How to get remote IP address over a ssh remote port forwarding tunnel?
I'm running a test server behind NAT. I've forwarded remote port `2222` from another public IP server (`example.com`) to port `22` of the server behind NAT (`localhost`) as follows.

```
autossh -f -N -i /root/.ssh/id_rsa -R 2222:localhost:22 root@example.com
```

Now the local `ssh` server behind NAT is getting only `::1` as the IP address of all clients, irrespective of the client's actual IP address.

Output from `w` in `localhost` is like this.

```
 22:27:37 up  8:03,  2 users,  load average: 0.03, 0.03, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user     tty7     :0               14:24    8:03m  1.27s  0.33s /usr/bin/lxsession -s LXDE-pi -e LXDE
user     pts/0    ::1              22:27    1.00s  0.34s  0.03s w
```

`/var/log/auth.log` in `localhost` has an entry like this:

```
Feb 28 22:27:32 localhost sshd[5201]: Accepted password for user from ::1 port 55168 ssh2
```

Now I want to run `fail2ban` or `csf` firewall to block spam IP addresses. So, I want the client's actual IP address. How can I do this? Is any `iptables` `NAT` rewriting rule helpful?

Tags: ssh, ssh-tunneling, port-forwarding
asked Mar 2 '18 at 19:38 by Abhik Bose
You cannot use fail2ban to block IPs and you only see the IP address of the other side of the SSH tunnel... – Rui F Ribeiro, Mar 2 '18 at 19:40

@RuiFRibeiro Yes, that's true. I'm asking: is there a way to get the client's actual IP instead of the IP address of the other side of the tunnel's localhost IP `::1`? – Abhik Bose, Mar 2 '18 at 19:43

I prefer going in via a VPN and not exposing `ssh` ports to the Internet. – Rui F Ribeiro, Mar 2 '18 at 19:51

Maybe running a tun device and using iptables would be the solution? – davidbaumann, Mar 3 '18 at 8:01
1 Answer
The SSH protocol messages for opening a TCP forwarding session include the IP address and port of the client which connected to the forwarded port. The OpenSSH `ssh` utility just logs the information and doesn't do anything else with it:

```
$ ssh -v -R 2048:localhost:22 localhost
...
debug1: client_request_forwarded_tcpip: listen localhost port 2048, originator ::1 port 49341
                                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^
```

To do something useful with the information, you'd have to do one of the following:

- Run `ssh` in debug mode and capture and parse the relevant debug output.
- Modify the `ssh` utility to log the information or otherwise do what you need it to do with the information.
- Use a different ssh client, or write your own. SSH libraries exist for most modern programming languages.
answered Mar 2 '18 at 20:22 by Kenster
Sounds cumbersome.... – Rui F Ribeiro, Mar 2 '18 at 20:23
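
The first option in the answer above (capture and parse the `ssh -v` debug output), as an added example that is not part of the original answer: it extracts and validates the originator address from the `client_request_forwarded_tcpip` line format quoted there. The function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Line format taken from the OpenSSH client debug output quoted in the answer.
ORIGINATOR_RE = re.compile(
    r"debug1: client_request_forwarded_tcpip: "
    r"listen (?P<lhost>\S+) port (?P<lport>\d+), "
    r"originator (?P<addr>\S+) port (?P<port>\d+)\s*$"
)


def parse_originator(line):
    """Return (address, port) from a forwarded-tcpip debug line, or None."""
    m = ORIGINATOR_RE.search(line)
    if m is None:
        return None
    try:
        addr = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return None  # not an IP literal: never hand it to a ban action
    port = int(m.group("port"))
    if port > 65535:
        return None
    # Report IPv4-mapped IPv6 (::ffff:a.b.c.d) as plain IPv4 so that one
    # client is not counted under two different spellings.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr, port


def count_originators(lines):
    """Count forwarded connections per originator address."""
    counts = Counter()
    for line in lines:
        parsed = parse_originator(line)
        if parsed is not None:
            counts[str(parsed[0])] += 1
    return counts


# Constructed sample input (documentation address ranges), not real logs.
SAMPLE = """\
debug1: Entering interactive session.
debug1: client_request_forwarded_tcpip: listen localhost port 2222, originator 203.0.113.7 port 40112
debug1: client_request_forwarded_tcpip: listen localhost port 2222, originator 203.0.113.7 port 40115
debug1: client_request_forwarded_tcpip: listen localhost port 2222, originator ::ffff:198.51.100.9 port 51000
debug1: client_request_forwarded_tcpip: listen localhost port 2222, originator 2001:db8::5 port 33000
debug1: client_request_forwarded_tcpip: listen localhost port 2222, originator not-an-ip port 1
""".splitlines()

if __name__ == "__main__":
    for addr, n in count_originators(SAMPLE).most_common():
        print(f"{n:3d} {addr}")
```

Feed it the stderr of the tunnelling `ssh -v` process. The connection still reaches the local sshd from `::1`, so any block on these addresses has to be applied on `example.com`, where the client's TCP connection actually terminates.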