
SSH Tunnel inside SSH Tunnel

I have three servers, A, B and C. There is an SSH tunnel between A and B. Now I want a second SSH tunnel between A and C passing through B, so that B can hide A's IP and show its own to C instead.

How can it be done?

Thanks
Jay
Asked by: jiiins2
 
giltjr commented:
Umm, can I ask why?

Just SSH from A to B, then from B ssh to A.
 
jiiins2 (Author) commented:
What about C?

The reason is that B should not see any communication between A and C in clear, and C should not see A's IP address.

Thanks!
 
giltjr commented:
Oops, that should have been ssh from A to B, then ssh from B to C.
 
jiiins2 (Author) commented:
I thought so, but unfortunately it doesn't solve my problem, as B would still see the data in clear.
 
arnold commented:
ssh -L 1245:serverc:22 user@serverb

On server A:
ssh user@localhost -p 1245
will land you on server C by way of server B.
 
jiiins2 (Author) commented:
And server B won't be able to see the traffic between A and C in clear?
 
arnold commented:
There is no clear traffic, since you are using ssh to connect to C.
B can capture the packets, but it will take a really high-powered computer and a long time for the packets to be deciphered/reconstructed.
 
jiiins2 (Author) commented:
Great! And I assume C won't be able to see A's IP address, correct?
 
arnold commented:
An IP is included in the connection that would be revealed when the TCP packet is read on C after packet capture. The application (SSH) on C will only see the overlaying IP from the connection, which will be B's. B will act as a NAT for the traffic from A to the specified port in the example.
 
jiiins2 (Author) commented:
Sorry for my incompetence... does the first sentence mean that in that case A's IP could be revealed? Or not?
 
arnold commented:
What is the concern? You get access from A to C through a tunnel between A and B, where B is seen by C as the source of the connection.

An IP is always present in communication. An IP from the ssh user@localhost -p 1245 is included.

There are several ways to identify, given the SSH connection includes an SSL key exchange to set up the connection and then the session.
Try it and then run:
last user
to see what is being reflected for the connection.
 
jiiins2 (Author) commented:
I can't connect to B on port 1245... I keep on getting "connection refused". As you can see below, it seems like port 1245 on B is listening correctly.

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10101           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1245          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:1245                :::*                    LISTEN

There is no firewall and nothing else installed on the server. I also opened the port on iptables just in case...
iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 1245 -j ACCEPT

Any ideas?
 
giltjr commented:
O.K., unless I am missing something, SSH tunneling implies a single protocol/type of traffic.

So what are you tunneling between A and B?

What do you want to tunnel between A and C?
 
arnold commented:
The 1245 port should be listening on server A. The 1245 is to connect from A to C.
Both commands I referenced have to be run from server A.
ssh -L 1245:serverc:22 user@serverb
ssh user@localhost -p 1245
The second command executed on server A will get the connection to server C through the connection between server A and server B.
 
jiiins2 (Author) commented:
Ah, now it makes more sense... but if I get "connection refused" when executing the second ssh, which server is it coming from?
 
arnold commented:
Is B's SSHD configured to allow tunneling?
PermitTunnel yes? If server B does not permit tunneling, you cannot do what you want.
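The two commands arnold gives, put together as a script run on server A. This is an added example, not code from the thread; the names user, serverb, serverc and the local port 1245 are the thread's placeholders, and the listener check, the HostKeyAlias option and the script name tunnel_via_b.sh are assumptions made here. It shows the two things worth verifying before trusting this setup. First, that the forward is bound to loopback only on A, so nothing else on the network can ride the tunnel into C (the netstat output quoted above shows exactly that: 127.0.0.1:1245 and ::1:1245, no wildcard bind). Second, that the inner session is host-key-checked against C's key: B resolves and connects to "serverc:22" on A's behalf, so B could just as well point the forward somewhere else; the inner SSH session's own encryption and host-key check are what keep B from reading or redirecting the A-to-C traffic, and C's sshd sees B's address as the peer. The script assumes C's host key is already in A's known_hosts under the name serverc. On the sshd side of B, the option that governs -L forwards is AllowTcpForwarding (PermitTunnel controls tun/tap device tunnels); with ExitOnForwardFailure=yes the outer ssh exits instead of silently leaving A without a listener, which is the "connection refused" seen earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Run on server A.
# Names user, serverb, serverc and port 1245 follow arnold's comments;
# everything else (the listener check, HostKeyAlias) is assumed here.
#
# Two SSH sessions are involved:
#   outer  A -> B   with a local forward 127.0.0.1:1245 -> serverc:22
#                   (B resolves "serverc" and opens that connection)
#   inner  A -> C   typed as "localhost:1245" on A; it rides inside the
#                   outer session, so B only relays its ciphertext and
#                   C's sshd sees B's address as the peer.
# B decides where "serverc:22" goes, so the inner session's host-key
# check against C is what guarantees you are not being redirected.

B_USER=user
B_HOST=serverb
C_USER=user
C_HOST=serverc
LOCAL_PORT=1245

# Outer session: -N no remote command, -f background after authentication,
# ExitOnForwardFailure makes ssh fail instead of carrying on without the
# forward (e.g. when B's sshd has AllowTcpForwarding no).
outer_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:22 %s@%s' \
        "$LOCAL_PORT" "$C_HOST" "$B_USER" "$B_HOST"
}

# Inner session: HostKeyAlias checks the presented key under C's name,
# not under "[localhost]:1245", so a key learned for that name, or a
# different host sitting behind the forward, is rejected.
inner_cmd() {
    printf 'ssh -p %s -o HostKeyAlias=%s -o StrictHostKeyChecking=yes %s@localhost' \
        "$LOCAL_PORT" "$C_HOST" "$C_USER"
}

# Read `ss -ltn` / `netstat -ltn` output on stdin; succeed only if the
# forward listens on 127.0.0.1:PORT and not on a wildcard address.
forward_listener_ok() {
    port=$1
    out=$(cat)
    printf '%s\n' "$out" | grep -Eq "127\.0\.0\.1:$port[[:space:]]" || return 1
    printf '%s\n' "$out" | grep -Eq "(0\.0\.0\.0:|:::|\[::\]:)$port[[:space:]]" && return 1
    return 0
}

# Only perform the connections when invoked as: sh tunnel_via_b.sh run
if [ "${1:-}" = "run" ]; then
    eval "$(outer_cmd)" || exit 1
    { ss -ltn 2>/dev/null || netstat -ltn; } | forward_listener_ok "$LOCAL_PORT" \
        || { echo "no loopback listener on $LOCAL_PORT; check AllowTcpForwarding on $B_HOST" >&2; exit 1; }
    eval "$(inner_cmd)"
fi
```

Once on C, `last user` (as arnold suggests) or `echo $SSH_CLIENT` shows B's address, not A's. On OpenSSH 7.3 or later the same hop can be done in one command, `ssh -J user@serverb user@serverc`, which uses a stdio forward on B instead of a listening port on A; the inner session is still encrypted end to end and C still sees B as the source.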
 
jiiins2 (Author) commented:
Thanks a lot!
