Binding TCP ports

 
 
sokrates_sf
      03-17-2009, 02:06 PM
hi all,
using local ssh port forwarding as follows:

ssh -L [local_port]:[local_host]:[remote_port] [remote_machine]

I found the local port 'binded' to IP 127.0.0.1:

Example: local_port = 30999

# netstat -nlp | grep 30999
tcp 0 0 127.0.0.1:30999 0.0.0.0:* LISTEN 6977/ssh
tcp 0 0 ::1:30999 :::* LISTEN 6977/ssh

For certain reasons it is supposed to be bound to the IP: 0.0.0.0, so
that my desired netstat should look like:

# netstat -nlp | grep 30999
tcp 0 0 0.0.0.0:30999 0.0.0.0:* LISTEN 6977/ssh
....

any ideas how this could be achieved?
tx in advance!

Peter
 
Lew Pitcher
      03-17-2009, 03:06 PM
On March 17, 2009 11:06, in comp.os.linux.networking, sokrates_sf wrote:

> hi all,
> using local ssh port forwarding as follows:
>
> ssh -L [local_port]:[local_host]:[remote_port] [remote_machine]
>
> I found the local port 'binded' to IP 127.0.0.1:


OK. That /might/ be expected, depending on the specific arguments you gave
ssh.

> Example: local_port = 30999
>
> # netstat -nlp | grep 30999
> tcp 0 0 127.0.0.1:30999 0.0.0.0:* LISTEN 6977/ssh
> tcp 0 0 ::1:30999 :::* LISTEN 6977/ssh
>
> For certain reasons it is supposed to be bound to the IP: 0.0.0.0, so
> that my desired netstat should look like:
>
> # netstat -nlp | grep 30999
> tcp 0 0 0.0.0.0:30999 0.0.0.0:* LISTEN 6977/ssh
> ...
>
> any ideas how this could be achieved?


First off, show us the /actual/ command (not the "prototype" you gave us
above) that results in your 127.0.0.1 netstat results. In fact, show us the
command, the stdout and syslog results it generates, /and/ the results
from "netstat -nlp | grep 'ssh'". Also, show us the contents of your
~/.ssh/config file and /etc/ssh/ssh_config file.

Only by understanding /which/ ssh options you've selected and /how/ you
start your ssh client can we make appropriate recommendations on how you
can achieve your desired results.

--
Lew Pitcher

Master Codewright & JOAT-in-training | Registered Linux User #112576
http://pitcher.digitalfreehold.ca/ | GPG public key available by request
---------- Slackware - Because I know what I'm doing. ------


 
Chris Davies
      03-17-2009, 03:27 PM
Lew Pitcher wrote:
> First off, show us the /actual/ command (not the "prototype" you gave us
> above) that results in your 127.0.0.1 netstat results [...]


Are you treating this as a "teach a man to fish..." exercise?

Curious,
Chris
 
sokrates_sf
      03-17-2009, 03:43 PM
Hi Lew,
thanks for your support! See missing data below:


> First off, show us the /actual/ command (not the "prototype" you gave us
> above) that results in your 127.0.0.1 netstat results. In fact, show us the
> command,


ssh -L 30999:localhost:8000 [destination_ip]

Instead of 'localhost' I also tried:
- internal IP address of machine
- 0.0.0.0
with same results.

> the stdout


I am asked for the PW, get the welcome message (Have a lot of fun...)
and see the prompt of the remote machine

> and syslog results it generates,


disabled

> /and/ the results from "netstat -nlp | grep 'ssh'.


# netstat -nlp | grep 'ssh'
tcp 0 0 127.0.0.1:30999 0.0.0.0:* LISTEN 28595/ssh
tcp 0 0 :::22 :::* LISTEN 5954/sshd
tcp 0 0 ::1:30999 :::* LISTEN 28595/ssh


> Also, show us the contents of your
> ~/.ssh/config file


<empty>

> and /etc/ssh/ssh_config file


# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

Host *
# ForwardAgent no
# ForwardX11 no

# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentification data to
# expire after two minutes after remote login.
ForwardX11Trusted yes

# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
# GSSAPIEnableMITMAttack no

# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL


> Only by understanding /which/ ssh options you've selected and /how/ you
> start your ssh client can we make appropriate recommendations on how you
> can achieve your desired results.


understood - tx - hope that helps!
../p


sokrates_sf
      03-17-2009, 05:11 PM
Hi Chris,

> Are you treating this as a "teach a man to fish..." exercise?


sorry - no idea what you are talking about. I am not a sysadmin pro
and pretty much a Linux newbie (approx. 1 year).
Also I usually find my way around by 'googling' and usually never ask for
support in forums. Please let me know if I violate
common rules and practices.

I have a couple of (AOL) web servers listening on different ports with
IP 0.0.0.0:

# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2401 0.0.0.0:* LISTEN 5933/xinetd
tcp 0 0 0.0.0.0:30082 0.0.0.0:* LISTEN 22255/nsd
tcp 0 0 0.0.0.0:30051 0.0.0.0:* LISTEN 31253/nsd
....

All works well. Requests from the internet will be forwarded using
'pound' from a machine (in the DMZ) to the above server.
Only requests forwarded to the local port 30999 fail:

# netstat -nlp | grep 30999
tcp 0 0 127.0.0.1:30999 0.0.0.0:* LISTEN 6977/ssh
tcp 0 0 ::1:30999 :::* LISTEN 6977/ssh

Looks to me that one really would need to understand, besides ssh, also
some underlying concepts of a loopback address and
TCP layers (Layer 2: MAC address / Layer 3: IP address).

Tx for your help.
../p






 
Lew Pitcher
      03-17-2009, 05:18 PM
On March 17, 2009 12:27, in comp.os.linux.networking, Chris Davies wrote:

> Lew Pitcher wrote:
>> First off, show us the /actual/ command (not the "prototype" you gave us
>> above) that results in your 127.0.0.1 netstat results [...]

>
> Are you treating this as a "teach a man to fish..." exercise?


No, but that's not a bad idea. I /had/ intended to gather enough information
to make an educated guess with. I'm not an ssh expert; I don't know if it
is entirely possible to turn off the 127.0.0.1 bind, but I /do/ know that it
is entirely possible to explicitly turn it on.

If the OP's setup explicitly turns on localhost binding (through the command
arguments, or through the configuration files), we'll see that in his
followup post. There may even be a way to help him.

 
Lew Pitcher
      03-17-2009, 05:28 PM
On March 17, 2009 12:43, in comp.os.linux.networking, sokrates_sf wrote:

> Hi Lew,
> thanks for your support! See missing data below:
>
>
>> First off, show us the /actual/ command (not the "prototype" you gave us
>> above) that results in your 127.0.0.1 netstat results. In fact, show us
>> the command,

>
> ssh -L 30999:localhost:8000 [destination_ip]


You /do/ realize that 'localhost' has the IP address 127.0.0.1, don't you?


> Instead of 'localhost' I also tried:
> - internal IP address of machine


Which I would expect to bind explicitly to that IP address

> - 0.0.0.0


After some experimentation, it looks like
ssh -L 0.0.0.0:30999:*:8000 <destination_IP>
will work properly.

When I try that format in one xterm
~ $ ssh -L 0.0.0.0:30999:*:8000 merlin.puter.lan
Enter passphrase for key '/home/lpitcher/.ssh/id_dsa':
Last login: Tue Mar 17 14:24:25 2009 from bitsie.puter.lan
Linux 2.6.21.5.
a check from another (local) xterm
~ $ netstat -nlp | grep ssh
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:30999 0.0.0.0:* LISTEN 6182/ssh
shows that ssh is listening like you expect it to

HTH
 
sokrates_sf
      03-17-2009, 05:46 PM
looks we are getting there ... but see what I get if I use the same
syntax (CentOS):

# ssh -L 0.0.0.0:30999:*:8000 xxx.xxx.xxx.xxx
Bad forwarding specification '0.0.0.0:30999:*:8000'
usage: ssh [-1246AaCfghkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
           [-D port] [-e escape_char] [-F configfile] [-i identity_file]
           [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]
           [-p port] [-R port:host:hostport] [-S ctl] [user@]hostname [command]

any clues?
../p
 
sokrates_sf
      03-17-2009, 07:09 PM

Thanks again for your help! -g does the trick:

ssh -g -L 30999:*:8000 xxx.xxx.xxx.xxx

../p

 
Chris Davies
      03-17-2009, 08:53 PM
>> Are you treating this as a "teach a man to fish..." exercise?

Lew Pitcher wrote:
> No, but that's not a bad idea. I /had/ intended to gather enough
> information to make an educated guess with.


Ah, ok.

As it happens, the man page for ssh explicitly describes how the default
value for the bind is derived, which is why I was curious about your
questions.

To the OP, I suggest you (re)read the man page for ssh:

-L [bind_address:]port:host:hostport

Specifies that the given port on the local (client) host is to
be forwarded to the given host and port on the remote side. [...] By
default, the local port is bound in accordance with the GatewayPorts
setting. However, an explicit bind_address may be used to bind
the connection to a specific address [...]


To me, the next step is to determine the GatewayPorts setting, so I
man ssh_config...

GatewayPorts

Specifies whether remote hosts are allowed to connect to local
forwarded ports. By default, ssh(1) binds local port forwardings
to the loopback address. [...]


So finally, I then check my own ssh_config file to see whether there's an
explicit entry defining the GatewayPorts. If not, I'll know the default
is to bind only to localhost.

Chris
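Added illustration, not from any poster in this thread: the loopback-versus-wildcard distinction that GatewayPorts, -g and an explicit bind_address control can be audited straight from the netstat output quoted above. The Python below parses the LISTEN rows of `netstat -nlp` (the sample is constructed from the thread's own lines) and reports which ssh client forwards are reachable from other hosts, which is what the OP wanted for one port but is not something the remaining forwards should pick up by accident.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed sample in the layout `netstat -nlp` prints (the thread's wrapped
# lines rejoined); not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:30999  0.0.0.0:*        LISTEN  6977/ssh
tcp        0      0 ::1:30999        :::*             LISTEN  6977/ssh
tcp        0      0 0.0.0.0:30082    0.0.0.0:*        LISTEN  22255/nsd
tcp        0      0 :::22            :::*             LISTEN  5954/sshd
tcp        0      0 0.0.0.0:30999    0.0.0.0:*        LISTEN  6182/ssh
tcp        0      0 0.0.0.0:32768    0.0.0.0:*        LISTEN  -
"""
LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]   # None when netstat prints '-' (socket owned by another user)
    program: str

def parse_netstat(text: str) -> List[Listener]:
    """Parse LISTEN rows of `netstat -nlp`; split on the last ':' so ::1:30999 parses."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # header lines, udp sockets, non-listening rows
        addr, _, port = f[3].rpartition(":")
        pid_s, _, prog = (f[6] if len(f) > 6 else "-").partition("/")
        pid = int(pid_s) if pid_s.isdigit() else None
        rows.append(Listener(f[0], addr, int(port), pid, prog))
    return rows

def exposure(l: Listener) -> str:
    """'loopback' = this host only; 'wildcard' = every interface, which is what
    GatewayPorts yes / -g / an explicit 0.0.0.0 bind_address produce."""
    if l.addr in LOOPBACK:
        return "loopback"
    return "wildcard" if l.addr in WILDCARD else "specific"

def exposed_ssh_forwards(rows: List[Listener]) -> List[Tuple[int, str]]:
    """ssh *client* listeners (-L/-D forwards) reachable from other hosts; sshd excluded by name."""
    return sorted((l.port, l.addr) for l in rows
                  if l.program == "ssh" and exposure(l) != "loopback")
```

Run it against real output with `parse_netstat(subprocess.check_output(["netstat", "-nlp"], text=True))`; on hosts where `ss -ltnp` has replaced netstat the column layout differs and the parser needs adjusting.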
 