Port-Forwarding question

Hi, I’ve created a setup with the lscr.io/linuxserver/openssh-server:latest and a postgres image:

version: "3.5"
services:
  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    container_name: openssh-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - PUBLIC_KEY=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDrRaurzBo7rvg5nftj5zCWOvpy7ynsJCpEt2XYWC9YudtQIL0OerEy3F6E5+kYFHUXUHvgNfzlSQTFoEnoUvChkBkrXTb7+xVtdI6U1MTbN1CRN1DpyRrN3JPyrZHYObkyLJ4WDJqlBfSGymQigAIcUym08X7hJFMNauJRIC1qImVV3uyTdPRFFx2hzTa7qy4aZnK0wEh7A+qREXu+rhFbEKHtI6ho3MxOhFomHqna09U0LVAuA0mlRC0hArcoiWBvhj/YTKWmixYjOQWfFQI0xgyHNh/sV9IZazhARgD8yppWodFl7s378PPuFobcyiRXtdXTZoQNiVAn8p1h704wRv1p2kCI8/k4T0xk8bTX92In8VV8EEIyyjxpapj20hVvt2eF72rnpZ7ENXtRzF/DodGQe8TX0hG0mkhfVLELrnOe3hiSHpU3VDr48F2JAqxxnNvWrlVd7EvcqO7M64ZHyZB2znrKRTllbly2PP+ywYj/k8uEbUmv46pwoWGnj30= emea\bauscmi@CMTCL0X61044103
      - SUDO_ACCESS=false
      - PASSWORD_ACCESS=false
      - USER_NAME=sshtest
    volumes:
      - /path/to/appdata/config:/config
    ports:
      - 2222:2222
    restart: unless-stopped
    networks:
      - ssh-network
  db:
    container_name: db
    image: postgres
    restart: always
    ports:
      - 5555:5432
    environment:
      POSTGRES_PASSWORD: db_pw
      POSTGRES_USER: db_user
      POSTGRES_DB: db_name
    networks:
      - ssh-network
  adminer:
    container_name: adminer
    image: adminer
    restart: always
    ports:
      - 1111:8080
    networks:
      - ssh-network
networks:
  ssh-network:
    driver: bridge

The containers are up and running and I can do a ping from the ssh container to the db container or the webmin container (for the webmin, a wget to the local port is also working).

But when I try to create an SSH connection with a port forward to the postgres or the webminer, it’s not working:

My tunnel is configured so that, for example, the local port is 8888 and the remote side is adminer:8080. If I try to do a GET on 127.0.0.1:8888, there is no response.

GET http://127.0.0.1:8888/
Error: read ECONNRESET

Of course:

GET http://127.0.0.1:1111/

is working…

Thank you so much for your help and kind regards
Michael

In the ssh log I can see an ‘administratively prohibited: open failed’, and that error is coming even if I’m setting

PermitTunnel yes

Part from the ssh.log:

debug1: Connection to port 8888 forwarding to adminer port 8080 requested.
debug2: fd 10 setting TCP_NODELAY
debug2: fd 10 setting O_NONBLOCK
debug3: fd 10 is O_NONBLOCK
debug1: channel 3: new [direct-tcpip]
debug3: send packet: type 90
debug1: Connection to port 8888 forwarding to adminer port 8080 requested.
debug2: fd 11 setting TCP_NODELAY
debug2: fd 11 setting O_NONBLOCK
debug3: fd 11 is O_NONBLOCK
debug1: channel 4: new [direct-tcpip]
debug3: send packet: type 90
debug3: receive packet: type 92
channel 3: open failed: administratively prohibited: open failed
debug3: receive packet: type 92
channel 4: open failed: administratively prohibited: open failed
debug2: channel 3: zombie
debug2: channel 3: garbage collecting
debug1: channel 3: free: direct-tcpip: listening port 8888 for adminer port 8080, connect from ::1 port 57508 to ::1 port 8888, nchannels 5
debug3: channel 3: status: The following connections are open:
  #2 client-session (t4 r0 i0/0 o0/0 e[write]/0 fd 7/8/9 sock -1 cc -1)

Aaah thanks to SSH tunneling error: "channel 1: open failed: administratively prohibited: open failed" - Unix & Linux Stack Exchange

I saw that in the sshd_config this option was not correctly set:

AllowTcpForwarding yes
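
Why PermitTunnel did not help and AllowTcpForwarding did, as an added example that is not part of the original posts: a Python check that reads sshd_config-style text and decides whether an `ssh -L` (direct-tcpip) request to a target would be opened. The two sample configs are constructed, the function names are hypothetical, and the `local` plus `PermitOpen` variant is a narrower alternative to the blanket `yes` above, not what the poster used.

```python
# Added example: evaluates constructed sshd_config text, not the container's real file.
# Simplifications (assumptions): global section only (parsing stops at the first
# Match block), whitespace-separated arguments, no Include handling.

BLOCKED = """\
# constructed sample: tunnel devices enabled, TCP forwarding still off
PermitTunnel yes
AllowTcpForwarding no
"""

SCOPED = """\
# constructed sample: forwarding limited to the two compose services
AllowTcpForwarding local
PermitOpen adminer:8080 db:5432
"""

def effective(config_text):
    """Map lowercased keyword -> argument list; the first occurrence wins, as in sshd."""
    opts = {}
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        opts.setdefault(parts[0].lower(), parts[1:])
    return opts

def local_forward_allowed(config_text, host, port):
    """Decide whether a direct-tcpip channel (ssh -L) to host:port would be opened."""
    opts = effective(config_text)
    if opts.get("disableforwarding", ["no"])[0].lower() == "yes":
        return False, "DisableForwarding yes overrides everything else"
    mode = opts.get("allowtcpforwarding", ["yes"])[0].lower()
    if mode not in ("yes", "all", "local"):
        return False, f"AllowTcpForwarding {mode} (PermitTunnel only covers tun devices)"
    permit = opts.get("permitopen", ["any"])
    if permit[0].lower() == "any":
        return True, "no PermitOpen restriction"
    for entry in permit:  # "none" falls through: it never matches a host:port pair
        p_host, _, p_port = entry.rpartition(":")
        if p_host.strip("[]").lower() in ("*", host.lower()) and p_port in ("*", str(port)):
            return True, f"PermitOpen {entry}"
    return False, f"{host}:{port} is not listed in PermitOpen"

if __name__ == "__main__":
    for name, text in (("BLOCKED", BLOCKED), ("SCOPED", SCOPED)):
        for target in (("adminer", 8080), ("db", 5432), ("db", 22)):
            print(name, target, local_forward_allowed(text, *target))
```

On a real server, the effective values to feed into such a check come from `sshd -T`, which prints the configuration after defaults are applied.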

FYI, there is a mod that does all that for you.

Sorry but what do you mean by “mod”? Do you have a link with further information?

Kind regards
Michael

Linked in the image readme

Ah ok, I guess it’s that:

Thank you!