-
Tunnels allow for one way access (forwarding) from one system to another.
-
Tunnel is always started from the system that runs the inital ssh command, but has nothing to do with local versus remote
-
Local is used when the same system that initiated the tunnel will use a port on its own localhost address, or IP address as the entry point for the tunnel
-
Note that if localhost is used, the tunnel can only be accessed from that host. If another IP address is used, other systems can send traffic to that IP:port as the entry point for the tunnel
-
-
Remote (or reverse) is used when the server that you’re ssh’ing to will use its localhost, or IP to access the tunnel
-
Using 0.0.0.0:port is especially useful (but less secure) as it allows any system to access the tunnel on that side
-
-
-L and -R format are <IP to enter the tunnel>:<port to enter the tunnel>:<IP forwarded to on the other side of the tunnel>:<port forwarded to …>
-
Can omit first IP, which means anyone can access the tunnel through the receiving system’s port
-
Specifying the first IP restricts what system’s can access the tunnel, but only if
GatewayPorts clientspecifiedis set in the receiving server’s sshd_config file
-
-
The LocalForward option in the OpenSSH client configuration file can be used to configure forwarding without having to specify it on command line
-
The AllowTcpForwarding option in the OpenSSH server configuration file must be enabled on the server to allow port forwarding.
-
By default, forwarding is allowed.
-
Possible values for this option are yes or all to allow all TCP forwarding, no to prevent all TCP forwarding, local to allow local forwardings, and remote to allow remote forwardings.
-
-
Can forward to multiple ports, even to different servers, inside the same tunnel:
-
ssh -R 2222:d76767.nyc.example.com:22 -R 5432:postgres3.nyc.example.com:5432 aws4.mydomain.net
-
Would allow the remote system to ssh to one system through its port 2222 and access a postgreSQL database through its port 5432
-
-
|
Important
|
Must ssh as root to monitor privileged ports (1000 and below). I.e. -L 0.0.0.0:443:localhost:443 |
-
`ssh -f -L 8080:localhost:80 root@remote-server -N `
-
Useful when wanting to create a secure connect between your client and a remote-server
-
Will only work if the remote-server can receive ssh connections
-
Won’t work if the remote-server is behind a firewall that blocks incoming SSH
-
Won’t work if the remote-server is behind a NAT router
-
-
-f runs in the background
-
-L runs a listener/forwarder process on the local port (i.e. 8080)
-
:localhost:80 Instructs the ssh process on the receiving server to forward the traffic to its port 80
-
-
-N creates the SSH session but doesn’t open a shell on the remote server
-
w3m http://localhost:8080 - to browse to the entrance of the tunnel on port 8080, which is forwarded to port 80 on the remote-server
|
Important
|
Must ssh as root to monitor privileged ports (1000 and below). I.e. -R 0.0.0.0:443:localhost:443 |
-
ssh -R 2222:localhost:22 root@ssh-reachable-server -
Useful when the server you want to reach is behind a firewall that blocks SSH, or behind a NAT router
-
Command is run on the host that cannot be reached via ssh (i.e. behind the firewall) so it can create an ESTABLISHED connection to root@ssh-reachable-server
-
Can use the same switches as -L
-
Allows the ssh-reachable-server (i.e. -R or remote) to ssh back into the firewalled host through its own localhost:2222
-
Can use
0.0.0.0:2222:localhost:22to make sshd monitor on all IPs-
By default it is only allowed to monitor on localhost
-
Set
GatewayPorts clientspecifiedin /etc/ssh/sshd_config to enable
-
Need to kill the ssh session that is running the tunnel when done.
-
From local system:
ssh -N -D 8080 <username>@<remote host>
|
Note
|
Remote host must be able to resolve hostnames and access HTTP(s) listeners for desired websites |
-
On local browser, change SOCKS Host settings to "127.0.0.1" and port to "8080"
|
Important
|
This tunnels ALL browser traffic through the remote host. Great for working from unsecure locations (i.e. random wifi coffee shop) but allows logging web activity from the remote host to all websites. |
|
Note
|
Remember to close the session and disable SOCKS Host settings on the browser when done. |
-
Create the tunnel:
ssh -L localhost:1234:<destination host IP>:22 -N <Jump Host Username>@<Jump Host IP> & -
SCP the file or directory:
scp -P 1234 -pr <path>/<file or directory> <Desintation Host Username>@localhost:<destination path> -
Destroy the tunnel:
kill %1-
Couldn’t get this to work on a standard NAT router. Not sure why. Fell back to
scp -o ProxyJump=opensuse@kvm-host ~/.ssh/keypair.pem opensuse@VM-behind-NAT-router:~/.ssh/
-