# SSH tunneling issues

## aztech

I want to set up an SSH tunnel from my computer at work to my server at home, and be able to use it as a proxy for e.g. Firefox.

What I've done is ....

Put up an iptables rule that forwards port 8080 to 22 if the source ip is from my work.

In PuTTY I've added a source port of 2222 and set it to dynamic.

In Firefox I added an HTTP proxy at 127.0.0.1:2222.

This _should_ work, and does so for my friend, but not for myself.

For me, all that seems to work is the actual SSH connection, because I get to the shell, but the tunnelling part of it all isn't working.

Have I forgotten something, or is it completely wrong?

Also, I've set up PuTTY to use my company's HTTP proxy, to even get out to the Internet.

Any ideas?

// Andreas

----------

## depontius

I'm not quite sure what you're doing.  I also have an ssh tunnel from work to home, but I'm doing both more and less than you.  I have 2 layers of firewall, an appliance hooked directly to my ISP and a bastion host.  (home server/firewall)  Both firewalls will accept connections on port 22 from my employer's IPs - the appliance forwards them to the bastion host, and the latter lets ssh see them.  At work I run ssh with appropriate port-forwarding options to get to my imap server and ssh for any/all of my home machines.  I make up forwarding ports, so the first 2 digits are the 4th number of my internal IP and the next 2 or 3 digits are the native port numbers.  In my .ssh/config I have aliases set up for all of my home machines so I can ssh to them by shortname.  I also have forwards for my imap and smtp servers, so I can access my home mail from work.

I don't attempt anything like the "transparent proxy" for all web transactions that you're doing.  Since you mentioned "putty" I also presume that you're doing this from a Windows machine.  I've used putty to get from Windows to Linux, but never tried any port forwarding with it.

Yesterday over on Linuxtoday.com there was an article on ssh tricks.  One specific trick is that ssh can act as a socks proxy, which is at least one kind of server that I know web browsers respect.  I'm not sure how well web browsers will respect a simple forwarding proxy as you've set up.  Now that I think a little more, I don't think what you're trying to do will work at all.  Normally for ssh port forwarding you give a specific destination host and port, and in this case you don't really have the former.  I really believe that you need to read the openssh documentation on its socks capability, and see if putty can do that, too.  From "man ssh" :

```
     -D [bind_address:]port
             Specifies a local ``dynamic'' application-level port forwarding.  This works by allocating
             a socket to listen to port on the local side, optionally bound to the specified
             bind_address.  Whenever a connection is made to this port, the connection is forwarded over
             the secure channel, and the application protocol is then used to determine where to connect
             to from the remote machine.  Currently the SOCKS4 and SOCKS5 protocols are supported, and
             ssh will act as a SOCKS server.  Only root can forward privileged ports.  Dynamic port
             forwardings can also be specified in the configuration file.
```

----------

## Hu

If possible, please reproduce your setup using only OpenSSH components on both ends.  This will help us separate configuration problems caused by mistranslation of OpenSSH options to/from PuTTY options versus configuration problems that are fundamentally wrong (i.e. requesting the wrong type of port forwarding).

If this is not possible, or if it works as intended, then please provide exact instructions on how one could configure PuTTY from a blank state to the configuration you are using.  Specify which dialogs to visit, which fields to fill, which buttons to press, and so on.

----------

## aztech

Well ... yes, it's SOCKS proxying I want to do, sorry for saying HTTP proxy.

It's not possible to test this with OpenSSH as the client, since only Windows is available at work.

- sshd_config

```
Port 22
Protocol 2
SyslogFacility AUTH
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
AllowTcpForwarding yes
PrintMotd no
PrintLastLog no
Subsystem   sftp   /usr/lib64/misc/sftp-server
```

This is the iptables rule that redirects the port:

```
iptables -t nat -A PREROUTING -p TCP --dport 8080 -i ${UPLINK} -s XXX.XXX.XXX.XXX -j DNAT --to XXX.XXX.XXX.XXX:22
```

It's in Swedish, but these are the settings my friend used when connecting to my server from his work.

http://i.imgur.com/ybArJ.jpg

I've done the same, but no go =(

----------

## Hu

Since you get a shell, we are past the iptables phase.  The picture shown uses port 8888, but your first post says port 2222.  Are you sure you used the same port consistently?  After logging in with PuTTY, what is shown when you open a cmd window and run netstat -an?
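The check Hu asks for (is anything listening on the local port, and is it really the SOCKS server that depontius' quoted `-D` man page describes, rather than some other kind of forward?) can be scripted from the client side. The script below is an added example, not code from any poster in this thread; it assumes the PuTTY dynamic forward from the first post (127.0.0.1:2222) and a hypothetical target of example.com:80, and speaks the SOCKS5 method-selection and CONNECT messages (RFC 1928) so the verdict distinguishes "no listener", "listener but not SOCKS", and the proxy's own reply code. The toy server at the bottom is a constructed stand-in used only to exercise the probe offline.

```python
"""Probe a local SOCKS5 listener such as the one ssh -D / PuTTY "Dynamic" creates.

Added example, not from the thread. Proxy address 127.0.0.1:2222 and target
example.com:80 are assumptions taken from / invented for the original post.
"""
import socket
import threading

SOCKS5 = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# REP codes from RFC 1928 section 6
REPLY_CODES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def recv_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def socks5_greeting():
    # VER=5, NMETHODS=1, METHODS=[NO AUTHENTICATION REQUIRED]
    return bytes([SOCKS5, 1, NO_AUTH])


def socks5_connect_request(host, port):
    # VER, CMD=CONNECT, RSV, ATYP=DOMAINNAME, LEN, name, DST.PORT (network order)
    name = host.encode("idna")
    return bytes([SOCKS5, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)]) + name + port.to_bytes(2, "big")


def read_connect_reply(sock):
    """Consume one CONNECT reply (VER REP RSV ATYP BND.ADDR BND.PORT); return REP or None."""
    head = recv_exact(sock, 4)
    if len(head) != 4 or head[0] != SOCKS5:
        return None
    rep, atyp = head[1], head[3]
    if atyp == ATYP_IPV4:
        recv_exact(sock, 4 + 2)
    elif atyp == ATYP_IPV6:
        recv_exact(sock, 16 + 2)
    elif atyp == ATYP_DOMAIN:
        ln = recv_exact(sock, 1)
        recv_exact(sock, (ln[0] if ln else 0) + 2)
    return rep


def probe_socks5(proxy_host, proxy_port, target_host, target_port, timeout=3.0):
    """Return a one-line verdict about what listens on proxy_host:proxy_port."""
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError as exc:
        return f"no listener on {proxy_host}:{proxy_port} ({exc})"
    with sock:
        sock.sendall(socks5_greeting())
        reply = recv_exact(sock, 2)
        if len(reply) != 2 or reply[0] != SOCKS5:
            return "listener answered, but not as a SOCKS5 server (wrong forward type?)"
        if reply[1] != NO_AUTH:
            return f"SOCKS5 server refused no-auth (method 0x{reply[1]:02x})"
        sock.sendall(socks5_connect_request(target_host, target_port))
        rep = read_connect_reply(sock)
        if rep is None:
            return "SOCKS5 server sent a malformed CONNECT reply"
        return (f"SOCKS5 CONNECT to {target_host}:{target_port}: "
                f"{REPLY_CODES.get(rep, 'unknown')} (0x{rep:02x})")


def start_toy_listener(rep_code=0x00, raw_answer=None):
    """Constructed stand-in for the ssh/PuTTY listener, for offline testing only.

    With raw_answer set it behaves like a non-SOCKS service; otherwise it completes
    the SOCKS5 handshake and answers CONNECT with rep_code. Returns the bound port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            greet = recv_exact(conn, 2)
            recv_exact(conn, greet[1] if len(greet) == 2 else 0)  # METHODS list
            if raw_answer is not None:
                conn.sendall(raw_answer)
                return
            conn.sendall(bytes([SOCKS5, NO_AUTH]))
            head = recv_exact(conn, 4)
            if len(head) == 4 and head[3] == ATYP_DOMAIN:
                ln = recv_exact(conn, 1)
                recv_exact(conn, (ln[0] if ln else 0) + 2)
            conn.sendall(bytes([SOCKS5, rep_code, 0, ATYP_IPV4]) + b"\x00" * 6)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed values from the original post; adjust to the port set in PuTTY.
    print(probe_socks5("127.0.0.1", 2222, "example.com", 80))
```

Run it on the Windows box after PuTTY has logged in: "no listener" means the dynamic forward was never opened on that port (which is the same thing `netstat -an` would show), while a CONNECT reply code tells you whether the server end of the tunnel can reach the destination. The PuTTY "Dynamic" forward corresponds to OpenSSH's `-D 2222` from the man page quoted above.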

----------

