Re: ssh tunnel




I'm playing around with tunneling sqlnet over ssh. I set up a tunnel on
the client that forwards port 9521 to 1521 on the database server and
can connect to the listener on local port 9521. I also know that once
the connection is established by the listener, the connection gets
handed off to a server process on a different port. Does that mean that
all traffic after that point is not going through the tunnel?


Hi Chuck,
If you are using a dedicated server on a Unix machine, then the communication port between client and listener, on the server side, is always the listening port.


So ssh tunneling has no problems there.

But what about shared server?
(Below is a test to show that the communication is still encrypted.)

Just a test:

Two machines:
bremosdbls02  (client side)
breobsbsls01  (server side)

One DB: RMAN10G

One listener, listening on port 1529, with the default dispatcher for 10g.

tunneling opened with:

nohup ssh -f -g -L 1530:breobsbsls01.ras:1529 oracle10g@xxxxxxxxxxxxxxxx ping -i 100 breobsbsls01.ras

from bremosdbls02 (user oracle).

I connect via sqlplus to local port 1530 using the shared server:

RMAN10G =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = bremosdbls02.ras)(PORT = 1530))
    (CONNECT_DATA =
      (SERVICE_NAME = RMAN10GXDB)
      (SERVER=shared)
    )
  )

and check what happens via tcpdump (nobody but me is connected to the DB):

sqlplus system/rman_10g_@rman10g

SQL*Plus: Release 10.2.0.1.0 - Production on Fri Aug 26 11:37:08 2005

Copyright (c) 1982, 2005, Oracle.  All rights reserved.


Connected to: Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Production With the Partitioning and Data Mining options

SQL> select * from v$circuit;

CIRCUIT DISPATCH SERVER WAITER SADDR STATUS QUEUE
-------- -------- -------- -------- -------- ---------------- ----------------
MESSAGE0 MESSAGE1 MESSAGE2 MESSAGE3 MESSAGES BYTES BREAKS
---------- ---------- ---------- ---------- ---------- ---------- ----------
PRESENTATION
--------------------------------------------------------------------------------
PCIRCUIT
--------
599FC18C 5AC6E140 5AC6E650 00 5AD46828 NORMAL SERVER
0 1 0 0 33 5066 0
TTC
00



ps -fe|grep sqlplus
oracle 16427 27367 0 11:41 pts/1 00:00:00 sqlplus
root 16791 14492 0 11:43 pts/3 00:00:00 grep sqlplus
You have new mail in /var/mail/root
bremosdbls02:~ # lsof -p 16427|grep ESTAB
sqlplus 16427 oracle 8u IPv4 4717301 TCP bremosdbls02.ras:32987->bremosdbls02.ras:rap-service (ESTABLISHED)
bremosdbls02:~ # grep rap-service /etc/services
rap-service 1530/tcp # rap-service
rap-service 1530/udp # rap-service


On the client side the connection is kept on port 1530.


While on the server side it is still on 1529:

lsof -p 20664|grep ESTAB
oracle 20664 oracle10g 15u IPv4 339804982 TCP breobsbsls01.ras:coauthor->breobsbsls01.ras:8647 (ESTABLISHED)
oracle10g@breobsbsls01:~> grep coauthor /etc/services
coauthor 1529/tcp # oracle
coauthor 1529/udp # oracle



192.168.25.92 is breobsbsls01.

As you can see below, all the packets are encrypted and tunneled over ssh.


tcpdump -vvv -A -t -XX -i eth0 src 192.168.25.92
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
IP (tos 0x8, ttl 63, id 47322, offset 0, flags [DF], length: 52) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: . [tcp sum ok] 2846929684:2846929684(0) ack 1544053150 win 12848 <nop,nop,timestamp 1371701225 1122327277>
..PV.H|..0..P..E..4..@.?..3...\.......M....\.a...20.......


Q...B.Z.
IP (tos 0x8, ttl 63, id 47326, offset 0, flags [DF], length: 100) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 0:48(48) ack 1 win 12848 <nop,nop,timestamp 1371701225 1122327277>
..PV.H|..0..P..E..d..@.?......\.......M....\.a...20.......


Q...B.Z......O....#.u.>......;..X.f.Bk
IP (tos 0x8, ttl 63, id 47331, offset 0, flags [DF], length: 100) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 48:96(48) ack 289 win 12848 <nop,nop,timestamp 1371701225 1122327279>
..PV.H|..0..P..E..d..@.?......\.......M...D\.b...20?......


Q...B.Z...I]c........+..O...!..Q.x.Q..
IP (tos 0x8, ttl 63, id 47334, offset 0, flags [DF], length: 132) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 96:176(80) ack 577 win 12848 <nop,nop,timestamp 1371701225 1122327287>
..PV.H|..0..P..E.....@.?......\.......M...t\.c...20h......


..n..1..uR.I}.?....X+.
IP (tos 0x8, ttl 63, id 47337, offset 0, flags [DF], length: 228) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 176:352(176) ack 769 win 12848 <nop,nop,timestamp 1371701226 1122327295>
..PV.H|..0..P..E.....@.?..t...\.......M....\.d...20.(.....


Q...B.Z..cn...)|.......tw..3..H0.I@..D
IP (tos 0x8, ttl 63, id 47342, offset 0, flags [DF], length: 276) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 352:576(224) ack 865 win 12848 <nop,nop,timestamp 1371701227 1122327312>
..PV.H|..0..P..E.....@.?..?...\.......M...t\.d...20w......


Q...B.[........ri.m.K.....j.....AU|od.
IP (tos 0x8, ttl 63, id 47347, offset 0, flags [DF], length: 116) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 576:640(64) ack 977 win 12848 <nop,nop,timestamp 1371701228 1122327323>
..PV.H|..0..P..E..t..@.?......\.......M...T\.en..20.......


Q...B.[.[...W.S...f.@.oq.....w..W....?
IP (tos 0x8, ttl 63, id 47352, offset 0, flags [DF], length: 324) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 640:912(272) ack 1249 win 12848 <nop,nop,timestamp 1371701229 1122327336>
..PV.H|..0..P..E..D..@.?......\.......M....\.f~..20-......


Q...B.[(...r5:..D....0.....E.I....F..?
IP (tos 0x8, ttl 63, id 47357, offset 0, flags [DF], length: 644) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 912:1504(592) ack 2417 win 15184 <nop,nop,timestamp 1371701232 1122327364>
..PV.H|..0..P..E.....@.?......\.......M....\.k...;P.s.....
Q...B.[D.%~{
'
..-..uI..PeFN.4.Y~.D.*\r.
IP (tos 0x8, ttl 63, id 47362, offset 0, flags [DF], length: 228) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 1504:1680(176) ack 2497 win 15184 <nop,nop,timestamp 1371701232 1122327376>
..PV.H|..0..P..E.....@.?..[...\.......M....\.k^..;P.......


Q...B.[P.....0YVST.[f.....%(.f.c...}-m
IP (tos 0x8, ttl 63, id 47367, offset 0, flags [DF], length: 772) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 1680:2400(720) ack 2705 win 15184 <nop,nop,timestamp 1371701233 1122327391>
..PV.H|..0..P..E.....@.?..6...\.......M....\.l...;P.E.....


Q...B.[_.......{aF.3..;.9.OC...b.[..e?
IP (tos 0x8, ttl 63, id 47372, offset 0, flags [DF], length: 228) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 2400:2576(176) ack 2769 win 15184 <nop,nop,timestamp 1371701234 1122327399>
..PV.H|..0..P..E.....@.?..Q...\.......M...t\.ln..;P.......
Q...B.[g}.Cm.g..[.....b.Jy.Z
w
.....y7..
IP (tos 0x8, ttl 63, id 47377, offset 0, flags [DF], length: 116) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 2576:2640(64) ack 2833 win 15184 <nop,nop,timestamp 1371701234 1122327405>
..PV.H|..0..P..E..t..@.?......\.......M...$\.l...;P.......


Q...B.[m..;..}L...I$.N]..L.c.x.t3.&V.E
IP (tos 0x8, ttl 63, id 47382, offset 0, flags [DF], length: 228) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 2640:2816(176) ack 3057 win 15184 <nop,nop,timestamp 1371701234 1122327411>
..PV.H|..0..P..E.....@.?..G...\.......M...d\.m...;P.......


Q...B.[s..G......%.........k%c.aDuM;:;
IP (tos 0x8, ttl 63, id 47387, offset 0, flags [DF], length: 116) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 2816:2880(64) ack 3121 win 15184 <nop,nop,timestamp 1371701235 1122327420>
..PV.H|..0..P..E..t..@.?......\.......M....\.m...;PY(.....


Q...B.[|8..v.).!W.......`...J.....pV/.
IP (tos 0x8, ttl 63, id 47392, offset 0, flags [DF], length: 260) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 2880:3088(208) ack 3409 win 15184 <nop,nop,timestamp 1371701235 1122327426>
..PV.H|..0..P..E.... @.?......\.......M...T\.n...;PV......


Q...B.[...!.....0`..,......a....g.b..I
IP (tos 0x8, ttl 63, id 47397, offset 0, flags [DF], length: 116) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 3088:3152(64) ack 3473 win 15184 <nop,nop,timestamp 1371701235 1122327430>
..PV.H|..0..P..E..t.%@.?......\.......M...$\.o...;P.w.....


Q...B.[.rH.i...T..3...Vc.......uR.....
IP (tos 0x8, ttl 63, id 47402, offset 0, flags [DF], length: 420) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 3152:3520(368) ack 3729 win 15184 <nop,nop,timestamp 1371701236 1122327434>
..PV.H|..0..P..E....*@.?..s...\.......M...d\.p...;P.......


Q...B.[...8....n!ZX....N\....?s...6.j.
IP (tos 0x8, ttl 63, id 47407, offset 0, flags [DF], length: 116) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 3520:3584(64) ack 3793 win 15184 <nop,nop,timestamp 1371701236 1122327441>
..PV.H|..0..P..E..t./@.?......\.......M....\.pn..;P.......


Q...B.[.}t..?8...n...+a....}.......b>.
IP (tos 0x8, ttl 63, id 47412, offset 0, flags [DF], length: 116) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 3584:3648(64) ack 3889 win 15184 <nop,nop,timestamp 1371701236 1122327445>
..PV.H|..0..P..E..t.4@.?......\.......M....\.p...;P.......


...(sG3.....#V[..}.#Bc...."5.
IP (tos 0x8, ttl 63, id 47417, offset 0, flags [DF], length: 116) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 3648:3712(64) ack 3985 win 15184 <nop,nop,timestamp 1371701236 1122327449>
..PV.H|..0..P..E..t.9@.?......\.......M...T\.q...;P.......


Q...B.[.j#a`...8.-.M..S.d.)R.?...R.w..
IP (tos 0x8, ttl 63, id 47576, offset 0, flags [DF], length: 1284) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 3712:4944(1232) ack 4193 win 15184 <nop,nop,timestamp 1371702269 1122332372>
..PV.H|..0..P..E.....@.?..e...\.......M....\.q...;P.*.....


Q...B.n..... u..P.1+s'.V.D.n..Y|M,i .W
IP (tos 0x8, ttl 63, id 47581, offset 0, flags [DF], length: 228) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 4944:5120(176) ack 4257 win 15184 <nop,nop,timestamp 1371702270 1122332383>
..PV.H|..0..P..E.....@.?......\.......M...d\.r>..;PC......


Q...B.n.e..2@...Zw.. ......>`q..<.....
IP (tos 0x8, ttl 63, id 47586, offset 0, flags [DF], length: 116) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 5120:5184(64) ack 4321 win 15184 <nop,nop,timestamp 1371702270 1122332392>
..PV.H|..0..P..E..t..@.?......\.......M....\.r~..;P.......
Q...B.n....(
..
E_ .c... LdN....).8J4. .


24 packets captured
25 packets received by filter
0 packets dropped by kernel
You have new mail in /var/mail/root



--
Fabrizio Magni

fabrizio.magni@xxxxxxxxxxxxxxx

replace mycontinent with europe
.
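As an added example (not code from Fabrizio's post or from any Oracle or OpenSSH tooling), the POSIX shell script below turns the two manual checks in the post into something repeatable: it parses `lsof -p <pid>` output for the sqlplus process to confirm its only established peer is the local forwarded port, and it scans a tcpdump summary for any packet from the database host that was not sent from the ssh port. It assumes tcpdump was run without `-n`, so ports show as `/etc/services` names exactly as in the post. Hostnames and service names (breobsbsls01.ras, bremosdbls02.ras, rap-service = 1530, coauthor = 1529) are taken from the post; the sample lsof line and the first two capture lines are constructed copies of the post's output, and the third capture line is invented to show what a packet from the listener port that bypassed the tunnel would look like.

```shell
#!/bin/sh
# Added example, not code from the original post. It repeats the post's two
# checks on sample text: (1) the sqlplus socket's peer is the local forwarded
# port, (2) every packet from the DB host in the capture came from the ssh port.
# Assumes tcpdump was run without -n, so ports appear as /etc/services names.

SERVER_HOST="breobsbsls01.ras"                     # database host, as in the post
TUNNEL_SERVICE="ssh"                               # only port the server should send from
LOCAL_TUNNEL_PEER="bremosdbls02.ras:rap-service"   # 1530/tcp, the tunnel entry on the client

# Constructed lsof -p <sqlplus pid> line, modelled on the post's output.
SAMPLE_LSOF='sqlplus 16427 oracle 8u IPv4 4717301 TCP bremosdbls02.ras:32987->bremosdbls02.ras:rap-service (ESTABLISHED)'

# Constructed capture: lines 1-2 mirror the post's real packets; line 3 is an
# invented packet from the listener port (1529 = "coauthor") that would only
# appear if Net traffic had left the tunnel.
SAMPLE_CAPTURE='IP (tos 0x8, ttl 63, id 47322, offset 0, flags [DF], length: 52) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: . [tcp sum ok] 2846929684:2846929684(0) ack 1544053150 win 12848
IP (tos 0x8, ttl 63, id 47326, offset 0, flags [DF], length: 100) breobsbsls01.ras.ssh > bremosdbls02.ras.32845: P 0:48(48) ack 1 win 12848
IP (tos 0x8, ttl 63, id 47400, offset 0, flags [DF], length: 100) breobsbsls01.ras.coauthor > bremosdbls02.ras.32987: P 0:48(48) ack 1 win 12848'

# Print the remote end (host:port) of each ESTABLISHED socket in lsof output.
lsof_peers() {
    printf '%s\n' "$1" | awk '/ESTABLISHED/ {
        for (i = 1; i <= NF; i++)
            if (index($i, "->") > 0) { split($i, ep, "->"); print ep[2] }
    }'
}

# Exit 0 when the client process has at least one established socket and every
# peer is the local tunnel port; exit 1 otherwise (a direct connection to the
# DB host, or no connection at all, fails this check).
client_uses_tunnel_only() {
    lsof_peers "$1" | awk -v want="$LOCAL_TUNNEL_PEER" '
        { seen = 1; if ($0 != want) bad = 1 }
        END { if (!seen || bad) exit 1; exit 0 }'
}

# Print the source port/service of every packet from SERVER_HOST that was not
# sent from the ssh port. No output means all traffic stayed inside the tunnel.
non_tunnel_sources() {
    printf '%s\n' "$1" | awk -v host="$SERVER_HOST" -v svc="$TUNNEL_SERVICE" '
        $1 == "IP" {
            for (i = 1; i < NF; i++) {
                if ($(i + 1) == ">") {            # token before ">" is "host.port"
                    src = $i
                    n = split(src, parts, "[.]")
                    port = parts[n]               # last dotted component is the port/service
                    hostpart = substr(src, 1, length(src) - length(port) - 1)
                    if (hostpart == host && port != svc) print port
                    break
                }
            }
        }'
}

# Number of packets from the DB host that did not travel in the ssh session.
count_non_tunnel() {
    non_tunnel_sources "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed samples.
if client_uses_tunnel_only "$SAMPLE_LSOF"; then
    echo "client: sqlplus only talks to $LOCAL_TUNNEL_PEER (tunnel entry)"
else
    echo "client: sqlplus has a socket that is NOT the tunnel entry"
fi
echo "server packets outside the ssh session: $(count_non_tunnel "$SAMPLE_CAPTURE")"
non_tunnel_sources "$SAMPLE_CAPTURE" | sed 's/^/  sent from port: /'
```

On a real system the two inputs come from `lsof -p $(pgrep -x sqlplus)` on the client and from a capture like the post's `tcpdump -i eth0 src <db host>`; the invented third line makes the script report one packet from `coauthor`, which is the signal that a dispatcher connection has escaped the tunnel.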


