SSH tunneling/port-forwarding tricks

Here are a few tricks about SSH tunnels I don't want to forget.

Tunneling through a “jump host”

It is possible to access a service behind a firewall or NAT by using a public SSH server as a “jump host”.

A possible script that makes connections to port 1234 of the “jump host” get forwarded to port 80 of the host that is not publicly accessible is the following:

#!/bin/sh

set -e

# Local side: the SSH server and the web service that are not publicly reachable.
LOCAL_USER=me
LOCAL_SSH_PORT=22
LOCAL_SERVICE_PORT=80

# Jump host: the publicly reachable SSH server.
REMOTE_USER=user
REMOTE_HOST=example.com
# Port on the jump host that clients connect to (must be allowed by its firewall).
REMOTE_PUBLIC_PORT=1234

# Loopback-only port on the jump host that leads back to the local SSH server.
REMOTE_PRIVATE_PORT=1235

# Outer tunnel: -R publishes the local SSH server on the jump host's loopback
# port 1235. Inner tunnel, run on the jump host: -L publishes the local web
# service on port 1234, and -g lets hosts other than the jump host itself
# connect to it. The original command passed "-c none" to the inner ssh, since
# that session already travels inside the encrypted outer tunnel; current
# OpenSSH rejects that cipher name, so the option is left out here.
ssh -t -R ${REMOTE_PRIVATE_PORT}:localhost:${LOCAL_SSH_PORT} ${REMOTE_USER}@${REMOTE_HOST} \
  "ssh -g -L ${REMOTE_PUBLIC_PORT}:localhost:${LOCAL_SERVICE_PORT} ${LOCAL_USER}@localhost -p ${REMOTE_PRIVATE_PORT}"

Some people call this approach “double tunneling”; here is a graphical explanation to make it stick in my memory:

SSH tunneling/port-forwarding through a “jump host”
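Because the inner ssh uses -g, port 1234 ends up bound to every interface of the jump host, while the -R port 1235 stays on loopback. The following script, an added example that is not part of the original post, audits that from the jump host's point of view: it classifies the listeners reported by ss (the sample output embedded below is constructed) and prints the ports that are reachable from outside and therefore need a deliberate firewall decision.

```shell
#!/bin/sh
# Added example, not part of the original post: before opening the firewall for
# the public forwarded port, check on the jump host which ssh listeners are
# bound to every interface (the effect of "-g" / GatewayPorts) and which stay
# on loopback. Reads "ss -Hltn"-style lines; the sample below is constructed.

set -e

# Classify one local address:port: "public" for wildcard binds, "loopback" for
# 127.x / ::1, "other" for a specific interface address.
# Handles IPv4 "0.0.0.0:1234", IPv6 "[::]:1234" and the "*:1234" form ss prints.
bind_scope() {
    addr="$1"
    case "$addr" in
        "0.0.0.0:"*|"*:"*|"[::]:"*) echo public ;;
        127.*|"[::1]:"*)             echo loopback ;;
        *)                           echo other ;;
    esac
}

# Print "<scope> <port>" for every listening socket in the given ss output.
# Column 4 of "ss -ltn" is the local address:port.
listener_scopes() {
    while read -r _state _recvq _sendq laddr _rest; do
        [ -n "$laddr" ] || continue
        port="${laddr##*:}"
        echo "$(bind_scope "$laddr") $port"
    done
}

# Ports reachable from outside, i.e. the ones that need a firewall rule (or a
# tighter bind address in the -L option instead of -g).
public_ports() {
    listener_scopes | awk '$1 == "public" { print $2 }' | sort -un
}

# Constructed sample of what "ss -Hltn" could show on the jump host after the
# double tunnel is up: the reverse tunnel port 1235 on loopback, the "-g"
# forwarded port 1234 on all interfaces, plus sshd itself.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1235 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1234 0.0.0.0:*
LISTEN 0 128 [::1]:1235 [::]:*
LISTEN 0 128 [::]:22 [::]:*'

# On a real jump host run:  ss -Hltn | public_ports
printf '%s\n' "$SAMPLE" | public_ports
```

With the sample input the script prints 22 and 1234: sshd is expected, 1234 is the forwarded service and is exactly the port the firewall rule below has to cover. If 1234 should only be reachable from the jump host itself, drop -g and the port disappears from this list.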

Keep in mind that connections to port 1234 must be allowed by the firewall on the “jump host”. In my iptables setup (which uses a chain named in-new for new input connections) I'd do something like this:

REMOTE_PUBLIC_PORT=1234
INPUT_CHAIN="in-new"
# Accept only the SYN of a new TCP connection to the public port.
sudo iptables -A $INPUT_CHAIN -p tcp -m tcp --dport $REMOTE_PUBLIC_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

In order to delete this single rule it is possible to list all the rules with this command:

sudo iptables -v -n -L $INPUT_CHAIN --line-numbers

take note of the rule number, and then call:

sudo iptables -D $INPUT_CHAIN <rule number>
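Rule numbers shift whenever an earlier rule in the chain is added or removed, and re-running the tunnel script with a plain -A piles up duplicate rules. The script below is an added example, not the post's own, that manages the same rule by specification instead: it uses iptables -C to add the rule only when it is missing, deletes it with the same specification rather than a number, and can optionally restrict the source network so that port 1234 is not open to everyone. It assumes the in-new chain from the post exists; the IPTABLES variable exists so a test or dry run can swap in another command.

```shell
#!/bin/sh
# Added example (not the post's own script): manage the jump-host firewall rule
# for the public forwarded port without relying on rule numbers.
# Assumptions: the chain "in-new" exists (as in the post); the IPTABLES variable
# lets a test or dry run replace the real command.

set -e

IPTABLES="${IPTABLES:-sudo iptables}"
INPUT_CHAIN="${INPUT_CHAIN:-in-new}"

# Print the match part of the rule: the SYN of a new TCP connection to a port.
# An optional second argument restricts the source (e.g. 203.0.113.0/24) so the
# forwarded service is not exposed to the whole Internet.
rule_spec() {
    port="$1"
    src="${2:-}"
    if [ -n "$src" ]; then
        echo "-p tcp -m tcp -s $src --dport $port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
    else
        echo "-p tcp -m tcp --dport $port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
    fi
}

# Add the rule only if it is not already present (-C exits 0 when a matching
# rule exists), so re-running the tunnel script does not create duplicates.
# $spec is intentionally unquoted: it must be split into separate arguments.
allow_port() {
    spec=$(rule_spec "$1" "${2:-}")
    if $IPTABLES -C "$INPUT_CHAIN" $spec 2>/dev/null; then
        echo "rule already present for port $1"
        return 0
    fi
    $IPTABLES -A "$INPUT_CHAIN" $spec
}

# Delete by rule specification instead of by number: numbers change, the
# specification always names the same rule.
revoke_port() {
    spec=$(rule_spec "$1" "${2:-}")
    $IPTABLES -D "$INPUT_CHAIN" $spec
}

# Usage:  ./fwrule.sh allow 1234 [source/cidr]
#         ./fwrule.sh revoke 1234 [source/cidr]
case "${1:-}" in
    allow)  allow_port "$2" "${3:-}" ;;
    revoke) revoke_port "$2" "${3:-}" ;;
esac
```

To see the commands without applying them, run it with IPTABLES=echo; the same trick is what the test below relies on.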

Tunneling to your IM contacts

SSH port forwarding can be combined with Telepathy and ssh-contact too.

For instance the command below makes your SSH server accessible to the local port 2222 of the contact you choose:

ssh-contact -- -l remote_ssh_user -R 2222:localhost:22

This other command makes the SSH server of your contact accessible on your local port 2222:

ssh-contact -- -l remote_ssh_user -L 2222:localhost:22

This kind of trick can be useful if you want to do some file transfers via SCP/sftp, for example.

Note

It's been a while since I did some networking stuff, so my terminology may sound a little off: I could have used “Jump Node” or “Relay Node” instead of “Jump Host”, let me know if you think there is room for improvement in the article or in the drawing.


Comments

Anonymous

Respect. Thanks for the post.
