SSH Port Forwarding & Firefox

jiiins2
jiiins2 used Ask the Experts™
on
I use 127.0.0.1 port 3000 as SOCKS proxy in Firefox. If I run this command:
ssh -L2000:server2:9999 -D 3000 user@server1

is it the same as is if I run these two commands in sequence?
ssh -L2000:server2:9999 user@server1
ssh -D 3000 -p 2000 user@localhost

Thanks!
Jay
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Kerem ERSOYPresident

Commented:
Lets see:

In the two statement version

-L2000:server2:9999   means redirect localhost:2000 to server2:9999

-D 3000   means your ssh server will act as a socks proxy at locallhost:3000

-p 2000 means you use the SSH connection made to port 2000 of your localhost..

But clearly in the first version the SSH connects to the default port (-p 22) so the two  statements are definetly not the same !!!

Cheers,
K.
Kerem ERSOYPresident

Commented:
Furthermore in the single line version:
- You have port forwarding 2000:server2:9999 over server1 port 22
- Enabling Socks through localhost:30000 which will be tunelled to the server1 over port 22
 These two are separate entities.

In the second version you have:
- Port forwarding 2000:server2:9999 over server1 port 22
- Enabling socks on localhost:3000 but it will be tunelled through localhost 2000. Then it will be tunelled over the port forwarding. So for the second command to connect you'll need to run an SSH server at server2:9999. Otherwise it won't even connect.

Author

Commented:
Ok. Please correct me if I'm wrong: if I use the single line version (ssh -L2000:server2:9999 -D 3000 user@server1) and in FireFox I set localhost:3000 as SOCKS proxy , the result will be that FireFox's http requests will end up on server2:9999 passing encrypted through server1:22. Right?

Thanks!
OWASP Proactive Controls

Learn the most important control and control categories that every architect and developer should include in their projects.

Kerem ERSOYPresident

Commented:
It is incorrect. It is enough that you have this for socks to operate:

ssh -D 3000 user@server1

the -L2000:server2:9999 part is another redirection and irrelevant for socks to operate. So the above command will work as it is without need of the other port redirection.

Cheers,
K.

Author

Commented:
But what I want to achieve is for FireFox traffic to end up on server2:9999 passing through server1 encrypted. Would "ssh -L2000:server2:9999 -D 3000 user@server1" be the best way to achieve this?
Ok here my version.

If you have a socks proxy you do not specify a destination port (this is what a socks server will find out by himself)
the only thing for a socks server to work is a listening port (the number after the -D switch) and a destination host (without port mumber)

Look again at the commands:
ssh -L2000:server2:9999 user@server1
ssh -D 3000 -p 2000 user@localhost

The first commands listens on localhost 2000 and forwards this port to server2 (port 9999)

the second command performs an ssh connection to localhost:2000 and thus (previuous command port forwarding) to server2:9999 so it seems server 2 has an ssh server listening on port 9999.

Additionally it acts as SOCKS server listening on localhost port 3000 and initiating traffic from there to  it's destination host


If  (and only if) you were able to access server2 from localhost (I assume you aren't) then the equivalent command would be)

ssh -p 9999 -D 3000 user@server2

you connect to the ssh server on server2 listening on port 9999 you connect as user user
and you have a socks server listening on localhost port 3000


The command that you wrote would do something completely different:
ssh -L2000:server2:9999 -D 3000 user@server1

it tries to connect to server1 and creates a socksproxy on localhost port 3000, which would thus forward all traffic from server1
additionally (but not really related to the socks server) you would forward any traffic from localhost port 2000 to server2 99999)


So if your two command version is the working one and if server 2 cannot be directly accessed from server1,  then you cannot replace it with another command.

Hope that explains.
President
Commented:
> But what I want to achieve is for FireFox traffic to end up on server2:9999 passing through server1
> encrypted. Would "ssh -L2000:server2:9999 -D 3000 user@server1" be the best way to achieve this?

- SSH uses port 22 to connect to the server by default.
- All ssh traffic is already encrypted.
- The -D 3000 causes the ssh client to listen traffic at the specified port.
- If you have a SOCKS server running at server2:9999 you dont need -D 3000 port. All you need is:
  the -L2000:server:9999 switch.
- Then you point your firefox at localhost:2000 as socks server.
- This will take your socks traffic, tunnel through server1 and connect you to the Socks server at port 9999 of server2.
- If you enable the socks listener in the SSH with -D switch you don't need the -L2000 parameter since it will not obviously be used.

Cheers,
K
 
Kerem E is rigth:


if you have a socks server listening on server2:9999 then
ssh -L2000:server2:9999 -D 3000 user@server1 should do the job

if you have an ssh server listening on server2:999 and server2 is not directly accessible then just use the two initial commands:
ssh -L2000:server2:9999 user@server1
ssh -D 3000 -p 2000 user@localhost

if server2 is directly accessible and it listens to the ssh protocol on port 9999, then use
ssh -p 9999 -D 3000 user@server2



correction:
if you have a socks server listening on server2:9999 then
ssh -L2000:server2:9999 -D 3000 user@server1 should do the job

should have been:
if you have a socks server listening on server2:9999 and it is not directly accessable, then
ssh -L2000:server2:9999 user@server1 should do the job

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial