Why don't U use FreeSwan Ipsec... I just woke up hehe

Upnet Joe
----- Original Message -----
From: "Greg Morgan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Henning, Brian" <[EMAIL PROTECTED]>
Sent: Saturday, March 30, 2002 1:57 AM
Subject: Re: [Leaf-user] ssh firewall

> "Henning, Brian" <[EMAIL PROTECTED]> wrote:
> >
> > hello-
> >
> > I am using echowall on dachstein LRP. I have a windows 2k pro machine that I
> > can ssh into from the outside. I am also running an http server on my w2k
> > machine. I am port forwarding ssh through my router/firewall. My problem is
> > I am not sure how to tunnel the http to the *outside world*. I am not sure
> > if it is possible. Any thoughts or suggestions?
> >
> > thanks
> >
> > brian
> >
>
> Charles gave you the answer to this before, but if you are coming from a
> windows world it may not make sense. I attached his original post at the
> end of this message. Here's what I'll presume about you. You are on a
> windows client at work or somewhere else connecting to your LEAF box.
> As you described you have a Windows 2000 box with a web page you want to
> see. There are a lot of things to keep straight in one's mind when you
> start playing with port forwarding and SSH. In short, you are not
> trying to "tunnel the http to the *outside world*" but you tell your
> clients how to tunnel to the service.
>
> First off think of your LEAF box as just a patch cord. You have taken a
> cord and plugged it into a receptacle named 22 available to the rest of
> the world. The other end of the cord has been plugged into 22 on your
> W2K box. That's all port forwarding does in LEAF. LEAF is completely
> out of the picture now. All that it is is a pipe for data to flow
> over. You have successfully done that as you describe above.
>
> Now let's talk about the magic of SSH. SSH is one protocol. It allows
> a person to set up an encrypted link between two computers. Typically, a
> telnet-like feature is used within the SSH suite to talk to another
> server and run commands on it.
> Ahhhh but there are a few more tricks up
> SSH's sleeve. SSH allows you to build other pipes within the port 22
> pipe. This is normally referred to as tunneling. Within the port 22
> pipe you can create multiple tunnels. For example I have both regular
> SSH and web tunneled to a windows machine. I created these tunnels to
> try and explain what you'll need to do. If I wanted to ftp through SSH,
> then you could add this too. Name a protocol and try it. You are
> really just redirecting a port that the protocol normally uses on your
> localhost to the desired port on your server.
>
> There are several SSH packages for Windows. I'll describe putty. You
> will need version 0.52. My prior version, 0.51, did not have the
> features to perform the tasks you're asking for. (And yes I upgraded
> today to try it out. :) )
>
> "A.8.8 How do I pronounce PuTTY?
> "Exactly like the normal word "putty". Just like the stuff you put on
> window frames. (One of the reasons it's called PuTTY is because it makes
> Windows usable. :-)
> http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html
>
> Download the executables from
> http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. You
> will want plink.exe especially. plink is short for putty link. You
> will want to set up your private key on the windows client computer that
> attaches to LEAF.
>
> plink.exe takes the SSH part and simplifies building tunnels within the
> port 22 pipe on a Windows PC. I have a Samba Server on a Linux box that
> acts like your W2K box. I used a windows PC with putty and plink to
> connect to it. Here's the command I used where
>
> myLEAFipAddress is the address to LEAF performing port forwarding.
> myuser is the userid on the W2K box.
> myW2kboxIPorName is the ip or name of your W2k box. You would need
> to add the name in the c:\windows\host
> file for a server name to work.
>
> plink -L 80:myLEAFipAddress:80 myuser@myW2kboxIPorName
>
> This establishes the tunnel.
> I do not have a web server on my windows
> PC. However, when I use
>
> http://localhost/
>
> in the web browser, I see what my Apache server is providing me.
> Remember port 80 is the default port used by browsers, i.e.
> http://localhost/ is the same as http://localhost:80/. SSH through
> plink is creating a tunnel to my local machine or a secure patch cord.
> plink forwards whatever connects on my local windows box at port 80 to
> the other server on port 80. You have to just believe this until it
> makes sense. Also note that localhost is the name for ip address
> 127.0.0.1. Every networking host has this available to it.
>
> Perhaps the -L 80:myLEAFipAddress:80 is confusing because the command is
> using the same port numbers on both ends of the pipe or tunnel. Let's
> try this since I am putting off filling out my 1040 tax forms >:}
>
> plink -L 1040:myLEAFipAddress:80 myuser@myW2kboxIPorName
>
> Now use
>
> http://localhost:1040/
>
> in the web browser. Once again I see the pages Apache is serving up to
> me. If you will, plink makes a web server available on your client
> windows PC. Without plink forwarding the web server over SSH to the
> windows client, you would receive the typical 404 http error message.
>
> Note that SSH is a server process in this configuration. If you need
> two-way communication, that is where both ends of the tunnel need to
> perform peer tasks, then you will want to investigate CIPE. CIPE
> specializes in the tunneling that SSH does and sometimes has problems
> doing http://sites.inka.de/~bigred/devel/tcp-tcp.html.
> The main CIPE site is at http://sites.inka.de/~bigred/devel/cipe.html.
>
> I hope this helps. I had fun exploring it for you and others that may
> need this technique. I have not had the need to do this yet but it was
> interesting exploring it.
>
> Regards,
> Greg Morgan
>
> This information may be helpful even though it talks about using the
> putty client and not plink.
>
> http://www.chiark.greenend.org.uk/~sgtatham/putty/0.52/puttydoc.txt
>
> 3.5 Using port forwarding in SSH
>
>     The SSH protocol has the ability to forward arbitrary network
>     connections over your encrypted SSH connection, to avoid the
>     network traffic being sent in clear. For example, you could use
>     this to connect from your home computer to a POP-3 server on a
>     remote machine without your POP-3 password being visible to network
>     sniffers.
>
>     In order to use port forwarding to connect from your local machine
>     to a port on a remote server, you need to:
>
>      - Choose a port number on your local machine where PuTTY should listen
>        for incoming connections. There are likely to be plenty of unused
>        port numbers above 3000.
>
>      - Now, before you start your SSH connection, go to the Tunnels panel
>        (see section 4.17.2). Make sure the `Local' radio button is set.
>        Enter the local port number into the `Source port' box. Enter the
>        destination host name and port number into the `Destination' box,
>        separated by a colon (for example, `popserver.example.com:110' to
>        connect to a POP-3 server).
>
>      - Now click the `Add' button. The details of your port forwarding
>        should appear in the list box.
>
>     Now start your session and log in. (Port forwarding will not be
>     enabled until after you have logged in; otherwise it would be easy
>     to perform completely anonymous network attacks, and gain access to
>     anyone's virtual private network). To check that PuTTY has set up
>     the port forwarding correctly, you can look at the PuTTY Event Log
>     (see section 3.1.3.1). It should say something like this:
>
>       2001-12-05 17:22:10 Local port 3110 forwarding to
>       popserver.example.com:110
>
>     Now if you connect to the source port number on your local PC, you
>     should find that it answers you exactly as if it were the service
>     running on the destination machine.
>     So in this example, you could
>     then configure an e-mail client to use `localhost:3110' as a POP-3
>     server instead of `popserver.example.com:110'. (Of course, the
>     forwarding will stop happening when your PuTTY session closes
>     down.)
>
>     You can also forward ports in the other direction: arrange for a
>     particular port number on the _server_ machine to be forwarded back
>     to your PC as a connection to a service on your PC or near it. To do
>     this, just select the `Remote' radio button instead of the `Local'
>     one. The `Source port' box will now specify a port number on the
>     _server_ (note that most servers will not allow you to use port
>     numbers under 1024 for this purpose).
>
>     The source port for a forwarded connection usually does not accept
>     connections from any machine except the SSH client or server machine
>     itself (for local and remote forwardings respectively). There are
>     controls in the Tunnels panel to change this:
>
>      - The `Local ports accept connections from other hosts' option allows
>        you to set up local-to-remote port forwardings in such a way that
>        machines other than your client PC can connect to the forwarded
>        port.
>
>      - The `Remote ports do the same' option does the same thing for
>        remote-to-local port forwardings (so that machines other than the
>        SSH server machine can connect to the forwarded port.) Note that
>        this feature is only available in the SSH 2 protocol, and not all
>        SSH 2 servers support it (OpenSSH 3.0 does not, for example).
>
>
> >> This might seem like a silly question but, here it goes anyway. Is it
> >> possible to tunnel http through ssh on port 22 and access a website from
> >> outside the local network?
> >
> >Absolutely!
> >Run something like the following on your local system (use
> >cygwin on a windows box)
> >
> >ssh -L 80:<remote IP or domain>:80 <remote system> -l <remote-user-name>
> >
> >This will connect your local port 80 to port 80 on <remote IP or domain> via
> >an ssh connection to <remote system>.
> >
> >To access the remote website, just go to http://localhost , or
> >http://127.0.0.1
> >
> >Charles Steinkuehler
> >http://lrp.steinkuehler.net
> >http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
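The local forwarding that Greg and Charles describe (`plink -L` / `ssh -L`) in working code, as an added example that is not part of the original thread and not code from PuTTY, OpenSSH or LEAF. It shows the client half of the mechanism: a listener bound to 127.0.0.1 on the chosen local port, and a per-connection relay that copies bytes in both directions to the destination, so `http://localhost:<port>/` answers as if it were the far-end web server. Two simplifications are assumptions of this demo: the relay opens the destination connection itself rather than asking an SSH server to do it over an encrypted channel, and the "W2K web server" is a throwaway HTTP server constructed in the same process. Names such as `LocalForward`, `demo` and the sample page `BODY` are mine. Two caveats worth knowing when you run the real thing: in `-L lport:host:hport` the `host` part is resolved and connected to by the SSH *server*, so `localhost` there means the machine running sshd, not your client PC; and both PuTTY and OpenSSH bind the local port to loopback only unless you ask otherwise (the "Local ports accept connections from other hosts" box quoted above, or `ssh -g`), which is the default this example keeps.

```python
# Added example: the client side of `ssh -L` / `plink -L` in plain sockets.
# Not from the thread or from PuTTY/OpenSSH; the web server below is constructed.
import http.client
import http.server
import socket
import threading

BODY = b"hello from the web server behind the tunnel"  # constructed sample page


class _FakeWebHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the Apache/W2K web server on the far end (constructed)."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_web_server():
    """Bind a throwaway HTTP server on 127.0.0.1 (OS-chosen port); return (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeWebHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForward:
    """Listen on bind_addr:local_port, relay every connection to dest_host:dest_port.

    bind_addr defaults to loopback, as PuTTY/OpenSSH do unless told otherwise.
    local_port=0 lets the OS pick a free port; read it back from .local_port.
    """

    def __init__(self, local_port, dest_host, dest_port, bind_addr="127.0.0.1"):
        self.dest = (dest_host, dest_port)
        self.bind_addr = bind_addr
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_addr, local_port))
        self.sock.listen(5)
        self.local_port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.dest, timeout=5)
        except OSError:  # nothing listening on the far end: drop the client like a refused port
            client.close()
            return
        upstream.settimeout(None)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
        client.close()
        upstream.close()

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wake the accept() thread where supported
        except OSError:
            pass
        self.sock.close()


def equivalent_ssh_argv(local_port, dest_host, dest_port, user, ssh_host):
    """The OpenSSH command line this forwarder stands in for: -N (no shell) and
    ExitOnForwardFailure so a local port already in use fails loudly instead of
    silently giving you a session without the tunnel."""
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes",
            "-L", f"127.0.0.1:{local_port}:{dest_host}:{dest_port}",
            f"{user}@{ssh_host}"]


def demo():
    """Browser -> 127.0.0.1:<local> -> forwarder -> web server, all on this machine."""
    web, web_port = start_fake_web_server()
    fwd = LocalForward(0, "127.0.0.1", web_port)  # 0 instead of 1040 so the demo never collides
    try:
        conn = http.client.HTTPConnection("127.0.0.1", fwd.local_port, timeout=5)
        conn.request("GET", "/")
        resp = conn.getresponse()
        result = {"status": resp.status, "body": resp.read(), "bind": fwd.bind_addr}
        conn.close()
    finally:
        fwd.close()
        web.shutdown()
        web.server_close()
    return result


if __name__ == "__main__":
    print(demo())
    print(" ".join(equivalent_ssh_argv(1040, "localhost", 80, "myuser", "myW2kboxIPorName")))
```

Run it and you get the constructed page back through the forwarded port, which is the same thing Greg sees at `http://localhost:1040/`; the printed `ssh` line is what the demo stands in for on a cygwin or Linux client, with `localhost` in the `-L` argument meaning the SSH server itself.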