink forwards whatever connects on my local windows box at port 80 to the other server on port 80. You have to just believe this until it makes sense. Also note the localhost is the name for ip address 127.0.0.1. Every networking host has this available to it.

Perhaps the -L 80:myLEAFipAddress:80 is confusing because the command is using the same port numbers on both ends of the pipe or tunnel.
Let's try this since I am putting off filling out my 1040 tax forms >:}

    plink -L 1040:myLEAFipAddress:80 myuser@myW2kboxIPorName

Now use http://localhost:1040/ in the web browser. Once again I see the pages Apache is serving up to me. If you will, plink makes a web server available on your client windows PC. Without plink forwarding the web server over SSH to the windows client, you would receive the typical 404 http error message.

Note that SSH is a server process in this configuration. If you need two way communication, that is, where both ends of the tunnel need to perform peer tasks, then you will want to investigate CIPE. CIPE specializes in the tunneling that SSH does and sometimes has problems doing http://sites.inka.de/~bigred/devel/tcp-tcp.html. The main CIPE site is at http://sites.inka.de/~bigred/devel/cipe.html.

I hope this helps. I had fun exploring it for you and others that may need this technique. I have not had the need to do this yet but it was interesting exploring it.

Regards,
Greg Morgan

This information may be helpful even though it talks about using the putty client and not plink.
http://www.chiark.greenend.org.uk/~sgtatham/putty/0.52/puttydoc.txt

3.5 Using port forwarding in SSH

The SSH protocol has the ability to forward arbitrary network connections over your encrypted SSH connection, to avoid the network traffic being sent in clear. For example, you could use this to connect from your home computer to a POP-3 server on a remote machine without your POP-3 password being visible to network sniffers.

In order to use port forwarding to connect from your local machine to a port on a remote server, you need to:

- Choose a port number on your local machine where PuTTY should listen for incoming connections. There are likely to be plenty of unused port numbers above 3000.

- Now, before you start your SSH connection, go to the Tunnels panel (see section 4.17.2). Make sure the `Local' radio button is set.
  Enter the local port number into the `Source port' box. Enter the destination host name and port number into the `Destination' box, separated by a colon (for example, `popserver.example.com:110' to connect to a POP-3 server).

- Now click the `Add' button. The details of your port forwarding should appear in the list box.

Now start your session and log in. (Port forwarding will not be enabled until after you have logged in; otherwise it would be easy to perform completely anonymous network attacks, and gain access to anyone's virtual private network). To check that PuTTY has set up the port forwarding correctly, you can look at the PuTTY Event Log (see section 3.1.3.1). It should say something like this:

    2001-12-05 17:22:10 Local port 3110 forwarding to popserver.example.com:110

Now if you connect to the source port number on your local PC, you should find that it answers you exactly as if it were the service running on the destination machine. So in this example, you could then configure an e-mail client to use `localhost:3110' as a POP-3 server instead of `popserver.example.com:110'. (Of course, the forwarding will stop happening when your PuTTY session closes down.)

You can also forward ports in the other direction: arrange for a particular port number on the _server_ machine to be forwarded back to your PC as a connection to a service on your PC or near it. To do this, just select the `Remote' radio button instead of the `Local' one. The `Source port' box will now specify a port number on the _server_ (note that most servers will not allow you to use port numbers under 1024 for this purpose).

The source port for a forwarded connection usually does not accept connections from any machine except the SSH client or server machine itself (for local and remote forwardings respectively).
There are controls in the Tunnels panel to change this:

- The `Local ports accept connections from other hosts' option allows you to set up local-to-remote port forwardings in such a way that machines other than your client PC can connect to the forwarded port.

- The `Remote ports do the same' option does the same thing for remote-to-local port forwardings (so that machines other than the SSH server machine can connect to the forwarded port.) Note that this feature is only available in the SSH 2 protocol, and not all SSH 2 servers support it (OpenSSH 3.0 does not, for example).

>> This might seem like a silly question but, here it goes anyway. Is it
>> possible to tunnel http through ssh on port 22 and access a website from
>> outside the local network?
>
>Absolutely! Run something like the following on your local system (use
>cygwin on a windows box)
>
>ssh -L 80:<remote IP or domain>:80 <remote system> -l <remote-user-name>
>
>This will connect your local port 80 to port 80 on <remote IP or domain> via
>an ssh connection to <remote system>.
>
>To access the remote website, just go to http://localhost , or
>http://127.0.0.1
>
>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
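
Added example (not part of the original message, and not PuTTY or OpenSSH code): a Python sketch that parses the port:host:hostport argument given to -L in the commands above, including OpenSSH's optional leading bind address, and flags two things the PuTTY documentation excerpt touches on: a listener that other hosts can reach, and a low source port. The names Forward, parse_forward and review and the finding labels are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Optional

class Forward(NamedTuple):
    bind: Optional[str]  # None: no bind address given, client default applies
    listen_port: int     # port opened on the SSH client machine
    dest_host: str       # resolved and dialled by the SSH *server*
    dest_port: int

# A field is a bracketed IPv6 literal or a run of characters without ':'.
_FIELD = re.compile(r"\[([^\]]*)\]|([^:\[\]]*)")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def split_fields(spec: str) -> List[str]:
    fields, pos = [], 0
    while True:
        m = _FIELD.match(spec, pos)
        fields.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
        if pos == len(spec):
            return fields
        if spec[pos] != ":":
            raise ValueError(f"unexpected {spec[pos]!r} at offset {pos}")
        pos += 1

def parse_forward(spec: str) -> Forward:
    fields = split_fields(spec)
    if len(fields) == 3:
        fields = [None] + fields
    if len(fields) != 4:
        raise ValueError("expected [bind:]port:host:hostport")
    bind, lport, host, dport = fields
    lport, dport = int(lport), int(dport)  # ValueError if not numeric
    if not host or not all(0 < p < 65536 for p in (lport, dport)):
        raise ValueError("empty host or port out of range")
    return Forward(bind, lport, host, dport)

def review(fwd: Forward) -> List[str]:
    findings = []
    # An explicit non-loopback bind (including "" and "*") lets other hosts
    # use the tunnel, like PuTTY's "accept connections from other hosts".
    if fwd.bind is not None and fwd.bind.lower() not in LOOPBACK:
        findings.append("exposed")
    # Ports below 1024 need root on Unix-like clients and may clash with a
    # service already listening locally (e.g. a web server on 80).
    if fwd.listen_port < 1024:
        findings.append("low-port")
    return findings

if __name__ == "__main__":
    for s in ("80:myLEAFipAddress:80", "1040:myLEAFipAddress:80",
              "*:3110:popserver.example.com:110"):
        print(s, parse_forward(s), review(parse_forward(s)))
```
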