SSH has a huge number of features, SSH Tunnel being just one of them. SSH Tunnel is a secure connection between two machines and is often refered to as “SSH Tunneling” or also “Port Forwarding”.
Using the “ssh” command we can bind a desired port on a local machine to a desired port on a remote machine. This creates an encrypted SSH Tunnel between these machines and enables direct communication via localhost socket address. We can use SSH Tunnel to secure an insecure connection or to bypass different firewall restrictions.
Before we create our first SSH Tunnel check that you can run “ssh” command on your system. If you are running CentOS 6 minimal then you probably need to install openssh-clients package (Ubuntu users need to install openssh-client package).
There are three types of Port Forwarding and thus three ways of using an SSH Tunnel:
- Local Port Forwarding (enables access from local socket address via intermediate SSH server to a destination socket address)
- Remote Port Forwarding (enables access from remote location via intermediate SSH server socket address to a localsocket address)
- Dynamic Port Forwarding (SOCKS Proxy Server – NOT COVERED IN DETAIL IN THIS HOW TO!)
I use “SSH Tunneling” (Local Port Forwarding) on a daily basis since an environment from a customer I am working for, is designed in a way I can only access Workstation linux server on SSH port 22. All of the other infrastructure machines are only accessible from this Workstation, so using “SSH Tunneling” is the best way to go, to directly access different services.
SSH Tunnel – Local Port Forwarding
Local Port Forwarding lets you connect from a local machine to a remote machine even if you do not have direct access to this remote machine from your local environment. In order for this to work, you need to have SSH access to an intermediate machine, which of course has access to the remote machine you want to connect to. The intermediate machine can reside in your local network and be subject to a different firewall policy or be outside of your local network.
Example #1:
We have SSH access on port 22 to a Workstation machine (user: wsuser, hostname: workstation). Behind the Workstation machine is an Application server (hostname: appserver) running Apache Tomcat on port 8080.We can not directly access Apache Tomcat administrator webpage on port 8080 from our Local machine, but Tomcat webpage port 8080 is accessible from Workstation machine thus we can create an SSH Tunnel and forward local port 8080 from our Local machine via Workstation to the Application server.
We can do this by running the following command on my Local machine:
ssh -f wsuser@workstation -L 8080:appserver:8080 -N
After authenticating to Workstation SSH server the connection is established and Apache Tomcat administration webpage is accessible when we open a web browser on our Local machine and point it to http://localhost:8080
Example #2:
Let’s say the situation is the same as in Example #1 but with one difference – there is also a firewall between Workstation (user: wsuser, hostname: workstation) and Application server (user: appuser, hostname: appserver) which only allows SSH access on port 22 from Workstation to Application server. This means Workstation can not directly access Apache Tomcat on port 8080.
There is still a way we can access Apache Tomcat administration webpage from our Local machine, but we need to make 2 hops via SSH.
1. SSH to Workstation machine:
ssh wsuser@workstation
2. When connected to Workstation machine, forward port 8080 via SSH to the Application server:
ssh -f appuser@appserver -L 8080:localhost:8080 -N
3. Next we need to forward port 8080 via SSH from our Local machine to Workstation:
ssh -f wsuser@workstation -L 8080:localhost:8080 -N
Voila, Apache Tomcat administration webpage is accessible if i open up a web browser on my Local machine and point it to http://localhost:8080
SSH Tunnel – Remote Port Forwarding
Remote Port Forwarding works the other way around like the Local Port Forwarding. With Local Port Forwarding we enable access from our local machine via intermediate machine with SSH Server to a remote machine and with Remote Port Forwarding we enable access from a remote machine via intermediate machine with SSH server to our local machine. Of course for this to work we need to have SSH access to the intermediate machine. Remote Port Forwarding comes useful when we do not have Router administration rights so we can not configure port forwarding on a Router level. SSH Tunnel Remote Port forwarding does the same trick.
Before we can start Remote Port Forwarding we must reconfigure SSH server on an intermediate machine to accept it. We must edit “/etc/ssh/sshd_config” and uncomment and change to “yes” the following option:
GatewayPorts yes
… of course followed by a SSH service restart!
Example #1:
We are running Apache Tomcat on our Local machine on port 8080. We want our friend, not from our local network, to access ourApache Tomcat administration webpage on port 8080 and help us configure something or deploy a new application. Thank god we have a Webserver (user: myuser, hostname: webserver) hosting some webpage accessible from the internet and also accessible via SSH from our local network. We will configure a Remote Port Forwarding and enable our friend to access the Apache Tomcat administration webpage we are running on our Local machine via Webserver.
We can do this by running the following command:
ssh -f myuser@webserver -R 8080:localhost:8080 -N
Voila, we can now tell our friend to access Webserver on port 8080 and Apache Tomcat administration webpage running on our Local machine will open up to him.
As we can see the only difference when using Remote Port Forward is the syntax change from “-L” to “-R” option.
SSH Tunnel – Dynamic Port Forwarding
Dynamic Port Forwarding will turn your machine into a SOCKS Proxy. SOCKS Proxy can proxy all requests through the network or the internet, but programs usually must be configured to use the SOCKS proxy. SOCKS proxy can be started with the following command:
ssh -C -D 1080 localmachine
… where the -C options enables compression, -D option specifies dynamic port forwarding and 1080 is the standard SOCKS Proxy port. The next step would be to reconfigure your web browser to use 127.0.0.1 on port 1080 as a SOCKS Proxy.
Using Dynamic Port Forwarding and configuring your browser to use local SOCKS Proxy will encrypt all traffic visited from your web browser and make your connections secure.
SSH Tunnel – GeekPeek Tips
- If you are running SSH server on a non-default port, you need to specify your port when running “ssh” command with the “-p” option
ssh -f wsuser@workstation -p 22222 -L 8080:appserver:8080 -N
- Double check the ports that are already used on the intermediate machine before doing Local or Remote Port Forwarding. You can use netstat command and grep the port you want to forward
netstat -anp |grep 8080
- Do not forget to reconfigure SSH server before trying Remote Port Forwarding and restarting SSH server
GatewayPorts yes
- The “-f” option requests SSH to go to backgrouns and “-N” option tells it not to execute a remote command. If you do not want the SSH to go into background just remove the “-f” and “-N” option
- Make sure your IPTables configuration is compatible with Port Forwarding you configured!