Combining Port Forwarding Scripts

Discussion in 'macOS' started by s4yunkim, Jun 29, 2011.

  1. s4yunkim macrumors regular

    Joined:
    Feb 6, 2009
    #1
    So I have a few scripts to tunnel things over SSH, that read like this:

    Apple File Sharing
    Code:
    #!/bin/sh
    # Forward local port 22 to AFP (548) on the server; 22 is a privileged port, hence sudo
    sudo ssh server.server.com -l username -L 22:127.0.0.1:548
    Plex Media Server
    Code:
    #!/bin/sh
    # Announce a Plex server via Bonjour on the local network, then forward its port
    dns-sd -R PMS _plexmediasvr._tcp . 32400 &
    ssh -N -L 32400:localhost:32400 server.server.com -l username -p 22
    General SOCKS Proxy
    Code:
    #!/bin/bash
    # Dynamic (SOCKS) proxy on local port 9879, tunnelled through the server
    ssh -D 9879 username@server.server.com
    iTunes Home Sharing
    Code:
    #!/bin/sh
    # Advertise a DAAP (iTunes) share via Bonjour that points at the forwarded local port
    dns-sd -P "Home iTunes" _daap._tcp local 3689 localhost.local. \
      127.0.0.1 "Arbitrary text record" &
    PID=$!
    # Compressed tunnel; runs until interrupted, then the Bonjour registration is removed
    ssh -C -N -L 3689:localhost:3689 server.server.com
    kill $PID

    I have 4 aliases to them in a folder and launch them each as needed, and each opens them in a terminal window, which I hide in the background. I also have to type the password to the ssh account I'm logging into on each tunnel.

    Since all of them point to the same server/account, is there a better way to do this than to have 4 terminal windows open? As in combine them all into one script, type my password once, and let it be done?
     
  2. eggfoam macrumors member

    Joined:
    Jun 21, 2011
    #2
    Try SSH Tunnel Manager. It's a GUI front-end for this purpose. It won't handle your dns-sd commands. I've never used those -- are they cosmetic or functional? I.e., could you just connect to localhost on the appropriate port to get to the forwarded one? That's what I do for SSH-tunneled screen sharing.

    BTW, SSH Tunnel Manager is a PPC binary, but the full Xcode bundle is available for download. I recompiled it for Intel for my own use.
     
  3. s4yunkim thread starter macrumors regular

    Joined:
    Feb 6, 2009
    #3
    As far as I know (these scripts were found on the internet) they are required to announce the presence of such services (Bonjour, Plex Media Server), so they are necessary.... I guess I can just keep them as they are ... unless there's a better idea out there... :-\

    I've tried the port forwarder, but somehow never had any luck with it, maybe it's because I didn't have it set up right...
     
  4. eggfoam, Jun 30, 2011
    Last edited: Jun 30, 2011

    eggfoam macrumors member

    Joined:
    Jun 21, 2011
    #4
    You should be able to combine your ssh lines into one command so that you just have to enter your password once. You can also use the "-f" option to force it to run in the background -- then you can close the Terminal window. However, once you've done this, you can no longer stop the forwarding just by closing the window. If you want to end the forwarding, you'll need to either reboot or use "ps" and "kill" in Terminal.

    Of course, the "&" after your dns-sd commands already means that they're running in the background until you reboot or kill them. If you run your scripts more than once without killing the processes or rebooting in between, you might get some weird behavior.

    Assuming as you mentioned that all four commands point to the same target server with the same username and password, I think you can combine all four scripts into one as follows:

    Code:
    # Bonjour announcements, backgrounded as in the original scripts
    dns-sd -R PMS _plexmediasvr._tcp . 32400 &
    dns-sd -P "Home iTunes" _daap._tcp local 3689 localhost.local. \
      127.0.0.1 "Arbitrary text record" &
    # One ssh session: -f backgrounds it, one -L per forward, -D for the SOCKS proxy
    sudo ssh -f server.server.com -l username -L 22:127.0.0.1:548 -L 32400:localhost:32400 -L 3689:localhost:3689 -D 9879
    
    This should ask for your password twice: once for the sudo, which will need the password of the local machine you're running the script on, and then ssh should prompt for the password for username@server. Then you'll just have one SSH process running that does three port forwardings and one SOCKS proxy (the -D part).

    What you're doing pretty much makes sense to me except for the -L 22:127.0.0.1:548 part. (Is there some reason to use 127.0.0.1 instead of localhost there? Those are more or less the same, or at least point to the same place, but perhaps in a slightly different way.) The reason you need the sudo at the beginning of the command is that you're forwarding local port 22 (which is a port that requires superuser privileges and is usually reserved for SSH, at least for inbound traffic) to remote port 548, I guess for AFP file-sharing. What do you do with that? Maybe do "Connect to Server" and enter afp://localhost:22 or something? I would suggest changing that 22 to an arbitrary higher number (e.g., 9999). Then you can remove the "sudo" part and be able to enter your password only once.
     
  5. s4yunkim thread starter macrumors regular

    Joined:
    Feb 6, 2009
    #5
    Thanks for the detailed reply!

    Alas, I tried it out and got this error:

    Code:
    Cannot fork into background without a command to execute.
    
    I'm guessing this has something to do with the -f command. Any ideas?
     
  6. eggfoam macrumors member

    Joined:
    Jun 21, 2011
    #6
    Ah, I think you need to add the -N flag to tell ssh that it doesn't need to execute a command. That was in some of your existing scripts but not all. So now the ssh line will begin: sudo ssh -f -N ...

    See if that does the trick. I'm not entirely sure that the proxy server command (the -D part) will work properly with the port forwarding commands (the -L parts) and the -N flag, but if it successfully runs, you can just try out all four services and make sure they work.

    Just to be clear, it will ask for your password twice. The first time it's sudo wanting the password, and for that you need to enter the password for your *local* account to get superuser privileges. The second password prompt is coming from SSH and requires your *remote* machine's password. One caveat: if you have recently (last 10 minutes maybe?) used sudo for another command, sudo won't make you enter it again, and you'll get only one prompt from SSH for the remote machine. Unfortunately, the prompts look exactly the same, so there's no way to tell which you're looking at until you go ahead and find out whether it asks once or twice. If you do what I suggested and change that port 22 to something above 1000, you can remove "sudo" and it'll only ask once (for the remote password) every time.
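Putting the advice in this thread together (one ssh session, -f -N, an unprivileged local port instead of 22 so no sudo is needed, and a way to stop everything without ps and kill), as an added example that is not code from the thread: server.server.com and username are the thread's placeholders, while local port 9548, the control socket path and the PID file path are my own choices.

```bash
#!/bin/bash
# Added example, not from the thread: all four tunnels in one detached ssh session
# plus a 'stop' action that needs no ps/kill. Assumed: server.server.com and
# username are the thread's placeholders, 9548 is an arbitrary unprivileged local
# port chosen here for AFP (so no sudo), and the socket/PID file paths are mine.
SERVER=server.server.com
USER_NAME=username
CTL="$HOME/.ssh/tunnels.sock"   # OpenSSH control socket for this session
PIDFILE="$HOME/.tunnels.pid"    # PIDs of the backgrounded dns-sd announcers
# local port -> remote host:port, one -L per service
FORWARDS="9548:localhost:548 32400:localhost:32400 3689:localhost:3689"
SOCKS_PORT=9879

# -N: no remote command (required with -f); -f: background after authentication;
# -M -S: control master on a socket so 'stop' can find the session later.
build_ssh_args() {
  local args="-N -f -M -S $CTL"
  for fwd in $FORWARDS; do
    args="$args -L $fwd"
  done
  echo "$args -D $SOCKS_PORT -l $USER_NAME $SERVER"
}

start_tunnels() {
  if [ -S "$CTL" ]; then
    echo "tunnels already running; run '$0 stop' first" >&2
    return 1
  fi
  # Bonjour announcements from the original scripts, PIDs recorded for stop.
  dns-sd -R PMS _plexmediasvr._tcp . 32400 &
  echo $! > "$PIDFILE"
  dns-sd -P "Home iTunes" _daap._tcp local 3689 localhost.local. \
    127.0.0.1 "Arbitrary text record" &
  echo $! >> "$PIDFILE"
  # One password prompt, then ssh forks and the Terminal window can be closed.
  ssh $(build_ssh_args)   # word splitting of the argument list is intended
}

stop_tunnels() {
  ssh -S "$CTL" -O exit "$SERVER"   # tells the master ssh process to quit
  if [ -f "$PIDFILE" ]; then
    while read -r pid; do kill "$pid" 2>/dev/null; done < "$PIDFILE"
    rm -f "$PIDFILE"
  fi
}

case "$1" in
  start) start_tunnels ;;
  stop)  stop_tunnels ;;
esac
```

Run it as `./tunnels.sh start` and `./tunnels.sh stop`; the stop action sends `-O exit` over the control socket, which ends the master ssh process together with all of its forwards, and AFP is then reached at afp://localhost:9548.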
     
