View Single Post
  #1   (View Single Post)  
Old 13th November 2010
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: Indonesia
Posts: 2,236
Default Tunnelling SSH though a firewall with ssh -L

Here’s a little tip on how to tunnel ssh through another machine with the -L option. While not terribly difficult, I did spend some time figuring this out…Maybe this will save someone else some time ;-)

The network setup at work (simplified):

Code:
    [ Workstation ]
          |
          |
     [ Firewall ]
          |
          |
   ~ The Internet ~
          |
          |
   [Public webserver]
The problem is connecting to public webserver from my workstation, I had to first ssh or sftp to the Linux firewall, and from that to the webserver.

There has to be an easier way … And a look at the SSH manpage provided the answer: The -L option.

Excerpt from From ssh(1):

Code:
       -L [bind_address:]port:host:hostport
               Specifies that the given port on the local (client) host is to be
               forwarded to the given host and port on the remote side.  This
               works by allocating a socket to listen to port on the local side,
               optionally bound to the specified bind_address.
Let me just give you an example on how to create the tunnel:

Code:
  $ ssh -f -N -p 22 username@firewall -L 2844/webserver.example.com/22
To briefly explain what the other options mean:
  • -f Runs the tunnel in the background.
  • -N Don't execute a login command, just setup the tunnel.
  • -p Connect to the firewall on port 22

You can now connect with ssh, sftp, or scp though localhost:2844

Code:
  $ ssh -p 2844 myusername@localhost
  $ scp -P 2844 file.tar.gz myusername@localhost:file.tar.gz
Note that ssh(1) requires -p and scp(1) -P.

Testing
For debugging, don’t forget you can specify -v up to three times to get more information about what’s going on. In addition, it’s probably best to test with telnet since this excludes things like authentication problems.

Code:
  $ telnet localhost 2844
  Trying ::1...
  Connected to localhost.
  Escape character is '^]'.
  SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
If you don’t see the last line, something is wrong.

Bonus tip
As a free complimentary bonus tip, it’s also very easy to setup a convenient shortcut in ~/.ssh/config

Code:
  Host webserver
  	Hostname localhost
  	Port 2844
  	User myusername
Further reading
ssh(1)
ssh_config(5)
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote