Strange behaviour of ssh client on arch

Oliver oliver at anonsphere.com
Thu May 3 11:49:42 EST 2012


Hi,

I don't know if this is a developer question, but it is too strange for
the user list and maybe a possible bug. My setup is a little bit
complicated, but I will try to explain it as simply as possible. I've got 3 servers:

All servers:
System: Debian 6
Interfaces on server1: eth0 tun0 tun1
$ ssh -v
OpenSSH_5.5p1 Debian-6+squeeze1, OpenSSL 0.9.8o 01 Jun 2010

Server 1 is for connecting and tunneling via ssh, let's say public ip
123.1.1.1. If I connect to Server 1, I can surf the web with the server
1 ip - fine!

Server 2 is in the same network, let's say public ip 123.1.1.2. It is
connected on tun0 with server 1 - IP 10.1.0.1 (on server 2) and IP
10.1.0.6 (on server 1).

I mark the traffic of the tunnel with the owner (me => uid 2000):

iptables -t mangle -I OUTPUT -m owner --uid-owner 2000 -j MARK --set-mark 0x1

and add a rule on server 1 with iproute2:

ip rule add from 123.1.1.1 fwmark 0x1 lookup vpn_to_server2

This table sets the default gateway on tun0, so the traffic is
redirected. I can connect to server 1 and surf the web with the ip of
server 2 - fine!

Server 3 is in a remote network, let's say public ip 132.1.1.3. It is
connected on tun1 with server 1 - IP 10.2.0.1 (on server 3) and IP
10.2.0.6 (on server 1).

I change the ip rule to

ip rule add from 123.1.1.1 fwmark 0x1 lookup vpn_to_server3

Exactly the same settings as above with default gateway on tun1.

I connect with plink.exe -D 8888 me@server1.com on Windows XP. I
can connect and surf with the ip of server 3. Fine! Setup works! But ...

I connect from Arch (ssh -v => OpenSSH_6.0p1, OpenSSL 1.0.1a 19 Apr
2012) to server 1 with ssh -vvv -D 8888 me@server1.com and when I try to
surf a page, I get these errors:

debug1: Connection to port 8888 forwarding to socks port 0 requested.
debug2: fd 9 setting TCP_NODELAY
debug2: fd 9 setting O_NONBLOCK
debug3: fd 9 is O_NONBLOCK
debug1: channel 3: new [dynamic-tcpip]
debug2: channel 3: pre_dynamic: have 0
debug2: channel 3: pre_dynamic: have 3
debug2: channel 3: decode socks5
debug2: channel 3: socks5 auth done
debug2: channel 3: pre_dynamic: need more
debug2: channel 3: pre_dynamic: have 0
debug2: channel 3: pre_dynamic: have 20
debug2: channel 3: decode socks5
debug2: channel 3: socks5 post auth
debug2: channel 3: dynamic request: socks5 host www.google.de port 443 command 1
debug1: Connection to port 8888 forwarding to socks port 0 requested.
debug2: fd 10 setting TCP_NODELAY
debug2: fd 10 setting O_NONBLOCK
debug3: fd 10 is O_NONBLOCK
debug1: channel 4: new [dynamic-tcpip]
debug2: channel 4: pre_dynamic: have 0
debug2: channel 4: pre_dynamic: have 3
debug2: channel 4: decode socks5
debug2: channel 4: socks5 auth done
debug2: channel 4: pre_dynamic: need more
debug2: channel 4: pre_dynamic: have 0
debug2: channel 4: pre_dynamic: have 20
debug2: channel 4: decode socks5
debug2: channel 4: socks5 post auth
debug2: channel 4: dynamic request: socks5 host www.google.de port 443 command 1
channel 3: open failed: administratively prohibited: open failed
debug2: channel 3: zombie
debug2: channel 3: garbage collecting
debug1: channel 3: free: direct-tcpip: listening port 8888 for
www.google.de port 443, connect from 127.0.0.1 port 34502, nchannels 5
debug3: channel 3: status: The following connections are open:
  #2 client-session (t4 r0 i0/0 o0/0 fd 6/7 cc -1)
  #4 direct-tcpip: listening port 8888 for www.google.de port 443,
connect from 127.0.0.1 port 34503 (t3 r-1 i0/0 o0/10 fd 10/10 cc -1)

Can anybody tell me what I am doing wrong?

Regards, Oliver
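The debug output above shows the ssh client doing the SOCKS5 decoding itself: the first 3 bytes are the browser's greeting ("pre_dynamic: have 3", "socks5 auth done"), the next 20 bytes are the CONNECT request for www.google.de:443, and only after that does the client ask the server to open a direct-tcpip channel. The later line "open failed: administratively prohibited" is the server's channel-open failure reason, which sshd sends when it declines to open the requested forward. The following Python 3 script is an added example (not code from the post or from OpenSSH) that reproduces the client-side part of that exchange: it parses a SOCKS5 greeting and request the way the "pre_dynamic" steps do, reports "need more" while bytes are missing, and shows why a request for a 13-character hostname is exactly 20 bytes. The sample greeting and request are constructed here, not captured.

```python
"""Decode the SOCKS5 exchange that ``ssh -D`` performs before it requests a
direct-tcpip channel.  Added example; the sample bytes are constructed."""
import socket
import struct

SOCKS5_VERSION = 0x05
CMD_CONNECT = 0x01
METHOD_NO_AUTH = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed sample: a browser greeting offering one method, "no authentication".
SAMPLE_GREETING = bytes([SOCKS5_VERSION, 1, METHOD_NO_AUTH])


def decode_greeting(buf):
    """Parse the greeting VER NMETHODS METHODS[...].

    Returns None while more bytes are needed (ssh's "need more"), otherwise
    the offered methods and the number of bytes consumed.
    """
    if len(buf) < 2:
        return None
    ver, nmethods = buf[0], buf[1]
    if ver != SOCKS5_VERSION:
        raise ValueError("not a SOCKS5 greeting: version %d" % ver)
    if len(buf) < 2 + nmethods:
        return None
    return {"methods": list(buf[2:2 + nmethods]), "consumed": 2 + nmethods}


def decode_request(buf):
    """Parse the request VER CMD RSV ATYP DST.ADDR DST.PORT.

    Returns None while the request is incomplete, otherwise the command,
    destination host, port and bytes consumed.  The address length depends
    on ATYP, so the parser must look at the type before deciding how many
    bytes it still needs.
    """
    if len(buf) < 4:
        return None
    ver, cmd, _rsv, atyp = buf[0], buf[1], buf[2], buf[3]
    if ver != SOCKS5_VERSION:
        raise ValueError("not a SOCKS5 request: version %d" % ver)
    if atyp == ATYP_IPV4:
        addr_start, addr_len = 4, 4
    elif atyp == ATYP_IPV6:
        addr_start, addr_len = 4, 16
    elif atyp == ATYP_DOMAIN:
        if len(buf) < 5:          # length byte not yet present
            return None
        addr_start, addr_len = 5, buf[4]
    else:
        raise ValueError("unsupported address type 0x%02x" % atyp)
    total = addr_start + addr_len + 2     # + 2 bytes of port
    if len(buf) < total:
        return None
    raw = buf[addr_start:addr_start + addr_len]
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        host = raw.decode("ascii")
    (port,) = struct.unpack("!H", buf[total - 2:total])
    return {"cmd": cmd, "host": host, "port": port, "consumed": total}


def build_connect_request(host, port):
    """Build a CONNECT request with a domain-name destination, as browsers do.

    Layout: VER CMD RSV ATYP LEN NAME PORT -> 4 + 1 + len(name) + 2 bytes,
    which is 20 bytes for the 13-character "www.google.de".
    """
    name = host.encode("ascii")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    return (bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def replay_log(greeting, request):
    """Produce the two decode steps the ssh client logs for a dynamic channel."""
    g = decode_greeting(greeting)
    r = decode_request(request)
    return [
        "have %d, socks5 auth done (methods %s)" % (len(greeting), g["methods"]),
        "have %d, dynamic request: socks5 host %s port %d command %d"
        % (len(request), r["host"], r["port"], r["cmd"]),
    ]


if __name__ == "__main__":
    for line in replay_log(SAMPLE_GREETING, build_connect_request("www.google.de", 443)):
        print(line)
```

Running the script prints "have 3" and "have 20" for the same destination as in the post, which matches the debug2 lines; everything up to the "dynamic request" line therefore happened correctly inside the client, and the refusal arrived afterwards from the server end of the connection.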




More information about the openssh-unix-dev mailing list