help with ssh tunneling
forkies (op)
Mar 6, 2003, 02:42 AM
 
I can't access certain ports on my college network connection (like all of the file sharing apps) and UDP is completely axed.

Some things I'd like to do with ssh tunneling:

access TCP & UDP port 6112
access TCP port 5500
access TCP port 6346

I've tried going through some tutorials but they are confusing as hell with local, remote, this port that server, blech

I'd appreciate any help

Mystical, magical, amazing! | Part 2 | The spread of Christianity is our goal. -Railroader
     
Camelot
Mar 6, 2003, 10:46 AM
 
SSH tunneling is pretty straightforward. There are two forms, local and remote, but I'll only discuss local forwarding here since it's a little easier to set up.

In general, it uses 3 systems, the source machine (where you are), the target machine (you're trying to connect to) and the SSH host.

The target and ssh host can be the same machine; this lets you securely access services on that machine over ssh, even though the protocol itself doesn't support encryption (e.g. FTP).

In addition to the systems themselves, you need to provide two port numbers - one on the local (source) system and one on the target.

The two port numbers identify which port on the local machine should be forwarded to the remote machine.

Putting it all together, say you want to connect to port 5500 on the machine at target.domain.dom using the machine ssh.domain.dom as the ssh proxy, you'd:

ssh -L 5500:target.domain.dom:5500 ssh.domain.dom

This opens an ssh connection to ssh.domain.dom and listens on port 5500 on your machine. Any connections to localhost:5500 get forwarded over the ssh connection and relayed to port 5500 on target.domain.dom.

Note that the port numbers can be different on the local and remote ends, so you could use:

ssh -L 12345:target.domain.dom:5500 ssh.domain.dom

and connections to localhost:12345 would be relayed to port 5500 on the target host.

Just remember that the hostname specified in the relaying options is relative to the ssh host, not your machine. This can be useful for using an SSH tunnel to get to a private or internal system behind the ssh gateway.

Additionally, if the target machine is the same as the ssh host, you can use 'localhost' as the target name, so:

ssh -L 12345:localhost:5500 ssh.domain.dom

will relay localhost:12345 connections to port 5500 on ssh.domain.dom

Hope that helps.
Gods don't kill people - people with Gods kill people.
     
forkies (op)
Mar 6, 2003, 12:32 PM
 
I have a couple more questions:

1) Does this in fact forward all traffic on the specified port, including UDP?
2) Is there a way to forward ranges of ips, or perhaps all traffic?

Thank you very much for your clarifications on this!

GHPorter
Mar 8, 2003, 05:06 PM
 
Another thing to keep in mind is that your school may have intentionally blocked certain ports. There is an amazingly large amount of hacking going on worldwide, and without some control over the network, like blocking particularly troublesome ports, the network could be rendered useless by the hackers. In particular, those filesharing ports tend to do two very notable things: hog bandwidth and bring in malicious logic. The virus writers are starting to use peer to peer filesharing as a conduit for distributing their malware, with KaZaA being the biggest victim/enabler right now as far as I know.

The bottom line is that if you set everything right and it still doesn't work, you're probably blocked. Sorry, but blame the pirates and hackers.
Glenn -----
OTR/L, MOT, Tx
     
forkies (op)
Mar 22, 2003, 02:16 PM
 
Is it possible to tell ssh to forward any IP that wants to use a specific port? For example, to use a filesharing network like Gnutella, wouldn't I need to set up an ssh tunnel for each IP my computer might talk to?

GHPorter
Mar 22, 2003, 03:37 PM
 
You may be able to get the IPs to show up, but if the pipe to the Internet is specifically blocking ports you want, you won't get the data you want.
forkies (op)
Mar 23, 2003, 01:55 AM
 
Seriously, how does that answer my above question? If anyone can be of a bit more help than "don't do it, the network admins might not like it" or "don't even bother trying" I'd really appreciate it.

I'm wondering if I can forward a range of IPs with one port. Specifically for StarCraft, which requires traffic to multiple IPs on port 6112.

GHPorter
Mar 23, 2003, 07:18 PM
 
I'm not saying don't try, just don't be surprised if things don't work. Camelot gave some pretty basic instructions for you to play with, and as I wrote earlier, if you do everything right and it still doesn't work, you can expect that the problem is that the network won't let you do what you want; I'm trying to give you a valid explanation for why things might not work. You're trying to do things with specific ports that may be blocked by the school's firewall, or may be redirected to some other port through a proxy; both situations would be in place to ensure the security of the school's network.

About two weeks ago somebody broke into the University of Texas' system and got lots of private information, more than enough for identity theft, on tens of thousands of faculty, staff, and students. Schools have to take these steps to keep from being liable for the loss of this data. Many schools block everything above port 1024, and selectively block a lot of ports below 1024 for security reasons.

Further, as I mentioned earlier, schools have to worry about the use of certain ports, specifically those used by peer-to-peer applications. It would be very useful if we could simply identify pirates and block them, but we can't, so the next safest thing for a school, company, etc. is to block the ports that pirates use.
forkies (op)
Mar 23, 2003, 09:00 PM
 
omg why are you torturing me like this?

Xeo
Mar 23, 2003, 09:10 PM
 
Originally posted by GHPorter:
I'm not saying don't try, just don't be surprised if things don't work. Camelot gave some pretty basic instructions for you to play with, and as I wrote earlier, if you do everything right and it still doesn't work, you can expect that the problem is that the network won't let you do what you want; I'm trying to give you a valid explanation for why things might not work. You're trying to do things with specific ports that may be blocked by the school's firewall, or may be redirected to some other port through a proxy; both situations would be in place to ensure the security of the school's network.

About two weeks ago somebody broke into the University of Texas' system and got lots of private information, more than enough for identity theft, on tens of thousands of faculty, staff, and students. Schools have to take these steps to keep from being liable for the loss of this data. Many schools block everything above port 1024, and selectively block a lot of ports below 1024 for security reasons.

Further, as I mentioned earlier, schools have to worry about the use of certain ports, specifically those used by peer-to-peer applications. It would be very useful if we could simply identify pirates and block them, but we can't, so the next safest thing for a school, company, etc. is to block the ports that pirates use.
I'm sure you realize that what you're saying isn't all true. Yes, schools have to protect their systems and do so by blocking different protocols, ports, types of packets, or any combination of those. However, if you have a computer on the inside, a computer on the outside, and at least one fully open port in between, you can bypass the restrictions with a little work.

Forkies and I both know this works on a single IP, single port basis, but what forkies is asking is if you can take a range of IPs on a single port and forward them to yourself using SSH tunneling. It works on a single IP basis. Can it be done for a range?

Unfortunately you aren't addressing the question. We're not saying it doesn't work, so we don't need reasons why it might not work. We are looking for the possibility and if so, how? What are the flags we use for SSH? What's the specific command we should use to forward a range?
     
GHPorter
 
Originally posted by Xeo:
I'm sure you realize that what you're saying isn't all true.
It's true that not all schools, hospitals, companies, etc., have found it necessary to control the use of their networks to the extent that I have mentioned. However, that is the trend: more control over what the users on the network can access. My point in my posts was to identify a major stumbling block, not to paint a picture of utter gloom and despair.

Forkies and I both know this works on a single IP, single port basis, but what forkies is asking is if you can take a range of IPs on a single port and forward them to yourself using SSH tunneling. It works on a single IP basis. Can it be done for a range?
I have never messed with SSH beyond the single IP/single port scenario, so I can't add anything to whether SSH can handle a range of ports. However, a little research turns up the fact that most of the instructions for using SSH indicate only limited numbers of port forwarding options; that is, you seem to have to select a protocol and then forward ports individually, as opposed to as a group.

Unfortunately you aren't addressing the question. We're not saying it doesn't work, so we don't need reasons why it might not work. We are looking for the possibility and if so, how? What are the flags we use for SSH? What's the specific command we should use to forward a range?
My apologies; I had misinterpreted forkies' posts to indicate that it wasn't working. Northeastern University has instructions about using SSH to connect to their mail servers, and they provide this example command line entry:
ssh -L 110:mail.ccs.neu.edu:110 -L 25:mail.ccs.neu.edu:25
This makes it look to me that you should be able to forward as many ports as you can fit on the command line, but you have to forward them one by one.
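The thread never quite closes the loop on Camelot's -L explanation and forkies' two questions (UDP, and "any IP on one port"). The script below is an added example written for this page; it is not Camelot's, Northeastern's or OpenSSH's own code. It only composes and sanity-checks an ssh command line, it does not run ssh, and it uses the thread's placeholder hostnames (ssh.domain.dom, target.domain.dom) and the NEU port numbers. It encodes three facts a practitioner wants before fighting the school firewall: OpenSSH -L and -D carry TCP only, so a UDP port such as the OP's 6112 cannot be pushed through either; local ports below 1024 (the 110 and 25 in the NEU line) can only be bound by root on the client; and the "many IPs, one port" case is what -D (a SOCKS listener) is for, provided the application can be pointed at a SOCKS proxy. ExitOnForwardFailure=yes makes ssh exit instead of silently continuing when a local port is already taken.

```shell
#!/bin/sh
# tunnel.sh: compose and sanity-check one ssh command that carries several
# local forwards (-L) or one dynamic forward (-D). Added example for this
# thread, not Camelot's, Northeastern's or OpenSSH's script; it only prints
# the command. Hostnames are the thread's placeholders.

# A TCP port is an integer in 1..65535.
check_port() {
    case "$1" in
        ''|*[!0-9]*) echo "port must be numeric, got '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "port out of range 1-65535: $1" >&2; return 1
    fi
}

# One -L spec is LPORT:HOST:RPORT. HOST is resolved by the ssh host, not by
# the local machine, so 'localhost' means the ssh host itself.
# Bracketed IPv6 hosts are deliberately not handled here.
check_forward() {
    case "$1" in
        *:*:*:*|*::*|:*|*:) echo "bad spec '$1' (want LPORT:HOST:RPORT)" >&2; return 1 ;;
        *:*:*) ;;
        *) echo "bad spec '$1' (want LPORT:HOST:RPORT)" >&2; return 1 ;;
    esac
    fwd_lport=${1%%:*}
    fwd_rest=${1#*:}
    fwd_host=${fwd_rest%%:*}
    fwd_rport=${fwd_rest#*:}
    case "$fwd_host" in
        *[!A-Za-z0-9.-]*) echo "bad host name '$fwd_host'" >&2; return 1 ;;
    esac
    check_port "$fwd_lport" && check_port "$fwd_rport"
}

# Local ports below 1024 (the 110 and 25 in the NEU example) can only be
# bound by root on the client. Call after check_forward has accepted the spec.
needs_root() {
    [ "${1%%:*}" -lt 1024 ]
}

# ssh -L and -D carry TCP only. UDP (the OP's port 6112) never goes through an
# ssh port forward, so reject it up front instead of debugging a silent failure.
check_proto() {
    case "$1" in
        tcp|TCP) return 0 ;;
        udp|UDP) echo "ssh -L/-D forward TCP only; UDP port $2 cannot be tunnelled this way" >&2; return 1 ;;
        *) echo "unknown protocol '$1'" >&2; return 1 ;;
    esac
}

# build_cmd SSHHOST SPEC [SPEC...]: one session, as many -L flags as given.
#   -N                           no remote shell; the session exists only for the forwards
#   -o ExitOnForwardFailure=yes  fail loudly if a local port cannot be bound (e.g. already in use)
build_cmd() {
    ssh_host=$1; shift
    [ $# -ge 1 ] || { echo "usage: build_cmd SSHHOST LPORT:HOST:RPORT [...]" >&2; return 1; }
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    for spec in "$@"; do
        check_forward "$spec" || return 1
        if needs_root "$spec"; then
            echo "note: local port ${spec%%:*} is below 1024; run as root or pick a higher port" >&2
        fi
        cmd="$cmd -L $spec"
    done
    printf '%s %s\n' "$cmd" "$ssh_host"
}

# build_socks_cmd SSHHOST LPORT: the answer to "any IP on one port". A single -D
# listener is a SOCKS proxy: point the application at localhost:LPORT and the
# ssh host connects to whichever TCP host:port the application asks for.
# Works only for applications (or wrappers) that speak SOCKS, and only for TCP.
build_socks_cmd() {
    check_port "$2" || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -D %s %s\n' "$2" "$1"
}

# Usage: sh tunnel.sh SSHHOST LPORT:HOST:RPORT [LPORT:HOST:RPORT...]
# e.g.   sh tunnel.sh ssh.domain.dom 12345:target.domain.dom:5500 6346:localhost:6346
if [ $# -ge 2 ]; then
    build_cmd "$@"
fi
```

Running it with the thread's examples prints a single ssh line carrying both forwards; feeding it 5500:target.domain.dom (no remote port) or a UDP request is rejected before ssh is ever started. The -D variant is the one to reach for when the client will talk to many peers on one port, but it still does nothing for UDP, so a blocked UDP 6112 stays blocked whatever ssh options are used.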
All contents of these forums © 1995-2011 MacNN. All rights reserved.