jiiins2

asked on

SSH Port Forwarding & Firefox

I use 127.0.0.1 port 3000 as SOCKS proxy in Firefox. If I run this command:
ssh -L2000:server2:9999 -D 3000 user@server1

is it the same as if I run these two commands in sequence?
ssh -L2000:server2:9999 user@server1
ssh -D 3000 -p 2000 user@localhost

Thanks!
Jay
Kerem ERSOY

Let's see:

In the two statement version

-L2000:server2:9999   means redirect localhost:2000 to server2:9999

-D 3000   means your ssh server will act as a socks proxy at localhost:3000

-p 2000 means you use the SSH connection made to port 2000 of your localhost.

But clearly in the first version the SSH connects to the default port (-p 22) so the two statements are definitely not the same !!!

Cheers,
K.
Furthermore in the single line version:
- You have port forwarding 2000:server2:9999 over server1 port 22
- Enabling Socks through localhost:30000 which will be tunnelled to the server1 over port 22
These two are separate entities.

In the second version you have:
- Port forwarding 2000:server2:9999 over server1 port 22
- Enabling socks on localhost:3000 but it will be tunnelled through localhost 2000. Then it will be tunnelled over the port forwarding. So for the second command to connect you'll need to run an SSH server at server2:9999. Otherwise it won't even connect.

ASKER

Ok. Please correct me if I'm wrong: if I use the single line version (ssh -L2000:server2:9999 -D 3000 user@server1) and in FireFox I set localhost:3000 as SOCKS proxy, the result will be that FireFox's http requests will end up on server2:9999 passing encrypted through server1:22. Right?

Thanks!
It is incorrect. It is enough that you have this for socks to operate:

ssh -D 3000 user@server1

the -L2000:server2:9999 part is another redirection and irrelevant for socks to operate. So the above command will work as it is without need of the other port redirection.

Cheers,
K.

ASKER

But what I want to achieve is for FireFox traffic to end up on server2:9999 passing through server1 encrypted. Would "ssh -L2000:server2:9999 -D 3000 user@server1" be the best way to achieve this?
Ok here is my version.

If you have a socks proxy you do not specify a destination port (this is what a socks server will find out by itself)
the only thing for a socks server to work is a listening port (the number after the -D switch) and a destination host (without port number)

Look again at the commands:
ssh -L2000:server2:9999 user@server1
ssh -D 3000 -p 2000 user@localhost

The first command listens on localhost 2000 and forwards this port to server2 (port 9999)

the second command performs an ssh connection to localhost:2000 and thus (previous command port forwarding) to server2:9999, so it seems server2 has an ssh server listening on port 9999.

Additionally it acts as SOCKS server listening on localhost port 3000 and initiating traffic from there to its destination host


If (and only if) you were able to access server2 from localhost (I assume you aren't) then the equivalent command would be:

ssh -p 9999 -D 3000 user@server2

you connect to the ssh server on server2 listening on port 9999; you connect as user user
and you have a socks server listening on localhost port 3000


The command that you wrote would do something completely different:
ssh -L2000:server2:9999 -D 3000 user@server1

it tries to connect to server1 and creates a SOCKS proxy on localhost port 3000, which would thus forward all traffic from server1
additionally (but not really related to the socks server) you would forward any traffic from localhost port 2000 to server2 99999)


So if your two command version is the working one and if server2 cannot be directly accessed from server1, then you cannot replace it with another command.

Hope that explains.
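As an added, runnable illustration (not code from this thread, from OpenSSH or from any of the posters) of the point made above: a SOCKS proxy such as `ssh -D 3000` is told the destination by the client inside each CONNECT request, whereas `-L2000:server2:9999` fixes one destination in the command line. The block encodes and parses RFC 1928 CONNECT requests and runs a toy no-authentication SOCKS5 server on loopback so you can watch a client reach an echo server through it. The hostname `server2` and port 9999 are the thread's own placeholders; the echo and proxy ports in the demo are chosen at run time.

```python
import socket
import struct
import threading

# Wire constants from RFC 1928 (SOCKS Protocol Version 5).
SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request. The destination travels inside this
    message: that is why 'ssh -D 3000' needs no target on the command line."""
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            body = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            raw = host.encode("idna")
            if not 0 < len(raw) < 256:
                raise ValueError("hostname length must be 1..255 bytes")
            body = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> tuple:
    """Decode a CONNECT request into (host, port); ValueError on malformed input."""
    if len(data) < 5 or data[0] != SOCKS_VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        start, end = 4, 8
    elif atyp == ATYP_IPV6:
        start, end = 4, 20
    elif atyp == ATYP_DOMAIN:
        start, end = 5, 5 + data[4]
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(data) != end + 2:          # address bytes + 2-byte port, nothing else
        raise ValueError("request length does not match address type")
    if atyp == ATYP_DOMAIN:
        host = data[start:end].decode("idna")
    else:
        fam = socket.AF_INET if atyp == ATYP_IPV4 else socket.AF_INET6
        host = socket.inet_ntop(fam, data[start:end])
    return host, struct.unpack("!H", data[end:])[0]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf


def _relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_one_socks_client(listener: socket.socket) -> None:
    """Toy SOCKS5 server: no-auth only, CONNECT only, then relay both ways.
    The target comes from the client's request, not from our configuration."""
    conn, _ = listener.accept()
    with conn:
        nmethods = _recv_exact(conn, 2)[1]
        if 0x00 not in _recv_exact(conn, nmethods):
            conn.sendall(bytes([SOCKS_VER, 0xFF]))      # no acceptable method
            return
        conn.sendall(bytes([SOCKS_VER, 0x00]))
        host, port = parse_connect_request(conn.recv(262))   # max request size
        with socket.create_connection((host, port)) as upstream:
            # success reply; BND.ADDR/BND.PORT reported as 0.0.0.0:0
            conn.sendall(bytes([SOCKS_VER, 0x00, 0x00, ATYP_IPV4]) + bytes(6))
            back = threading.Thread(target=_relay, args=(upstream, conn), daemon=True)
            back.start()
            _relay(conn, upstream)
            back.join()


def demo_roundtrip(payload: bytes = b"hello via socks") -> bytes:
    """Echo server and SOCKS server on loopback; talk to the echo server
    through the proxy and return what came back (expected: the payload)."""
    echo, proxy = socket.socket(), socket.socket()
    for s in (echo, proxy):
        s.bind(("127.0.0.1", 0))
        s.listen(1)

    def echo_once() -> None:
        c, _ = echo.accept()
        with c:
            data = b"".join(iter(lambda: c.recv(4096), b""))
            c.sendall(data)

    threads = [threading.Thread(target=echo_once, daemon=True),
               threading.Thread(target=serve_one_socks_client, args=(proxy,), daemon=True)]
    for t in threads:
        t.start()
    with socket.create_connection(proxy.getsockname()) as cli:
        cli.sendall(bytes([SOCKS_VER, 0x01, 0x00]))       # offer NO AUTH only
        if _recv_exact(cli, 2) != bytes([SOCKS_VER, 0x00]):
            raise RuntimeError("proxy refused our auth method")
        cli.sendall(build_connect_request("127.0.0.1", echo.getsockname()[1]))
        if _recv_exact(cli, 10)[1] != 0x00:
            raise RuntimeError("CONNECT failed")
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)
        got = b"".join(iter(lambda: cli.recv(4096), b""))
    for t in threads:
        t.join()
    echo.close()
    proxy.close()
    return got


if __name__ == "__main__":
    print(build_connect_request("server2", 9999).hex())
    print(demo_roundtrip())
```

Reading the hex of the first print shows `server2` and `270f` (9999) carried in the request itself, which is the difference the answer above is pointing at: with `-D` the browser picks the target, with `-L` the ssh command does.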
ASKER CERTIFIED SOLUTION
Kerem ERSOY

Kerem E is right:


if you have a socks server listening on server2:9999 then
ssh -L2000:server2:9999 -D 3000 user@server1 should do the job

if you have an ssh server listening on server2:999 and server2 is not directly accessible then just use the two initial commands:
ssh -L2000:server2:9999 user@server1
ssh -D 3000 -p 2000 user@localhost

if server2 is directly accessible and it listens to the ssh protocol on port 9999, then use
ssh -p 9999 -D 3000 user@server2



correction:
if you have a socks server listening on server2:9999 then
ssh -L2000:server2:9999 -D 3000 user@server1 should do the job

should have been:
if you have a socks server listening on server2:9999 and it is not directly accessible, then
ssh -L2000:server2:9999 user@server1 should do the job