Ubuntu9.1 to CentOS5 port forwarding tunnel fails

Posted on 2010-01-13
Medium Priority
Last Modified: 2013-11-15
I want to connect securely to Webmin running on a remote server.
I use port forwarding from 10005 local to 10000 remote.
After some previous EE assistance this now works fine with a public/private key combo.
My only remaining concern is that, although the connection works, the tunnel appears to fail.

My local OS is Ubuntu9.10 and the remote server uses CentOS5.
Remote ssh_config file has
PermitTunnel yes
and local ssh_config has
Tunnel yes
TunnelDevice any:any

This is what I get in the shell (with remoteIP address and local details concealed).
chris@ubuntu:~$ sudo ssh -v -L 10005:localhost:10000 root@remote_IPaddress -F ~/.ssh/ssh_config -i ~/.ssh/myfile_rsa
OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data ~/.ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to remote_IPaddress [remote_IPaddress] port remote_port.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file ~/myfile_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[remote_IPaddress]:remote_port' is known and matches the RSA host key.
debug1: Found key in remote_location/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: ~/.ssh/myfile_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '~/.ssh/myfile_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: Local connections to LOCALHOST:10005 forwarded to remote address localhost:10000
debug1: Local forwarding listening on ::1 port 10005.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on port 10005.
debug1: channel 1: new [port listener]
debug1: Requesting tun unit 2147483647 in mode 1
debug1: sys_tun_open: tunnel mode 1 fd 6
debug1: channel 2: new [tun]
debug1: channel 3: new [client-session]
debug1: Entering interactive session.
debug1: Remote: Server has rejected tunnel device forwarding
channel 2: open failed: administratively prohibited: open failed
debug1: channel 2: free: tun, nchannels 4
debug1: Sending environment.
debug1: Sending env LANG = C
Last login: Wed Jan 13 09:55:31 2010 from my_identity
[root@remote_server_name ~]#

It looks like there is some configuration not set correctly but I have tried for days and I haven't quite worked it out yet.
Question by:chrismarshall1
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 16

Expert Comment

ID: 26303673
Please check that IP forwarding is enabled on Ubuntu:

sysctl net.ipv4.ip_forward
sysctl net.ipv4.ip_nonlocal_bind

If valuues are 0, set them to 1:

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.ip_nonlocal_bind=1

Author Comment

ID: 26304080
No, sorry medvedd. Both of those parameters are definitely set to 1 in Ubuntu (my laptop).
Actually, it seems to be the server which is rejecting tunnel device forwarding.
It permits the connection and the forwarding - just not the tunnelling.
LVL 16

Expert Comment

ID: 26307271
Oops, if you're trying to forward local 10005 to remote 10000, it should be

ssh -v -L 10005:remote_IP:10000 .......
Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.


Author Comment

ID: 26307886
Nope. I replaced localhost with the remote IP address and got exactly the same result - word for word, character for character.
Clearly there's something wrong because, I would have thought, we should have experienced some change from swapping localhost with the remote IP.
The more I look at this the more I suspect the key to it might centre on;
 "Remote: Server has rejected tunnel device forwarding"
I can't see anything to suggest that my laptop is complaining about anything - it all seems to be from the CentOS Server.
Could I be causing us to bark up the wrong tree here?
Should we be focussing on the CentOS Server settings?
LVL 16

Expert Comment

ID: 26307982
Your remote CentOS server shouldn't tunnel anything - you're just connecting to its port 10000.
Why you can't connect directly to remote port 10000 - are you running webmin on your local machine too?

Author Comment

ID: 26308093
Sorry, I didn't make it clear.
I maintain 11 remote machines using putty and pageant from a Windows laptop.
I am trying to do the maintenance from my Linux laptop instead and remote machine number 5 is the first experiment for me.
If this works then I will do the maintenance of all machines from the Linux laptop and allocate a different local port for each machine.

Expert Comment

ID: 26405798
Don't you need to use the '-g' option : "Allows remote hosts  to  connect to local forwarded ports" ?

So your command should be:

chris@ubuntu:~$ sudo ssh -g -v -L 10005:localhost:10000 root@remote_IPaddress -F ~/.ssh/ssh_config -i ~/.ssh/myfile_rsa

Accepted Solution

chrismarshall1 earned 0 total points
ID: 26405868
I am most extremely sorry, I got the answer on the Ubuntu forums and forgot to update this thread.
Server-side I needed AllowTcpForwarding yes as well as PermitTunnel yes.
When I set those it all worked.
I take your point about the -g option but it is all working without that and given my considerable ignorance I think I will leave it alone in the meantime.
Many thanks to you both and I think I will terminate this thread now.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Secure Shell (SSH) is a network protocol for secure data communication, mainly used to administer remote Unix / Linux servers via command line. But it also allows the user to open a secure tunnel between a client and a server where he can send any k…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses
Course of the Month8 days, left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question