6

I have a remote machine (IP XX.XX.XX.XX) which runs an app written in Python/CherryPy which opens a port for HTTP connections on the loopback interface. If I log in to the remote machine (using ssh) and then execute

curl http://127.0.0.1:8021 

everything works ok. But, when I set up a tunnel from my local machine using

ssh -L 6868:XX.XX.XX.XX:8021 -fN XX.XX.XX.XX 

and then run

curl http://localhost:6868 

or

curl http://127.0.0.1:6868 

I get this message

curl: (52) Empty reply from server 

ssh shows this message in the terminal where I created the tunnel

channel 2: open failed: connect failed: Connection refused 

For testing, I changed the app to open the port on the real network interface (XX.XX.XX.XX instead of 127.0.0.1) and I used curl from another machine in the same remote network and it worked. Nevertheless, trying to create a tunnel between both remote machines yielded the same results as between a remote server and my local machine.

I've tried to make sure that the problem is not the firewall, so I ran

iptables -A INPUT -d 127.0.0.1/32 -i lo -j ACCEPT 

which I think is enough, but I'm not sure. Here is the ssh -v output

[____@YYYY ~]$ ssh -vvL 6868:XX.XX.XX.XX:8021 -fN XX.XX.XX.XX
OpenSSH_5.4p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to [XX.XX.XX.XX] port 22.
debug1: Connection established.
debug1: identity file /home/____/.ssh/id_rsa type -1
debug1: identity file /home/____/.ssh/id_rsa-cert type -1
debug1: identity file /home/____/.ssh/id_dsa type -1
debug1: identity file /home/____/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4
debug1: match: OpenSSH_5.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 117/256
debug2: bits set: 510/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'XX.XX.XX.XX' is known and matches the RSA host key.
debug1: Found key in /home/____/.ssh/known_hosts:5
debug2: bits set: 514/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/____/.ssh/id_rsa ((nil))
debug2: key: /home/____/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_524' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_524' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/____/.ssh/id_rsa
debug1: Trying private key: /home/____/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
[email protected]'s password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: Local connections to LOCALHOST:6868 forwarded to remote address XX.XX.XX.XX:8021
debug1: Local forwarding listening on ::1 port 6868.
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 6868.
debug2: fd 5 setting O_NONBLOCK
debug1: channel 1: new [port listener]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Connection to port 6868 forwarding to XX.XX.XX.XX port 8021 requested.
debug2: fd 6 setting TCP_NODELAY
debug2: fd 6 setting O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: connect failed: Connection refused
debug2: channel 2: zombie
debug2: channel 2: garbage collecting
debug1: channel 2: free: direct-tcpip: listening port 6868 for XX.XX.XX.XX port 8021, connect from 127.0.0.1 port 47048, nchannels 3

1 Answer

12

The connection from your server to XX.XX.XX.XX:8021 is refused.

If a program is configured to listen on the loopback interface, it will only answer to connections on the loopback interface's addresses (127.0.0.1 and ::1), not on any other addresses the same computer has.

You need to use:

ssh -L 6868:127.0.0.1:8021 -fN XX.XX.XX.XX 

Note that the tunnel target is from the SSH server's perspective.

2
  • How is this different from what the OP tried? Commented Apr 13, 2016 at 17:21
  • @AdamSpiers: If a program is only listening on 127.0.0.1, you can only connect to it at that specific address, even when connecting from the same machine. Commented Apr 13, 2016 at 20:43
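The behaviour the answer describes, reproduced locally as an added example (not code from the question or answer): a listener bound to one specific address refuses connections addressed to any other address of the same host, which is exactly what sshd hits when it opens the direct-tcpip channel to the tunnel target. Because the remote host's public IP is not available offline, the demo stands in a second loopback address (127.0.0.2, configured by default on Linux) for XX.XX.XX.XX; the bind address, substitute address and ephemeral port are constructed for the example.

```python
"""Why `ssh -L 6868:XX.XX.XX.XX:8021` fails when the app binds 127.0.0.1.

sshd connects to the -L target from the server's own perspective. If the
service is bound to 127.0.0.1 only, a target of the server's public IP is
refused (channel open failed: Connection refused) while 127.0.0.1 succeeds.
Constructed demo: 127.0.0.2 stands in for the public IP XX.XX.XX.XX.
"""
import errno
import socket


def bind_like_the_app(bind_addr):
    """Listen on bind_addr at an ephemeral port, as the CherryPy app does on
    127.0.0.1:8021. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def connect_like_sshd(host, port, timeout=1.0):
    """Mimic the server-side connect that backs a direct-tcpip channel.
    Returns 'connected' or the errno name (e.g. 'ECONNREFUSED')."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except OSError as exc:
        # Timeouts carry no errno; report the exception instead.
        return errno.errorcode.get(exc.errno, repr(exc))


def compare_tunnel_targets(bind_addr="127.0.0.1", public_addr="127.0.0.2"):
    """Bind once like the app, then try both -L target spellings.
    Returns {target_address: outcome}."""
    srv, port = bind_like_the_app(bind_addr)
    try:
        return {
            bind_addr: connect_like_sshd(bind_addr, port),      # the answer's fix
            public_addr: connect_like_sshd(public_addr, port),  # the OP's command
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for target, outcome in compare_tunnel_targets().items():
        print(f"-L 6868:{target}:PORT  ->  {outcome}")
```

On Linux the second line prints ECONNREFUSED, matching the "connect failed: Connection refused" in the OP's debug output; a quick server-side check of the same fact is `ss -ltn` (or `netstat -ltn`), which shows the bound address in the Local Address column.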
