That leaves you down to checking the ssh server config on your home system, and your ssh client config on your Linux box at work.

On the Windows/Cygwin system look in /etc/sshd_config for the line "AllowTcpForwarding".  By default it is commented out and shows "yes", meaning sshd.exe was built with the option to allow inbound TCP forwarding.  I don't always trust the "default" setting, so I recommend uncommenting AllowTcpForwarding and making sure it says "yes".

On the client side (the Linux box) if /etc/ssh/ssh_config has ClearAllForwardings set to "yes" (it's "no" by default) then no outbound forwarding will be allowed.  The option essentially means "any forwarding rules I have on the command-line or in a config file will be cleared as though they were not there".

If you intend to connect to the Linux box at work from yet another system then your ssh command needs -g, or /etc/ssh/ssh_config needs to have "GatewayPorts" uncommented (or added if missing) and set to yes.  (Since you do not have admin access you will not be able to change this, but you can check this since users need to be able to read ssh_config when they run ssh.)  By default, when you forward ports out with -L the ssh client only listens on localhost/127.0.0.1.  On your Linux box, while ssh'd to your home system, if you run 'netstat -lnp | grep ssh' you might see something like this:

---begin result of 'ssh -L 3389:10.29.0.102:3389 remotesystem'---
apr777> netstat -lnp | grep ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3703/sshd
tcp        0      0 127.0.0.1:3389          0.0.0.0:*               LISTEN      18890/ssh
unix  2      [ ACC ]     STREAM     LISTENING     9059   5762/ssh-agent      /tmp/ssh-XXcWSmA1/agent.5747
unix  2      [ ACC ]     STREAM     LISTENING     23319  6505/ssh-agent      /tmp/ssh-XXtOXwcG/agent.6490

---end---

...but if I add -g:

---begin result of 'ssh -g -L 3389:10.29.0.102:3389 remotesystem'---
apr777> netstat -lnp | grep ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3703/sshd
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN      18917/ssh
unix  2      [ ACC ]     STREAM     LISTENING     9059   5762/ssh-agent      /tmp/ssh-XXcWSmA1/agent.5747
unix  2      [ ACC ]     STREAM     LISTENING     23319  6505/ssh-agent      /tmp/ssh-XXtOXwcG/agent.6490

---end---

Note the second line in both cases.  The default was listening only on localhost (127.0.0.1:3389), but with -g it will listen on all adapters (0.0.0.0:3389).

On the Linux box /etc/ssh/ssh_config will be readable, since users need to be able to read it when they run ssh.  You should be able to view the options.

Add -v to see everything that happens as you connect.  When you do that you ought to see something like this when you forward 3389:

---begin sample debug on 3389 forward with -g global option---
debug1: Connections to local port 3389 forwarded to remote address 10.10.7.63:3389
socket: Address family not supported by protocol
debug1: Local forwarding listening on 0.0.0.0 port 3389.

---end---

On the other hand, if your admin has port forwarding locked down for the ssh client but not for the ssh server (since your reverse works from home), there is an inconsistency.  It should either be allowed for both, or denied for both.  Once you figure out what /etc/ssh/ssh_config has set for AllowTcpForwarding you can ask your admin to clarify the policy and then change the settings to match.  Of course, this might result in you losing even the inbound reverse forwarding.


sh


On Mon, 2006-01-23 at 17:25, O. Olson wrote:
Thank you – Norbert, Scot and Dave for your responses.
Though I have used port forwarding before I just
learnt that I did not know enough. This is probably
not a rdesktop problem – rather it’s a port forwarding
problem. I just learnt of it when I was discussing it
with my friends. 

To restate my problem:  My Windows computer is buried
behind a router, but it runs a ssh server which I can
connect to. (Cygwin SSHD). I was trying to ssh into my
home computer from work – and forward ports to the RDP
3389. I was then hoping to remote desktop into the
local work Linux machine – and get forwarded to my
Windows home machine. So one of the things I tried
(among many others) was

ssh -L  3389:10.1.169.25:3389
usern...@your.sshserver.hostname 
rdesktop localhost   or rdesktop localhost:3389

(10.1.169.25 = Win machine lan Address)

This does not work (though I successfully ssh). My
friend then suggested that I 

netstat -an| grep LISTEN

On the Linux machine to see if the ports really get
forwarded – and I realized that this was not
happening. I was not seeing anywhere the port 3389. 


I ultimately normally ssh'd into my windows machine
i.e. 

ssh  usern...@your.sshserver.hostname

I then re-ssh'd – back from my windows machine to my
Linux machine, this time forwarding the ports using
something like 

ssh -R 3389:localhost:3389
usern...@lab.work.linux.machine

Then from my Linux machine I 

rdesktop localhost


This works – so this means I cannot forward ports for
some reason from my Linux box to the Windows – but I
can do it the other way around. 
I would be contacting my Linux network admin to know
why this is so – because I don’t have admin
privileges on that machine.

Thanks to all you guys. 
O.O. 

--
Scot Harkins (KA5KDU)
Technical Support Engineer
www.epicor.com
Tel: 425-672-1304
Fax: 425-670-1810
E-Mail: sharkins@epicor.com
Epicor|CRS Retail Solutions Division
3400 188th St. SW, Suite 185
Lynnwood, WA 98037-4708

-----------------------------------------------------------------------
root@linux # fortune -s
Spreading peanut butter reminds me of opera!!  I wonder why?
-----------------------------------------------------------------------
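As an added example (not part of this thread or of OpenSSH), a small POSIX shell helper that performs the two checks Scot describes: reading the effective value of a keyword from an sshd_config or ssh_config file while distinguishing an explicit setting from a commented-out default, and classifying a netstat -lnp line for a forwarded port as localhost-only or bound to all interfaces. The config file contents and netstat lines are constructed samples modeled on the mail; the function names are my own.

```shell
# Added example, not from the mail. Two checks for the setup discussed above:
# the effective value of an OpenSSH config keyword, and whether a forwarded
# port listens on localhost only or on every interface (-g / GatewayPorts).
# ssh_opt FILE KEYWORD -> "explicit VALUE", "commented VALUE" or "unset".
# Keywords are case-insensitive and the first explicit match wins; a line such
# as "#AllowTcpForwarding yes" only documents the default. Match blocks ignored.
ssh_opt() {
    strip='s/^[[:space:]]*#*[[:space:]]*[^[:space:]=]*[[:space:]=]*//; s/[[:space:]].*$//'
    line=$(grep -i "^[[:space:]]*$2[[:space:]=]" "$1" | head -n 1 || true)
    if [ -n "$line" ]; then
        echo "explicit $(printf '%s\n' "$line" | sed "$strip")"; return 0
    fi
    line=$(grep -i "^[[:space:]]*#[[:space:]]*$2[[:space:]=]" "$1" | head -n 1 || true)
    if [ -n "$line" ]; then
        echo "commented $(printf '%s\n' "$line" | sed "$strip")"; return 0
    fi
    echo unset
}

# Constructed sample resembling the Cygwin /etc/sshd_config described above.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
#AllowTcpForwarding yes
GatewayPorts no
   X11Forwarding yes   # trailing comment
EOF
}

# forward_scope PORT < netstat-lnp-output -> "local-only ADDR:PORT",
# "all-interfaces ADDR:PORT" or "not-listening". IPv6 "::1" / ":::" handled.
forward_scope() {
    awk -v p="$1" '
        $1 ~ /^tcp6?$/ {
            addr = $4; sub(/:[0-9]+$/, "", addr)   # split host part from port
            if (substr($4, length(addr) + 2) != p) next
            found = 1
            if (addr == "127.0.0.1" || addr == "::1") print "local-only " $4
            else print "all-interfaces " $4
        }
        END { if (!found) print "not-listening" }'
}

# Constructed netstat -lnp lines, modeled on the output quoted in the mail.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3703/sshd
tcp        0      0 127.0.0.1:3389          0.0.0.0:*               LISTEN      18890/ssh'

# Usage against the constructed samples (stand-alone run):
cfg=$(mktemp); write_sample_sshd_config "$cfg"
ssh_opt "$cfg" AllowTcpForwarding; printf '%s\n' "$NETSTAT_SAMPLE" | forward_scope 3389; rm -f "$cfg"
```

On a real system, point ssh_opt at /etc/ssh/ssh_config or /etc/sshd_config and pipe live `netstat -lnp` output into forward_scope with the port you forwarded.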