I have a running instance on host2 on port p2. I want to access it through localhost:p2.
I can ssh to host1 with h1.pem and from host1 I can ssh to host2 with h2.pem.
I believe you are describing a situation where you have access from localhost (host h0) to host h1 (IP address a.a.a.a), and host h1 has access to host h2 (IP address b.b.b.b), but h0 does not have connectivity to host h2.
You want to connect from h0 to h2 via h1, and establish a TCP tunnel from a port on h0 to a destination port on h2.
I will teach you how to catch this fish, rather than just catching one for you.
First, assuming for a moment that you did have direct access from h0 to h2, how would you make an SSH connection?
You would connect like this:
ssh -i h2.pem h2user@b.b.b.b
...and you could establish a tunnel like this...
ssh -i h2.pem h2user@b.b.b.b -L 31337:127.0.0.1:3306
This would accept connections on h0 port 31337 and connect them to h2's loopback adapter 127.0.0.1 on port 3306.
I believe this is what you want.
But, you don't have direct access to h2, so you need to proxy the SSH connection via h1.
From h0, we can connect to h1 like this:
ssh -i h1.pem h1user@a.a.a.a
So we take that info, and tell SSH that we want to use it to create a ProxyConnection to h1, where we'll run the nc command, which establishes a remote connection and ties its payload back to stdin and stdout. SSH will pass the hostname and SSH port of h2 to nc running on h1, which will pass back to us on the SSH connection to h1, which we will use to speak SSH to h2. We pass this as ProxyCommand to our ssh attempt from h0 to h2.
'-o ProxyCommand=ssh -i h1.pem h1user@a.a.a.a nc %h %p'
Putting it all together (line breaks for clarity):
ssh '-o ProxyCommand=ssh -i h1.pem h1user@a.a.a.a nc %h %p' \
-i h2.pem \
h2user@b.b.b.b \
-L 31337:127.0.0.1:3306
And there you have it.
Under the hood, h0 makes an ssh connection to h1, where it runs nc b.b.b.b 22. SSH on h0 uses these streams to create a second ssh session to h2 via the connection it already has to h1. The tunnel is negotiated directly with h2 over this connection.
Note that in this scenario, both of the keys h1.pem and h2.pem are on your local machine. The h2.pem key does not need to be present on h1 at all.
Note also that this has nothing to do with AWS. It's just standard SSH usage.
You can add the -N option to the end of the command if you just want to allow the tunnels but you don't want or need to start a shell on h2.
Or if you want a spiffy little monitor showing that your tunnel is still up, you can add this to the very end of the complete ssh command shown above. Be sure to include all of the ' exactly as shown.
'perl -MPOSIX -e '\''$|=1; while(sleep(1)){ print "\e[0GConnected " . POSIX::strftime("%Y-%m-%d %H:%M:%S",gmtime)}'\'''
This will show a continuously updating message on the console of h0 "Connected YYYY-mm-dd HH:MM:SS" message confirming that your connection is still established end to end.
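The same h0 -> h1 -> h2 chain and tunnel can live in an ssh_config file instead of a long command line. The script below is an added example, not code from the answer above: it writes such a config and then asks the ssh client (with ssh -G, which resolves the configuration without connecting) what it will actually use for h2. a.a.a.a, b.b.b.b, h1user/h2user and the .pem names are the answer's placeholders; the Host aliases h1/h2 and the ~/.ssh key paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer above): the h0 -> h1 -> h2 chain and the
# -L tunnel expressed in an ssh_config file, plus a check of what the client
# actually resolves. a.a.a.a, b.b.b.b, h1user/h2user and the .pem names are the
# answer's placeholders; the aliases "h1"/"h2" and the ~/.ssh key paths are assumed.

write_jump_config() {
  # $1 = path of the config file to write
  cat > "$1" <<'EOF'
Host h1
    HostName a.a.a.a
    User h1user
    IdentityFile ~/.ssh/h1.pem

Host h2
    HostName b.b.b.b
    User h2user
    IdentityFile ~/.ssh/h2.pem
    # OpenSSH 7.3+: ProxyJump does what "ProxyCommand ssh h1 nc %h %p" does,
    # without needing nc on h1. Both keys stay on h0; nothing is copied to h1.
    ProxyJump h1
    # same as "-L 31337:127.0.0.1:3306": h0:31337 -> h2's loopback, port 3306
    LocalForward 31337 127.0.0.1:3306
EOF
}

config_option() {
  # $1 = config file, $2 = host alias, $3 = option name as "ssh -G" prints it (lowercase)
  # "ssh -G" resolves the config without connecting; prints nothing if ssh is missing
  command -v ssh >/dev/null 2>&1 || return 0
  ssh -G -F "$1" "$2" 2>/dev/null |
    awk -v k="$3" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# Stand-alone run: write the config to a temp dir and show how the client resolves h2.
# The tunnel itself would then be started with:  ssh -N -F "$cfg" h2
demo() {
  dir=$(mktemp -d) || return 1
  cfg="$dir/config"
  write_jump_config "$cfg"
  for k in hostname user proxyjump localforward; do
    printf '%-13s %s\n' "$k" "$(config_option "$cfg" h2 "$k")"
  done
  rm -rf "$dir"
}

demo
```

With the stanzas in ~/.ssh/config, plain `ssh -N h2` makes both hops and opens the tunnel; as the answer notes, both keys are read on h0 and nothing has to be installed on h1 beyond sshd.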
I used to have an ssh reverse port forwarding from my local computer to a remote EC2 AWS server on port 9999. (9999 for both machines.)
It used to work, but I created a new instance, and now it doesn't anymore. (Half working.) I'm not sure what I did to make it work back then... (Or something was changed.)
I have a process running on my computer on port 9999 and I want it to listen to the port 9999 of my EC2.
On my computer, curl "127.0.0.1:9999" is working.
But I want the code curl "ec2-xx-xx-xx-xx-xx.compute.amazonaws.com:9999" to work, for now it doesn't, giving me the error curl: (7) Failed to connect to ec2-xx-xx-xx-xx-xx.compute.amazonaws.com port 9999 after 59 ms: Connection refused
EC2 Security group is set to open 9999 on TCP for 0.0.0.0/0.
I create the forwarded port with the command:
ssh -R 9999:localhost:9999 -i "/home/example/XXX.pem" ubuntu@ec2-xx-xx-xx-xx-xx.compute.amazonaws.com
The connection ssh is established without errors.
Inside this ssh session I can even do curl "127.0.0.1:9999" inside and IT IS WORKING. Reaching my local computer.
But the request from the web isn't... (curl "ec2-xx-xx-xx-xx-xx.compute.amazonaws.com:9999" doesn't work...)
The path is good, if I install apache2 on port 80 curl "ec2-xx-xx-xx-xx-xx.compute.amazonaws.com:80" is working. (port 80 is added the same way to the security group)
I did sudo ufw disable, same problem.
Do you have an idea what I'm missing?
EDIT: On the ssh -R forward session on the EC2:
ubuntu@awsserver:~$ php -S 0.0.0.0:9999 -t .
[Wed Dec 14 16:35:11 2022] Failed to listen on 0.0.0.0:9999 (reason: Address already in use)
BUT, if I open a normal ssh session, I can run php -S 0.0.0.0:9999 -t ., the code curl "ec2-xx-xx-xx-xx-xx.compute.amazonaws.com:9999" is working everywhere as expected.
So... it is telling me that the port is already used (By the ssh -R command), but is closed when I try to connect to it... I don't get it.
The answer wasn't EC2/AWS related.
It's a security feature from SSH that I had to disable: GatewayPorts yes
This is an odd scenario. Essentially, within a vpc, I am attempting to create an ssh tunnel from server A to server B in which server B hosts the api at port 9000, and server A wants to be able to reverse proxy to port say 5000 which should pass the query to server B's port 9000, and return data. I have been tearing my hair out. I currently have gotten this far:
ssh 3000:localhost3000 -vvv -N -i rsa.pem serverB@serverBIP
after which I have attempted to access the port 22 on server A using a curl request but I got a response -- curl: (1) Received HTTP/0.9 when not allowed
I also tried specifying a port
ssh -vvv -N -i rsa.pem serverB@serverBIP -p3000
which quits on me entirely with the response: ssh: connect to host serverBIp port 3000: No route to host
Finally, I tried
ssh -vvv -N -i workstation_pem.pem 3000:localhost:3000 serverBUser@serverBID
which results in Could not resolve hostname 3000:localhost:3000: Name or service not known
Please advise, I am not sure what I am doing wrong. I feel like this should be simple, but I am struggling to get it to work - a simple tunnel from one instance to another at a port to port on server B where serverB has a gunicorn server running
You would need to login to ServerA and then run this command:
ssh -i key.pem -N -L 5000:serverBIP:9000 serverBUser@serverBIP
This tells the computer on which it is run (which is ServerA) to listen on port 5000 and send any incoming requests to port 9000 on ServerB.
Detailed explanation: explainshell.com - ssh -i key.pem -N -L 5000:serverBIP:9000 serverBUser@serverBIP
See also: SSH/OpenSSH/PortForwarding - Community Help Wiki
Best
Basically, I have the following line of code:
ssh -i AWS-EC2.pem -o ProxyCommand='ssh -i Server-Key abc@52.00.00.00 nc %h %p' AWS-User@99.00.00.00
But, what I would like to have, (And not able to do (yet)) is, to create a connection from my windows 10 pc with the AWS-EC2 server via PuTTY.
In general, we have 1 server which you can only access with a key "Server-Key", and via this connection, we should be able to connect with the AWS-EC2-server via AWS-EC2.pem
Thus:
my_pc --- Server-key ---> Server --- AWS-EC2.pem ---> AWS-EC2-server
I already made 2 ppk files from the Server-key & AWS-EC2.pem
kind regards
To solve this problem,
ssh -i AWS-EC2.pem -o ProxyCommand='ssh -i Server-Key abc@52.00.00.00 nc %h %p' AWS-User@99.00.00.00
whereby you have two keys (AWS-EC2.pem and Server-key),
you have to configure your PuTTY as follows. Also don't forget to generate 2 ppk files with the PuTTY key generator.
I have just created an EC2 instance on a brand new AWS account, behind a security group, and loaded some software on it. I am running Sinatra on the machine on port 4567 (currently), and have opened that port in my security group to whole world. Further, I am able to ssh into the EC2 instance, but I cannot connect on port 4567. I am using the public IP to connect:
shakuras:~ tyler$ curl **.***.**.***:22
SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.1
curl: (56) Recv failure: Connection reset by peer
shakuras:~ tyler$ curl **.***.**.***:4567
curl: (7) Failed connect to **.***.**.***:4567; Connection refused
But my webserver is running, since I can see the site when I curl from localhost:
ubuntu@ip-172-31-8-160:~$ curl localhost:4567
Hello world! Welcome
I thought it might be the firewall but I ran iptables and got:
ubuntu@ip-172-31-8-160:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I'm pretty lost on what is going on here. Why can't I connect from the outside world?
Are you sure that the web server is listening on other interfaces than localhost?
Check the output of
netstat -an | grep 4567
If it isn't listening on 0.0.0.0 then that is the cause.
This sounds like issue with the Sinatra binding. Could check this and this and even this link which talks about binding Sinatra to all IP addresses.
You are listening on 127.0.0.1 based on your netstat command. The output should be something like this:
tcp 0 0 :::8080 :::* LISTEN
Can you post your Sinatra configs? What are you using to start it ?
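Both this thread and the earlier GatewayPorts one fail the same way: the security group is open, but the listener on the instance (Sinatra here, the sshd-created end of `ssh -R 9999:localhost:9999` there) is bound to 127.0.0.1, so nothing outside the host can reach it. The script below is an added example, not from either thread: it classifies a port's binding from `ss -ltn` or `netstat -an` output and prints the matching fix. The listener tables are constructed samples.

```shell
#!/bin/sh
# Added example (not from either thread): classify what a listening port is
# bound to, from "ss -ltn" or "netstat -an" output. Both threads above hit the
# same failure: the service (Sinatra) or the "ssh -R" listener is bound to
# 127.0.0.1, so the security group never comes into play. Samples are constructed.

# bind_scope PORT  < listener-table   ->  prints all | loopback | specific | none
bind_scope() {
  awk -v port="$1" '
    /LISTEN/ {
      n = split($4, a, ":"); p = a[n]          # port is after the last colon
      if (p != port) next
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]") all = 1
      else if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") lo = 1
      else other = 1                            # a single interface address
    }
    END {
      if (all) print "all"; else if (lo) print "loopback"
      else if (other) print "specific"; else print "none"
    }'
}

# diagnose PORT < listener-table : one-line verdict for the port
diagnose() {
  case "$(bind_scope "$1")" in
    all)      echo "port $1: listening on all interfaces; if still unreachable check the security group / host firewall" ;;
    loopback) echo "port $1: loopback only; bind the app to 0.0.0.0, or for an ssh -R listener set GatewayPorts yes in sshd_config" ;;
    specific) echo "port $1: bound to one address only; make sure it is the instance's private IP" ;;
    none)     echo "port $1: nothing is listening" ;;
  esac
}

# Constructed "ss -ltn" snapshot: sshd on all interfaces, Sinatra on loopback,
# and the remote end of "ssh -R 9999:localhost:9999" on loopback (GatewayPorts no).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    127.0.0.1:4567      0.0.0.0:*
LISTEN 0      128    127.0.0.1:9999      0.0.0.0:*
LISTEN 0      128    [::1]:9999          [::]:*'

# Constructed "netstat -an" line in the format quoted in the answer (:::8080 = every v6 address)
SAMPLE_NETSTAT='tcp        0      0 :::8080                 :::*                    LISTEN'

for p in 22 4567 9999 80; do
  printf '%s\n' "$SAMPLE_SS" | diagnose "$p"
done
printf '%s\n' "$SAMPLE_NETSTAT" | diagnose 8080
```

On a real instance run `ss -ltn | diagnose 4567` (or `netstat -an | diagnose 4567`). A loopback-only result means no amount of security-group editing will help; for an app, bind it to 0.0.0.0 (or the private IP), and for a reverse tunnel, set `GatewayPorts yes` in sshd_config as the earlier thread found, keeping in mind that this exposes the tunnelled service to whatever the security group allows.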
This does not work on a simple Amazon AMI, with installation as shown in http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-install.html
Steps 1, 2 and 3 work (agent installation and starting the daemon) as shown
[ec2-user@ip-<ip> ~]$ curl http://localhost:51678/v1/metadata
curl: (7) Failed to connect to localhost port 51678: Connection refused
In fact netstat shows some listening TCP ports, but not one that I am able to connect to, and definitely not 51678 TCP.
If you're using Amazon EC2 and have made sure that you have a security rule in Custom TCP for 0.0.0.0 in security groups, and still can't connect, try adding 0.0.0.0 to the first line of /etc/hosts by
sudo nvim /etc/hosts
add space to the last ip on the first line, and it should look like
127.0.0.1 localhost 0.0.0.0
For some reason my Vagrant/Puppet instance stopped working out of the blue--I am no longer able to reach the VM from my host machine, despite no configuration or network changes.
Interestingly, the private network must be recognized as the browser is attempting to connect, however the request seems to be timing out when issued from OSX... Also worth noting, I have not installed any system updates at this time. The VM was working previously on 10.9.
Steps I have tried to resolve the issue:
vagrant destroy && vagrant up
Result: Vagrant loads properly, SSH works and apache is running with the proper result returned from ping 127.0.0.1
vagrant reload
Result: Same as above; VM reloads successfully, no change in network accessibility
sudo killall -HUP mDNSResponder
Result: No change in accessibility via the bound IP (10.0.0.100)
Port forwarding (explicit) vs "private_network" in vagrant file
Result: No change in accessibility via the bound IP (10.0.2.15)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Result: No change in accessibility via the bound IP, connection still times out
Vagrant File: http://pastebin.com/Hk8drWxF
Puppet File: http://pastebin.com/20Sp1m22
Any thoughts? Thanks!
Could this be an issue with the netmask? You specify 2 IPs there: 10.0.0.100 and 10.0.2.15. If you're using the default subnet (class C) you would end up on different subnets and be unable to speak directly to each other.