SSH Tunnel (SSH Port forwarding)

1 Local Forwarding

Make a remote resource accessible on your local system.

Forwards a port from the client machine to the server machine. The SSH client listens for connections on a configured local port; when it receives a connection, it tunnels that connection over the SSH session to the SSH server. The server then connects to the configured destination host and port, which may be a different machine than the SSH server itself (the destination name is resolved on the server side, so it can be a name that only exists in the server's network).

$ ssh -L 3000:RemoteAppServer:4000 -p 22 user@RemoteSSHServer

Connections to port 3000 on the client now reach RemoteAppServer:4000 as seen from RemoteSSHServer. The full form is -L [bind_address:]port:host:hostport; the local listener is bound to the loopback address unless a bind_address (or -g) is given. Note that OpenSSH does not accept the server port as user@host:22 (it would try to resolve the host name "RemoteSSHServer:22"); use -p, or the ssh://user@host:22 URI form.

2 Remote Forwarding

Make a local resource accessible on a remote system.

Opens a listening port on the remote SSH server. Any connection to that port on the SSH server is tunneled back to the client host, which connects to the local resource and relays the traffic.

$ ssh -R 5000:LocalAppIp:3000 -p 22 user@SshServer

Connections to port 5000 on SshServer now reach LocalAppIp:3000 as seen from the client.

By default, OpenSSH binds remote forwarded ports to the loopback address of the server, so they can only be reached from the server host itself. The GatewayPorts option in the server configuration file sshd_config controls this. The following alternatives are possible:

GatewayPorts no  # Default. Forwarded ports are bound to loopback; nothing outside the server computer can connect to them.

GatewayPorts yes # Forwarded ports are bound to the wildcard address; anyone who can reach the server can connect to them.

GatewayPorts clientspecified # The client chooses the server address the forwarded port is bound to, via the bind_address part of -R [bind_address:]port:host:hostport.

$ ssh -R SshServerIp:5000:localhost:3000 -p 22 user@SshServer

Here SshServerIp must be an address of one of SshServer's own interfaces: port 5000 is bound only to that address, so the forwarded port is reachable by whatever can reach that interface and by nothing else. The bind address is not a filter on client source addresses; restricting which clients may connect is a job for the server's firewall. Under GatewayPorts no or yes, sshd ignores a client-supplied bind address and binds to loopback or the wildcard address respectively; only clientspecified honours it.

OpenSSH also allows the forwarded remote port to be specified as 0. In this case the server dynamically allocates a port and reports it to the client. When used together with -O forward, which adds the forwarding to an existing multiplexed connection (see the -M and -S options), the client prints the allocated port number to standard output.

Multiple remote port forwardings can be requested in one command line.

$ ssh -R 5000:LocalAppIp0:3000 -R 5001:LocalAppIp1:3001 -p 22 user@SshServer

In the example above, two ports (5000 and 5001) are opened on SshServer and listen for connections; each is relayed back to its own local destination.

3 Dynamic Port Forwarding: Use SSH Server as proxy

Dynamic port forwarding works like a proxy or VPN. The SSH client creates a SOCKS proxy that you configure applications to use, and all traffic sent through the proxy is carried over the SSH connection and leaves from the SSH server. It is similar to local forwarding in that it takes local traffic sent to a specific port on your PC and sends it over the SSH connection to a remote location; the difference is that no destination is fixed in advance. Each connection to the SOCKS port starts with a SOCKS request naming a host and port, and the SSH server opens a connection to that destination, so one listener serves any number of destinations.

For example, if you are using a public Wi-Fi network and you have access to an SSH server at home, you can connect to it and use dynamic port forwarding. The SSH client creates a SOCKS proxy on your PC, and all traffic sent to that proxy goes over the SSH connection to your home server.

Another example: you may want to reach a media server application on your home network, but for security reasons only an SSH server is exposed to the internet and no incoming connections from the internet to the media server are allowed. Set up dynamic port forwarding, configure a web browser to use the SOCKS proxy, and you can reach servers on your home network through the browser as if you were sitting in front of your SSH server; any application that can use the SOCKS proxy can be pointed at home-network addresses the same way. One caveat: configure the application to let the proxy resolve host names (in Firefox, "Proxy DNS when using SOCKS v5"; with curl, --socks5-hostname or a socks5h:// proxy URL). Otherwise the name is looked up on your PC, which leaks it to the local network's DNS and fails for names that only resolve inside your home network.

To use dynamic forwarding, run the ssh command with the -D argument:

$ ssh -D local_port username@server.com

The full form is -D [bind_address:]port. As with -L, the listener is bound to the client's loopback address by default; giving a bind address (or -g) lets other hosts use the proxy, which turns your machine into an open relay into the remote network for anyone who can reach that port.
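The three modes above differ only in where the listener sits and how the destination is chosen: -L and -R relay every accepted connection to a destination fixed at setup time, while -D reads a SOCKS5 CONNECT request from each connection and opens whatever destination it names. The following Python script is an added example, not code from the original page or from OpenSSH: it models that plumbing in plain TCP (no SSH, no encryption), with a throwaway echo server standing in for RemoteAppServer / LocalAppIp, so it runs offline. The bind_host argument of serve() plays the part of GatewayPorts (127.0.0.1 for no, 0.0.0.0 for yes, one of the server's interface addresses for clientspecified). All ports, the b"via -L" / b"via -D" payloads and the assumption that nothing listens on tcp/1 are constructed for the demonstration; it needs Python 3.8+ on a platform with MSG_WAITALL (Linux, macOS).

```python
# Added example, not from the page: a plain-TCP model of what the ssh client and
# server do for -L/-R (fixed destination) and -D (SOCKS5 CONNECT, RFC 1928).
import contextlib
import socket
import struct
import threading

def rx(sock, n):                          # exactly n bytes (short only at EOF)
    return sock.recv(n, socket.MSG_WAITALL)

def pump(src, dst):
    """Copy src -> dst until EOF or reset, then pass the EOF on to dst."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def relay(a, b):
    """Both directions at once; wait for both or the reply can be cut off."""
    t = threading.Thread(target=pump, args=(b, a), daemon=True)
    t.start()
    pump(a, b)
    t.join()

def serve(bind_host, handler):
    """Listen on (bind_host, ephemeral port); bind_host plays GatewayPorts."""
    srv = socket.socket()
    srv.bind((bind_host, 0))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def echo_server():
    """Stand-in for RemoteAppServer / LocalAppIp: echoes what it receives."""
    def handle(conn):
        with conn, contextlib.suppress(OSError):
            while data := conn.recv(4096):
                conn.sendall(data)
    return serve("127.0.0.1", handle)

def port_forwarder(bind_host, dest):
    """-L / -R: the destination is fixed when the tunnel is set up."""
    def handle(conn):
        with conn, socket.create_connection(dest) as upstream:
            relay(conn, upstream)
    return serve(bind_host, handle)

def socks5_forwarder(bind_host):
    """-D: the destination is chosen per connection by a SOCKS5 CONNECT."""
    def reply(conn, rep):                 # VER REP RSV ATYP BND.ADDR BND.PORT
        conn.sendall(bytes([5, rep, 0, 1]) + bytes(6))
    def handle(conn):
        with conn:
            ver, nmethods = rx(conn, 2)                          # greeting
            if ver != 5 or 0 not in rx(conn, nmethods):
                return conn.sendall(b"\x05\xff")                 # no acceptable auth
            conn.sendall(b"\x05\x00")                            # method 0: no auth
            ver, cmd, _rsv, atyp = rx(conn, 4)                   # request header
            if cmd != 1 or atyp not in (1, 3):                   # CONNECT; IPv4 or name
                return reply(conn, 7 if atyp in (1, 3) else 8)
            host = (socket.inet_ntoa(rx(conn, 4)) if atyp == 1   # a name is resolved
                    else rx(conn, rx(conn, 1)[0]).decode())      # here, proxy-side
            port = struct.unpack("!H", rx(conn, 2))[0]
            try:
                upstream = socket.create_connection((host, port))
            except OSError:
                return reply(conn, 5)                            # connection refused
            with upstream:
                reply(conn, 0)                                   # succeeded
                relay(conn, upstream)
    return serve(bind_host, handle)

def exchange(sock, payload):              # send, half-close, read reply to EOF
    sock.sendall(payload)
    sock.shutdown(socket.SHUT_WR)
    return sock.makefile("rb").read()

def via_socks5(proxy, dest, payload):
    """Client of -D: SOCKS5 handshake first; None if the proxy cannot reach dest."""
    with socket.create_connection(proxy) as s:
        s.sendall(b"\x05\x01\x00")                               # offer 'no auth'
        if rx(s, 2) != b"\x05\x00":
            return None
        s.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(dest[0]) + struct.pack("!H", dest[1]))
        if rx(s, 10)[1] != 0:                                    # REP 0 = succeeded
            return None
        return exchange(s, payload)

def demo():
    app = echo_server()
    fwd = port_forwarder("127.0.0.1", app)    # like ssh -L <fwd>:app
    socks = socks5_forwarder("127.0.0.1")     # like ssh -D <socks>
    with socket.create_connection(fwd) as s:
        direct = exchange(s, b"via -L")
    return {"local_forward": direct, "dynamic": via_socks5(socks, app, b"via -D"),
            "dynamic_refused": via_socks5(socks, ("127.0.0.1", 1), b"x")}  # tcp/1 assumed closed
```

Calling demo() returns {"local_forward": b"via -L", "dynamic": b"via -D", "dynamic_refused": None}: the echo came back through the fixed forwarder and through the SOCKS proxy, and the proxy reported REP 5 (connection refused) for the closed port instead of silently dropping the client. Two details carry over to real ssh: relay() joins both copy directions before either socket is closed, because closing as soon as the client half-closes loses the tail of the destination's reply; and the ATYP 3 branch resolves a host name on the proxy side, which for ssh -D means on the SSH server.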

4 SSH Server configuration

AllowTcpForwarding must be enabled on the server for port forwarding to work.

By default, forwarding is allowed. Possible values for this option are yes or all to allow all TCP forwarding, no to prevent all TCP forwarding, local to allow only local forwardings, and remote to allow only remote forwardings. Dynamic forwarding (-D) counts as local forwarding: the client opens the same direct-tcpip channels it uses for -L, so local permits it and remote does not. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, since a user with a shell can run a forwarder of their own. The companion options PermitOpen (destinations that -L and -D may connect to) and PermitListen (ports that -R may bind on the server) restrict forwarding more precisely than turning it off.
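As an added example (not from the page), the following sshd_config fragment applies that advice: forwarding is off for everyone, and enabled only for a group of tunnel-only accounts that get no shell and may reach only named destinations and listen ports. The group name, host names and port numbers are assumptions; users of the group connect with ssh -N so that no session is ever requested.

```text
# Default for every account: no forwarding, and forwarded ports stay on loopback.
AllowTcpForwarding no
GatewayPorts no

# Accounts that exist only to carry tunnels (assumed group name).
Match Group tunnel
    AllowTcpForwarding yes
    # -L and -D may only open connections to these host:port destinations.
    PermitOpen app.internal:4000 10.0.0.5:3000
    # -R may only bind this port on the server.
    PermitListen 5000
    # No PTY and no usable command, so the "run your own forwarder" loophole is closed.
    PermitTTY no
    ForceCommand /bin/false
```

Check the result with sshd -T -C user=someuser (the effective settings after Match processing) rather than by reading the file, since a later Match block can override an earlier one.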

5 SSH client options

$ ssh -fNT -R remote_port:local_server:local_port user@ssh_server

-f  Requests ssh to go to background just before command execution.
-N  Do not execute a remote command.
-T  Disable pseudo-tty allocation.



© 2015-2020 tendant