SSH tunneling/port-forwarding tricks

Here are a few tricks about SSH tunnels I don't want to forget.

Tunneling through a “jump host”

It is possible to access a service behind a firewall or NAT by using a public SSH server as a “jump host”.

A possible script to make connections to port 1234 of the “jump host” to be forwarded to port 80 of the host not publicly accessible is the following:

#!/bin/sh

set -e

LOCAL_USER=me
LOCAL_SSH_PORT=22
LOCAL_SERVICE_PORT=80

REMOTE_USER=user
REMOTE_HOST=example.com
REMOTE_PUBLIC_PORT=1234

REMOTE_PRIVATE_PORT=1235
ssh -t -R ${REMOTE_PRIVATE_PORT}:localhost:${LOCAL_SSH_PORT} ${REMOTE_USER}@${REMOTE_HOST} \
  "ssh -c none -g -L ${REMOTE_PUBLIC_PORT}:localhost:${LOCAL_SERVICE_PORT} ${LOCAL_USER}@localhost -p ${REMOTE_PRIVATE_PORT}"

Someone calls this approach “double tunneling”, here is a graphical explanation to make it stick into my memory:

SSH tunneling/port-forwarding through a “jump host”

Keep in mind that connections to port 1234 must be allowed by the firewall on the “jump host”, in my iptables setup (which uses a chain named in-new for new input connections), I'd do something like that:

REMOTE_PUBLIC_PORT=1234
INPUT_CHAIN="in-new"
sudo iptables -A $INPUT_CHAIN -p tcp -m tcp --dport $REMOTE_PUBLIC_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

In order to delete this single rule it is possible to list all the rules with this command:

 sudo iptables -v -n -L $INPUT_CHAIN --line-numbers

take note of the rule number, and then call:

sudo iptables -D $INPUT_CHAIN <rule number>

Tunneling to your IM contacts

SSH port forwarding can be combined with Telepathy and ssh-contact too.

For instance the command below makes your SSH server accessible to the local port 2222 of the contact you choose:

ssh-contact -- -l remote_ssh_user -R 2222:localhost:22

This other command makes the SSH server of your contact accessible on your local port 2222:

ssh-contact -- -l remote_ssh_user -L 2222:localhost:22

These kind of tricks can be useful if you want to do some file transfers via SCP/sftp, for example.

Note

It's been a while since I did some networking stuff, so my terminology may sound a little off: I could have used “Jump Node” or “Relay Node” instead of “Jump Host”, let me know if you think there is room for improvement in the article or in the drawing.


CommentsSyndicate content

Respect. Thanks for the post.

Anonymous's picture

Respect. Thanks for the post.

Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account associated with the e-mail address you provide, it will be used to display your avatar.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
G
h
N
v
Z
L
Enter the code without spaces.