SSH Port Forwarding Not working

Post by dprofi2017 » 2017/07/11 20:57:15

I'm trying to use putty to port forward 443 to another system via a remote port forwarding through a CentOS 6.9 box. I've done this a million times and it's worked without issue until now. I've disabled iptables for my test and communication is over VPN so we are using internal addressing on both sides.

(Win2k12 - 192.168.88.191 -L port 8887) -----------> (CentosTest - 10.1.111.111 -R port 8887) ---------FWD-------->(Server01 - 10.1.111.217 port 443)

I'm connecting locally on the Win2k12 via browser to local port 8887 which I've configured putty to forward it to the destination server 10.1.111.217 which is on the same network.

When I look in my var log messages I get the below error message. I have an /etc/hosts entry to resolve the server to IP.

Jul 11 13:23:12 localhost sshd[10266]: error: connect_to Server01:443: unknown host (Name or service not known)
Jul 11 13:23:12 localhost sshd[10266]: error: connect_to Server01:443: unknown host (Name or service not known)
Jul 11 13:23:13 localhost sshd[10266]: error: connect_to Server01:443: unknown host (Name or service not known)
Jul 11 13:23:13 localhost sshd[10266]: error: connect_to Server01:443: unknown host (Name or service not known)

Lastly, when I do a "netstat -a | grep 8887" on the CentOS box I get nothing, but I do see that port 8887 is listening on the Win2k12 box.


Below is some information to help get this figured out.

[root@CentosTest ~]# rpm -qa | grep ssh
openssh-6.2p1-1.x86_64
libssh2-1.4.2-2.el6_7.1.x86_64
openssh-clients-6.2p1-1.x86_64
openssh-server-6.2p1-1.x86_64


[root@CentosTest ~]# ssh -V
OpenSSH_6.2p1, OpenSSL 1.0.0-fips 29 Mar 2010

--------------------------------

[root@CentosTest ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

---------------------------------
[root@CentosTest ~]# netstat -ar
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.1.111.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 0 0 0 eth0
default 10.1.111.1 0.0.0.0 UG 0 0 0 eth0

---------------------------------------



Any help would be appreciated. I did hit the Google machine before I decided to post but at this point I'm stuck.

Your help would be greatly appreciated.

Post by jlehtone » 2017/07/11 21:56:28

dprofi2017 wrote: Server01:443: unknown host (Name or service not known)

Who is this 'Server01' that the CentOS box does not know?
In other words, does that name resolve?

Post by dprofi2017 » 2017/07/12 01:28:06

jlehtone thanks for the response.

I have added an entry in the /etc/hosts table to resolve the ip address, but I got the same error when I used just an IP address as well.

[root@CentosTest ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6


#Web Test Devices
10.1.111.217 Server01

Thanks again, let me know if you have any ideas or need any other information.

Post by dprofi2017 » 2017/07/12 01:41:17

I can also ping the Server01 from my CentosTest box.

[root@CentosTest ~]# ping Server01
PING Server01 (10.1.111.217) 56(84) bytes of data.
64 bytes from Server01 (10.1.111.217): icmp_seq=1 ttl=64 time=0.258 ms
64 bytes from Server01 (10.1.111.217): icmp_seq=2 ttl=64 time=0.494 ms
64 bytes from Server01 (10.1.111.217): icmp_seq=3 ttl=64 time=0.203 ms
64 bytes from Server01 (10.1.111.217): icmp_seq=4 ttl=64 time=0.268 ms
64 bytes from Server01 (10.1.111.217): icmp_seq=5 ttl=64 time=0.398 ms
64 bytes from Server01 (10.1.111.217): icmp_seq=6 ttl=64 time=0.324 ms

Post by jlehtone » 2017/07/12 10:26:20

dprofi2017 wrote:(Win2k12 - 192.168.88.191 -L port 8887) -----------> (CentosTest - 10.1.111.111 -R port 8887) ---------FWD-------->(Server01 - 10.1.111.217 port 443)

I'm connecting locally on the Win2k12 via browser to local port 8887 which I've configured putty to forward it to the destination server 10.1.111.217 which is on the same network.

What do you mean by "on the same network"? 192.168.88.191 is not part of 10.1.111.*, is it?

Port on CentosTest should be free for the sshd to choose. Just like your browser on Win2k12, the sshd is "just a (proxy) client" and client neither listens nor is bound to specific (outgoing) port.

If client had openssh, I would:

Win2k12# ssh -L 8887:Server01:443 CentosTest

(One can install "Ubuntu bash" from Microsoft into Windows 10 and thus get openssh.)

When does the "error: connect_to" occur? On creation of the ssh connection, or when you browse localhost:8887?

Have you observed, with say 'tcpdump' what traffic occurs on CentosTest interfaces when you reach localhost:8887?

How about selinux? Is it enforcing?

There should be no routing, forwarding, nor NAT, for it is the sshd@CentosTest that should connect to Server01:443.


PS.
'netstat' seems to be deprecated.

ss -tpnl
ss -tpn
ip ad
ip -4 ad
ip ro
ip -s li

Post by dprofi2017 » 2017/07/12 16:50:30

Thanks jlehtone for your response again.

CentosTest and Server01 are on the same network and you are correct the Win2k12 system is not. I'm port forwarding 443/https request through the SSH tunnel between CentosTest and Win2k12 to access the web service on Server01. Sorry if I didn't make that clear up front.

Unfortunately we have some restrictions on what software can be installed on the Win2k12 system and I've never had a problem accomplishing this same type of connectivity using putty previously.

Also to answer your question the "error: connect_to" occurs upon establishing the ssh session from the Win2k12 to the CentosTest system.

I haven't checked what the tcpdump looks like when connecting to port 8887, I assumed it would be a waste of time since I can see CentosTest is not listening on that port.

Selinux has been disabled while I troubleshoot this issue.

Thanks for the advice on using netstat. I know it's a bit oldschool, but so am I. I've made note of the commands you mentioned and have started using them. They are very useful so thank you again.

I'm still digging into this but hoping I could get some additional pointers here.

Post by jlehtone » 2017/07/12 17:24:39

dprofi2017 wrote:Also to answer your question the "error: connect_to" occurs upon establishing the ssh session from the Win2k12 to the CentosTest system.

I haven't checked what the tcpdump looks like when connecting to port 8887, I assumed it would be a waste of time since I can see CentosTest is not listening on that port.

First, what on CentosTest should listen on 8887? Nothing.

Putty listens 8887 on Win2k12. sshd listens 22 on CentosTest. Apache(?) listens 443 on Server01.
Your browser connects to localhost:8887. putty connects to sshd. sshd (as a client) connects to Apache.
Nothing will connect to CentosTest:8887.


"occurs upon establishing the ssh session"
Interesting. There is no reason for anything to connect to Server01 at that time.

You should need just one tunnel on putty:

L8887 10.1.111.217:443

That is what you have?


You don't, by any chance, have a second tunnel:

R8887 10.1.111.217:443

That could explain the error.
That tunnel would listen on 10.1.111.111:8887. If something connects to that port, then putty on Win2k12 has to establish connection to 10.1.111.217:443. I'm quite sure that Win2k12 has no idea where 10.1.111.217 is, nor could reach it. Slightly odd, if sshd on CentosTest whines about such SEP.
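
The listener and connector roles described in the post above, worked through for the two PuTTY tunnel entries it mentions. This is an added example, not part of the original thread; the `describe_tunnel` helper is hypothetical and the /24 mask for Win2k12 is an assumption (the thread only shows the 255.255.255.0 mask on CentosTest).

```python
import ipaddress
import re

# Addresses from the thread. The Win2k12 prefix length is an assumption.
HOSTS = {
    "Win2k12": ipaddress.ip_interface("192.168.88.191/24"),   # ssh client (PuTTY)
    "CentosTest": ipaddress.ip_interface("10.1.111.111/24"),  # sshd
}

# PuTTY tunnel entry as quoted in the thread, e.g. "L8887 10.1.111.217:443".
# IPv6 destinations are not handled in this sketch.
SPEC = re.compile(r"^([LR])(\d{1,5})\s+([^\s:]+):(\d{1,5})$")


def describe_tunnel(spec, client="Win2k12", server="CentosTest"):
    """Return who listens, who dials out, and whether the dialer is on-link."""
    m = SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"not a PuTTY-style tunnel entry: {spec!r}")
    kind, dest = m.group(1), m.group(3)
    lport, dport = int(m.group(2)), int(m.group(4))
    if not (0 < lport < 65536 and 0 < dport < 65536):
        raise ValueError("port out of range")
    # L: the client listens; sshd on the server dials the destination.
    # R: sshd on the server listens; the client dials the destination.
    listener, connector = (client, server) if kind == "L" else (server, client)
    try:
        on_link = ipaddress.ip_address(dest) in HOSTS[connector].network
    except ValueError:
        on_link = None  # destination is a name, resolved on the connector side
    return {
        "listens": f"{listener}:{lport}",
        "connects_from": connector,
        "destination": f"{dest}:{dport}",
        "destination_on_connector_subnet": on_link,
    }


if __name__ == "__main__":
    for entry in ("L8887 10.1.111.217:443", "R8887 10.1.111.217:443"):
        print(entry, "->", describe_tunnel(entry))
```
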

Post by dprofi2017 » 2017/07/12 18:54:41

jlehtone not sure why I thought 8887 would need to be open on both ends. You are right and I think you mentioned before CentosTest doesn't need to listen on 8887 for anything since there are no inbound connections to the system on that port, so I wouldn't see that port open.

As an update, I was able to get the port forwarding to work by hopping through another Centos 6.9 system on the same network using putty. There is definitely something going on with CentosTest that I will need to investigate further, or I may just have them redeploy that system.

Thanks for your help
