Reverse SSH (or other tunnel/VPN)
Matthew Carpenter
matt
Wed Dec 22 09:36:15 PST 2004
Did that answer your questions?
The VI is in there because I had the darnedest time having the shell
stay active when scripting this. vi took and executes on the other
machine and keeps the tunnel open. Hacked, but works.
If I am using this for consistent tunneling (as in my email
transmissions), I have a cronjob which kicks to make sure it stays up.
The firewalls at certain borders will time out my tunnel (perhaps I
should use "top" instead of "vi" :)
I use key-based authentication (let me know if you need help on that
one), and the script looks something like this (remember, this is to
tunnel from the localhost to the other server, thus the -L command):
/usr/sbin/mailtunnel.mail1
--------------------------
#!/bin/bash
# Count sockets listening on the local tunnel port. The trailing space in
# the pattern keeps e.g. :12350 from being counted as the tunnel.
TUNNELUP=$(/bin/netstat -ln | grep -c ":1235 ")
if [ "$TUNNELUP" -eq 0 ] ; then
    echo "Starting POP3 encrypted tunnel to siglavy.eisgr.com"
    ssh -f -L 1235:mail1.eisgr.com:110 mail1.eisgr.com vi </dev/null >/var/log/mailtunnel 2>&1 &
fi
---------------------------
Michael Hipp wrote:
> Net Llama! wrote:
>
>> On the box behind the NAT, (we'll call it localhost) issue this command.
>> Your random remote, internet facing box will be called foo.bar.com:
>> ssh -R 3500:localhost:22 foo.bar.com
>>
>> The above command assumes that you have the same username on both boxes.
>> If not, adjust to include a '-l' option for foo.bar.com. Once you issue
>> that command and are ssh'd onto foo.bar.com, issue this command:
>>
>> ssh -p3500 localhost
>>
>> The above command assumes that you have the same username on both boxes.
>> If not, adjust to include a '-l' option for your NAT'd box (localhost).
>> Once you do that, you'll be ssh'd onto the NAT'd box (localhost).
>>
>> I usually run the first command inside a screen session so that it's out of
>> the way, and semi-transparently maintains the connection. Now as long as
>> you don't log out from the first command, you can ssh into foo.bar.com and
>> issue that 2nd command and get into your NAT'd (localhost) box from
>> anywhere.
>
> Thanks, Lonni.
>
> Looks like it might be worth using 'autossh' to make sure the first
> tunnel never dies since I have no direct way of restarting it. The host
> will be on satellite Internet which is anything but reliable.
>
> Michael
>
> _______________________________________________
> Linux-users mailing list
> Linux-users at linux-sxs.org
> http://mail.linux-sxs.org/cgi-bin/mailman/listinfo/linux-users
>
> Need to chat further on this subject? Check out #linux-users on
> irc.linux-sxs.org !
-- 
Matthew Carpenter
matt at eisgr.com http://www.eisgr.com/
Enterprise Information Systems
* Network Server Appliances
* Security Consulting, Incident Handling & Forensics
* Network Consulting, Integration & Support
* Web Integration and E-Business
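A cron-friendly keepalive script in the spirit of Matthew's mailtunnel.mail1 and of Michael's autossh idea, added here as an example; it is not code from the thread or from any of its authors. The hostname (mail1.example.com), ports, log path and the netstat sample lines are placeholders I constructed. It replaces the "vi" trick with ssh -N plus ServerAlive keepalives, which also deals with the border-firewall idle timeout Matthew mentions (a dead session is noticed and exits, so the next cron run restarts it), and it anchors the port check so that a listener on :12350 is not mistaken for the tunnel on :1235.

```shell
#!/bin/sh
# Added example (not from the thread): cron-friendly keepalive for an ssh
# port forward. Hostname, ports and the log path are assumed placeholders.
LOCAL_PORT="${LOCAL_PORT:-1235}"
REMOTE_HOST="${REMOTE_HOST:-mail1.example.com}"
REMOTE_PORT="${REMOTE_PORT:-110}"
LOGFILE="${LOGFILE:-/tmp/mailtunnel.log}"

# Constructed sample of `netstat -ln` output used by the self-check below.
# The :12350 listener is there on purpose: a plain `grep ":1235"` would
# count it as the tunnel and the script would never restart a dead one.
SAMPLE_LISTENERS='tcp        0      0 127.0.0.1:1235          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12350           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# is_listening PORT   (reads `netstat -ln` or `ss -ltn` output on stdin)
# Returns 0 if some socket is bound to exactly PORT. Both tools print the
# local address:port in the 4th column, so anchoring ":PORT" at the end of
# that field cannot match a longer port number.
is_listening() {
    awk -v p=":$1" '$4 ~ p "$" { found = 1 } END { exit found ? 0 : 1 }'
}

# list_listeners: prefer ss, since netstat is absent on many modern systems.
list_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn
    else
        netstat -ln
    fi
}

# tunnel_cmd: print the ssh command used to (re)start the forward.
#   -N                   no remote command, so nothing needs to be parked on the server
#   -f                   background after authentication, as in the original script
#   ServerAlive*         keepalives; after 3 missed replies ssh exits instead of
#                        hanging on a session a firewall has silently dropped
#   ExitOnForwardFailure exit (rather than linger) if the local port is taken
# The forward target "localhost" is resolved on the ssh server, so the POP3
# daemon there only has to listen on loopback.
tunnel_cmd() {
    printf 'ssh -f -N -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -L %s:localhost:%s %s\n' \
        "$LOCAL_PORT" "$REMOTE_PORT" "$REMOTE_HOST"
}

# ensure_tunnel: start the forward only if nothing listens on LOCAL_PORT yet.
ensure_tunnel() {
    if list_listeners 2>/dev/null | is_listening "$LOCAL_PORT"; then
        return 0
    fi
    echo "Starting encrypted tunnel localhost:$LOCAL_PORT -> $REMOTE_HOST:$REMOTE_PORT"
    sh -c "$(tunnel_cmd)" </dev/null >>"$LOGFILE" 2>&1
}

# self_check: run is_listening against the constructed sample; returns 0 on success.
self_check() {
    printf '%s\n' "$SAMPLE_LISTENERS" | is_listening 1235 || return 1
    if printf '%s\n' "$SAMPLE_LISTENERS" | is_listening 110; then return 1; fi
    printf '%s\n' "$SAMPLE_LISTENERS" | is_listening 12350 || return 1
    return 0
}

# Invoked from cron as "mailtunnel.sh --run"; without the argument the file
# only defines functions, so it can be sourced for testing.
case "${1:-}" in
    --run) ensure_tunnel ;;
esac
```

Run it every few minutes from cron with the --run argument. Note the caveat for the reverse tunnel in Lonni's reply (ssh -R): there the listening socket lives on the far-side host, so a local socket check like this one cannot see it; that case needs the ssh process itself to be monitored, which is exactly what autossh does.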