Differences

This shows you the differences between two versions of the page.

ssh_port_forwarding [2005/08/08 16:58] (current)
Line 1: Line 1:
 +====== SSH Port Forwarding / Tunneling ======
 +
 +//This document is not complete.//
 +
 +==== Introduction ====
 +
 +There are a number of tutorials about this subject available. I've found that most of them are difficult to understand. My goal with this tutorial is to make it usable for anyone.
 +\\ \\
 +SSH Port Forwarding / Tunneling can be used for a couple of different purposes.
 +
 + * Connecting to a service on a remote machine that is blocked by a firewall
 + * Allowing incoming connections when you are behind a firewall
 + * Securing a connection between two machines
 +
 +=== Example 1 ===
 +
 +Sometimes you'll run into a situation where you need to connect to a service on a remote machine (we'll call it **SERVER**), but the service is blocked behind a firewall. If you can ssh into that box, then you can connect to the service.
 +
 +  ssh -L LOCALPORT:localhost:REMOTEPORT user@SERVER
 +
 +Let me explain. **REMOTEPORT** is the port you want to connect to on **SERVER**. **LOCALPORT** is some available local port on **CLIENT** that we will tie the tunnel to. So, we must ssh into **SERVER**, and create a local tunnel (hence the -L) from **LOCALPORT** on **CLIENT** to **REMOTEPORT** on **SERVER**. That is all accomplished by the ssh command above.
 +\\ \\
 +So, let's say that we want to connect to an http server that is blocked on **SERVER**. We have access to ssh.
 +
 +  ssh -L 80:localhost:80 user@SERVER
 +
 +Now you can browse to http://localhost in your browser and connect to the http server on **SERVER**. Note that the **LOCALPORT** could have been anything (as long as you're root... only root can create ports 1-1024). If you had used 8080 for the **LOCALPORT** than you would have just connected using http://localhost:8080. It would still be routed through **REMOTEPORT** on **SERVER**.
 +\\ \\
 +Let's try it again with another example. This time we want to connect to an ssh server on **SERVER**. We do it exactly the same way!
 +
 +  ssh -L 2022:localhost:22 user@SERVER
 +
 +This time I used port 2022, although, once again, we could have used anything. This tunnels from port 2022 on your local machine to port 22 on **SERVER**. Now to connect from **CLIENT** to **SERVER** you'd use the following command:
 +
 +  ssh -p 2022 user@localhost
 +
 +The **-p** just specifies what port you are connecting to on your local box. If you had used port 22 as the **LOCALPORT** then you wouldn't have to specify **-p**. You could also transfer files via this example, using scp (which is a secure file transfer over ssh).
 +
 +  scp -P2022 user@localhost:/some/path/on/server/file.txt .
 +
 +The above command would transfer file.txt from **SERVER** to **CLIENT**. Note that scp requires that **-P** be capital, instead of lowercase.
 +
 +=== Example 2 ===
 +
 +Another situation that is very similiar to the above case is if you need to connect to a machine (**SERVER**), but you are completely blocked by a firewall. If you have permission to log into ANOTHER remote machine (we'll call this one **PROXY**) that does have access, then you can create an indirect connection between your machine (**CLIENT**) and **SERVER**. This is done by creating a tunnel through the proxy. Don't get the terms **SERVER** and **PROXY** mixed up, as they have changed meaning slightly, based on the previous example.
 +
 +  ssh -L LOCALPORT:SERVER:REMOTEPORT user@PROXY
 +
 +Let me explain. **REMOTEPORT** is the port you want to connect to on **SERVER**. **LOCALPORT** is some available local port on **CLIENT** that we will tie the tunnel to. So, we must ssh into **PROXY**, and create a local tunnel (hence the -L) from **LOCALPORT** on **CLIENT** to **REMOTEPORT** on **SERVER**. That is all accomplished by the ssh command above.
 +\\ \\
 +So, let's say that we want to connect to an http server that is blocked on **SERVER**. **PROXY** has access to the server, but **CLIENT** does not.
 +
 +  ssh -L 80:SERVER:80 user@PROXY
 +
 +Now you can browse to http://localhost in your browser and connect to the http server on **SERVER**. Note that the **LOCALPORT** could have been anything (as long as you're root... only root can create ports 1-1024). If you had used 8080 for the **LOCALPORT** than you would have just connected using http://localhost:8080. It would still be routed through **REMOTEPORT** on **SERVER**.
 +\\ \\
 +Let's try it again with another example. This time we want to connect to an ssh server on **SERVER**. We do it exactly the same way!
 +
 +  ssh -L 2022:SERVER:22 user@PROXY
 +
 +This time I used port 2022, although, once again, we could have used anything. This tunnels from port 2022 on your local machine to port 22 on **SERVER**. Now to connect from **CLIENT** to **SERVER** you'd use the following command:
 +
 +  ssh -p 2022 user@localhost
 +
 +Note that //user// in this case is the user on **SERVER**, not **PROXY**. The **-p** just specifies what port you are connecting to on your local box. If you had used port 22 as the **LOCALPORT** then you wouldn't have to specify **-p**. You could also transfer files via this example, using scp (which is a secure file transfer over ssh).
 +
 +  scp -P2022 user@localhost:/some/path/on/server/file.txt .
 +
 +The above command would transfer file.txt from **SERVER** to **CLIENT**. Note that scp requires that **-P** be capital, instead of lowercase.
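
Review bot: Example 2 needs a caveat that "ssh -L LOCALPORT:SERVER:REMOTEPORT user@PROXY" encrypts only the CLIENT-to-PROXY leg. PROXY opens an ordinary TCP connection to SERVER:REMOTEPORT, so in the "ssh -L 80:SERVER:80 user@PROXY" case the HTTP traffic crosses the PROXY-to-SERVER network unencrypted, which qualifies the introduction's "Securing a connection between two machines" bullet. In both examples, "only root can create ports 1-1024" should read ports below 1024 (1-1023), and because binding local port 80 means running the ssh client as root, I would lead with the 8080 form and mention 80 only as the alternative. It is also worth one sentence that after "ssh -p 2022 user@localhost" the host key the client checks is SERVER's, stored under the localhost:2022 entry, so readers know what they are verifying. Wording: "than you would have" should be "then you would have" (both examples) and "similiar" should be "similar".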
 
ssh_port_forwarding.txt · Last modified: 2005/08/08 16:58 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported