I would like to ask about SSH tunneling:
I need to access an app running on my machine through the internet and my own domain.
I tunnel it to the server with:
# Local machine
ssh -N -R 7860:127.0.0.1:7860 root@138.xx.xx.xx
When I try it logged on to the server:
# Server 138.xx.xx.xx
curl localhost:7860
<!DOCTYPE html>
<html lang="en" style="margin: 0; padding: 0; min-height: 100%"><head><meta charset="utf-8" />...
...It works
But not from outside:
# Local machine
curl 138.xx.xx.xx:7860
curl: (7) Failed to connect to 138.xx.xx.xx port 7860: Connection refused
Am I doing something wrong, or do I fundamentally not understand how SSH tunneling works?
Related
I'm trying to set up a CouchDB 2.0 instance on my CentOS 7 server.
I've got it installed and running as a systemd service, and it responds with its friendly hello-world message when I access it from the server using 127.0.0.1 or 0.0.0.0:
$ curl 127.0.0.1:5984
{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
$ curl 0.0.0.0:5984
{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
In my local.ini file I've configured the bind_address to 0.0.0.0:
[httpd]
bind_address = 0.0.0.0
My understanding was that if I had this bind address I could connect to port 5984 from any IP address open in my firewall.
I'm using firewalld for my firewall and I've configured it to open port 5984.
This config is confirmed by listing the configuration of the public zone:
$ sudo firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: couchdb2 dhcpv6-client http https ssh
ports: 443/tcp 5984/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
I've also created a service called couchdb2 at /etc/firewalld/services/couchdb2.xml with XML:
<service>
<short>couchdb2</short>
<description>CouchDB 2.0 Instance</description>
<port protocol="tcp" port="5984"/>
</service>
From what I know about firewalld I should be able to receive connections on 5984 now,
but when I curl from my laptop my connection is refused:
$ curl my-server:5984 --verbose
* Rebuilt URL to: my-server:5984/
* Trying <my-ip>...
* connect to <my-ip> port 5984 failed: Connection refused
* Failed to connect to my-server port 5984: Connection refused
* Closing connection 0
When I connect to the CouchDB instance locally via either 127.0.0.1 or 0.0.0.0 I can see the 200 response in my CouchDB log:
$ sudo journalctl -u couchdb2
...
[notice] 2017-06-06T00:35:01.159244Z couchdb@localhost <0.3328.0> 222d655c69 0.0.0.0:5984 127.0.0.1 undefined GET / 200 ok 28
[notice] 2017-06-06T00:37:21.819298Z couchdb@localhost <0.5598.0> 2f8986d14b 127.0.0.1:5984 127.0.0.1 undefined GET / 200 ok 1
But when I curled from my laptop, nothing shows up in the CouchDB log for the Connection Refused error.
This suggests to me that the problem may be the firewall and not CouchDB, but I'm not sure about that.
Is Connection Refused always the firewall? Would I be getting some other error if this were the CouchDB instance having a problem?
To the best of my knowledge both CouchDB and firewalld are configured correctly, but it's not working like I expected.
Any help would be appreciated, whether you know the problem or whether you can just help me discern if the problem is related to CouchDB or firewalld.
I have these two containers, say backend (CentOS) and mongo. What I would like to have is that from within the backend container I can connect to the mongo database as if it was running locally: $> mongo localhost:27017
Anyway, as far as I understand all this, you can map the port localhost:27017 to mongo:27017 like this:
$backend> ssh -L 27017:mongo:27017 root@mongo
However, if I do this I have to provide the root password, and after that it logs me into the mongo container and no port forwarding is happening.
Background: I want to do this because I'm running a Java program which connects to a Mongo database on localhost and I cannot change that.
I found the correct SSH port forwarding command:
$> ssh root@mongo -L 27017:localhost:27017 -Nf
Normally the idea with this command is that you map a non-public port, through a public server, to your own server/computer.
* `root@mongo` - the public server
* -L <port on your server>:<third server address>:<port>
* `-Nf` - Do not login
Because the public server and third server are the same computer/container you have to use localhost :)
What is the best way to run a command through an ssh tunnel? Not running the command on the remote server, but forwarding locally created traffic to it through a tunnel.
For example, wget. How can I run wget on my local machine so that it tunnels to a VPS that I have ssh access to? Both the local and remote servers are running Arch Linux.
From what I got, your question is about a proxy, specifically a SOCKS proxy. So the easiest way to do this is to show you some examples and work from that.
ssh -NT -D 1080 user@remoteserver.net
What this is doing is keeping port 1080 open as a SOCKS5 proxy; -NT keeps the connection alive.
Then what needs to be done is to use the proxy. I don't think wget has the option to use a SOCKS proxy, so we will have to use curl, as I know that can use them.
curl -O --socks5-hostname 127.0.0.1:1080 url
This connects to the socks proxy and downloads from url.
I have an SSH tunnel from an EC2 instance (say A) to another with an Elastic IP (say B). It worked perfectly. Yet, B had a failure. So I had to stop it, and start a new instance with the same Elastic IP. And now the exact same SSH tunnel does not work anymore. Yet:
I can still SSH from A to B, so I know my keys are in place.
I tried the exact same tunnel from another instance than A, and it works as expected.
So somehow, it is as if A detected a problem when B went down, and it is now blocking the traffic.
Tunnel:
/usr/bin/ssh -o StrictHostKeyChecking=no -i /path_to/id_dsa -f -p 22 -N -L 26:www.foo.com:80 ssh_tunnel@amazon_public_ip
And when I try Curl here is what I get:
curl -v -H "Host: www.foo.com" http://localhost:26/foofoo
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* connect to 127.0.0.1 port 26 failed: Connection refused
* Failed to connect to localhost port 26: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 26: Connection refused
Am I missing something?
I found the issue. I did not pay attention, but when I was SSH-ing into the instance, I was getting a warning message: "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!". Since it worked anyway, I thought it was not a problem. It turns out it makes the tunnel fail.
So I just removed the offending RSA key from known_hosts and now it works.
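The answer above is the poster's own finding; the helper below is an added example, not part of the original answer and not an OpenSSH tool. With -o StrictHostKeyChecking=no, OpenSSH does not abort when the host key no longer matches known_hosts: it prints the warning, logs in with the key anyway, and drops every -L/-R request with "Port forwarding is disabled to avoid man-in-the-middle attacks." The session looks healthy, but the tunnel port never opens and curl sees Connection refused. The script scans ssh's saved stderr for exactly that condition; the sample stderr it writes is constructed (abbreviated, with placeholder fingerprint and paths), and amazon_public_ip is the placeholder from the question.

```shell
#!/bin/sh
# Added example: detect a tunnel that OpenSSH silently cancelled because the
# remote host key changed while StrictHostKeyChecking=no kept the login going.

# forwarding_cancelled FILE: exit 0 if FILE (ssh's stderr) shows a changed host
# key that cancelled port forwarding, 1 otherwise.
forwarding_cancelled() {
    grep -q 'REMOTE HOST IDENTIFICATION HAS CHANGED' "$1" &&
        grep -q 'Port forwarding is disabled' "$1"
}

# write_sample FILE KIND: constructed stderr standing in for a real
# "ssh -v ... 2>FILE" capture. KIND=changed reproduces the warning block
# OpenSSH prints (abbreviated); KIND=clean is a normal verbose session.
write_sample() {
    case "$2" in
    changed) cat >"$1" <<'EOF'
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
The fingerprint for the RSA key sent by the remote host is
SHA256:...
Offending RSA key in /home/user/.ssh/known_hosts:3
Password authentication is disabled to avoid man-in-the-middle attacks.
Port forwarding is disabled to avoid man-in-the-middle attacks.
EOF
        ;;
    clean) cat >"$1" <<'EOF'
debug1: Authentication succeeded (publickey).
debug1: Local connections to LOCALHOST:26 forwarded to remote address www.foo.com:80
EOF
        ;;
    esac
}

# Demo on the constructed sample. On a live host capture stderr instead:
#   ssh -v -o StrictHostKeyChecking=no -N -L 26:www.foo.com:80 ssh_tunnel@amazon_public_ip 2>/tmp/ssh.err
f=$(mktemp)
write_sample "$f" changed
if forwarding_cancelled "$f"; then
    echo "host key changed: ssh cancelled the -L forward, the tunnel port is not open"
    echo "verify the new fingerprint out of band, then drop the stale entry with:"
    echo "  ssh-keygen -R amazon_public_ip"
fi
rm -f "$f"
```

Before running ssh-keygen -R, compare the fingerprint in the warning with one obtained outside SSH: on EC2 the replacement instance's console output (System Log) prints its host key fingerprints at first boot. Deleting the entry on sight, as the answer did, defeats the one check that distinguishes a rebuilt instance from an interposed one, and StrictHostKeyChecking=no on a persistent tunnel is what let the mismatch go unnoticed in the first place.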
On my local machine I have an SSH tunnel setup for postgres like so:
ssh -fNL 5434:127.0.0.1:5432 user@host
Then running psql -h localhost --port 5434 works just fine and dandy, giving me a postgres terminal.
Then, on my VM (VirtualBox), I have the host vmhost defined as 192.168.56.1. SSHing into vmhost works fine and connects to the host.
But, running from the vm psql -h vmhost --port 5434 yields:
psql: could not connect to server: Connection refused
Is the server running on host "vmhost" (192.168.56.1) and accepting
TCP/IP connections on port 5434?
Is there some kind of SSH tunnel forwarding magic thing that's not happening here? How can I allow this to work?
You want to use the -g option when opening the SSH connection. Otherwise, only localhost itself can connect to the tunnel.
Use
ssh -fNL '*:5434:127.0.0.1:5432' user@host
Note the '*' used as the binding address.
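Three of the questions on this page share one symptom: curl to localhost works on the box, every other host gets Connection refused. The check below is an added example, not from any of the answers and not an OpenSSH tool. It reads a listener table in the format `ss -Hltn` prints (State Recv-Q Send-Q Local:Port Peer:Port, no header) and reports which addresses a TCP port is actually bound to. A loopback-only result explains the postgres case (-L without -g or a bind address) and the 7860 case (an -R forward binds the remote side to loopback unless the server's sshd_config sets GatewayPorts yes or clientspecified; the default is no), while an all-interfaces result, as in the CouchDB case, says the refusal is produced by something in front of the process rather than by the process. The sample listener lines are constructed; 192.168.56.1 is the VirtualBox host-only address from the postgres question and the other addresses and ports are assumed.

```shell
#!/bin/sh
# Added example: classify where a TCP port is listening from `ss -Hltn` output.
# Assumed ss column layout: State Recv-Q Send-Q Local:Port Peer:Port ...

# listener_scope PORT < ss-output
# Prints all-interfaces, loopback-only, "specific: ADDR...", or not-listening.
# Exit status: 0 all-interfaces, 2 specific, 3 loopback-only, 4 not-listening.
listener_scope() {
    awk -v port="$1" '
    {
        n = split($4, f, ":")                 # text after the last ":" is the port
        if (f[n] != port) next
        addr = substr($4, 1, length($4) - length(f[n]) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
            any = 1                           # reachable from other hosts
        else if (addr == "127.0.0.1" || addr == "[::1]")
            loop = 1                          # reachable from this host only
        else
            other = other (other == "" ? "" : " ") addr   # one interface only
    }
    END {
        if (any)         { print "all-interfaces"; exit 0 }
        if (other != "") { print "specific: " other; exit 2 }
        if (loop)        { print "loopback-only"; exit 3 }
        print "not-listening"; exit 4
    }'
}

# Constructed ss -Hltn output mirroring the questions above (addresses assumed):
#   7860  the -R forward as sshd binds it with GatewayPorts no
#   5984  CouchDB on 0.0.0.0, so a refusal from outside is not CouchDB's doing
#   5434  the -L forward from the postgres question, loopback only
#   5435  an -L forward bound to the host-only interface instead of '*'
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:7860     0.0.0.0:*
LISTEN 0 128 [::1]:7860         [::]:*
LISTEN 0 128 0.0.0.0:5984       0.0.0.0:*
LISTEN 0 128 127.0.0.1:5434     0.0.0.0:*
LISTEN 0 128 192.168.56.1:5435  0.0.0.0:*
EOF
}

# Demo on the constructed table. On a live host: ss -Hltn | listener_scope 5434
for p in 7860 5984 5434 5435; do
    printf '%-5s %s\n' "$p" "$(sample_listeners | listener_scope "$p")"
done
```

For the postgres question, the 5435 line is the shape to prefer: `ssh -fNL 192.168.56.1:5434:127.0.0.1:5432 user@host` binds the tunnel to the host-only interface the VM uses, whereas `'*:5434:...'` offers the database to every network the laptop is attached to. For the 7860 question, the server-side counterpart is `GatewayPorts clientspecified` in sshd_config (verify with `sshd -T | grep -i gatewayports`) together with `-R 0.0.0.0:7860:127.0.0.1:7860`; that exposes the forwarded app directly on the public IP, so it should have its own authentication or sit behind a reverse proxy on the server.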