Bind SSH client to two different host addresses
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I have this port forwarding solution for testing purposes. There is a distant server named box and a local machine named tower, on two separate networks. box is accessible through the internet.
On tower, I run the following command:
ssh -R 80:localhost:80 box.sleblanc
This connects to box and setups a socket on port 80 that will access a web service on tower, port 80. When a connection is established with box:80, I find that it appears to the web service in the logs as coming from 127.0.0.1. I find this annoying as I cannot reliably distinguish between the connections that are legitimately from my localhost as opposed to those that come from via the proxy.
By setting the BindAddress
option to something different (e.g. 192.168.0.100) the connections to the proxy actually show up as that address instead, which solves my problem, but it forces my service to run on a network address other than localhost.
I found that running curl --interface 127.0.0.2 localhost:80
will produce requests from the IP address 127.0.0.2
, which fulfills my requirement of being able to distinguish between legitimately local requests versus proxied requests, however, when setting BindAddress
to 127.0.0.2, SSH can no longer reach box, as the 127.0.0.0/8 network is not routeable.
Ultimately, my question is: how can I bind the SSH client to multiple different addresses, so that the client can connect to an Internet host while the remote port redirection will come from an unrouteable address other than 127.0.0.1? That is, strictly bind connections to the remote forwarded port to the local address 127.0.0.2?
Toying with socat, I discovered this solution:
% socat TCP4-Listen:1234,fork TCP:127.0.0.1:80,bind=127.0.0.2 &
% ssh -R 80:127.0.0.1:1234 box.sleblanc
This sets up a socket on that listens to incoming connections on port 1234 and forwards them to 127.0.0.1:80 by binding to the local address 127.0.0.2. It works exactly as intended, but I am wondering if there is a way to streamline this into the SSH command.
ssh networking port-forwarding
add a comment |
I have this port forwarding solution for testing purposes. There is a distant server named box and a local machine named tower, on two separate networks. box is accessible through the internet.
On tower, I run the following command:
ssh -R 80:localhost:80 box.sleblanc
This connects to box and setups a socket on port 80 that will access a web service on tower, port 80. When a connection is established with box:80, I find that it appears to the web service in the logs as coming from 127.0.0.1. I find this annoying as I cannot reliably distinguish between the connections that are legitimately from my localhost as opposed to those that come from via the proxy.
By setting the BindAddress
option to something different (e.g. 192.168.0.100) the connections to the proxy actually show up as that address instead, which solves my problem, but it forces my service to run on a network address other than localhost.
I found that running curl --interface 127.0.0.2 localhost:80
will produce requests from the IP address 127.0.0.2
, which fulfills my requirement of being able to distinguish between legitimately local requests versus proxied requests, however, when setting BindAddress
to 127.0.0.2, SSH can no longer reach box, as the 127.0.0.0/8 network is not routeable.
Ultimately, my question is: how can I bind the SSH client to multiple different addresses, so that the client can connect to an Internet host while the remote port redirection will come from an unrouteable address other than 127.0.0.1? That is, strictly bind connections to the remote forwarded port to the local address 127.0.0.2?
Toying with socat, I discovered this solution:
% socat TCP4-Listen:1234,fork TCP:127.0.0.1:80,bind=127.0.0.2 &
% ssh -R 80:127.0.0.1:1234 box.sleblanc
This sets up a socket on that listens to incoming connections on port 1234 and forwards them to 127.0.0.1:80 by binding to the local address 127.0.0.2. It works exactly as intended, but I am wondering if there is a way to streamline this into the SSH command.
ssh networking port-forwarding
You would needssh
to bind on a specified interface when creating the local sockets for-R
, but I see no way to specify this inman ssh
. So if you want to do this withssh
only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.
– dirkt
Mar 16 at 19:47
On a Linux system, this hack (on tower) will "fix" ssh:iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2
– A.B
Mar 16 at 22:49
@A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?
– sleblanc
Mar 16 at 23:39
yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS
– A.B
Mar 16 at 23:41
GNU plus Linux.
– sleblanc
Mar 17 at 2:25
add a comment |
I have this port forwarding solution for testing purposes. There is a distant server named box and a local machine named tower, on two separate networks. box is accessible through the internet.
On tower, I run the following command:
ssh -R 80:localhost:80 box.sleblanc
This connects to box and setups a socket on port 80 that will access a web service on tower, port 80. When a connection is established with box:80, I find that it appears to the web service in the logs as coming from 127.0.0.1. I find this annoying as I cannot reliably distinguish between the connections that are legitimately from my localhost as opposed to those that come from via the proxy.
By setting the BindAddress
option to something different (e.g. 192.168.0.100) the connections to the proxy actually show up as that address instead, which solves my problem, but it forces my service to run on a network address other than localhost.
I found that running curl --interface 127.0.0.2 localhost:80
will produce requests from the IP address 127.0.0.2
, which fulfills my requirement of being able to distinguish between legitimately local requests versus proxied requests, however, when setting BindAddress
to 127.0.0.2, SSH can no longer reach box, as the 127.0.0.0/8 network is not routeable.
Ultimately, my question is: how can I bind the SSH client to multiple different addresses, so that the client can connect to an Internet host while the remote port redirection will come from an unrouteable address other than 127.0.0.1? That is, strictly bind connections to the remote forwarded port to the local address 127.0.0.2?
Toying with socat, I discovered this solution:
% socat TCP4-Listen:1234,fork TCP:127.0.0.1:80,bind=127.0.0.2 &
% ssh -R 80:127.0.0.1:1234 box.sleblanc
This sets up a socket on that listens to incoming connections on port 1234 and forwards them to 127.0.0.1:80 by binding to the local address 127.0.0.2. It works exactly as intended, but I am wondering if there is a way to streamline this into the SSH command.
ssh networking port-forwarding
I have this port forwarding solution for testing purposes. There is a distant server named box and a local machine named tower, on two separate networks. box is accessible through the internet.
On tower, I run the following command:
ssh -R 80:localhost:80 box.sleblanc
This connects to box and setups a socket on port 80 that will access a web service on tower, port 80. When a connection is established with box:80, I find that it appears to the web service in the logs as coming from 127.0.0.1. I find this annoying as I cannot reliably distinguish between the connections that are legitimately from my localhost as opposed to those that come from via the proxy.
By setting the BindAddress
option to something different (e.g. 192.168.0.100) the connections to the proxy actually show up as that address instead, which solves my problem, but it forces my service to run on a network address other than localhost.
I found that running curl --interface 127.0.0.2 localhost:80
will produce requests from the IP address 127.0.0.2
, which fulfills my requirement of being able to distinguish between legitimately local requests versus proxied requests, however, when setting BindAddress
to 127.0.0.2, SSH can no longer reach box, as the 127.0.0.0/8 network is not routeable.
Ultimately, my question is: how can I bind the SSH client to multiple different addresses, so that the client can connect to an Internet host while the remote port redirection will come from an unrouteable address other than 127.0.0.1? That is, strictly bind connections to the remote forwarded port to the local address 127.0.0.2?
Toying with socat, I discovered this solution:
% socat TCP4-Listen:1234,fork TCP:127.0.0.1:80,bind=127.0.0.2 &
% ssh -R 80:127.0.0.1:1234 box.sleblanc
This sets up a socket on that listens to incoming connections on port 1234 and forwards them to 127.0.0.1:80 by binding to the local address 127.0.0.2. It works exactly as intended, but I am wondering if there is a way to streamline this into the SSH command.
ssh networking port-forwarding
ssh networking port-forwarding
asked Mar 16 at 19:11
sleblancsleblanc
872914
872914
You would needssh
to bind on a specified interface when creating the local sockets for-R
, but I see no way to specify this inman ssh
. So if you want to do this withssh
only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.
– dirkt
Mar 16 at 19:47
On a Linux system, this hack (on tower) will "fix" ssh:iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2
– A.B
Mar 16 at 22:49
@A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?
– sleblanc
Mar 16 at 23:39
yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS
– A.B
Mar 16 at 23:41
GNU plus Linux.
– sleblanc
Mar 17 at 2:25
add a comment |
You would needssh
to bind on a specified interface when creating the local sockets for-R
, but I see no way to specify this inman ssh
. So if you want to do this withssh
only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.
– dirkt
Mar 16 at 19:47
On a Linux system, this hack (on tower) will "fix" ssh:iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2
– A.B
Mar 16 at 22:49
@A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?
– sleblanc
Mar 16 at 23:39
yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS
– A.B
Mar 16 at 23:41
GNU plus Linux.
– sleblanc
Mar 17 at 2:25
You would need
ssh
to bind on a specified interface when creating the local sockets for -R
, but I see no way to specify this in man ssh
. So if you want to do this with ssh
only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.– dirkt
Mar 16 at 19:47
You would need
ssh
to bind on a specified interface when creating the local sockets for -R
, but I see no way to specify this in man ssh
. So if you want to do this with ssh
only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.– dirkt
Mar 16 at 19:47
On a Linux system, this hack (on tower) will "fix" ssh:
iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2
– A.B
Mar 16 at 22:49
On a Linux system, this hack (on tower) will "fix" ssh:
iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2
– A.B
Mar 16 at 22:49
@A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?
– sleblanc
Mar 16 at 23:39
@A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?
– sleblanc
Mar 16 at 23:39
yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS
– A.B
Mar 16 at 23:41
yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS
– A.B
Mar 16 at 23:41
GNU plus Linux.
– sleblanc
Mar 17 at 2:25
GNU plus Linux.
– sleblanc
Mar 17 at 2:25
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506715%2fbind-ssh-client-to-two-different-host-addresses%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506715%2fbind-ssh-client-to-two-different-host-addresses%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
You would need
ssh
to bind on a specified interface when creating the local sockets for-R
, but I see no way to specify this inman ssh
. So if you want to do this withssh
only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.– dirkt
Mar 16 at 19:47
On a Linux system, this hack (on tower) will "fix" ssh:
iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2
– A.B
Mar 16 at 22:49
@A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?
– sleblanc
Mar 16 at 23:39
yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS
– A.B
Mar 16 at 23:41
GNU plus Linux.
– sleblanc
Mar 17 at 2:25