Using SSH for Port Forwarding
1. Local Forwarding Part 1

- What:
  - Forward a port on your localhost (i.e., the SSH client) to a port on a remote host through an SSH server:

        ssh -L port:host:hostport user@sshserver
        #
        # -- "port" refers to the (local) port on the (local) SSH client.
        # -- "host" and "hostport" refer to the remote host; "host" is
        #    resolved by the SSH server, not by the client.
        #
- Examples:
  - Set up a tunnel through a gateway machine, e.g., from outside a business/campus into business/campus machines.
  - Connecting directly to an HPC cluster compute node.
  - Secure proxying, e.g., using a remote Web proxy to work around local blocks.
  - Securing VNC.
1.1. Notes

- You may need to allow TCP port forwarding on the gateway SSH server in
  /etc/ssh/sshd_config, e.g., on my Solaris 10 gateway:

      # Port forwarding
      ####AllowTcpForwarding no
      AllowTcpForwarding yes

  followed by

      svcadm restart ssh

- cat - is simply to keep the connection open; any non-terminating command will do. Omitting the command altogether opens a command-line shell on the gateway machine, but this requires a controlling terminal, so if you wish to use port forwarding in a script, add cat -, or similar (or pass -N, which tells ssh not to request a remote command at all, as in the VNC example below).
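A quick way to confirm which value sshd will actually use, as an added example (not part of these notes): sshd takes the first uncommented occurrence of a keyword, so a stale "AllowTcpForwarding no" left above your new "yes" line silently keeps forwarding disabled. The sshd_effective function below assumes a conventional sshd_config layout and stops at the first Match line, since options inside Match blocks are conditional.

```shell
# Added example, not from the original notes. Assumed sshd_config semantics:
# for each keyword the FIRST uncommented occurrence wins, and everything
# after a "Match" line is conditional, so parsing stops there.
sshd_effective() {
    # $1 = path to sshd_config, $2 = keyword (case-insensitive),
    # $3 = default value to report when the keyword is absent
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" -v def="$3" '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)          # "Keyword value" or "Keyword=value"
            key = tolower(f[1])
            if (key == "match") exit           # global section ends here
            if (key == kw) { print f[2]; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# Convenience check for the setting edited above: succeeds (exit 0) only when
# TCP forwarding is fully permitted, i.e. the value is "yes" (sshd's default)
# or "all"; "no", "local" and "remote" are all reported as restricted.
tcp_forwarding_allowed() {
    v=$(sshd_effective "$1" AllowTcpForwarding yes | tr 'A-Z' 'a-z')
    [ "$v" = "yes" ] || [ "$v" = "all" ]
}

# Constructed sample config (not a real server's file): the commented-out
# "no" is ignored and the Match block is skipped, so the result is "yes".
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# Port forwarding
####AllowTcpForwarding no
AllowTcpForwarding yes
Match User guest
    AllowTcpForwarding no
EOF
printf 'AllowTcpForwarding = %s\n' "$(sshd_effective "$demo_cfg" AllowTcpForwarding yes)"
if tcp_forwarding_allowed "$demo_cfg"; then echo "forwarding permitted"; else echo "forwarding restricted"; fi
rm -f "$demo_cfg"
```

Run it against the gateway's real /etc/ssh/sshd_config after editing and before restarting sshd; a result other than "yes" or "all" means the -L tunnel will be refused.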
1.2. Example: Tunnelling Through a Gateway Machine

Set up a tunnel from outside a business/campus, through a gateway machine, into your business/campus office desktop machine:

    ssh -L 2222:officedesktop.machine.net:22 [email protected] [cat -]
    [email protected]'s password:
    #
    # ...forwards port 2222 on the local machine to port 22 on officedesktop.machine.net
    # through my.gateway.net...
    #
    # ...the optional "cat -", or any other non-terminating command, is simply
    # to keep the connection open --- omitting this opens a command-line
    # shell, which requires a controlling terminal...
    #

then

    outside> ssh -p 2222 localhost
    simonh@localhost's password:   # ...this is confusing --- actually officedesktop's password...
    officedesktop>
1.3. Example: Connecting Directly to an HPC Cluster Compute Node

Suppose you want to connect from your desktop machine directly to a process which is listening on a compute node:

    ssh -L 2222:node043:4567 [email protected] [cat -]
    [email protected]'s password:
    #
    # ...forwards port 2222 on the local machine to port 4567 on node043
    # through the login node (hpc.cluster.org)...
    #
    # ...the optional "cat -", or any other non-terminating command, is simply
    # to keep the connection open --- omitting this opens a command-line
    # shell, which requires a controlling terminal...
    #

then

    outside> ssh -p 2222 localhost
    simonh@localhost's password:   # ...this is confusing --- actually node043's password...
    node043>

Because the second ssh really talks to node043, it is node043's host key that gets recorded in ~/.ssh/known_hosts under the name [localhost]:2222. Reusing the same local port for a different target (officedesktop in the previous example, node043 here) therefore triggers a host-key mismatch warning; use a different local port per target, or pass -o HostKeyAlias=node043 so the key is stored under the real name.
1.4. Example: Secure Proxying

Suppose you work at a company which has blocked Web access to Facebook in an attempt to ensure that the "social" networking site is not used by those who should be working. Simply select an SSH gateway and a Web proxy outside of The Company and all is well:

    ssh -L 3128:proxy.net:3128 [email protected]
    [email protected]'s password:

then point your browser at the proxy localhost:3128 to access Facebook. Note that only the leg between your machine and the SSH gateway is encrypted; the Web proxy itself still sees the traffic in the clear.
1.5. Example: Tunnelling VNC

Assume the SSH server and VNC server are the same host:

    local> ssh -C -L 5901:localhost:5902 -N -f [email protected]

Any references to display :1 on your local machine would actually connect to display :2 on man2e.nw-grid.ac.uk (VNC display :n listens on TCP port 5900+n). Here -C enables compression, -N tells ssh not to run a remote command, and -f sends ssh to the background once the forward is established. Because "localhost" in the -L argument is resolved by the SSH server, the VNC server only needs to listen on its own loopback interface, not on the network.
2. Local Forwarding Part 2

By default the forwarded port is bound only to the loopback interface of the SSH client, so only processes on that machine can use the tunnel. Giving a bind_address (or -g, which binds to all interfaces) lets other hosts connect through it, which also means that anyone who can reach that port gets to use your forward:

    ssh -L bind_address:port:host:hostport user@hostname
    ssh -g -L :port:host:hostport user@hostname
3. Enabling SSH Access to a Host Behind a NATting Firewall

The NATted host opens the connection outwards and asks publichost's sshd to listen on port 19999 and relay anything it receives back to port 22 on the NATted host (a remote, or reverse, forward). Unless GatewayPorts is enabled on publichost, that listener is bound to publichost's loopback interface only:

    nattedhost> ssh -R 19999:localhost:22 [email protected]
    #
    # ...
    #

then

    publichost> ssh -p 19999 localhost
    #
    # ...
    #