SSH Tunnel inside SSH Tunnel

I have three servers, A, B and C. There is an SSH tunnel between A and B. Now I want a second SSH tunnel between A and C passing through B, so that B can hide A's IP and show its own to C instead.

How can it be done?

Thanks
Jay
Asked by: jiiins2
 
arnold commented:
The 1245 port should be listening on serverA. The 1245 is to connect from A to C.
Both commands I referenced have to be run from server A.
ssh -L 1245:serverc:22 user@serverb
ssh user@localhost -p 1245
The second command executed on serverA will get the connection to server C through the connection between server A and server B.


giltjr commented:
Umm, can I ask why?

Just SSH from A to B, then from B ssh to A.

jiiins2 (author) commented:
What about C?

The reason is that B should not see any communication between A and C in clear, and C should not see A's IP address.

Thanks!
 
giltjr commented:
Oops, that should have been ssh from A to B, then ssh from B to C.

jiiins2 (author) commented:
I thought so, but unfortunately it doesn't solve my problem, as B would still see the data in clear.

arnold commented:
ssh -L 1245:serverc:22 user@serverb

On serverA
ssh user@localhost -p 1245 will land you on server C by way of server B.

jiiins2 (author) commented:
And serverB won't be able to see in clear the traffic between A and C?

arnold commented:
There is no clear traffic since you are using ssh to connect to C.
B can capture the packets, but it will take a really high-powered computer and a long time for the packets to be deciphered/reconstructed.

jiiins2 (author) commented:
Great! And I assume C won't be able to see A's IP address, correct?

arnold commented:
An IP is included in the connection that would be revealed when the TCP packet is read on C after packet capture. The application (SSH) on C will only see the overlaying IP from the connection which will be B's. B will act as a NAT for the traffic from A to the specified port in the example.

jiiins2 (author) commented:
Sorry for my incompetence... the first sentence means that in that case A's IP could be revealed? Or not?

arnold commented:
What is the concern? You get access from A to C through a tunnel between A and B, where B is seen by C as the source of the connection.

An IP is always present in communication. An IP from the ssh user@localhost -p 1245 is included.

There are several ways to identify given the SSH connection includes an SSL Key exchange to set up the connection and then the session.
Try it and then run:
last  user
to see what is being reflected for the connection.

jiiins2 (author) commented:
I can't connect to B on port 1245... I keep on getting "connection refused". As you can see below, it seems like port 1245 on B is listening correctly.

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10101           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1245          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:1245                :::*                    LISTEN

There is no firewall and nothing else installed on the server. I also opened the port on iptables just in case...
iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 1245 -j ACCEPT

Any ideas?
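
An added example, not part of the original thread or of any participant's post: the listing above shows port 1245 bound only to 127.0.0.1 and ::1, and a loopback-bound listener refuses connections arriving from other hosts (`ssh -L` binds its forwarded port to loopback by default). The script classifies a port's bind scope from `netstat -tln` style output; the names `bind_scope`, `diagnose` and `SAMPLE` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report how a TCP port is bound,
# given `netstat -tln` style lines on stdin.

# Constructed sample: the port 22 and 1245 listener lines from the posted listing.
SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1245          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:1245                :::*                    LISTEN'

# bind_scope PORT -> all-interfaces | specific-address | loopback-only | not-listening
bind_scope() {
    awk -v port="$1" '
        $NF != "LISTEN" { next }
        {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") any = 1
            else if (addr ~ /^127\./ || addr == "::1") loop = 1
            else other = 1
        }
        END {
            if (any) print "all-interfaces"
            else if (other) print "specific-address"
            else if (loop) print "loopback-only"
            else print "not-listening"
        }'
}

# diagnose PORT: turn the scope into the likely cause of "connection refused".
diagnose() {
    scope=$(bind_scope "$1")
    case "$scope" in
        loopback-only)
            echo "port $1: loopback-only; connect from this same host via localhost:$1, other hosts get 'connection refused'" ;;
        all-interfaces|specific-address)
            echo "port $1: $scope; reachable from other hosts on the bound address unless filtered" ;;
        *)
            echo "port $1: no listener; every connection attempt is refused" ;;
    esac
}

printf '%s\n' "$SAMPLE" | diagnose 1245
```

On a live host the same check is `netstat -tln | diagnose 1245`, run on the machine where the `ssh -L` command was started.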

giltjr commented:
O.K., Unless I am missing something SSH tunneling implies a single protocol/type of traffic.

So what are you tunneling between A and B?  

What do you want to tunnel between A and C?

jiiins2 (author) commented:
Ah, now it makes more sense... but if I get "connection refused" when executing the second ssh, which server is it coming from?

arnold commented:
Is B's SSHD configured to allow tunneling?
PermitTunnel yes? If Server B does not permit tunneling, you cannot do what you want.

jiiins2 (author) commented:
Thanks a lot!
Question has a verified solution.