Using SSH to get around firewalls (Need Help)


kai4785
2006-06-10, 05:13 AM CDT
I understand and regularly use SSH tunneling to get around the firewall at work. Now I'd like to be home, and get around the firewall to my machine at work. I know I'm missing a key word that would pull up what I need in a search, but I'm stumped.

To open a remote desktop (VNC) connection from work to home I type:
#ssh -L 5900:localhost:5900 user@homepc

Now, what I'd like to do is find the SSH command that I can run from work so that I can allow ONLY my homepc to SSH into my workpc. It's gotta be a simple argument that I can't figure out.

Also, at the same time I'd like to figure out how to change the time out variable. Currently, an SSH Connection to a new vanilla FC5 will time out in 5 minutes. Not enough time to get home and log in :)

Any help, or documentation you can point me to to further my research would be helpful.

pete_1967
2006-06-10, 05:39 AM CDT
You need to open correct ports in your firewall (at both ends) check your VPN server's and client's documentation which ones it uses (5900 to start with). Also, you need to set port forwarding in the server's router to direct traffic to your server.

kai4785
2006-06-10, 10:19 AM CDT
Yes, I have been through that hoop, and we don't have any VPN software. Sorry I didn't clarify that in the original post. The VNC (http://www.realvnc.com) is just remote desktop, not quite the same as VPN.

I cannot open the ports on the router. Theoretically in my mind, you should be able to open an SSH connection to a specific host that will allow the remote host access to turn around and SSH back in. Sort of like opening a door that only has a knob on the inside. I can SSH out to my machine at home, but I would like to ssh back in without needing to change anything with the firewall.

I am only interested in SSH access from home to work. Once I have that, I can do everything else I am looking to do.

Firewing1
2006-06-10, 10:45 AM CDT
I don't think it's possible. You'd HAVE to have access to the firewall and router due to port numbers and port forwarding. It's a one-way thing: Out. I highly doubt you can get back in w/ out VPN :(
Firewing1

pete_1967
2006-06-10, 11:04 AM CDT
Yes, I have been through that hoop, and we don't have any VPN software. Sorry I didn't clarify that in the original post. The VNC (http://www.realvnc.com) is just remote desktop, not quite the same as VPN.

I cannot open the ports on the router. Theoretically in my mind, you should be able to open an SSH connection to a specific host that will allow the remote host access to turn around and SSH back in. Sort of like opening a door that only has a knob on the inside. I can SSH out to my machine at home, but I would like to ssh back in without needing to change anything with the firewall.

I am only interested in SSH access from home to work. Once I have that, I can do everything else I am looking to do.

How do you expect a firewall to allow any traffic through unless you punch holes through it, or a router to redirect it to the correct IP without configuring port forwarding in the router/network switches (admittedly this is not strictly necessary if the server actively listens for traffic on the port on the network)?

Also, ssh uses port 22 by default; for your server, you have to configure sshd to listen on port 5900 (that's the port you're redirecting your ssh to in the original post) instead of 22.

ccrvic
2006-06-10, 11:31 AM CDT
I cannot open the ports on the router. Theoretically in my mind, you should be able to open an SSH connection to a specific host that will allow the remote host access to turn around and SSH back in. Sort of like opening a door that only has a knob on the inside.

I think you want "ssh -R". The exact incantation will depend on your setup...

I can SSH out to my machine at home, but I would like to ssh back in without needing to change anything with the firewall.

Without opening ports on the firewall, you can't open a TCP connection inbound. It's deliberately set up that way.

You could STUN your way through with UDP packets, but I'm not aware of any apps that will give you a ssh-like connection over UDP - I'd recommend googling...

Vic.

kai4785
2006-06-10, 11:54 AM CDT
"ssh -R" is so close! It's the same as "ssh -L" except instead of setting up the listening port on the local machine (-L) it sets up the listening port on the remote machine (-R). -R is going to send the packets from my home to work using the ports specified, which will get blocked since they aren't open.

Now, I know that this sort of thing can be done in other ways, I just would like to see if I can do it with SSH. For example, I can subscribe to a service that allows me to log in through port 80 that opens a connection to the server. With that program listening and logged in, I can go to any other computer, log into their site, and view the desktop of that machine. I think it's PC Anywhere.

What are they doing that teaches the packets what IP behind the NAT router to hit? It's a really small application. I can get more details on it later from a coworker here at the office on Monday.

To clarify for pete_1967:
"ssh -L" will take the localhost port, and send requests for it to the remote host port specified. This way, I can connect through my computer's open ports at home all through the SSH port. For example, VNC (Virtual Network Computing, www.realvnc.com) is a listening service on port 5900. To SSH from my computer at the office to my computer at home, I run the command:
ssh -L 5900:localhost:5900 user@domain.com

This means I can open my VNC viewer program and connect to the "localhost" server on port 5900, and SSH takes the request, packages it up, shoots it over to my computer at home and makes the "localhost" request there.

For another example, if I want to administrate my router remotely, and I don't have port 8080 open (Which I don't), I run this command:

ssh -L 8080:192.168.1.1:80 user@domain.com

Then in my browser I type "localhost:8080", ssh picks up the package request, sends it to user@domain.com, and asks it to send the information to 192.168.1.1:80. Now I see my router's information from my computer at home.

Nifty trick to get around your outbound firewall. I can set up IM from behind the firewall:
ssh -L 1863:messenger.hotmail.com:1863 user@domain.com

Now if I wanted to run a -L on a machine, but I don't want to SSH into that machine first, I can use the -R command instead.

All of this makes sense, but I can't quite get it to work exactly the way I want it to. Anybody else more proficient with Google than I am? I just can't figure out what keywords will pull up the info I need. I'll try looking up STUN next, 'cause it sounds interesting.

ccrvic
2006-06-10, 11:59 AM CDT
"ssh -R" is so close! It's the same as "ssh -L" except instead of setting up the listening port on the local machine (-L) it sets up the listening port on the remote machine (-R). -R is going to send the packets from my home to work using the ports specified, which will get blocked since they aren't open.

No - that's not how it works.

You run ssh -R on your work machine. This opens up a TCP connection on port 22 to your home machine - this is permitted by your firewall.

Your home machine now has another listening port open - and that maps to a port on your work machine. *However*, the only traffic that passes through your firewall is on the port 22 connection you opened previously - the other port numbers are all tunnelled.

The only difficulty I can see here is that you have to remember to run the ssh command before you leave work. Or run a cron job to do it for you. And don't tell your SysAds, who would not be best pleased by such a job...

Vic.

brunson
2006-06-10, 12:34 PM CDT
If I'm not misunderstanding...

You can't ssh to your work machine from your home because your work firewall doesn't allow access to the machine, but you can ssh from work to home. In that case, from work do this:

ssh -R 2222:localhost:22 user@homebox

Then, from a shell on your home machine you can do "ssh -p 2222 workusername@localhost". Ssh will then connect to port 2222 on your local machine, that port will be forwarded to your work machine and connected to port 22 on what your work machine knows as localhost, i.e. itself.

In one case I wrote a little script that would loop every 5 minutes on my work machine. It would ssh to my home box and look for the existence of a file called "starttunnel" in my homedir; if it found it, it would create another ssh with the appropriate tunnel, then I could connect to my work machine.

Slightly off topic, but the latest sshes have a totally cool dynamic tunnel option. The tunnels we've been talking about are point to point and restricted to the single port listed. If you have a remote machine with open internet access and want to tunnel traffic from a firewalled network, then "ssh -D 1080 remotehost" and any client that understands how to use a SOCKS proxy (like firefox) can be pointed at localhost:1080 and traffic to any host will be tunneled through the remote machine.

Also note that for security reasons only the localhost can connect to an ssh tunnel, unless you use the -g option, which allows other networked systems to use the tunnel, also.
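An added example, not code from any poster in this thread: a small POSIX shell helper that spells out what an ssh -L, -R or -D spec does (which end listens, which end connects) and flags the two things that trip people up here, a remote listening port that sshd on the home box already owns, and a listener bound to something other than loopback. The spec grammar ([bind_address:]port:host:hostport) is ssh's own; the function names and the compact summary format are mine, and bracketed IPv6 addresses are not handled.

```shell
#!/bin/sh
# explain_forward MODE SPEC
#   MODE is -L, -R or -D; SPEC is [bind:]port:host:hostport (-L/-R) or [bind:]port (-D).
# Prints one line: listen=<side>:<bind>:<port> connect=<side>:<host>:<hostport>
# The "side" tells you which end of the ssh session owns the listening socket.
explain_forward() {
    mode=$1; spec=$2
    n=$(printf '%s\n' "$spec" | awk -F: '{print NF}')   # number of colon-separated fields
    case "$mode" in
        -L|-R)
            case "$n" in
                4) bind=${spec%%:*}; rest=${spec#*:} ;;        # explicit bind address
                3) bind=localhost;   rest=$spec ;;             # ssh's default: loopback only
                *) printf 'error: bad forward spec: %s\n' "$spec" >&2; return 1 ;;
            esac
            port=${rest%%:*}; rest=${rest#*:}
            host=${rest%%:*}; hostport=${rest#*:}
            if [ "$mode" = -L ]; then
                # -L: the ssh CLIENT listens; the server end makes the onward connection.
                printf 'listen=local:%s:%s connect=remote:%s:%s\n' "$bind" "$port" "$host" "$hostport"
            else
                # -R: the ssh SERVER listens; the client end makes the onward connection.
                # Only the original outbound port-22 session crosses the firewall.
                printf 'listen=remote:%s:%s connect=local:%s:%s\n' "$bind" "$port" "$host" "$hostport"
            fi
            ;;
        -D)
            case "$n" in
                2) bind=${spec%%:*}; port=${spec#*:} ;;
                1) bind=localhost;   port=$spec ;;
                *) printf 'error: bad dynamic spec: %s\n' "$spec" >&2; return 1 ;;
            esac
            # -D: the client runs a SOCKS proxy; the destination is chosen per connection.
            printf 'listen=local:%s:%s connect=remote:dynamic\n' "$bind" "$port"
            ;;
        *) printf 'error: mode must be -L, -R or -D\n' >&2; return 1 ;;
    esac
}

# forward_warnings MODE SPEC
# Prints one line per hazard in the listening half of the forward (nothing if clean).
forward_warnings() {
    summary=$(explain_forward "$1" "$2") || return 1
    listen=${summary%% *}; listen=${listen#listen=}   # e.g. remote:localhost:2222
    side=${listen%%:*};    rest=${listen#*:}
    bind=${rest%:*};       port=${rest##*:}
    case "$bind" in
        localhost|127.0.0.1|::1) ;;
        *) echo "listener on the $side end is bound to $bind, not loopback: other hosts on that network can use the tunnel (this is what -g does for -L; for -R the remote sshd must also allow it via GatewayPorts)" ;;
    esac
    if [ "$port" -lt 1024 ]; then
        echo "port $port is privileged: binding it needs root on the $side end"
    fi
    if [ "$side" = remote ] && [ "$port" -eq 22 ]; then
        echo "remote port 22 is normally already taken by sshd there, so this -R forward will fail; use another port such as 2222"
    fi
}

# Demo only when explicitly asked for, so the file can also be sourced as a library.
if [ "${1:-}" = demo ]; then
    for f in "-R 2222:localhost:22" "-L 8080:192.168.1.1:80" "-D 1080" "-R 22:localhost:22"; do
        set -- $f
        echo "ssh $1 $2 => $(explain_forward "$1" "$2")"
        forward_warnings "$1" "$2" | sed 's/^/   warning: /'
    done
fi
```

Run it as "sh explain_forward.sh demo" to see the four commands from this thread explained side by side; the -R 22:localhost:22 attempt from the post below is the case that produces warnings.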

hargoth
2006-06-10, 04:15 PM CDT
Ha! Then it IS what I needed! I tried it with:
ssh -R 22:localhost:22 user@homebox
'cause I'm an idiot. 'Course that wouldn't work. The only question left to clarify, which I can do by testing, is to verify that this:
"*However*, the only traffic that passes through your firewall is on the port 22 connection you opened previously - the other port numbers are all tunnelled."
Means that I don't need port 2222 open on the firewall at work. I'm assuming this is the case, which would be really awesome!

The idea of the script is the last piece of the pie, which I'll take pleasure in hashing out later. Thanks for the great help! I just knew it was possible.

Brian1
2006-06-11, 12:34 PM CDT
Ok have you got anything worked out yet?

At work, is there a firewall, and if so, what kind of device is this? A store-bought cable/DSL router, a Linux firewall, another firewall machine OS, or a high-priced router like Cisco?

Now, is port 22 opened on the router, and is it going to the firewall machine itself or to an internal machine with port forwarding enabled?

Okay, if it's port-forwarded to an internal machine with ssh and vnc running, with only port 22 open on the machine and the router port-forwarding to the internal machine, then use a command like this.
ssh -f -L 25903:127.0.0.1:5902 username@xxx.xxx.xxx.xxx sleep 10; vncviewer 127.0.0.1:25903:3

Now this command is connecting to my vncserver on display 2, which is defined in /etc/syslog/vncserver. Using 5900 is the real display, and it depends on how you set up vnc.

What did you do to set up VNC?
Did you follow a guide somewhere? If so, post the link, because there are so many ways to set up vnc.
I follow this guide to get a basic start and fine tune from there. http://fedoranews.org/tchung/vnc/

Let's go from there and see what answers happen.

Also I saw a PM to me about the sata setup. Did you get it resolved? I have no idea which post it is. It is best to stay in the forum to ask the questions so others can help, because I did not see this pm to me till today. If you have the link to your post on the sata subject and it's still not working, I will see where it has gone. Also, in your PM, don't use partition magic to make linux partitions. It's not very good at it.

Brian1

kai4785
2006-06-12, 06:12 AM CDT
Sorry, I posted from a different machine (hargoth) last time. I'm at the office now, and these two commands work like a champ:
workpc# ssh -R 2222:localhost:22 user@homepc
homepc# ssh -p 2222 localhost -L 5800:localhost:5900

These two commands allow me to SSH and VNC from home to work. It's on port 5800 'cause I'm already VNC'ing home on port 5900, and I'm not planning on using the default 5800 for the Web based VNC java client any time in the near future.

For my VNC set up, I do a
#yum install vnc vncserver
Then follow the instructions here:
http://www.realvnc.com/products/free/4.1/x0.html

Basically add a few lines to xorg.conf, and it allows you to VNC to the :0 display and control the Desktop as it appears on the monitor. I love to VNC home and find my Wife surfing the net. Then I start a vncserver on the :1 display, and start playing music or do other crap and watch her panic! It's my favorite.

To answer the specific questions from Brian1,

I'm pretty sure it's a cisco router that blocks all port 22 requests, and it was a matter of updating my BIOS to get the Fedora Core 5 install to work properly on my SATA Drive. I didn't use Partition Magic to create the partitions I was going to keep, it just wouldn't let me keep the chunk unlabeled, so I left it ext3 just 'cause. I reformatted and cut up the partition with the installer later.
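An added example, not from kai4785, brunson or anyone else in this thread: a cron-friendly script for the work machine that puts the working "ssh -R 2222:localhost:22 user@homepc" command together with two things the thread raises but never settles, brunson's "starttunnel" flag-file idea and the 5-minute idle timeout from the first post. The hostname, key path and flag-file name are assumptions for illustration; the ssh and pgrep commands are overridable through variables only so the decision logic can be exercised without a network. ServerAliveInterval, ServerAliveCountMax and ExitOnForwardFailure are real ssh_config options.

```shell
#!/bin/sh
# Reverse-tunnel keeper for the WORK machine (added example; values below are assumed).
HOME_HOST=${HOME_HOST:-user@homepc}            # assumed: the home box reachable from work
KEY=${KEY:-$HOME/.ssh/tunnel_ed25519}          # assumed: a dedicated key used only for this tunnel
FLAG_FILE=${FLAG_FILE:-starttunnel}            # assumed: created in the home-side home dir to request a tunnel
REMOTE_PORT=${REMOTE_PORT:-2222}               # port the HOME box will listen on (loopback only)
SSH=${SSH:-ssh}                                # overridable for testing without a network
PGREP=${PGREP:-pgrep}

# Client-side keep-alive: a probe every 60 s, give up after 3 missed replies.
# An idle session therefore carries traffic and survives a 5-minute idle
# timeout, and a dead session is noticed and torn down instead of lingering.
KEEPALIVE="-o ServerAliveInterval=60 -o ServerAliveCountMax=3"

# Argument list for the tunnel itself. The listener is bound to 127.0.0.1 on the
# home box (no -g, no wildcard bind), so only a login on the home box can reach
# work port 22 through it. -N: no remote shell; -f: background after auth;
# ExitOnForwardFailure: fail loudly if the remote port is already in use.
tunnel_args() {
    echo "-f -N -i $KEY $KEEPALIVE -o ExitOnForwardFailure=yes -R 127.0.0.1:$REMOTE_PORT:localhost:22 $HOME_HOST"
}

# Has the home box asked for a tunnel? (flag file present in the login home dir)
tunnel_requested() {
    $SSH -i "$KEY" $KEEPALIVE "$HOME_HOST" "test -e $FLAG_FILE"
}

# Is a tunnel from this machine already up? (look for our own ssh -R process)
tunnel_running() {
    $PGREP -f -- "-R 127.0.0.1:$REMOTE_PORT:localhost:22" >/dev/null 2>&1
}

# One cron tick: prints one word describing what happened, for logging.
maybe_start_tunnel() {
    if tunnel_running; then
        echo already-running; return 0
    fi
    if ! tunnel_requested; then
        echo not-requested; return 0
    fi
    # shellcheck disable=SC2046  # word-splitting of tunnel_args is intended
    if $SSH $(tunnel_args); then
        echo started
    else
        echo failed; return 1
    fi
}

# Entry point for cron; without the "run" argument the file only defines functions.
if [ "${1:-}" = run ]; then
    maybe_start_tunnel
fi
```

Install it on the work machine with a crontab line such as "*/5 * * * * /path/to/tunnel_keeper.sh run >> ~/tunnel.log 2>&1" (path assumed); from home, "touch ~/starttunnel" asks for the tunnel and "ssh -p 2222 workusername@localhost" uses it once the next tick has fired, as in brunson's post. Removing the flag file stops new tunnels from being started but does not kill one already up.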

Brian1
2006-06-12, 02:32 PM CDT
I figured you were setting it up that way since using port 5900. Glad to see you got it going and also the update to the bios on the other post.

Brian1