SSH Port Forwarding / Tunneling

This document is not complete.

Introduction

There are a number of tutorials about this subject available. I've found that most of them are difficult to understand. My goal with this tutorial is to make it usable for anyone.

SSH Port Forwarding / Tunneling can be used for a couple of different purposes.

* Connecting to a service on a remote machine that is blocked by a firewall
* Allowing incoming connections when you are behind a firewall
* Securing a connection between two machines

Example 1

Sometimes you'll run into a situation where you need to connect to a service on a remote machine (we'll call it SERVER), but the service is blocked behind a firewall. If you can ssh into that box, then you can connect to the service.

ssh -L LOCALPORT:localhost:REMOTEPORT user@SERVER

Let me explain. REMOTEPORT is the port you want to connect to on SERVER. LOCALPORT is some available local port on CLIENT that we will tie the tunnel to. So, we must ssh into SERVER, and create a local tunnel (hence the -L) from LOCALPORT on CLIENT to REMOTEPORT on SERVER. That is all accomplished by the ssh command above.

So, let's say that we want to connect to an http server that is blocked on SERVER. We have access to ssh.

ssh -L 80:localhost:80 user@SERVER

Now you can browse to http://localhost in your browser and connect to the http server on SERVER. Note that LOCALPORT could have been any free port (as long as you're root: only root can bind ports 1-1024, so a non-root user must pick a higher one). If you had used 8080 for the LOCALPORT then you would have just connected using http://localhost:8080. It would still be routed through REMOTEPORT on SERVER.

Let's try it again with another example. This time we want to connect to an ssh server on SERVER. We do it exactly the same way!

ssh -L 2022:localhost:22 user@SERVER

This time I used port 2022, although, once again, we could have used anything. This tunnels from port 2022 on your local machine to port 22 on SERVER. Now to connect from CLIENT to SERVER you'd use the following command:

ssh -p 2022 user@localhost

The -p just specifies what port you are connecting to on your local box. If you had used port 22 as the LOCALPORT then you wouldn't have to specify -p. You could also transfer files via this example, using scp (which is a secure file transfer over ssh).

scp -P2022 user@localhost:/some/path/on/server/file.txt .

The above command would transfer file.txt from SERVER to CLIENT. Note that scp takes the port as a capital -P, unlike ssh's lowercase -p.

Example 2

Another situation that is very similar to the above case is if you need to connect to a machine (SERVER), but you are completely blocked by a firewall. If you have permission to log into ANOTHER remote machine (we'll call this one PROXY) that does have access, then you can create an indirect connection between your machine (CLIENT) and SERVER. This is done by creating a tunnel through the proxy. Don't get the terms SERVER and PROXY mixed up, as their roles have shifted slightly from the previous example: SERVER is now the machine you ultimately want to reach, and PROXY is the machine you actually ssh into.

ssh -L LOCALPORT:SERVER:REMOTEPORT user@PROXY

Let me explain. REMOTEPORT is the port you want to connect to on SERVER. LOCALPORT is some available local port on CLIENT that we will tie the tunnel to. So, we must ssh into PROXY, and create a local tunnel (hence the -L) from LOCALPORT on CLIENT to REMOTEPORT on SERVER. That is all accomplished by the ssh command above. Keep in mind that only the CLIENT-to-PROXY leg is encrypted by ssh; the hop from PROXY to SERVER is an ordinary TCP connection, so it is only as private as the service's own protocol makes it.

So, let's say that we want to connect to an http server that is blocked on SERVER. PROXY has access to the server, but CLIENT does not.

ssh -L 80:SERVER:80 user@PROXY

Now you can browse to http://localhost in your browser and connect to the http server on SERVER. Note that LOCALPORT could have been any free port (as long as you're root: only root can bind ports 1-1024, so a non-root user must pick a higher one). If you had used 8080 for the LOCALPORT then you would have just connected using http://localhost:8080. It would still be routed through REMOTEPORT on SERVER.

Let's try it again with another example. This time we want to connect to an ssh server on SERVER. We do it exactly the same way!

ssh -L 2022:SERVER:22 user@PROXY

This time I used port 2022, although, once again, we could have used anything. This tunnels from port 2022 on your local machine to port 22 on SERVER. Now to connect from CLIENT to SERVER you'd use the following command:

ssh -p 2022 user@localhost

Note that user in this case is the user on SERVER, not PROXY. The -p just specifies what port you are connecting to on your local box. If you had used port 22 as the LOCALPORT then you wouldn't have to specify -p. You could also transfer files via this example, using scp (which is a secure file transfer over ssh).

scp -P2022 user@localhost:/some/path/on/server/file.txt .

The above command would transfer file.txt from SERVER to CLIENT. Note that scp takes the port as a capital -P, unlike ssh's lowercase -p.
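Both examples above are the same "ssh -L" procedure with a different middle field (localhost in Example 1, SERVER in Example 2). The following shell wrapper is an added example, not part of the original wiki page: it builds the forward command for either case, refuses bad port numbers, warns when the local port is one only root can bind, and can open and close the tunnel through an ssh control socket. The host names SERVER, PROXY and the login names are the page's placeholders; binding the local end to 127.0.0.1 and the ExitOnForwardFailure option are choices made here so that only this machine can reach the tunnel and a failed forward is reported instead of silently ignored.

```shell
# Added example (not from the original page): helpers around "ssh -L".
# Assumed: OpenSSH client; SERVER/PROXY/user@host are placeholders.

# is_port NUM: true if NUM is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_privileged PORT: true for ports that only root may bind
is_privileged() {
    [ "$1" -lt 1024 ]
}

# build_forward_cmd LOCALPORT TARGET REMOTEPORT USER@HOST
#   TARGET is "localhost" for Example 1 (service on the ssh host itself)
#   or the blocked machine's name for Example 2 (ssh host acts as PROXY).
# Prints the ssh command line; returns 1 if a port is invalid.
build_forward_cmd() {
    local_port=$1; target=$2; remote_port=$3; login=$4
    if ! is_port "$local_port" || ! is_port "$remote_port"; then
        echo "build_forward_cmd: ports must be 1-65535" >&2
        return 1
    fi
    if is_privileged "$local_port" && [ "$(id -u)" -ne 0 ]; then
        echo "note: local port $local_port needs root to bind" >&2
    fi
    # 127.0.0.1: only this machine may use the tunnel.
    # ExitOnForwardFailure: fail instead of logging in without the forward.
    printf 'ssh -o ExitOnForwardFailure=yes -N -L 127.0.0.1:%s:%s:%s %s\n' \
        "$local_port" "$target" "$remote_port" "$login"
}

# open_tunnel LOCALPORT TARGET REMOTEPORT USER@HOST
#   Runs the forward in the background (-f -N) with a control socket (-M -S)
#   so close_tunnel can shut it down without hunting for the process.
open_tunnel() {
    sock="${TMPDIR:-/tmp}/sshtunnel-$1.sock"
    ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$1:$2:$3" "$4"
}

# close_tunnel LOCALPORT USER@HOST: tear down the tunnel opened above
close_tunnel() {
    ssh -S "${TMPDIR:-/tmp}/sshtunnel-$1.sock" -O exit "$2"
}

# Example 1 and Example 2 from the page, expressed through the helper:
build_forward_cmd 2022 localhost 22 user@SERVER
build_forward_cmd 2022 SERVER 22 user@PROXY
```

Running the script prints the two ssh commands that correspond to the page's "ssh -L 2022:localhost:22 user@SERVER" and "ssh -L 2022:SERVER:22 user@PROXY", with the safer explicit bind address and failure option added. To actually use a tunnel, call open_tunnel with the same four arguments, connect to 127.0.0.1:LOCALPORT as the page describes, and call close_tunnel when done.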

ssh_port_forwarding.txt · Last modified: 2005/08/08 16:58 (external edit)

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported