I got access via SSH (root access) to a Machine that's inside a network at my client's office.
I'm programming in my computer a PHP application that needs to integrate to LDAP. The LDAP server is in another server at my client's network and not accesible from outside, however I can perfectly access it via the server I can connect to via SSH.
My question is: IS there anyway I can make a tunnel and setup a port in my computer to get the traffic forwarded to the LDAP server using my SSH connection to one of the computers on the network?
Thanks!!!!
Yes, ssh has a "-L" option to create a tunnel. That option takes 3 parameters, separated by colons (:). Local listen port, remote host, remote port.
ssh -L 9999:ldapserver:389 user#otherhost
Where 9999 is the local port that the tunnel will be created on. The ldapserver:389 bit tells it where to connect to on the other side.
Then, tell your application to connect to localhost:9999 (or whatever port you choose) and it will be tunneled across.
Related
Here is what i have:
GCP instance without external IP (on VPC, and NAT), and it accepts HTTP HTTPS requests
firewall allows ingress TCP for 0.0.0.0 and also for IAP's IP 35.235.240.0/20 on all ports for all instances
I ssh to the instance via IAP and run the application in the terminal on port 5000 and 0.0.0.0 host and leave the terminal hanging, but when I connect in parallel through cloud shell and ssh to this instance through IAP, and then click on web preview on port 5000, I get "Couldn't connect to a server on port 5000".
I have said that it could be a firewall rule blocking IAP, so that's why I gave access to all ports for IAP (for testing)
P.S: the process has been done on a VM with external IP and it got validated ( but without the need to connect to cloud shell to do web preview, I checked the UI with IP:port in the browser )
What did I miss?
You may be following the guide on Building Internet Connectivity for private VMs and this part on Configuring IAP tunnels for interacting with instances and the use of TCP Forwarding in IAP. By Tunneling other TCP connections:
"The local port tunnels data traffic from the local machine to the remote machine in an HTTPS stream. IAP then receives the data, applies access controls, and forwards the unwrapped data to the remote port."
You can create an encrypted tunnel to a port of the VM instance by:
gcloud compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT \
--local-host-port=localhost:LOCAL_PORT \
--zone=ZONE
I guess you want to use INSTACE_PORT and LOCAL_PORT the same, 5000.
Be aware of it's known limitations.
I want to access machine A which is behind the firewall through a jump host from machine B.
I want to do the same either via ssh keys or via username and password.
What will be the steps and the commands to achieve the same?
The feature is called port forwarding:
ssh -L localport:machine-a-address.domain:remote-port machine-b
Then you can simply use localpott on localhost to access the remote service on machine-a, for example:
telnet localhost localport
I am in a situation where I am running my GridServer and Nodes on the cloud and
when I want to access the Grid I use:
http://someip:4444/grid/console
When I want to access the node I use:
http:someip:<nodeport>/wd/hub
I think its a kind of threat as the IPs are publicly accessible. How can I limit that it shouldn't be opened by external users.
Is there any solution for it?
Selenium is not supporting that.
For that purposes you should make a p2p connection between you and grid.
VPN or ssh tunnel will work. Just forward remote server port to a local port:
ssh user#SERVER -L 4444:127.0.0.1:4444
Now, connecting to a local 4444 port will forward you to the remote address "SERVER". All the connection is secured by ssh login/password now and the traffic is hidden in a secure tunnel.
My web server is running on localhost (127.0.0.1:8800) and I would like to send HTTP posts from another machine to that server.
Does anyone know how I will be able to access the server from the outside? (I did a SSL port forwarding from the external address to localhost, but it is a kind of hack and some aspects do not working properly, e.g. web socket does not detect traffic that's been forwarded)
127.0.0.1 is the loopback address of your network card. Only your computer can access that. 127.0.0.1 on any other computer will be that other computer.
You will have to run your server on your internal ip-address (if you're doing this in an internal network). It will probably look something like 192.168.0.x. If you're instead connecting to the computer using the internet you will of course have to bind the server to the external ip-address.
You can find your internal ip-address on Windows by opening cmd.exe and typing ipconfig. On OSX or Linux/BSD you run ifconfig in a terminal.
Imagine we have a hosting containing:
a search engine running on port 5678 (it's required this port it's open in order to work).
nginx running on port 80.
When a user connects to our website and search something on it, he is only connecting through port 80, but never through 5678. We can check this running "netstat -an".
So my question is: If the client it's never connecting directly with the search engine's port, why we need to keep it open?
Normally client requests are coming to your web server (port 80 or 443), and your web server (your php,or your java code) has a logic to connect to your search engine and send back the result to the client via port 80/443 (local socket connection, if web server and search server running on the same server). so clients need not to connect directly to your search engine port (5678). (from external networks). may be your web server internal interface and search engines internal interface connect locally via local s socket connection.
I'm not sure how you run your web server and search engine, is it two different servers or nginx act as a load balancer and send the client request to your multiple search servers. i think your search engine port use internally to communicate with your web server hosted software. or may be you run both nginx and search server on the same server.
other guess is your firewall or router forwarding port 80 request to your search server port 5678 (port forwarding).
try this on your search server
netstat -pant
this will give your all connection details, like local address,foreign address,state, and PID/Program name
Hope that helps
You can connect to a webserver using a different port. Port 80 is the default for web servers. (port 443 for secure, https, connections) so it's not normally specified since it's 'understood'
But you can, actually, specify a different port to connect to. In your example, a user would specify which port they want to connect to in the URL
http://www.example.com:5678
The same reason why some services live on other ports, like 22, 3000, 3306, 8080, 9000, you might not access those ports directly but maybe some other apps/services/protocols connect to it internally, or could even be not on the same server, like if you have separate app/db/mail servers, they would contact each others by ports.