
I often want to temporarily and quickly (ad hoc) tunnel HTTP traffic (and other protocols too) from one server to another using an SSH tunnel. For this I use (on the source server):

ssh -f -n -L *:80:target-server.com:80 target-server.com sleep 11555200 

The problem is that after a while there are hundreds of connections, which I can see with:

lsof -n -i:80
ssh 17076 root 5u IPv6 425353159 TCP <source-serverIP>:http->173.245.48.218:52116 (ESTABLISHED)
ssh 17076 root 8u IPv6 425352908 TCP <source-serverIP>:http->82.177.80.10:49936 (FIN_WAIT2)
ssh 17076 root 9u IPv6 425353148 TCP <source-serverIP>:http->173.245.48.218:31791 (ESTABLISHED)
ssh 17076 root 10u IPv6 425353029 TCP <source-serverIP>:http->80.125.175.214:49837 (FIN_WAIT2)
ssh 17076 root 11u IPv6 425353100 TCP <source-serverIP>:http->90.10.149.220:47749 (FIN_WAIT2)
ssh 17076 root 12u IPv6 425353160 TCP <source-serverIP>:http->79.22.138.109:60744 (ESTABLISHED)
ssh 17076 root 13u IPv6 425353105 TCP <source-serverIP>:http->90.10.149.220:53312 (FIN_WAIT2)

Those connections never seem to time out, and when their number reaches ~1024 the tunnel does not accept new connections at all. What should I do to make these connections time out like they would without the tunnel?

# lsof -n -i:80|grep 'FIN_WAIT2'|wc -l
1016

Changing /proc/sys/net/ipv4/tcp_fin_timeout to a small value does not fix anything.

Also, this issue seems to happen only with tunneled HTTP traffic (maybe HTTPS too). When tunneling POP3/IMAP I saw no such issues.

Also I wonder how to change the max limit of open tunnel connections to > 1024. I tried

ulimit -n 99999
ssh -f -n -L *:80:target-server.com:80 target-server.com 'ulimit -n 99999 && sleep 11555200'

but it does not fix it. Also setting tcp_max_orphans to a high value does not affect this.

  • You need a proper VPN. Commented Sep 24, 2013 at 12:43
  • Not really. It is very difficult to tunnel only selected TCP port traffic via a VPN, if not almost impossible, not to mention it requires configuration changes on both sites, and that is hardly ad-hoc material. Commented Sep 24, 2013 at 19:32
  • Look into policy routing. Commented Sep 24, 2013 at 19:37
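An added diagnostic, not from the question or either answer: it parses `lsof -n -i` output such as the listing above, counts the forwarded connections per TCP state (the question's `grep FIN_WAIT2 | wc -l` for every state at once), and compares the total with the ssh process's open-file soft limit from /proc/PID/limits, since the ~1024 ceiling the question hits is that per-process limit. The sample lines, their addresses and the PID are constructed.

```shell
#!/bin/sh
# Added example (not the question's or the answers' code): summarise the TCP
# states of the sockets a forwarding ssh process is holding and check how much
# room is left before its open-file limit, which is where ~1024 comes from.

# Count sockets per TCP state from `lsof -n -i` output on stdin.
# Prints "STATE COUNT" lines, most frequent state first.
count_states() {
    awk '
        match($0, /\([A-Z_0-9]+\)$/) {
            state = substr($0, RSTART + 1, RLENGTH - 2)   # strip the parentheses
            n[state]++
        }
        END { for (s in n) print s, n[s] }
    ' | sort -k2,2nr
}

# Total number of TCP sockets in `lsof -n -i` output on stdin (0 if none).
count_total() {
    grep -c 'TCP ' || true
}

# Soft "Max open files" limit of a running process, from /proc/PID/limits;
# falls back to this shell's own limit where /proc is not available.
fd_soft_limit() {
    pid=$1
    if [ -r "/proc/$pid/limits" ]; then
        awk '/^Max open files/ { print $4 }' "/proc/$pid/limits"
    else
        ulimit -n
    fi
}

# True while fewer than 90% of the fd limit is used by forwarded sockets.
has_headroom() {
    total=$1; limit=$2
    [ "$((total * 10))" -lt "$((limit * 9))" ]
}

# Constructed sample in the format `lsof -n -i:80` prints (addresses made up).
SAMPLE='ssh 17076 root 5u IPv6 425353159 TCP 10.0.0.5:http->198.51.100.7:52116 (ESTABLISHED)
ssh 17076 root 8u IPv6 425352908 TCP 10.0.0.5:http->203.0.113.9:49936 (FIN_WAIT2)
ssh 17076 root 9u IPv6 425353148 TCP 10.0.0.5:http->198.51.100.7:31791 (ESTABLISHED)
ssh 17076 root 10u IPv6 425353029 TCP 10.0.0.5:http->203.0.113.10:49837 (FIN_WAIT2)
ssh 17076 root 11u IPv6 425353100 TCP 10.0.0.5:http->203.0.113.11:47749 (FIN_WAIT2)'

# Stand-alone run over the sample; live use: lsof -n -i:80 -a -p "$PID" | count_states
printf '%s\n' "$SAMPLE" | count_states
echo "total: $(printf '%s\n' "$SAMPLE" | count_total), fd soft limit of this shell: $(fd_soft_limit $$)"
```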

2 Answers


There are three sets of commands that enable connection keepalives.

TCPKeepAlive
ServerAliveInterval combined with ServerAliveCountMax
ClientAliveInterval combined with ClientAliveCountMax

TCPKeepAlive keeps a connection alive by sending a keepalive OUTSIDE of the standard ssh encryption, meaning any networking equipment can see that it's just a keepalive. This is spoofable. This method is not recommended.

ServerAliveInterval is initiated by the CLIENT. ServerAliveCountMax will set a maximum number of keepalives to send, after which a disconnect occurs.

ClientAliveInterval is the same as ServerAliveInterval except it is initiated by the Server.

Ensure that all three options are not being invoked. Check $HOME/.ssh/config and /etc/ssh/ssh_config.

  • As far as I gathered, these options do not affect connections opened via ssh tunnelling but only the original ssh connection, which should not and does not time out. I use default ssh and sshd values on both sides, and that means TCPKeepAlive is on, so dead ssh connections are detected, however apparently not tunneled connections. Commented Sep 24, 2013 at 20:20
  • The only keepalive that matters is the SSH connection. All machines between Host A and Host B only see an SSH connection. It does not see tunnels. It does not see that you're using vi on a file. It does not see that your tunnel is streaming the latest episode of Breaking Bad. It sees SSH. The SSH connection is the only thing that needs the keepalive. The SSH connection cannot and will not time out one of the tunnels. If the tunnel has timed out, so has the SSH connection itself. Commented Sep 25, 2013 at 11:58
You had it right the first time, except for the sleep delay, which is in seconds! Try a smaller value; for me this works (will close in 5 minutes):

ssh -f -n -L *:80:target-server.com:80 target-server.com sleep 300
