ssh Port Forwarding Stopped Working

I have used ssh port forwarding in the past, and it has come in handy.


I have recently upgraded to Mavericks, but it does appear that my ssh port forwarding stopped some time before this. The last time I know it worked was 5/14/14, and feel it has worked more recently as well.


Here's what I do: from my Mac I ssh to my work jump server (port 22, let's say its IP is 11.22.33.44), and my jump server has access to my work PC (let's say its IP is 10.1.2.3). My work PC has RDP running on it on the common port 3389. I have verified that I can set up a working RDP session at work from another box. Also, I know that my jump server can get to my PC at work, as I can ping my work IP if I just ssh straight to my jump server. And I know that there is no firewall stopping me from the jump server, as I can also open a telnet session to my work PC on port 3389 without errors.


So, here's how I have done it in the past and it has worked, but now recently stopped working in Terminal app:


ssh -f me@11.22.33.44 -L 3388:10.1.2.3:3389 -Nnv


The verbose logging shows that it sets up connectivity. If I then look to see if my local port is listening I can type:


netstat -an | grep 127.0


I will note that port 3387 is in fact LISTENing and waiting for a connection.


I then start my RDP client app, and start a session to "localhost:3387" (I could also use "127.0.0.1:3387", and have, but it does not work either). My RDP client eventually times out. I have turned my firewall off and on, neither way works.


Does anyone know why this may have stopped working?

Your input is most appreciated.


The verbose log shows the following is setup appropriately (with noted modifications to server names and actual IPs):


debug1: Authentication succeeded (keyboard-interactive).

Authenticated to somewhere.net ([11.22.33.44]:22).

debug1: Local connections to localhost:3387 forwarded to remote address 10.1.2.3:3389

debug1: Local forwarding listening on 127.0.0.1 port 3387.

Posted on Sep 2, 2014 8:49 PM

5 replies

Sep 3, 2014 4:00 AM in response to ChazH

Unfortunately I don't have another device to test if RDP is working on my LAN, however, when I check out my network connections and this is what I see after setting up the ssh tunnel and prior to attempting the RDP connection (again names protected):


my-rmbp:~ me2$ netstat -an | grep 127.0

tcp4 0 0 127.0.0.1.3387 *.* LISTEN


Then, as it is difficult to catch in the middle of TCP 3-way handshaking, here's what happens after an attempt with the RDP client while it sits and spins:


my-rmbp:~ me2$ netstat -an | grep 127.0

tcp4 0 0 127.0.0.1.3387 127.0.0.1.50323 FIN_WAIT_2

tcp4 0 0 127.0.0.1.50323 127.0.0.1.3387 CLOSE_WAIT

tcp4 0 0 127.0.0.1.3387 *.* LISTEN


You can clearly see it's attempting to make a connection over the tunnel via my RDP client, but it's being shut down right away. I will obtain a WireShark packet capture and see exactly what's happening. Oh, and if I tried to RDP to a port other than the one I set up the port forwarding tunnel with, RDP would disconnect right away.


What I'm most interested in is why, without any known changes, other than OS updates, did this work a few months ago, and now it does not?


I have also tried other ssh port forwarding tests, such as forwarding 8080 on localhost to port 80 on www.apple.com, and others, and none of those work with web browsers either. I assume this is something Apple has done to disable ssh port forwarding/tunneling. Perhaps someone else has bumped into this and found a fix? Please share!


Also, I have heard that you have to be root in order to set up port forwarding, but clearly this is not accurate, as it worked before, and also as you can see above it worked without root. But I tried both ways, and sadly neither worked.


Could it be my jump server? Possibly, but others at work do this and it works just fine for them from their Windoze PCs. So it can't be that either.


Perhaps my capture will tell me, I'll report back here with what I discover. Thanks in advance!

Sep 3, 2014 6:21 AM in response to ChazH

I do not have an answer, but I can tell you that ssh port forwarding is working for me under Mavericks. I use it to tunnel VNC connections between my Macbook Pro and my Mom's iMac 300 miles away, as well as tunneling into my office iMac from home.


HOWEVER, I do not use an intermediate gateway system, I just ssh directly to the target system and use the Tunnel to make sure my VNC connection is encrypted.


ssh -L 44422:localhost:22 moms_username@moms.dynamic.dns.name

open vnc://localhost:44422


Similar connection for work iMac.


I've used both just last week.


Your setup is a secure ssh tunnel between you and the gateway system 11.22.33.44; then the gateway system makes an open (unencrypted) connection to your work system 10.1.2.3.


Things that can go wrong are, of course, your connection to the gateway, but you seem to have diagnosed that fairly well. But there is also the hop from the gateway system to your work system. And of course there is your work system itself.


Since you can interactively ssh into the gateway system, you might want to do some network checks between the gateway and your work system. For example, see if the work system's RDC ports are responding correctly when you are trying to make your tunneled RDC connection.


Also, if you want to verify that ssh port forwarding is working OK, you could try tunneling some other protocol over the tunnel to another cooperative system. I once used 3 successive ssh commands to tunnel through several gateway systems (just for fun, but it was a way to show tunneling was working and that I understood how it worked). For example, do you have VNC available that you could experiment with? I know VNC is not as robust as RDC, and does not send sound, but as an experiment it could be useful.
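The original post's setup (ssh -L LPORT:RHOST:RPORT user@jump, then netstat to confirm the listener) and this reply's advice to check the gateway-to-work-system hop lend themselves to a small checklist script. The following is an added example, not code from the thread or from Apple: it parses the -L spec, confirms the listener in netstat -an output, and scans ssh -v output for the "open failed" lines OpenSSH prints when the jump host cannot complete the forwarded connection (which is exactly the symptom of a local listener that accepts and then drops the RDP client). The sample netstat and ssh lines are constructed to mirror the thread; the two live probes at the end assume nc is installed locally and on the jump host.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a local forward of
# the form  ssh -L LPORT:RHOST:RPORT user@jump  before pointing RDP at it.

# Split an -L spec ("3388:10.1.2.3:3389" or "127.0.0.1:3388:10.1.2.3:3389")
# into "LPORT RHOST RPORT". Returns 1 for anything else.
parse_forward_spec() {
    case "$1" in
        *:*:*:*) printf '%s\n' "$1" | awk -F: '{print $2, $3, $4}' ;;
        *:*:*)   printf '%s\n' "$1" | awk -F: '{print $1, $2, $3}' ;;
        *)       return 1 ;;
    esac
}

# 0 if netstat -an output on stdin shows a LISTEN socket on 127.0.0.1 at $1.
# macOS prints "127.0.0.1.3387", Linux "127.0.0.1:3387"; both forms match.
listening_on() {
    grep -E "127\.0\.0\.1[.:]$1[[:space:]].*LISTEN" >/dev/null
}

# Count ssh -v lines (stdin) in which the jump host reports it could not open
# the forwarded connection. "connect failed" = jump host cannot reach
# RHOST:RPORT; "administratively prohibited" = sshd has AllowTcpForwarding
# disabled. Either explains a tunnel that listens locally but drops clients.
count_open_failures() {
    grep -c -E 'open failed: (connect failed|administratively prohibited)' || true
}

# Combined check: spec parses, local port is unprivileged (no root needed, as
# the last reply says), listener is present, and no open failures were logged.
check_forward() {
    spec=$1; netstat_out=$2; ssh_log=$3
    parsed=$(parse_forward_spec "$spec") || { echo "bad -L spec: $spec"; return 1; }
    set -- $parsed
    lport=$1; rhost=$2; rport=$3
    case "$lport" in ''|*[!0-9]*) echo "bad local port: $lport"; return 1 ;; esac
    [ "$lport" -lt 1024 ] && { echo "port $lport needs root to bind"; return 1; }
    printf '%s\n' "$netstat_out" | listening_on "$lport" \
        || { echo "no listener on 127.0.0.1:$lport"; return 1; }
    n=$(printf '%s\n' "$ssh_log" | count_open_failures)
    [ "$n" -eq 0 ] \
        || { echo "$n forwarded connection(s) failed at the jump host toward $rhost:$rport"; return 1; }
    echo "forward $lport -> $rhost:$rport looks healthy"
}

# Live probes (assume nc on both ends; not exercised offline). The second is
# the check the reply above recommends: can the jump host itself reach RDP?
probe_local()    { nc -z -w 3 127.0.0.1 "$1"; }          # probe_local LPORT
probe_via_jump() { ssh "$1" nc -z -w 3 "$2" "$3"; }     # probe_via_jump user@jump RHOST RPORT

# Constructed sample data modelled on the thread's output.
SAMPLE_NETSTAT='tcp4 0 0 127.0.0.1.3387 *.* LISTEN'
SAMPLE_SSH_OK='debug1: Local forwarding listening on 127.0.0.1 port 3387.'
SAMPLE_SSH_BAD='debug1: Local forwarding listening on 127.0.0.1 port 3387.
channel 2: open failed: connect failed: Connection refused'

# Demo: healthy forward, then one whose client connection the jump host refused.
check_forward 3387:10.1.2.3:3389 "$SAMPLE_NETSTAT" "$SAMPLE_SSH_OK"
check_forward 3387:10.1.2.3:3389 "$SAMPLE_NETSTAT" "$SAMPLE_SSH_BAD" || :
```

In practice you would feed check_forward the real output of netstat -an and of the ssh -v session (keep ssh in the foreground with -v and read its stderr while the RDP client connects); an "open failed: connect failed" line points at the gateway-to-work-system hop, not at the Mac.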

Sep 3, 2014 7:59 AM in response to ChazH

I don't have another device to test if RDP is working on my LAN

I'm suggesting that you take the Mac to work and test it there.

What I'm most interested in is why, without any known changes, other than OS updates, did this work a few months ago, and now it does not?

If you're asking whether SSH port forwarding is intrinsically broken in Mavericks, it isn't.

I have heard that you have to be root in order to set up port forwarding

Only to bind a privileged port, which is not what you're doing.
