old-www/HOWTO/MindTerm-SSH-HOWTO/creating-tunnels.html

<HTML
><HEAD
><TITLE
>Creating the tunnels</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.63
"><LINK
REL="HOME"
TITLE="Encrypted Tunnels using SSH and MindTerm HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Server and Client Configurations"
HREF="configurations.html"><LINK
REL="NEXT"
TITLE="MindTerm over the web"
HREF="mindterm-web.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Encrypted Tunnels using SSH and MindTerm HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="configurations.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="mindterm-web.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="CREATING-TUNNELS"
>5. Creating the tunnels</A
></H1
><P
>MindTerm can be started in a few ways. If you have the JRE installed, you can double-click the
mindtermfull.jar application file. Another way is to open a DOS shell (command prompt) and type the command:</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>jview -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
> or</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>javaw -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
> or</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>java -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
><EM
>(jview is Microsoft's Java virtual machine; use it on Windows if you have not downloaded the JRE. javaw comes with the
Windows JRE download and is used because it does not need a DOS shell window to run
MindTerm, so there is one less window open.)</EM
></P
><P
>MindTerm 2.0 is now available. The class name used to start it has changed slightly. Instead of the command
above:</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>java -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
> this will start MindTerm from the commandline:</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>java -cp c:\mindterm\mindtermfull.jar com.mindbright.application.MindTerm</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>Only the "com." prefix was added to the name of the main class; everything else on the command line stays the same.</P
><P
>This will start the MindTerm program. Type the server name when prompted and it
will prompt you to "
<A
HREF="minddialog.jpg"
TARGET="_top"
>Save as Alias</A
>". You can type a short name for the server so that when you start MindTerm
again you can simply type the <B
CLASS="COMMAND"
>Alias</B
> you created. You will then be prompted for your login name. After
you type it, hit enter and a dialog box will appear informing you that the host doesn't exist and prompting
you to create it. Click <B
CLASS="COMMAND"
>Yes</B
>. Another dialog will ask whether you want to add that host's key to
your <TT
CLASS="FILENAME"
>known_host</TT
> file. This first connection is the one moment an attacker sitting between you and the server could
present a key of his own, and everything you tunnel later would then pass through him. So before you click
<B
CLASS="COMMAND"
>Yes</B
> verify the host key out of band: compare its fingerprint with one obtained from the server's console or from
its administrator. Once the key is saved, MindTerm checks it on every later connection and warns you if it
changes. Then you are prompted for your password. Type your password and
hit enter. If you supplied the proper username and password then you should be at a command line on
the server you specified.</P
><P
>We'll create a tunnel to the POP and SMTP server, first. After you have successfully logged in (and
optionally enabled vlock) click on
<A
HREF="tunnelmenu.jpg"
TARGET="_top"
>Tunnels</A
> on the menu and then click
<A
HREF="tunnelmenubasic"
TARGET="_top"
>Basic</A
>. A dialog box will
appear. Fill in the boxes as follows:</P
><P
></P
><UL
><LI
><P
>Local port: <B
CLASS="COMMAND"
>2010</B
></P
></LI
><LI
><P
>Remote Host: <EM
>Your remote host (this should be the server running the sshd server). The name is resolved by sshd on the
far end, not by your PC, so <B
CLASS="COMMAND"
>localhost</B
> here means the SSH server itself; that is why the command-line examples later in this section use
<B
CLASS="COMMAND"
>localhost</B
> as the remote host.</EM
>.</P
></LI
><LI
><P
>Remote port: <B
CLASS="COMMAND"
>110</B
></P
></LI
></UL
><P
>Now click <B
CLASS="COMMAND"
>Add</B
>.
A dialog box should appear stating "<A
HREF="tunnelconfirm.jpg"
TARGET="_top"
>The
tunnel is now open and operational</A
>". <EM
>(Note: If you
select a local port that is already in use, an error message will appear stating "
<A
HREF="tunnelerror.jpg"
TARGET="_top"
>Could not open tunnel. Error creating tunnel. Error setting up local forward on port XXXX, Address in use.</A
>)</EM
>
Click <B
CLASS="COMMAND"
>OK</B
> and the tunnel configuration should appear in the box now. Click <B
CLASS="COMMAND"
>Close Dialog</B
>. Open up your email client's options or preferences menu. We'll use Netscape Messenger for this example.</P
><P
></P
><OL
TYPE="1"
><LI
><P
>Open up Netscape</P
></LI
><LI
><P
>Click on <B
CLASS="COMMAND"
>Edit -&#62; Preferences</B
>.</P
></LI
><LI
><P
>On the left column click on <B
CLASS="COMMAND"
>Mail &amp; Newsgroups</B
>, if the contents aren't already displayed.</P
></LI
><LI
><P
>Click on <B
CLASS="COMMAND"
>Identity</B
> and type your information in each box.</P
></LI
><LI
><P
>Click on <B
CLASS="COMMAND"
>Mail Servers</B
> in the left column. The default install of Netscape has "mail" in the
box underneath Incoming mail servers.</P
></LI
><LI
><P
>Click on <B
CLASS="COMMAND"
>mail</B
>.</P
></LI
><LI
><P
>Click <B
CLASS="COMMAND"
>Edit</B
> to the right of that box and a dialog box should appear.</P
></LI
><LI
><P
>If POP is not already selected in that drop down box, select it now.</P
></LI
><LI
><P
>In the Server Name box type <B
CLASS="COMMAND"
>localhost:2010</B
> <EM
>(remember we chose that local port in the
MindTerm tunnel creation menu to forward to the remote servers POP (110) port)</EM
> and then
your username. Set any other options as you see fit.</P
></LI
><LI
><P
>Click <B
CLASS="COMMAND"
>OK</B
>.</P
></LI
><LI
><P
>In the box <B
CLASS="COMMAND"
>Outgoing mail (SMTP) server</B
> type your smtp server name and underneath that
type your Outgoing mail server user name.</P
></LI
><LI
><P
>Click <B
CLASS="COMMAND"
>OK</B
>. <EM
>(Don't do anything to the Use Secure Socket Layer (SSL) or TLS for
outgoing messages option)</EM
>.</P
></LI
><LI
><P
>Now click on <B
CLASS="COMMAND"
>Communicator</B
> on the menu.</P
></LI
><LI
><P
>Click <B
CLASS="COMMAND"
>Messenger</B
>.</P
></LI
><LI
><P
>You should then be prompted for your password. Type your password and hit enter. If you
have mail you should now be able to read it.</P
></LI
></OL
><P
>As long as you have a MindTerm ssh session open, this should work with most email clients.
Remember that the POP server name will be "<EM
>localhost:2010</EM
>". If you are asked for
the POP server and port separately then enter localhost and 2010 accordingly. Any connection to local port 2010, in
this example, is forwarded to the remote host's port 110. The tunnel itself is protocol-agnostic: it carries whatever
bytes the client sends and never looks at them. So if you configured an ftp client to connect
to localhost port 2010 it would not work, not because the tunnel blocks it, but because the ftp client would
find itself talking to a POP daemon that does not understand ftp commands. Only POP clients should be pointed at
local port 2010; every other service needs a tunnel of its own.
A POP server isn't much good if you don't have an smtp server. If you have a mail transfer agent like Postfix (
<A
HREF="http://www.postfix.net"
TARGET="_top"
>www.postfix.net</A
>), Qmail (<A
HREF="http://www.qmail.org"
TARGET="_top"
>www.qmail.org</A
>), or Sendmail (<A
HREF="http://www.sendmail.org"
TARGET="_top"
>www.sendmail.org</A
>) then a secure tunnel can be created to it, as well.</P
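>
<P
>The following is an added example, not part of this HOWTO and not MindTerm's own code. It models the local
side of a forward as a plain byte relay (unencrypted; it stands in for the listener MindTerm opens on the
local port) and probes the forwarded port for the greeting the client expects. The POP3 and SMTP banners and
the fake daemons are constructed for the example. It also includes the check behind MindTerm's "Address in use"
error, so a local port can be tested before a tunnel is added to it.</P
>
```python
"""Model of a local port forward as a plain byte relay, plus a probe that
checks what is actually answering on the forwarded port.

Added example, not part of the MindTerm HOWTO or of MindTerm itself.  The relay
is unencrypted: it stands in for the local listener MindTerm opens on
"Local port" so the protocol-agnostic behaviour can be shown offline.  The fake
POP3/SMTP services are constructed stand-ins for the daemons on the remote host.
"""
import socket
import threading


def _pump(src, dst):
    # Copy bytes one way until either side closes; the forward never inspects them.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def start_local_forward(local_port, remote_host, remote_port):
    """Listen on 127.0.0.1:local_port and relay each connection to remote_host:remote_port.

    Returns the bound local port (useful when local_port is 0, meaning any free port).
    Raises OSError (EADDRINUSE) if local_port is taken, the condition behind MindTerm's
    "Error setting up local forward on port XXXX, Address in use".
    """
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", local_port))
    lsock.listen(5)

    def accept_loop():
        while True:
            client, _ = lsock.accept()
            try:
                upstream = socket.create_connection((remote_host, remote_port))
            except OSError:
                client.close()          # far end unreachable: drop this client only
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def local_port_free(port):
    """True if 127.0.0.1:port can be bound right now; check this before adding a tunnel."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
        except OSError:
            return False
    return True


def start_fake_service(banner):
    """Constructed stand-in for a remote daemon: greets with `banner`, then hangs up."""
    ssock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssock.bind(("127.0.0.1", 0))
    ssock.listen(5)

    def serve():
        while True:
            conn, _ = ssock.accept()
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return ssock.getsockname()[1]


def probe_banner(local_port, expected_prefix, timeout=2.0):
    """Connect to the forwarded local port and check the server greeting.

    Returns (ok, banner).  ok is False when nothing answers or when the greeting
    does not start with expected_prefix, e.g. a client expecting POP3 ("+OK") that
    reaches an SMTP daemon ("220").
    """
    try:
        with socket.create_connection(("127.0.0.1", local_port), timeout=timeout) as s:
            banner = s.recv(512).decode("ascii", "replace").strip()
    except OSError as exc:
        return False, str(exc)
    return banner.startswith(expected_prefix), banner


# Greetings a POP3 and an SMTP daemon would send (constructed sample data).
POP3_BANNER = b"+OK POP3 server ready\r\n"
SMTP_BANNER = b"220 mail.example.org ESMTP\r\n"


def demo():
    """Forward to a fake POP3 daemon and probe it with the right and the wrong expectation."""
    pop_port = start_fake_service(POP3_BANNER)
    fwd_port = start_local_forward(0, "127.0.0.1", pop_port)   # 0: pick a free port
    pop_ok, _ = probe_banner(fwd_port, "+OK")                  # POP client on the POP tunnel: fine
    smtp_ok, banner = probe_banner(fwd_port, "220")            # SMTP client on the POP tunnel: wrong daemon
    return {"pop_ok": pop_ok, "smtp_ok": smtp_ok, "banner": banner, "port": fwd_port}


if __name__ == "__main__":
    print(demo())
```
<P
>The second probe makes the point above: the relay carries whatever bytes the client sends, so a client
speaking the wrong protocol for the daemon at the far end simply receives a greeting it does not
understand. The same probe, pointed at the real forwarded ports (2010 expecting "+OK", 2025 expecting "220",
2043 expecting "* OK"), is a quick way to confirm that each MindTerm tunnel is up and reaching the intended
service.</P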
><P
>With the MindTerm client still running click on Tunnels again then Basic and add these settings.</P
><P
></P
><UL
><LI
><P
>Local Port: <B
CLASS="COMMAND"
>2025</B
><EM
>(just type over the settings set from what we did previously)</EM
></P
></LI
><LI
><P
>Remote Host: <EM
>Your remote smtp server</EM
>.</P
></LI
><LI
><P
>Remote Port: <B
CLASS="COMMAND"
>25</B
></P
></LI
></UL
><P
>Click <B
CLASS="COMMAND"
>Add</B
>.
Then click <B
CLASS="COMMAND"
>OK</B
> on the confirmation menu. Now smtp should be added to the list underneath the
settings for POP. In the Netscape Messenger mail server settings add: <B
CLASS="COMMAND"
>localhost:2025</B
> as your
<EM
>Outgoing mail (SMTP) server</EM
>.
All mail you submit through the tunnel is encrypted between your machine and the remote smtp server. If the
recipient's mailbox is on that server, that is the whole path. If you send mail to someone outside
the remote host's mail domain, the hop from the remote smtp server to the next mail server is
ordinary, unencrypted SMTP; the tunnel protects only your submission, and in either case the message is stored
in the clear on the server.</P
><P
>To encrypt ftp sessions add these settings to a new tunnel. Note that ftp uses two connections: the control
connection on port 21, which this tunnel carries, and a separate data connection for every directory listing
or transfer. With a plain port forward the data connection is opened outside the tunnel (in active mode the
server even tries to connect back to your PC, which usually fails), so use passive mode in your ftp client
together with MindTerm's ftp-aware forward (the <B
CLASS="COMMAND"
>/ftp/</B
> prefix in the command-line example later in this section), which carries the data connections inside the
tunnel as well.</P
><P
></P
><UL
><LI
><P
>Local Port: <B
CLASS="COMMAND"
>2021</B
> <EM
>(just type over the settings set from what we did previously)</EM
></P
></LI
><LI
><P
>Remote Host: <EM
>Your remote ftp server</EM
>.</P
></LI
><LI
><P
>Remote Port: <B
CLASS="COMMAND"
>21</B
></P
></LI
></UL
><P
>Click <B
CLASS="COMMAND"
>Add</B
>.
Then click <B
CLASS="COMMAND"
>OK</B
> on the confirmation menu. Now ftp (see the
<A
HREF="leech.jpg"
TARGET="_top"
>leech ftp example</A
>
and wsftp--
<A
HREF="wsftp.jpg"
TARGET="_top"
>picture 1</A
> and
<A
HREF="wsftpadvanced.jpg"
TARGET="_top"
>picture 2</A
>)
should be added to the list underneath the settings for SMTP.</P
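>
<P
>Why a forward of port 21 alone is not enough, shown as an added example that is not code from this HOWTO
or from MindTerm. It parses the passive-mode reply an ftp server sends on the control channel, shows that a
client would dial the advertised address directly (outside the tunnel), and performs the rewrite an ftp-aware
forward has to do so that the data connection also goes through a local forwarded port. How MindTerm's own
/ftp/ forward implements this internally is not described on this page; the sample control-channel lines,
the addresses and the local data port 2022 are constructed for the example.</P
>
```python
"""Why a plain port-21 forward does not make ftp private, and what an
ftp-aware forward has to do about it.

Added example, not code from the HOWTO or from MindTerm.  It shows the rewrite
an ftp-aware forward must perform on the control channel; MindTerm's own
implementation is not shown on this page.
"""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def parse_pasv(reply):
    """Return (host, port) advertised in a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply,
    or None if the line is not a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(host, port):
    """Build a 227 reply advertising host:port (port is split as hi*256 + lo)."""
    h = host.split(".")
    return f"227 Entering Passive Mode ({h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256})"


def data_connection_leaves_tunnel(reply):
    """With a plain forward the client dials the address in the 227 reply directly.

    Anything other than a loopback address means a clear-text data connection
    (or no connection at all, if the server advertised an address that is not
    routable from the client's network).
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    host, _ = parsed
    return not host.startswith("127.")


def rewrite_pasv(reply, local_data_port):
    """Rewrite a server 227 reply so the client connects to 127.0.0.1:local_data_port.

    Returns (rewritten_reply, (real_host, real_port)).  An ftp-aware forward opens a
    second forward from local_data_port to real_host:real_port before passing the
    rewritten reply on, so the data connection is carried inside SSH as well.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply, None
    return format_pasv("127.0.0.1", local_data_port), parsed


def active_mode_is_unusable(command):
    """A PORT command asks the server to connect back to the client's own address.

    Through a tunnel the server sees the connection coming from the SSH host, not
    from the client's PC, so the connect-back either fails or bypasses the tunnel;
    the client must be switched to passive mode instead.
    """
    return PORT_RE.match(command.strip()) is not None


# Constructed sample control-channel traffic.
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,195,80)"
SAMPLE_PORT = "PORT 10,0,0,5,4,1"

if __name__ == "__main__":
    print(parse_pasv(SAMPLE_PASV))
    print(rewrite_pasv(SAMPLE_PASV, 2022))
    print(active_mode_is_unusable(SAMPLE_PORT))
```
<P
>The rewritten reply points the client at 127.0.0.1 and a local port; the forwarder's job is then to
have that local port forwarded to the address and port the server really advertised, for the lifetime of
that one transfer. Without that second step the listing or file goes over the network in the clear even
though the login did not.</P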
><P
>IMAP settings:</P
><P
></P
><UL
><LI
><P
>Local Port: <B
CLASS="COMMAND"
>2043</B
> <EM
>(just type over the settings set from what we did previously)</EM
></P
></LI
><LI
><P
>Remote Host: <EM
>Your remote imap server</EM
>.</P
></LI
><LI
><P
>Remote Port: <B
CLASS="COMMAND"
>143</B
></P
></LI
></UL
><P
>Click <B
CLASS="COMMAND"
>Add</B
>.
Then click <B
CLASS="COMMAND"
>OK</B
> on the confirmation menu. Now IMAP should be added to the list underneath the settings
for ftp.</P
><P
>All these settings can be automated in a batch file. Simply add the following (as a single line; it is wrapped
here only to fit the page) to a startup script to
automatically create a tunnel to your pop server after authentication:</P
><P
> <TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>jview (or java or javaw) -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
-server -local0 2010:localhost:110</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
> Here is an example based on what we've done above (again all on one line in the file). Add the following to a file in an editor:</P
><P
> <TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>jview (or java or javaw) -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
-server -local0 2010:localhost:110 -local1 2025:localhost:25 -local2 /ftp/2021:localhost:21
-local3 2043:localhost:143</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>now save it with a <TT
CLASS="FILENAME"
>.bat</TT
> extension. Double-click on it. You should be prompted for your login name
when MindTerm starts up, then type your password. Keep the password out of the batch file: anyone who can
open the file would be able to read it. After you are authenticated click on the <B
CLASS="COMMAND"
>Tunnels</B
>
menu and click <B
CLASS="COMMAND"
>Basic</B
>. You should see the tunnels in the box that opens up. This is an easy way to
allow remote users to start up the tunnels without much configuration on their part. They only need
to click the <TT
CLASS="FILENAME"
>.bat</TT
> file, type their username and password and optionally run vlock. Their client
software can be pre-configured with profiles that connect to the tunnels automatically.</P
><P
>When you are finished using the MindTerm, be sure to close all applications that are using a tunnel. If
you forget to close the programs using the tunnels, MindTerm will display a message when you attempt
to exit from the console or quit the program.</P
><P
>What about VNC and NTOP? These services work the same way. Here the VNC server was running
on a RedHat 7.0 workstation. A VNC server listens on port 5900 plus its display number: the first
server you start takes display :1 and listens on port 5901, the second takes display :2 and listens on
5902, the third on 5903, and so on. On Linux you can run several VNC servers at once and tunnel to each
of them. As with the web server later in this section, keep the VNC ports off the public interface (with a
packet filter, or by binding the server to 127.0.0.1 if your VNC version supports it) so that the tunnel is
the only way in. In MindTerm, add a VNC tunnel with the following settings:</P
><P
></P
><UL
><LI
><P
>Local Port: <B
CLASS="COMMAND"
>2001</B
></P
></LI
><LI
><P
>Remote Host: <EM
>Your remote VNC server host name</EM
>.</P
></LI
><LI
><P
>Remote Port: <B
CLASS="COMMAND"
>5901</B
> <EM
>(If this is the first server instance running)</EM
></P
></LI
></UL
><P
>Click <B
CLASS="COMMAND"
>Add</B
>.
Then click <B
CLASS="COMMAND"
>OK</B
> on the confirmation menu.</P
><P
>Run the vncviewer application on your local machine and type: <B
CLASS="COMMAND"
>localhost:2001</B
>, and then the
password, when prompted, for the VNC desktop and you have an encrypted VNC session.</P
><P
>Ntop works the same way. If you want to run ntop in web mode as a network monitor, you can tunnel
connections to your local machine and view the stats in your local browser without having to install a
webserver or expose port 3000 on your remote server's public interface. By default, ntop in web mode listens on port
3000 and waits for an http connection to display network stats. Be aware that <B
CLASS="COMMAND"
>ntop -w 3000</B
> listens on every interface unless you bind it to 127.0.0.1 (if your ntop version allows it) or block port
3000 at the firewall; the tunnel only helps if the direct route is closed. Create a tunnel to the server
running the ssh server and ntop. First run ntop in web mode:</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>ntop -d -w 3000</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>Then add the settings
to the MindTerm tunnel:</P
><P
></P
><UL
><LI
><P
>Local Port: <B
CLASS="COMMAND"
>2080</B
></P
></LI
><LI
><P
>Host: <EM
>Server running ntop</EM
>.</P
></LI
><LI
><P
>Remote Port: <B
CLASS="COMMAND"
>3000</B
></P
></LI
></UL
><P
>Click <B
CLASS="COMMAND"
>Add</B
>.
Then click <B
CLASS="COMMAND"
>OK</B
> on the confirmation menu.</P
><P
>Open up your web browser and in the location bar type: <B
CLASS="COMMAND"
>http://localhost:2080</B
>. You should now see
the network stats page for ntop (see the ntop man page to add password-protected access to the ntop
display). Similarly, if you want to install a web server so you can use web-based applications to control
your server or firewall, create a tunnel to port 80. You don't have to open up a port on the
public interface: bind the webserver to the loopback interface and tunnel to the remote
host's port 80. For Apache, edit <TT
CLASS="FILENAME"
>httpd.conf</TT
>, change <EM
>BindAddress *</EM
> to <B
CLASS="COMMAND"
>BindAddress 127.0.0.1</B
>, set the <EM
>ServerName</EM
> directive to <B
CLASS="COMMAND"
>ServerName localhost</B
>, and change the <EM
>Listen</EM
> directive to <B
CLASS="COMMAND"
>Listen 127.0.0.1:80</B
>:</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>BindAddress 127.0.0.1
ServerName localhost
Listen 127.0.0.1:80</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>After restarting Apache, confirm on the server that port 80 is listening only on 127.0.0.1 (for example with
<B
CLASS="COMMAND"
>netstat -an</B
>) before relying on the tunnel as the only way in.
As you can see by now, MindTerm can secure almost any TCP service. It can be used on a remote
server to run
<A
HREF="http://www.webmin.com/webmin"
TARGET="_top"
>Webmin</A
>,
which is an excellent web application to
administer your servers. It comes with its own perl-based webserver and listens on port 10000 by
default. Simply create a tunnel to it using MindTerm and it should work without any changes to the
Webmin application or your local web browser; as with Apache, though, bind Webmin's own webserver to
127.0.0.1 as well, otherwise port 10000 stays reachable from the network regardless of the tunnel. The
MindTerm download zip file contains many
useful examples, such as using it from the command line and an explanation of all the menu options.
MindTerm has more features than outlined in this tutorial but the tunnel option is well worth
spending time focusing on.</P
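>
<P
>An added example, not code from this HOWTO, for the check that belongs at the end of this section: after
binding Apache, Webmin, VNC or ntop to the loopback interface, confirm that nothing tunnelled is still
listening on the public interface. It parses the LISTEN lines of Linux <B
CLASS="COMMAND"
>netstat -an</B
> output and reports every wildcard listener except the ports you allow (sshd itself). The netstat
excerpt, the addresses and the set of services in it are constructed for the example; in it ntop was
started with plain -w 3000 and is therefore still exposed.</P
>
```python
"""Check that services meant to be reached only through the tunnel are not also
listening on the public interface.

Added example, not from the HOWTO.  It parses the LISTEN lines of `netstat -an`
(Linux format) and reports wildcard or public-address listeners; the sample
output below is constructed for the example.
"""
import re

# tcp/tcp6, Recv-Q, Send-Q, Local Address:port, Foreign Address, LISTEN
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")


def parse_listeners(netstat_text):
    """Return a list of (address, port) for every TCP socket in LISTEN state."""
    out = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def is_loopback(addr):
    """True for addresses only reachable from the host itself."""
    return addr.startswith("127.") or addr in ("::1", "localhost")


def exposed_listeners(netstat_text, allowed_ports=(22,)):
    """Listeners reachable from the network whose port is not in allowed_ports.

    A service bound to 0.0.0.0, :: or the host's public address is reachable
    directly, so the tunnel adds nothing for it; only sshd should normally be allowed.
    """
    return [(a, p) for a, p in parse_listeners(netstat_text)
            if not is_loopback(a) and p not in allowed_ports]


def tunnel_targets_ok(netstat_text, tunnelled_ports):
    """True when every tunnelled service is listening and none of them is exposed."""
    listening = {p for _, p in parse_listeners(netstat_text)}
    exposed = {p for _, p in exposed_listeners(netstat_text)}
    return all(p in listening and p not in exposed for p in tunnelled_ports)


# Constructed `netstat -an` excerpt taken after the Apache change above; ntop was
# started with plain `-w 3000` and so still listens on every interface.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10000         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.7:22          198.51.100.4:51022      ESTABLISHED
"""

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"exposed: {addr}:{port}")
```
<P
>Feed it the real netstat output from the server (for example through a file copied over) and treat any line
it reports as a service that a tunnel is not protecting, because the direct route to it is still open.</P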
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="configurations.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="mindterm-web.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Server and Client Configurations</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>MindTerm over the web</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>