# Tunnel Through SSH

## Lasitus

I am trying to forward a port through ssh, in effect creating a VPN.  I get an error when connecting saying the server refused remote port forwarding.  How would I allow this?  I tried it without the firewall, e.g.:

```
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
```

It still says refused remote port.

I also did this:

```
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
```

This doesn't work...

Any Ideas?

----------

## Naan Yaar

It would be helpful to post the exact error message.  However, it sounds like tcp forwarding has been disabled on the server.  sshd has this option:

```
AllowTcpForwarding
        Specifies whether TCP forwarding is permitted.  The default is ``yes''.  Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
```

It may have been disabled on your ssh server.

----------

## cdunham

...and the command you are using to establish the ports...

----------

## Lasitus

Thanks for the reply, I tried to enable AllowTcpForwarding and that didn't do the trick.  I didn't see any AllowTcpForwarding in my sshd_config file so I added:  AllowTcpForwarding yes.  I then realized I probably don't want to use the -R option anyway and was merely trying that because -L wasn't working.

Let me get into more of what I am trying to do.  I want the ability to mount drives from remote servers.  I have a server at home that has samba shares on it.  I tried forwarding port 139 by doing:

```
ssh -L 139:localhost:139 user@myserver.com
```

Initially it complained about samba running already when trying to forward the port, so I shut samba down on the local machine.  After that, it acts like there is no samba running.

I ran:

```
mount -t smbfs //localhost/ShareOnRemoteServer /mnt/LocalMountPoint -o username=user,password=password
```

*Quote:*

> 3782: session request to LOCALHOST failed (Call returned zero bytes (EOF))
> 3782: session request to *SMBSERVER failed (Call returned zero bytes (EOF))
> ...

----------

## Naan Yaar

I tried this and it works fine... Couple more things to check.  If you do:

```
netstat -Ainet -lp -ne|grep 139
```

after launching your ssh session on your client, do you see the port open and owned by ssh?  Additionally, you may want to throw in -g on the ssh command line to eliminate one more potential connection issue (though it should not apply in your case).

You can also run ssh with the -v option to dump more verbose error messages on the screen.  This may provide more hints.

----------

## revenant

Have you enabled IP forwarding in the /proc filesystem?

----------

## Lasitus

 *Quote:*   

> Have you enabled IP forwarding in the /proc filesystem?

 

yes, this is the server, do I have to enable it on the client side?

```
#!/sbin/runscript
# Gentoo init script that sets the /proc/sys/net/ipv4 options at boot.

depend() {
	before *
}

start() {
	ebegin "Setting /proc options."
	/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
	/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
	/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
	/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
	# Enable reverse-path filtering on every interface.
	for i in /proc/sys/net/ipv4/conf/*; do
		/bin/echo "1" > $i/rp_filter
	done
	/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
	/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
	eend 0
}
```

*Quote:*

> I tried this and it works fine... Couple more things to check. If you do:
>
> Code:
>
> netstat -Ainet -lp -ne|grep 139
> ...

ok, I will try that next.  A few questions though.

1.  Does this port forwarding work on any logon?  (could be same user, just a different instance of putty)

2.  Is there a way to run this in the background, so I can go back to my computer without logging off?  & doesn't work, because I have to enter a password afterwards.

3.  Is there a way to forward this port to the whole internal network so this could work as a VPN?

----------

## Naan Yaar

You should not need any IP forwarding enabled in the kernel on the client/server.  In this case, forwarding is done by ssh and not the kernel.

*Lasitus wrote:*

> *Quote:* Have you enabled IP forwarding in the /proc filesystem?
>
> yes, this is the server, do I have to enable it on the client side?

1. I am not sure why you refer to putty below?  Is your client a windows box?  From the command line you referred to earlier, it looked like you were trying to connect from a Linux/Unix client.  Once the port is opened and hooked up properly on the client end, anyone who is authorised to do so will be able to talk to it.

2.  You can use the "-f" option in ssh to make it go to the background, e.g., `ssh -L139:... -f <server_name> "sleep 3600"`.

3. You can look at dynamic forwarding and the "-D" option.

*Quote:*

> ok, I will try that next.  A few questions though.
>
> 1.  Does this port forwarding work on any logon.  (could be same user, just a different instance of putty)
> ...

----------

## Lasitus

Update:  I got port 81 to forward ok.  I have a website on my server that is listening on port 81.  http://localhost:81 worked, but https://localhost didn't... I dunno why, but no matter.

```
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN 0          426219     12823/ssh
```

This is what I got after running netstat for smb.  I couldn't get samba to forward correctly though.

As for me being on a linux client, that depends on where I am.  I have a laptop that is XP and a linux box here at work.  I have a linux server at home, an XP desktop and the same laptop.

----------

## Lasitus

Well, just tried it with a 127.0.0.1:139 and received this:

```
21388: Connection to 127.0.0.1:139 failed
SMB connection failed
```

----------

## jrmann1999

Can you post a more detailed explanation about what you're trying to do?  I read earlier about the mounting remote drives, but where?  The way I read it is as follows:

You are at local machines, whether they be win98, win2000, linux boxes, and you want to mount these shares on a central server located elsewhere.  You want to do this securely (obviously) so you use ssh tunnels.

If *my* description is correct, then -L forwarding won't work for this case.  You need -R (reverse) forwarding so that the server can read the remote shares.  However you'll run into obvious issues after you tunnel one machine due to port 139 being in use on the server (as you've seen before).

Just as a small explanation, -L forwarding redirects client machines to a server (or beyond).  -R forwarding directs the server to redirect itself through the ssh connection (really useful for things like secure remote X sessions).

----------

## Lasitus

Close but not quite.  I want to mount shares on my server from anywhere.  So the client will have shares like the server.  This will work like a VPN of sorts, forwarding the ports I need.  I am already using IPSec for a VPN but would like an easier option for users that either don't have linux servers at their location or places that don't need to be connected all the time.  I have been able to forward some services successfully, but samba is not being quite as nice.

----------

## cdunham

Perhaps there is a language issue here. Your use of the term "mount shares on my server" is ambiguous.

mount (shares on my server) - you want to access data on the server

mount shares (on my server) - you want the server to access your data

Likewise, the term "client will have shares like the server" doesn't parse, unless the shares you want are from a third server somewhere, and you are saying that you want the client and the server to mount the same shares.

Please clarify...

----------

## jrmann1999

Then you need to rethink how you'll be doing this.  If you want to mount remote shares on your server using ssh tunnels, you won't be able to do more than 1 at a time.  The first tunnel you create will lock port 139 down.  One tunnel, one share....

----------

## cdunham

Check this out:

http://www.ibiblio.org/gferg/ldp/Samba-with-SSH/Samba-with-SSH.html

It seems to imply that your mount command should look like:

```
mount -t smbfs //RemoteServerNetbiosName/ShareOnRemoteServer /mnt/LocalMountPoint -o username=user,password=password,ip=127.0.0.1
```

But I haven't tried it.

----------

## Naan Yaar

What Lasitus has above makes perfect sense.  His mount syntax is OK too.  I have verified that it works correctly on my machine with exactly the same forwarding as he has.  Something else seems to be going on here...

----------

## Lasitus

*cdunham wrote:*

> Perhaps there is a language issue here. Your use of the term "mount shares on my server" is ambiguous.
>
> mount (shares on my server) - you want to access data on the server
>
> mount shares (on my server) - you want the server to access your data
> ...

ok... lemme try to word this differently.

I have a server at home.  It is running Gentoo.  It has Samba installed and has samba shares on it.  I want to access this server from a client outside my firewall.  The client has no shares on it that I am concerned with.  So, if my server has a share, I want my client to be able to access or map that share from a remote location and would like for other computers on the network with the client machine to be able to access the shares like they are on the client machine.  (but they are really on the server which is elsewhere)...  In other words a VPN, where the client machine connects securely with an easier method other than IPsec.

----------

## Naan Yaar

Lasitus,

Can you please run ssh with "-v -v" in addition to the other flags and report what happens when the samba mount fails on the client?  This may be helpful.  Also, the contents of the log files pertinent to ssh on the server end will also shed some light (probably).

----------

## Lasitus

*cdunham wrote:*

> Check this out:
>
> http://www.ibiblio.org/gferg/ldp/Samba-with-SSH/Samba-with-SSH.html
>
> It seems to imply that your mount command should look like:
> ...

Thanks for the link.  I have read a bit of it and followed the instructions laid out.  I basically just added ip=127.0.0.1 to it and put the server name instead of the IP.  It still isn't working.  I used the ssh line as given by the tutorial.

```
[root@IMIS_LinuxTest1] smbmount "\\\awserver\Audio" /mnt/Share/ -o username=user,password=password,ip=127.0.0.1
3601: session request to AWSERVER failed (Call returned zero bytes (EOF))
3601: session request to *SMBSERVER failed (Call returned zero bytes (EOF))
SMB connection failed
```

----------

## Lasitus

*Naan Yaar wrote:*

> Lasitus,
>
> Can you please run ssh with "-v -v" in addition to the other flags and report what happens when the samba mount fails on the client?  This may be helpful.  Also, the contents of the log files pertinent to ssh on the server end will also shed some light (probably).

Ok, I ran ssh with the -v -v option.  Here is what I found that I consider pertinent:

```
debug1: Connections to local port 139 forwarded to remote address localhost:139
debug1: Local forwarding listening on 0.0.0.0 port 139.
debug1: fd 4 setting O_NONBLOCK
debug2: fd 4 is O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: channel 1: new [client-session]
debug2: channel 1: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 1
debug1: channel 1: request pty-req
debug1: channel 1: request shell
debug2: callback done
debug1: channel 1: open confirm rwindow 0 rmax 32768
debug2: channel 1: rcvd adjust 131072
```

```
debug2: fd 8 setting TCP_NODELAY
debug1: fd 8 setting O_NONBLOCK
debug2: fd 8 is O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: connect failed: Connection refused
debug1: channel_free: channel 2: direct-tcpip: listening port 139 for localhost port 139, connect from 127.0.0.1 port 32824, nchannels 3
debug1: Connection to port 139 forwarding to localhost port 139 requested.
debug2: fd 8 setting TCP_NODELAY
debug1: fd 8 setting O_NONBLOCK
debug2: fd 8 is O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: connect failed: Connection refused
debug1: channel_free: channel 2: direct-tcpip: listening port 139 for localhost port 139, connect from 127.0.0.1 port 32825, nchannels 3
```

My new ssh line:

```
ssh -2 -v -v -g -L 139:localhost:139 root@serverdomain.com
```

I also tried:

```
ssh -2 -v -v -g -L 139:serverdomain.com:139 root@serverdomain.com
```

This didn't work either but the messages looked a bit more right...  I also tried the netbios name in between the colons and that didn't work.  I thought I understood the syntax, but the tutorial kind of showed me otherwise.  I thought the computer named in between the ports was the computer being forwarded to and the second computer named was the one you are remotely connecting to.  Am I right on this?

----------

## jrmann1999

*Quote:*

> ssh -2 -v -v -g -L 139:localhost:139 root@serverdomain.com

You might try

```
ssh -2 -v -v -g -L 139:127.0.0.1:139 root@serverdomain.com
```

I remember in an earlier post you had trouble using http://localhost in your port 81 forward, could be a resolving issue.

----------

## Lasitus

*jrmann1999 wrote:*

> *Quote:* ssh -2 -v -v -g -L 139:localhost:139 root@serverdomain.com
>
> You might try
> ...

Tried that too, same response.

```
11982: session request to 127.0.0.1 failed (Call returned zero bytes (EOF))
11982: session request to 127 failed (Call returned zero bytes (EOF))
11982: session request to *SMBSERVER failed (Call returned zero bytes (EOF))
SMB connection failed
```

```
debug1: Connection to port 139 forwarding to 127.0.0.1 port 139 requested.
debug2: fd 8 setting TCP_NODELAY
debug1: fd 8 setting O_NONBLOCK
debug2: fd 8 is O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: connect failed: Connection refused
debug1: channel_free: channel 2: direct-tcpip: listening port 139 for 127.0.0.1 port 139, connect from 127.0.0.1 port 32853, nchannels 3
```

----------

## jrmann1999

You do have samba running on the server correct?

----------

## Naan Yaar

On the server, if you do:

```
telnet localhost 139
```

do you get a connection or a message saying something like "connection refused"?  The message seems to indicate that nothing is listening to this port...

----------

## Lasitus

*Naan Yaar wrote:*

> On the server, if you do:
>
> ```
> telnet localhost 139
> ```
> ...

hmm, it says connection refused... for any port on localhost.  I disabled my firewall with the same results.  I also retried the ssh forwarding without the firewall, same result...

and yes, samba is running

----------

## Naan Yaar

OK.  Looks like we may be getting somewhere.  If you do:

```
netstat -Ainet -lpne|grep 139
```

on the server as root, do you see smbd bound to this port?  What does this line say?  Do you have samba configured to listen on specific interfaces?  Also, when telnetting to localhost, does it try connecting to 127.0.0.1?

EDIT: Also, what does ifconfig on the server tell you?

----------

## Lasitus

Yes, like I said samba is running.  It is port 139

```
tcp        0      0 192.168.3.1:139         0.0.0.0:*               LISTEN      0          4107       1719/smbd
```

I know the networking is good, because I am logging in through ssh from work to do these commands.

----------

## jrmann1999

*Quote:*

> tcp        0      0 192.168.3.1:139         0.0.0.0:*               LISTEN      0          4107       1719/smbd

Your smbd daemon is only listening on 192.168.3.1, not on 127.0.0.1.  Hence the reason you can't connect.

`-L 139:192.168.3.1:139` should solve your ssh problem.

----------

## Naan Yaar

The problem is that you have samba listening to only the interface on 192.168.3.1 and not 127.0.0.1.  You can either change your samba configuration file to correct this or change the -L option to `-L139:192.168.3.1:139`.  It should then work.

You may have turned on the "bind interfaces only" option in smb.conf and turned on 192.168.3.1 in the "interfaces" option.  `man smb.conf` for more details.

*Lasitus wrote:*

> Yes, like I said samba is running.  It is port 139
>
> ```
> tcp        0      0 192.168.3.1:139         0.0.0.0:*               LISTEN      0          4107       1719/smbd
> ```
> ...

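The check that settled the thread, as an added shell example that is not from any of the posts above: the `DEST_HOST:DEST_PORT` part of `-L` is connected to by sshd on the server, so `-L 139:localhost:139` only works if the daemon there is bound to 127.0.0.1 or 0.0.0.0, and the server's `netstat -Ainet -lpne` output tells you which address to put in the option instead. The netstat lines it parses are constructed to mirror the thread's output, and `forward_target_reachable` and `suggest_forward` are helper names chosen here.

```shell
#!/bin/sh
# Added example: given the "netstat -Ainet -lpne" listener lines from the ssh
# server, decide whether an "ssh -L LOCAL:DEST_HOST:DEST_PORT" forward can reach
# the service.  DEST_HOST:DEST_PORT is connected to by sshd on the server, so
# "localhost" there means the server's own 127.0.0.1, not the client's.

# Constructed sample (modelled on the thread's output, not captured from a real
# host): smbd bound to one LAN address, cupsd to loopback, sshd to every interface.
NETSTAT_SAMPLE='tcp        0      0 192.168.3.1:139         0.0.0.0:*               LISTEN      0          4107       1719/smbd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          5000       900/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          4000       800/sshd'

# forward_target_reachable DEST_HOST DEST_PORT
# Prints the listener that would accept the forwarded connection and returns 0;
# returns 1 when nothing listens on that address:port, which the client-side
# "ssh -v" shows as "channel N: open failed: connect failed: Connection refused".
forward_target_reachable() {
    dest_host=$1
    dest_port=$2
    case $dest_host in
        localhost) dest_host=127.0.0.1 ;;   # resolved on the server side
    esac
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v host="$dest_host" -v port="$dest_port" '
        $6 == "LISTEN" {
            n = split($4, a, ":")            # column 4 is "local-address:port"
            addr = a[1]; lport = a[n]
            if (lport != port) next
            # 0.0.0.0 accepts on every interface; any other address must match
            if (addr == "0.0.0.0" || addr == host) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# suggest_forward LOCAL_PORT DEST_PORT
# Prints the -L option that actually reaches the daemon on DEST_PORT: 127.0.0.1
# when it listens on every interface, otherwise the one address it is bound to
# (the thread's fix: -L 139:192.168.3.1:139 instead of -L 139:localhost:139).
suggest_forward() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v lp="$1" -v port="$2" '
        $6 == "LISTEN" {
            n = split($4, a, ":"); addr = a[1]
            if (a[n] != port) next
            if (addr == "0.0.0.0") addr = "127.0.0.1"
            printf "-L %s:%s:%s\n", lp, addr, port
            exit 0
        }'
}

# Stand-alone run: reproduce the thread's failure, then print the working option.
forward_target_reachable localhost 139 >/dev/null \
    || echo "localhost:139 is refused on the server side (smbd is not on 127.0.0.1)"
echo "use: $(suggest_forward 139 139)"
```

Run it against real output by replacing `NETSTAT_SAMPLE` with the lines from `netstat -Ainet -lpne` on your own server.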
----------

## Lasitus

Well, that did the trick.  I just thought it naturally would be listening on 127.0.0.1 as well..

Thanks for all the help you have given me in figuring this one out.  I would have been at a loss otherwise.

Lasitus

----------

## Naan Yaar

Great to hear that it is finally resolved!  Cheers.

*Lasitus wrote:*

> Well, that did the trick.  I just thought it naturally would be listening on 127.0.0.1 as well..
>
> Thanks for all the help you have given me in figuring this one out.  I would have been at a loss otherwise.
> ...

----------

## chrispy

Sorry to revive the thread, but I'm trying to do the same thing, except that the client is a windows xp workstation. I'm using Putty to establish the ssh connection, i already tunnel a couple of other services and it works, but i have yet to be able to do that with samba.

I followed everything on that thread, and the output of `netstat -Ainet -lpne|grep 139` gives me

```
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      0          395562     23924/smbd
```

so i guess I'm in business...

the ssh tunnel is, I believe, the same as in this thread (except that I use 127.0.0.1 since the service listens on 0.0.0.0 i.e. on every interface)

Putty doesn't allow you to freely edit the connection parameters, and I find the "tunnels configuration" dialog to be unclear and clumsy at best...

and yet I simply cannot see or force a connection from the XP box, it just tells me that it cannot find the share.

what I do on the XP box, to try to open the share, is just typing in Explorer:

```
\\localhost\share_name
```

which is correct, I believe...

anybody successfully connected to samba from a windows box ??

cheers

----------

## Krin

trying to do the same thing myself, chrispy.

using gentoo with samba, and want to be able to browse the shares on my samba box via WinXP.  I know samba is working correctly because I can get to my shares without going through putty.  I would like to be able to browse my shares remotely and still be secure.  I have successfully set up tightvnc to use this same type of ssh port forwarding but I have yet to get XP to work with samba over ssh.

----------

## mimo

I can't get XP to work either.

```
server root # netstat -Ainet -lpne | grep 139
```

gives me that

```
tcp 0  0 0.0.0.0:139  0.0.0.0:*  LISTEN   0   2016761   16247/smbd
```

I'm able to connect to port 139 with telnet on the XP client, I do it like this:

```
telnet localhost 139
```

If I run `netstat -tn | grep 139` while the telnet session is running I get this:

```
server root # netstat -tn | grep 139
tcp        0      0 127.0.0.1:139           127.0.0.1:1104          TIME_WAIT
tcp        0      0 10.0.0.1:139            10.0.0.78:1134          ESTABLISHED
tcp    20752   1092 172.17.30.25:1043       80.139.58.198:4662      ESTABLISHED
tcp        0      0 127.0.0.1:139           127.0.0.1:1116          ESTABLISHED
tcp        0      0 127.0.0.1:1116          127.0.0.1:139           ESTABLISHED
server root #
```

so as you can see there is a connection..

but then when I try this

```
net view \\localhost
```

I just get an error :/

can someone help

----------

## bonbons

I'm wondering if it's possible to allow port forwarding just for specific users...

I'm thinking of running a single SSH server for CVS access and access to the server (+portforwarding) for remote access.

CVS should be accessible to some friends, but port-forwarding just for me!

Does SSHd have a feature for such user-specific configuration for such features? If not, what extra tool can I use for port-forwarding, knowing that only I am allowed to have shell access?

----------

