15 February 2012

68. Reverse ssh tunnel to access server behind firewall

This isn't so much a post to show how to do it as it is a post describing a specific example of it in use. I basically spent two minutes looking at http://www.howtoforge.com/reverse-ssh-tunneling and was up and running in no time. It's that simple.

The sitation:
I have a computer at work. Opening up a port to allow for remote access is a headache and a half, since it involves getting signatures from a range of people and drawing up an IT security plan etc. As an academic during grant season I don't have that kind of time. Nor do I want to put up with all that BS. I also  understand that opening up ports willy-nilly can leads to security threats.

Anyway, I have iinet at home and they leave port 22 open by default. I have a Linksys WRT54 running Tomato and I allow key-based ssh external access.

My IP address is not static but changes perhaps once per month at most.
On my main desktop at home I run  this as a cron job:


#!/bin/bash
ipaddr=`wget http://automation.whatismyip.com/n09230945.asp -O - -o /dev/null`
when=`date +%a' '%d' '%b' '%Y' '%H':'%M`
echo $when $ipaddr >>/home/me/Dropbox/currentip.dat
exit 0

That way I can easily look up the latest ip address in my dropbox folder.

I run debian testing on all boxes.
Connecting via ssh to my home router works flawlessly. The other way doesn't work at all.

The solution:
We'll pretend that my home ip is 124.54.34.23 and my work ip is 169.23.54.6

At work
While at work, I connect to my home router using
ssh -R 19999:localhost:22 root@124.54.34.23

This logs me in to my Tomato router. Once in, start
top -d 600

This will keep top running, updating every ten minutes. This is to prevent the connection from being dropped.

The alternative is of course to use autossh -- the basic usage is just to replace ssh.

Now, go home

At home
log in to your router from the local network, then connect to port 19999 on localhost:
me@niobium:~$ ssh root@192.168.2.1

Tomato v1.28.1816

BusyBox v1.14.4 (2010-06-27 20:11:16 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ssh me@localhost -p 19999
me@localhost's password:

Linux beryllium 3.2.0-1-amd64 #1 SMP Sun Feb 5 15:17:15 UTC 2012 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 15 18:55:45 2012 from localhost

me@beryllium:~$ 

Simple as that

No comments:

Post a Comment