CODEWITHSUNDEEP
centosportforwardingssh-tunnelautossh
James Oravec
James Oravec

Reputation: 20391

CentOS with AutoSSH 127.0.0.1 versus *

I'm using autossh and set it up like shown in the following example: http://surniaulula.com/2012/12/10/autossh-startup-script-for-multiple-tunnels/

I found it works really well, but need some clarification. Particularly, the difference between 127.0.0.1 and * in the following examples:

ForwardPort=(
    "L 127.0.0.1:3397:127.0.0.1:3306"
)

versus

ForwardPort=(
    "L *:3397:127.0.0.1:3306"
)

The first one seems to do the redirect if coming from the host machine itself, where the 2nd seems to forward from anywhere. To me this translated as if the * was for any IP to forward the traffic through, but someone told me that it just says for any adapter on the machine. I'm curious is it any IP, or any adapter? I assume the end result is the same, but would like clarification for my own understanding.

Update

I updated my test to include a specific IP of a network I'm using and then tried to connect to the port and found that it did not work with the specific port specified, e.g.

ForwardPort=(
    "L x.x.x.x:3397:127.0.0.1:3306"
    "L 127.0.0.1:3397:127.0.0.1:3306"
)

Since this did not work, it makes me believe my buddy was right about the adapters. I am thus seeking details of how the adapter stuff works.

Upvotes: 0

Views: 245

Answers (1)

James Oravec
James Oravec

Reputation: 20391

Figured out my answer, figured I would post my answer, in case anyone is interested or googles an answer like I did and not find it.

So when I did x.x.x.x this was the WAN IP of my remote server. The autossh has not clue of this as the IP is not one of its adapters. If you run ifconfig on the server then you'll get your local loopback of 127.0.0.1 and other adapters like eth0, which would have the WAN IP. By doing the *, it does the forwarding for any requests comes from the local loop back as well as from the WAN. So * routes all requests, where 127.0.0.1 only does the ones that come from the machine itself.

If you wanted to allow external forwards, but limit who could do it, you could achieve this by doing * and then limiting communication of the server via iptables.

Upvotes: 0

Related Questions