Hello all, I've been googling around for the last couple of days and I can't seem to find an answer to my question in regards to SSH and VNC tunneling.

I have Shorewall installed at a location with a typical 2 interface setup. Eth0 DHCP public ip and Eth1 is a static private ip. A customer (RemoteClient) out on the internet has a WinXP with the PuTTY SSH client and TightVNC installed. SSHD is listening on the ip assigned to the Shorewall internal nic (eth1). Behind the Shorewall firewall/router are 3 WinXP machines that all have TightVNC servers listening on tcp 5900 (pc1), 5901 (pc2) and 5903 (pc3). If I install CygWin with SSHD on all WinXP boxes internally then I can set up firewall rules per normal and the (RemoteClient) can get to each machine just fine.

My noobian ssh question is, "Is there any way for me to SSH to the Shorewall fw:eth1 ip, and then set up PuTTY ssh on the remote client to forward vnc traffic to one of the internal (loc) WinXP machines through Shorewall Redirection rules after the vnc traffic becomes unencrypted?" As far as I can tell the way SSH works is "Point to Point" and that's it. Maybe I'm getting SSH confused with how I'm used to redirecting traffic on an IPSEC gateway box. Once the user is authenticated and the ipsec tunnel comes up they have access to whatever they have access to via the private ip behind shorewall.

Thanks,
JBanks
On 3 May 2004 at 16:18, Joshua Banks wrote:

> SSHD is listening on the ip assigned to the Shorewall internal nic.
> (eth1) Behind the Shorewall firewall/router are 3 WinXP machines that
> all have TightVNC servers listening on tcp 5900 (pc1) 5901 (pc2)
> and 5903 (pc3).

There are two ways to do this. One way requires the remote user to have a shell account on the firewall:

Just set up each WinXP machine with VNC on the normal port. SSH from the remote machine to the firewall (where an account will be required), and have the outside machine forward its local port 5900 to the internal IP of the WinXP machine thru the ssh connection. (You can use a Name instead of the internal IP as long as that Name appears in the firewall's host file.) This method does not require any specific changes to shorewall, nor does it require an account on the WinXP boxes (because they have no sshd). (Many people miss the fact that ssh can forward a port thru the ssh tunnel to any machine that the remote host can "see", not JUST to the remote host itself.)

Method Two does not require an account on the firewall, but does require an account (and an sshd) on the WinXP boxes. Use a ssh daemon on the win2k boxes (Winsshd works for me). Use Shorewall to DNAT 3 arbitrary ports (say 3022, 3023, 3033) one each to port 22 on each of the three machines. SSH directly to the firewall on port 3022 arrives on WinXP machine #1 on port 22. The rest of the vnc tunneling is up to you.

I would get the vnc bit working before adding the ssh bit because it just adds a layer of confusion.

-- 
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/ (907) 790-3386
._______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska http://www.screenio.com/
John S. Andersen wrote:

> On 3 May 2004 at 16:18, Joshua Banks wrote:
>
>> SSHD is listening on the ip assigned to the Shorewall internal nic.
>> (eth1) Behind the Shorewall firewall/router are 3 WinXP machines that
>> all have TightVNC servers listening on tcp 5900 (pc1) 5901 (pc2)
>> and 5903 (pc3).
>
> There are two ways to do this. One way requires remote
> user to have a shell account on the firewall:

Really.. this is awesome.. Have you successfully done Option 1 before? I've done Option 2 without issue. I thought for sure that I tested this and couldn't get it to work. Do you have a windows machine with SSH PuTTY installed and vnc viewer that you could do a quick test with? I've set up a test network but my brother (who is the person that claims that Option 1 will not work because ssh wasn't designed that way) is suddenly not around to test with. If you could help with just trying to connect that would be all that I need.

Thanks,
JBanks
Thanks to John Anderson for providing useful info and helping me talk to myself.. heh.. heh... :D

I have this silly issue resolved. It still doesn't make sense that I tell ssh on the remote WinXP client to tunnel/forward port L5900 to Destination 192.168.2.46:5900, and once authenticated I connect with "vncviewer" to "localhost:0". That really baffles me. Can anyone shed any light on that one? Remote WinXP client SSH's to Shorewall, authenticates and then opens vncviewer to "localhost:0" and connects to another WinXP box running vnc Server. I don't get the localhost connection.... at all.......

Thanks,
JBanks
On 2004.05.04 21:54:31, Joshua Banks wrote:

> Once authenticated I connect with "vncviewer" I connect to "localhost:0". That
> really baffles me. Can anyone shed any light on that one.

SSH can "tunnel" local ports to remote ones. What's happening is that local port 5900 (VNC's :0 screen) is getting forwarded by the SSH client through the encrypted connection to the SSH server, which connects it back to its own port 5900. The upshot is that you can securely connect to a remote VNC connection through your SSH connection.

-- 
Dark
"If you haven't grown up by the time you're 30, you don't have to"
R.
"There are two tragedies in life. One is not getting what you want. The other is getting it." --Oscar Wilde
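Added example, not from the thread: a loopback model of the local port forward that John's Method One and Dark's reply describe. The SSH client listens on a port on the client machine and relays each connection, via the firewall's sshd, to the internal VNC host, which is why the viewer is pointed at "localhost:0" rather than at 192.168.2.46. The encryption between the two ssh ends is left out, the internal VNC host is a constructed stand-in that only sends the RFB greeting, and "user@fw" in the comments is an assumed account name.

```python
import contextlib
import socket
import threading

def _pipe(src, dst):
    # Copy src -> dst until EOF or error, then half-close dst so it sees EOF too.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def start_forwarder(target_host, target_port, listen_port=0):
    # Plaintext shape of 'ssh -L 5900:192.168.2.46:5900 user@fw' (user@fw assumed):
    # accept on 127.0.0.1 and relay to the target; real ssh encrypts the middle leg.
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", listen_port))  # 0 = any free port (demo only)
    lsock.listen(5)
    def accept_loop():
        while True:
            client, _ = lsock.accept()
            remote = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pipe, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pipe, args=(remote, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]

def start_fake_vnc_server():
    # Constructed stand-in for the internal TightVNC host: send RFB greeting, hang up.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            conn.sendall(b"RFB 003.008\n")
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def read_greeting(local_port):
    # What vncviewer does for "localhost:0": connect to 127.0.0.1 and read until EOF.
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        return b"".join(iter(lambda: s.recv(64), b""))

def demo():
    # Viewer -> local forwarder -> "internal" VNC server, all on loopback.
    return read_greeting(start_forwarder("127.0.0.1", start_fake_vnc_server()))
```

The viewer never learns the internal address; only the forwarder (the ssh server side in the real setup) opens the connection to the VNC host.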